The Final Day of Black Hat 2008
Written by Brian E. Dykstra   
Thursday, 07 August 2008 23:09
The final day of Black Hat 2008 was a mixed bag of presentations from vendor fluff to overly technical slide shows that NASA scientists will be studying for years to come. Social engineering and a variety of non-hacking technical tricks were the highlights of the day.

The morning started out well with a very entertaining and informative presentation by Shawn Moyer and Nathan Hamiel, Idea Information Security, on all the mischief that can be accomplished on social networking web sites. The presentation ranged from simple tricks for forcing your way onto people's MySpace friends lists to simple Java Trojans that automatically log an unsuspecting user out of their account as soon as they log in. They even got computer security luminary Marcus Ranum to help them demonstrate how even security professionals divulged personal information to a fake LinkedIn profile posing as him. The presenters had much more material than they were actually able to cover in the time allotted, and we will be following up with them to get more information on the implications of fake corporate social networks.

One of the most cutting-edge presentations this year was Visual Forensic Analysis and Reverse Engineering of Binary Data by Greg Conti and Erik Dean, US Military Academy West Point. They effectively demonstrated the advantages and efficiencies possible by viewing data in two dimensions rather than one. Their research also demonstrated the potential advantages of unknown data visualization over traditional identification techniques. This area of computer forensics is in its infancy but shows a great deal of potential.

Internet scams are alive and well, as chronicled by Jeremiah Grossman and Arian Evans. The duo presented eleven different hacking and scamming scenarios that rely not on computer intrusion but on business logic. One of the schemes presented involved establishing 58,000 accounts to collect the few cents deposited to verify a valid account; the scammer collected over $60,000.00 before being caught. Another scam involves exploiting the business logic of online shopping networks to receive products that were purchased but then rapidly cancelled before the scammer was actually charged. The disconnect between the ordering systems and the shipping systems allowed over $400,000.00 worth of cancelled orders to be shipped. This was definitely a case of seller beware.

Bruce Dang of Microsoft provided a very informative briefing on how hackers exploit flaws in Microsoft Office products to attack the unwary. The presentation was extremely technical (including assembly-language opcodes) but organized in such a way that it was easy to understand what went into these exploits, which are so commonly used as the payload in phishing attacks. Bruce also covered some simple protection techniques and pointed the audience to various free Microsoft software and knowledge resources.

In the next several weeks we will pull together our notes from all the presentations, conduct some follow-up interviews and bring Law.com readers the best of Black Hat USA 2008.



 
Black Hat 2008 - Day One
Written by Brian E. Dykstra   
Thursday, 07 August 2008 11:33
The opening day of Black Hat 2008 was a mix of the highs and lows that make this annual technology conference so much fun to attend. The Bad Sushi phishing presentation by Nitesh Dhanjani and Billy Rios lived up to its name. Together they effectively demonstrated just how simple it is for a phisher to get started in the identity theft business and the variety of "phisher-on-phisher" crime that occurs in the "phishing ecosystem".

In the Highway to Hell: Hacking Toll Systems presentation, Mark Lawson of Root Labs demonstrated how you could steal and change the unique identification code of the FasTrak toll transponder commonly used in the San Francisco Bay Area. Although the Bay Area Transportation Administration (BATA) states that the transponder device is read-only according to the manufacturer's specifications, Mr. Lawson presented credible information to the contrary.

The DNS Goodness presentation by Dan Kaminsky, Director of Penetration Testing at IOActive, was definitely the big event of the day. With over 2,000 attendees packed into a room suitable for about 800, Dan told the intriguing story of his discovery of the Internet-wide DNS vulnerability and of the careful planning by the world's leading technology companies to distribute a fix. We'll have more on the Kaminsky DNS exploit in a later article based on our private interview with Dan.

In a pre-presentation demonstration by Michael Zusman, Intrepidus Group, we got to see a potentially very dangerous vulnerability that runs through a variety of vendors' SSL VPN (Virtual Private Network) clients commonly used in web browsers. Michael demonstrated how simply having the vulnerable ActiveX or Java control installed in a web browser allowed him to gain full access to a remote user's laptop when that user simply visited a web page.

We had one of those serendipitous Black Hat moments during an unexpectedly interesting presentation by academic researchers Tadayoshi Kohno and Kevin Fu on Security and Privacy Vulnerabilities for Implantable Wireless Medical Devices. Together they showed how private patient data could be extracted from an implanted medical device such as an implantable cardiac defibrillator. The presenters also showed how the device could be altered via radio transmissions to harm or possibly even kill a patient.

Today we are looking forward to attending presentations on attacking social networks, virtualization security, cutting-edge computer forensic visualization and database tools. Our wildcard presentations of the day include technical threats to the 2008 presidential elections and targeted attacks on Microsoft Office documents.


 
Welcome to Black Hat 2008
Written by BD   
Wednesday, 06 August 2008 11:08
We've got ourselves successfully registered and have a full day ahead of us. We'll be attending the best of the great selection of presentations available at this year's Black Hat 2008 Briefings in Las Vegas. We'll then be writing a series of articles about the latest and most interesting items for Law.com. Today we are scheduled to attend presentations on:
  • Bad Sushi - Fighting back against phishing attacks
  • When Lawyers Attack - Strangely the only presentation focused on E-Discovery
  • Highway to Hell - A presentation on privacy flaws in the EZ-PASS and FasTrak toll systems
  • Storm Botnet - A look at the largest automated computer attack plaguing the Internet
  • XPloiting Google Gadgets - Apparently there are some security flaws in these handy little tools
  • BlueTooth 2.1 - A presentation on new security features and flaws
  • The Virtualization Security Apocalypse - The title really says it all

Later today we will also be doing a one-on-one interview with Dan Kaminsky, Director of Penetration Testing for IOActive, of recent Domain Name Service (DNS) flaw discovery fame. Dan was responsible for identifying and carefully notifying the government and vendors about a serious security flaw in the DNS system that literally affected the security of the entire Internet.

For our readers not familiar with DNS, it is the behind-the-scenes service on the Internet that makes sure all web browsing, email and instant messaging makes it back and forth between the right computers. Mr. Kaminsky and his team of researchers discovered a previously unknown flaw in the DNS protocol that we all use, one that would allow a hacker to redirect or intercept your Internet traffic.

We also plan to do several other interviews today with the more "interesting" presenters and to get comments from some of the computer security elite who attend this annual event. We'll pull together a summary of the best of today's events for a new blog posting later today.


 
7 Myths about Computer Forensics
Written by Ryan Lerminiaux   
Tuesday, 06 May 2008 14:14

We live in a very technologically advanced society. These days everyone relies on computers in one way or another, whether it is ordering your groceries online, buying a gift for your mother on an auction site, or doing your tax returns. We are all very dependent on computers. This trend has held true in the legal system as well. Every day more and more computers and computer-related accessories are being introduced as evidence in courtrooms around the world. This presents a daunting task for the computer forensics professional. The task is made even more difficult by myths and unrealistic expectations, spawned by popular culture, about a computer’s capabilities and about what a forensic professional can do with a computer. Computers and the Internet are the new fad. There are hundreds of books, movies, and TV shows about computers. Some of them are accurate, but the majority of the material we see in TV shows and movies is very fictionalized and unrealistic.

I’m sure most people are familiar with CSI, the popular forensics show. At some point each season they use “computer forensics” to solve parts of their cases. I was recently watching an episode where the CSI crew used “computer forensics” to track down a suspect via the airline tickets he had purchased. The computer technician mashed furiously on his keyboard while the words “Computer Forensics” flashed in red at the top of his screen. Before I knew it, they had located their suspect. Unfortunately, folks, that is not really how it works. I am sure lawyers feel the same way about shows like Law and Order.

With all of this in mind I will attempt to dispel the most common myths about computer forensics. These are things we have been asked about time and time again. Computer forensics isn’t nearly as sexy as TV and movies make it out to be, and here is why:


A computer forensics analyst can recover any file that was ever deleted on a computer since it was built.
This simply is not true. We can recover deleted files, and/or parts of deleted files, but how many differs for every computer. When you delete a file or empty your recycle bin, the selected file has its entry removed from the computer’s file system. The contents of the file have not been written over or removed from your hard drive; only the file’s entry in the file system directory is gone. This means that the file will hang around in unallocated space until the file system writes a new file over it. A new file can be written over the old one because the old one no longer has a placeholder in the directory, in the form of a directory entry. For example, if you are in a movie theatre and decide you need to use the restroom, you will usually leave something in your seat, like your coat, to let others know that seat is occupied. You can think of the coat as the file’s directory entry. If you take your coat with you when you go, there is no way for others to know that you are occupying that seat. There is a good possibility that when you return from the restroom your seat will still be empty, but there is a chance it may now be occupied by another person, and you have just lost the best seat in the house.
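To make the directory-entry point concrete, here is an added toy model (not from the original article) of a tiny block device: deleting a file only drops its directory entry, a signature-based carve over the unallocated blocks still recovers the whole memo, and a later write that reuses the freed blocks leaves only a fragment behind. Everything in it (the ToyFS class, the 16-byte block size, the sample memo and budget file) is constructed for illustration and models no real on-disk format.

```python
"""Why a deleted file stays recoverable until its blocks are reused.

Constructed toy file system: a fixed-size block image plus a directory
that maps file names to (block list, size). The allocation logic, not
the format, is the point.
"""
from __future__ import annotations

from dataclasses import dataclass, field

BLOCK_SIZE = 16  # bytes per block; tiny so the effect is easy to see


@dataclass
class ToyFS:
    num_blocks: int
    image: bytearray = field(init=False)
    directory: dict[str, tuple[list[int], int]] = field(init=False)

    def __post_init__(self) -> None:
        self.image = bytearray(self.num_blocks * BLOCK_SIZE)
        self.directory = {}

    def _block(self, b: int) -> bytes:
        return bytes(self.image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])

    def free_blocks(self) -> list[int]:
        """Blocks not referenced by any directory entry: the "unallocated space"."""
        used = {b for blocks, _ in self.directory.values() for b in blocks}
        return [b for b in range(self.num_blocks) if b not in used]

    def write(self, name: str, data: bytes) -> None:
        """Allocate the lowest free blocks and store the data there."""
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        free = self.free_blocks()
        if needed > len(free):
            raise OSError("disk full")
        blocks = free[:needed]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = (blocks, len(data))

    def read(self, name: str) -> bytes:
        blocks, size = self.directory[name]
        return b"".join(self._block(b) for b in blocks)[:size]

    def delete(self, name: str) -> None:
        """Remove only the directory entry; the data blocks are left untouched."""
        del self.directory[name]

    def unallocated(self) -> bytes:
        """Unallocated blocks in disk order, as a carving tool would scan them."""
        return b"".join(self._block(b) for b in self.free_blocks())


def carve(fs: ToyFS, header: bytes, footer: bytes) -> list[bytes]:
    """Signature-based carving: every complete header...footer run in unallocated space."""
    space = fs.unallocated()
    found, pos = [], 0
    while (start := space.find(header, pos)) != -1:
        end = space.find(footer, start + len(header))
        if end == -1:
            break  # header without footer: a truncated remnant, not a whole file
        found.append(space[start:end + len(footer)])
        pos = end + len(footer)
    return found


def demo() -> dict:
    """Delete a memo, carve it back, then let a new file reuse its blocks and carve again."""
    fs = ToyFS(num_blocks=8)
    memo = b"<MEMO>board meeting moved to Friday</MEMO>"  # constructed sample file, 3 blocks
    fs.write("memo.txt", memo)
    fs.delete("memo.txt")  # the "coat" is gone, but the "seat" still holds the memo
    before = carve(fs, b"<MEMO>", b"</MEMO>")
    # A new 2-block file takes the lowest free blocks, i.e. the first two blocks of the memo.
    fs.write("budget.csv", b"q1,q2,q3\n100,200,300\n")
    after = carve(fs, b"<MEMO>", b"</MEMO>")
    return {
        "recovered_before_overwrite": before,   # the whole memo
        "recovered_after_overwrite": after,     # nothing complete
        "fragment_still_present": b"</MEMO>" in fs.unallocated(),  # tail survives in block 3
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```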

Metadata is the all knowing, all seeing, end all piece of information on a file.
Not even close. Most people think of metadata as being like the slip that comes in a book you check out from the library. Those slips contain a list of all the people who have checked the book out recently and how long they had it. Metadata is not like that. While it does contain some useful information about the file, the scope of that information is much more limited than most people think. In general, here is the information contained in a file’s metadata:

I. The author
II. MAC times (Modified, Accessed, Created)
III. File name
IV. File size
V. File location
VI. File properties (e.g. Hidden, Read-Only)

This is still very useful information, but it is by no means the information-rich tome that people make it out to be.

Having a forensic software license makes someone a computer forensics expert.
If owning a hockey stick makes me an NHL all-star, then yes. I don’t know that I need to go into great detail on this issue. Since computer forensics is still such a new field, there is a lack of standards and guidelines for practicing it. If you want to practice law in America, you must pass the Bar. There is no system like this in place for the computer forensics field. Therefore, there are a lot of people out there who claim to be computer forensics experts when in truth they have a decent understanding of a computer forensics program and that is about it. Simply put, would you want someone to perform surgery on you because they happen to own an MRI machine, or someone who went to school for it?

E-Discovery is an uncontrollable money-eating machine.
If you work with a veteran firm that has a lot of experience in this area, this is not the case. We do a lot of EDD work here at Jones Dykstra and Associates; I’d say about eighty percent of my time is spent doing EDD work for my clients. Most of the time when clients come to us with an EDD request, we spend a great deal of time getting background information from them, like the number of laptops, desktops, and servers they currently employ, as well as what types of information they need us to produce. Then we figure out, based on their needs, which systems we need to target. Based on this analysis we are able to give them a very accurate fixed price up front, with no hidden surprises. Our experience allows us to judge very accurately the amount of work we will have to do to produce the desired results for our clients, and thus we are able to give them a fixed price on our work most of the time.

Cell phone forensics is easy.
Not really. There are few programs available to do cell phone forensics, and those programs don’t work very well. This is due in part to the fact that new cell phones come out every day, and it’s very hard for these software vendors to keep up with the ever-changing cell phone market. These programs are also targeted at older phone types, not the Smartphone/PDA/espresso-maker type that most business people use today, and in our line of work those tend to be the people targeted for investigation. These new phones contain their own operating systems, like Windows Mobile and others, which causes problems for the forensic programs. Many of these newer smartphones are still being tested by software vendors. Even if you are able to make a forensic duplicate of one of these phones, the data you get out of it is very hard to view.

The best available data is on running machines.
Not always; there are options that a lot of people do not consider. It is not a problem to shut down an employee’s workstation and duplicate it, but what do you do if you need to pull information from a company’s main database? Can you shut it down? How will that affect daily operations? I’ve seen the fear in the faces of a company’s IT staff when we asked them to shut down their domain controller or Exchange server. They know that those systems can be very temperamental and may not come back if we have to shut them down. A lot of the time when we are doing EDD work, the information we are looking for was created in the past. Why not pull the information we need from backup tapes? Most responsible companies keep an accurate library of backup tapes. Isn’t that the point of a backup tape, to store important company information in a non-volatile format? In the case of the Exchange server, do we really have to shut down the system to duplicate it, or can we pull the PSTs we need using ExMerge? These are very safe alternatives to shutting down vital running systems, and they will most likely contain the information we are looking for. In these scenarios everyone wins.

Computer forensics experts catch the hacker every time.
Most of the time they go untouched. When companies call us in after an intrusion, they usually want us to stop the bleeding but rarely care about catching the group responsible for the intrusion. Most of the attacks we have seen recently originate in China, and there isn’t really anything we can do to stop them. We have no jurisdiction there and the hackers know we can’t touch them. Most companies are not willing to put the time, the money, or the effort into catching the people who attack them. They want the intrusion to stop, the attacker removed, and information on how to better protect themselves in the future.

 

Well, I hope I’ve done a decent job of dispelling some of the myths about computer forensics. It’s not as sexy as CSI makes it sound, is it? On the other hand, we do get to do a lot of cool things in the field, and we do get to help a lot of people during their time of need. Those things definitely make up for the lack of flash that TV portrays.

 
Some of my thoughts on E-Discovery versus Computer Forensics
Written by Keith J. Jones   
Tuesday, 29 April 2008 18:27


I find that e-discovery and computer forensics are commonly misunderstood and often used in the wrong context. Many skills used during computer forensics projects can be easily applied to e-discovery projects, and vice versa, even though the goals of these processes are very different. In this blog article I will attempt to highlight the similarities and clarify the differences between both. I will also attempt to show how they can be combined for a more complete and comprehensive computer investigation.

In order to put e-discovery and computer forensics in context, I will discuss these terms as used during litigation. The graph below represents any litigation involving computer data that you may experience. Imagine that any litigation will begin at the top stage and progress towards the bottom stage. As the litigation starts at the top and travels downward, it may be resolved at any of the current stages before it reaches the next stage. In those cases, the litigation does not have to travel the whole triangle but can be resolved with less work. That is a reason why I made the graph into a triangle. A number of filed litigations are settled before they actually go to court, and therefore not every stage in the graph below is needed.

The pre-litigation advice stage usually takes place before any incident occurs. For example, common pre-litigation advice could consist of a recommendation to implement e-mail and documentation retention systems in order to make future incidents easier and less costly. Since the initial advice stage is usually dependent on the situation and client we speak with, we will switch gears for the purposes of this article to talk about the e-discovery and computer forensic stages of your incident.

E-discovery:

The first stage of litigation consists of determining what documents or files exist and where they exist on all of the computer systems in question. At the early stages of litigation, you may just want all of the relevant documents or files from the computer systems so that you can use them to build the specifics of your case. The criteria for any e-discovery project usually boil down to needing every relevant document on the computer systems that matches a certain specification. Keyword searching is the most commonly used specification in these cases and usually yields sufficient results for most situations, including an acceptable percentage of both deleted and undeleted files from your computer systems.

Although it sounds simple, e-discovery is far from that. There are a lot of factors that can make e-discovery a lot more complicated than it sounds. The sheer quantity of data is usually the driving factor in how difficult an e-discovery project will be. For most companies it is not out of the question to have 10 or more employees involved in any one litigation. Each of those employees may have at least one laptop or desktop and probably has one or more e-mail mailboxes. A single file could be duplicated hundreds of times across each person's computer and e-mail mailbox. In many instances, multiple files are duplicated in this manner amongst many users. This duplication becomes a problem when you must process, analyze, and produce the data so somebody can easily review it by hand. One of the goals we attempt to accomplish during e-discovery is to provide the smallest, most relevant data set from a very large unstructured data set. By limiting the duplication of the files mentioned above, we make it possible for reviewers to review only one file, and then the review is simultaneously applied to the many different places that file originally existed.

Computer Forensics:

E-discovery may be used at the beginning of a project when it is more important to find a great quantity of relevant data rather than the minute artifacts in a computer system. On the other hand, computer forensics is often used when a specific piece of data needs to be analyzed at great depth. Computer forensics is often used to explain, in technical terms, what a person did and when it was done on a computer system. An examiner could use computer forensics on a very small set of data, such as one file, to help prove the case. Sometimes only one file could be the "smoking gun".

For example, we may use computer forensics to determine if a computer system was maliciously modified before the investigation began. Computer forensics would allow us to examine specific portions of the hard drive, such as file metadata, in order to determine if the computer system was modified in an unauthorized manner. Another example of computer forensics may be the examination of a rogue file on a computer system. A painstaking examination can be made of any unknown file in order to determine what the file is for, what it accomplishes, why it is on the computer system, and how it originally got there.

Similarities:

First, people who perform e-discovery and computer forensics use the same types of data. Computer data is usually acquired with the same forensic software and the same techniques, which save every bit of a computer hard drive for your processing efforts. Both e-discovery and computer forensics can undelete computer files and recover data that the user believes has been removed from their computer system. This is because in most circumstances the data that is acquired is the same for both processes.

Second, some of the same software tools can be used for e-discovery and computer forensics. For example, we have used the Forensic Toolkit (FTK) on both e-discovery projects and computer forensic projects. Most software along these lines presents the user with deleted and undeleted files in an easy-to-navigate format. What you choose to do with the files is dictated by the type of project you are working on, such as an e-discovery project or a computer forensics examination. Most software, like FTK, offers functionality for a mass export of the files matching your criteria, or you can use the software to examine specific files as you would during a computer forensic examination.

Third, the same basic skill sets for the examiner are required for e-discovery and computer forensics. Since we use the same software for e-discovery and computer forensic projects, the user does not have to learn anything new to use the software to accomplish two different goals. Therefore, the same basic skill sets of data acquisition, processing, and presentation are used in both e-discovery and computer forensic projects. Once you have learned the software and the methodologies behind it, it is very easy to apply them to other types of projects.

Lastly, the same basic processes are used for e-discovery and computer forensics. Most of the same basic processes are initially used in both types of projects. For example, in nearly every e-discovery and computer forensic project you will want the capability of examining deleted files. Usually the first steps in these projects undelete any deleted files on the computer you are examining. Keyword searching is often used during e-discovery projects in order to reduce the data set that you have to review. Keyword searching is also used during computer forensics to locate the file or files you want to examine. Also, in both e-discovery and computer forensic projects you do not want to examine the same file over and over, which would dramatically waste your time. This is a process that we call de-duplication. You can de-duplicate the data using the same process during e-discovery and when performing computer forensics. Nearly any type of process you use on one you can apply to the other.
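The keyword culling and de-duplication described above, as an added example that is not part of the original article or the firm's own tooling: a constructed collection of (location, content) pairs from several custodians is culled by keyword, exact duplicates are grouped by SHA-256 so each unique document is reviewed once, and the reviewer's decision is then applied to every location that copy was found in. The custodian names, paths and file contents are all constructed for illustration.

```python
"""Keyword culling plus hash-based de-duplication of a collected data set.

Constructed example: the corpus is a list of (location, content) pairs as
they might be collected from several custodians' laptops and mailboxes.
Exact duplicates are identified by SHA-256 of the content; a revised
version of a document hashes differently and is reviewed on its own.
"""
import hashlib

# Constructed sample collection: three copies of one contract, one later revision, and noise.
CORPUS = [
    ("laptop-alice/Documents/contract_v2.docx", b"Contract v2: payment due 30 days after delivery."),
    ("mailbox-alice/Sent/2008-03-01.eml", b"Contract v2: payment due 30 days after delivery."),
    ("mailbox-bob/Inbox/2008-03-01.eml", b"Contract v2: payment due 30 days after delivery."),
    ("laptop-bob/Desktop/contract_v3.docx", b"Contract v3: payment due 45 days after delivery."),
    ("laptop-carol/notes.txt", b"Lunch order for Friday: two pizzas."),
    ("mailbox-carol/Inbox/lunch.eml", b"Lunch order for Friday: two pizzas."),
]


def keyword_filter(corpus, keywords):
    """Keep the items whose content contains any of the keywords (case-insensitive)."""
    needles = [k.lower().encode() for k in keywords]
    return [(loc, data) for loc, data in corpus if any(n in data.lower() for n in needles)]


def deduplicate(items):
    """Group items by SHA-256 of content: hash -> {"content": bytes, "locations": [...]}."""
    groups = {}
    for loc, data in items:
        digest = hashlib.sha256(data).hexdigest()
        group = groups.setdefault(digest, {"content": data, "locations": []})
        group["locations"].append(loc)
    return groups


def propagate_review(groups, decisions):
    """Apply one per-hash review decision to every location that carries that hash."""
    applied = {}
    for digest, decision in decisions.items():
        for loc in groups[digest]["locations"]:
            applied[loc] = decision
    return applied


def build_review_set(corpus, keywords):
    """Cull by keyword, then de-duplicate; return the groups and the volume reduction."""
    responsive = keyword_filter(corpus, keywords)
    groups = deduplicate(responsive)
    stats = {"collected": len(corpus), "responsive": len(responsive), "unique": len(groups)}
    return groups, stats


if __name__ == "__main__":
    groups, stats = build_review_set(CORPUS, ["contract", "payment"])
    print(stats)  # the reviewer reads 'unique' documents, not 'responsive' copies
    for digest, group in groups.items():
        print(digest[:12], len(group["locations"]), "copies:", group["content"].decode())
```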

Differences:

First, there is a vast difference between the breadth and the depth of the analysis in e-discovery and computer forensics. In e-discovery, you usually produce a large number of files with little regard to their actual content. Granted, you may still care somewhat about the content of the files, as you are producing data that is responsive to some set of predefined criteria, but very rarely do we actually examine the content of every single file during an e-discovery project. We are usually producing these documents for a different party, such as our client, to review. While performing computer forensics, we may be interested in all of the files on the computer system, but we spend the majority of our time examining a select few files. We could spend many hours, days, or months just examining one file on a computer system if it is relevant to our investigation.

Second, an examiner's goals are very different between e-discovery and computer forensics. During e-discovery, our goal is usually to produce relevant documents for a third party to examine. During computer forensics, we are usually performing the examination of the relevant files ourselves. The files we examine during computer forensics tend to be a lot more difficult to view natively. For example, we will examine event logs, installed programs, file metadata, and many other types of files that the reviewers during an e-discovery project would not be able to understand. Furthermore, e-discovery is typically used to produce a large number of files in order to substantiate your case, while computer forensics is used to play back a user's activity on a computer system.

Third, a different level of planning goes into an e-discovery project versus a computer forensic examination. We find that during e-discovery engagements the client often wants us to grab a large number of computers, whereas during computer forensics examinations we focus on a select few. A different sense of planning is needed when large numbers of computers are to be examined versus only a few. It is not uncommon to see hundreds and hundreds of computers during e-discovery, when we would only examine a select few during a computer forensics project. It can be very difficult getting access to hundreds of computers when each has a person using it during the normal workday. If you have to examine only a few computers, your planning becomes much easier.

Bringing It Together:

You may be wondering: "Why take the time to differentiate between these two different types of projects?" In my opinion, I think it is unnecessary for people to choose two different companies or individuals to provide the same basic services. As you can see above, there are more similarities than differences between e-discovery and computer forensics. It is my belief that being good at one makes you better with the other. Allow me to explain.

Being able to manage large data sets (we have worked on some cases that involved more than 54 terabytes of information) and getting to the relevant data more efficiently, as is often done during e-discovery projects, only complements the computer forensics efforts that you perform later on. Sometimes finding the really important files for your computer forensic analysis is very similar to finding the relevant files in an e-discovery project. Conversely, understanding a large number of computer file formats in painstaking detail, as is often done in computer forensic projects, can make your e-discovery procedures much better because you can process files that common software and consultants may not be able to process. In some cases these more difficult files, such as proprietary files, can hold the most important information for your case.

The moral of the story? The next time you are hiring a person or engaging an outside company for your e-discovery or computer forensic needs, I recommend that you select a person or company that can complete the full triangle I presented above for you. There should be no need for you to select one person or company to complete just the e-discovery process and then find another person or company to take care of your computer forensic needs.


On the other hand, if you are a person or company that takes care of these needs, I recommend that you do not pigeonhole yourself into only one type of analysis. The e-discovery and computer forensics industry is large and still waiting for its superstars. Be sure to explore all that it offers.

 


 

 
Affordable iSCSI Storage, Part 2
Written by Steve Malloy   
Monday, 21 April 2008 14:52

How To Connect To iSCSI Storage From A Client System

Windows:

To access your newly created iSCSI storage from Windows, the Microsoft iSCSI Software Initiator must be obtained and installed. It can be downloaded from Microsoft at the following location:

Microsoft iSCSI Software Initiator

Once downloaded, install the software by double-clicking the installer, which will have a name similar to Initiator-2.06-build3497-x86fre.exe (the exact name depends on the version downloaded).

Once installed, double-click the icon titled Microsoft iSCSI Initiator. This will open a new window, which is the setup and configuration window for your remote iSCSI target.

From this window, click on the Discovery tab. In iSCSI terms, discovery is the step in which the initiator, given an IP address, reaches across the network and attaches to the remote disk(s).

Under Target Portals, click Add. This will bring up a new window that asks for the IP address or DNS name and the port of the remote disk(s) that you wish to attach to.

In my setup, I used 10.50.100.100 as the address of the remote target on port 3260, which is the default iSCSI port. Enter the IP address that was used during the setup of the iSCSI target along with the port that was set (typically 3260). Once this information is entered, click OK. If a connection is made, no error message will be returned; otherwise an error message stating “Unable to make connection” will be displayed.

Now that a connection has been established, click on the Targets tab. Under Targets, you should be able to see the name of your target, which was decided upon during the target setup. Click on this name and click the Log On button.

This will open a new window in which you can choose whether the initiator connects to the remote disks automatically each time Windows boots. It is recommended that this option be chosen so that if the power goes out, or your system is rebooted without you on hand to reconnect to the remote disk(s), any automated tasks will not lose the ability to access them.

Click the Bound Volumes/Devices tab. At the bottom of the Window, click Add.

From this window, click Bind All. This will attach all current iSCSI drives to the initiator. This step does not format the drives, and drives can be removed from this setup if only certain drives are to be used.

Once the drives are bound, click OK and exit the iSCSI Initiator. Right-click My Computer and select Manage. This opens a new window; in it, double-click Storage.

Then double click Disk Management(Local).

This will then open a list of all disks available to Windows. If the iSCSI disks have not been formatted yet, they will appear as unallocated drives. Right-click the unallocated drive and click New Partition. This opens a guided wizard for partitioning the disk. Once the wizard is completed, the new disk will be accessible like a local disk.


Linux:

To use the iSCSI server with a Linux operating system, use the following steps. Note: all steps assume that the iSCSI initiator installed earlier in this document is also installed on the machine you wish to use to connect to the server. The first step in connecting to the iSCSI server under Linux is discovery: the target must be discovered before it can be used. To discover an iSCSI server, use the following command:

iscsiadm -m discovery -t sendtargets -p <IP address of the iSCSI storage computer>:3260

Now that the target is discovered, the iSCSI service must be restarted so that the target is set up. To do this, type:

service iscsi restart

Now that the target is set up, it can be accessed like a normal disk with fdisk and formatted as needed. If the disk is already formatted, it keeps its existing format.


VMware ESX Server:

NOTE: Due to graphics quality issues, images were excluded from this section. To view these instructions with images, view the attached PDF documentation at the end of this article.

To use the iSCSI server with ESX Server 3i, use the following steps. Once logged into the Virtual Infrastructure Client, click on Configuration, then Networking. From the networking screen, click Add Networking and create a new VMkernel. Follow the steps in the wizard to set up the VMkernel.

Once the VMkernel is set up, click on Storage Adapters and look for iSCSI Software Adapter. Click on the adapter listed and, in the lower window, click on Properties.

This will open a new tabbed window. Click on the Dynamic Discovery tab and then click Add. A new window will open asking for the IP address and port of the iSCSI server. Once this information is entered, click OK; the IP address should now be listed in the Dynamic Discovery window. Click Close to exit this window.

Right-click on the iSCSI adapter and click Rescan. This should discover the available hard drives in the iSCSI server and list them.

Now that the initiator is attached to the iSCSI server, the disks need to be configured for use by the ESX server. To do this, click on Storage; once in the storage window, click Add Storage.

A new window will appear; in this window choose the Disk/LUN option.

Follow the wizard until you get to the Formatting step. At this step, a few options are presented. These are the maximum sizes that any disk created in a virtual machine can be. For instance, if set to 256 GB as in the picture, a new disk created under a virtual machine running Windows can be no larger than 256 GB. Make sure to choose according to your needs when at this step.

Finish the wizard and a new storage location will be accessible under ESX server which any virtual machine can be configured to use.


To download these instructions in PDF format, use the following link: Affordable iSCSI Storage, part 2.pdf

Affordable iSCSI Storage Part 1
Written by Steve Malloy   
Wednesday, 09 April 2008 15:03

I was recently put in charge of the task of finding an affordable and widely implementable solution for network storage that could be used for a near-line backup solution. The solution had to allow all servers being backed up to have access to it, and allow access from the tape backup system. Of course, the solution also had to support multiple RAID configurations to prevent a catastrophic hard disk failure. After hours of searching, I decided to use the iSCSI Enterprise Target (IETD) (http://iscsitarget.sourceforge.net/) on CentOS 5 Linux as the base operating system.

Hardware Needs

The following items are the hardware needs to set up this iSCSI solution. A Linux-supported RAID card: I am currently using the Adaptec RAID3405 SATA/SAS controller, which retails for around $390. You will also need a motherboard that has the correct internal card slots for the RAID controller. In most cases this will mean a PCI Express (PCIe) x1, 36-pin internal card slot on the motherboard. More advanced combination SAS/SATA RAID controllers may require PCIe x4 internal card slots. A decent motherboard will normally retail between $150 and $300. Unless you have a separate gigabit Ethernet adapter available, make sure there is at least one gigabit Ethernet connection on the motherboard. Remember that iSCSI uses the network as the means of transferring and receiving the data that is stored on the hard drives. A CPU, which does not have to be top of the line, will normally cost around $100 to $300 depending on your processor. Remember that this system will not be processing data, just handling storage functions, which are mostly offloaded to the RAID controller. You should plan on at least 512MB of RAM; this will normally cost between $25 and $100 depending on the brand of memory and the type required by your motherboard.

Assuming that a monitor and all input devices are already owned, the final items needed for this affordable iSCSI storage solution depend on the needs of the person implementing it. They are a power supply with enough wattage and power leads to support the number of hard drives needed, and a case big enough to hold everything. WARNING: Make sure that you have enough airflow in your case; a 500-1000 watt power supply and a bunch of large-capacity hard disks can rapidly create CPU-killing temperatures. The Adaptec RAID controller I mentioned above will support four SATA or SAS hard drives without extenders. This small configuration fits nicely in a basic mid-size case with a 500 watt power supply. The power supply will run around $50 and the case will cost about the same. Quality SATA II hard drives, depending on capacity, will cost about $150 each for the 500GB variety, while a 1TB drive will cost around $400 apiece.

For a complete 2TB iSCSI storage solution, the cost will be roughly $1400, unless you have this hardware lying around, in which case it will be significantly cheaper. This solution can be scaled upwards to larger than 2TB by using RAID controllers with more drive capacity, extenders, or multiple RAID controllers. With commercial iSCSI SAN solutions ranging from $5000 to $40,000 or more, a home-built solution is often the right answer for many situations where every IT dollar is critical.

1. Set Up A CentOS 5 Linux System

The first step to building an affordable iSCSI solution is to install CentOS 5 Linux on a computer similar to what is outlined above. Once installed, CentOS needs to be upgraded to the newest kernel and patch set. To do this, use the following command at the console:

# yum upgrade

Once the upgrade completes, restart the computer and select the newest kernel when prompted during the boot process. Once the system is back up, open a command prompt and install the kernel-devel, openssl-devel, and gcc packages using the following command:

# yum install kernel-devel openssl-devel gcc

Once these packages are finished installing, obtain the newest version of iSCSI Enterprise Target from http://iscsitarget.sourceforge.net/. Unpack it using the following command at the console:

# tar -xvzf iscsitarget-0.4.15.tar.gz

Now change into the directory created by unpacking the tarball. These are the install files for the iSCSI target daemon; install them by using the following command at the console:

# make && make install

Once the install finishes, the following command should be used so that the iscsi-target daemon is started every time the operating system starts. At the command console, type:

# chkconfig iscsi-target on

2. Set Up The Target Drive(s)

Now that the iscsi-target daemon is installed, it must be set up for future use. First identify the hard drives that you plan to use for storage. To do this, type the following command at the console:

# fdisk -l

This lists the disks attached to the system. In the example there are two hard drives attached, /dev/sda and /dev/sdb. For this example, /dev/sda is the bootable hard drive that CentOS 5 is installed on, and /dev/sdb will be our storage drive. While this is not a RAID array in the example, a RAID array will produce the same kind of output.


Now that the storage drive is identified, the configuration file for the iscsi-target needs to be modified to reflect the correct hard disk. To change the configuration file, type the following command:

# vim /etc/ietd.conf

While /etc/ietd.conf is quite large, only the following section needs to be edited to create our storage target.

To create the target, edit the line “Target iqn.2001-04.com.example:storage.disk2.sys1.xyz” to reflect a name of the user's choice. IQN stands for iSCSI Qualified Name and is typically presented in the iqn.YYYY-MM.(reverse domain name) format, optionally followed by a colon and a name that identifies the individual target. I have changed my target line to “Target iqn.2008-02.com.jonesdykstra:storage.disk1”.

Below the target line, there are several “Lun” lines, one per exported disk.


We will edit the “Lun” line to match the information from the “fdisk -l” step above. An example of how this should all look together is:

Target iqn.2008-02.com.jonesdykstra:storage.disk1
Lun 1 Path=/dev/sdb, Type=fileio

If more than one disk or RAID array is to be used for iSCSI storage, then the configuration file would look similar to:

Target iqn.2008-02.com.jonesdykstra:storage.disk1
Lun 1 Path=/dev/sdb, Type=fileio
Lun 2 Path=/dev/sdc, Type=fileio
Lun 5 Path=/dev/sdf, Type=fileio

Save the configuration file and restart the iSCSI target by issuing the following command at the console:

# service iscsi-target restart
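As an added example (not code from the article or from the IET project), a small Python helper that builds the Target/Lun stanza above from a LUN-to-device map, checks that the name follows the IQN format just described, and refuses to export the boot disk (/dev/sda in the example), since handing the OS volume to another host over iSCSI is an easy mistake when copying device names from fdisk -l. The boot_device parameter and the device map are assumptions.

```python
import re

# IQN form described above: iqn.YYYY-MM.<reverse domain>[:<target name>]
IQN_RE = re.compile(r"^iqn\.\d{4}-(0[1-9]|1[0-2])\.[a-z0-9.-]+(:\S+)?$")


def is_valid_iqn(iqn):
    """True if iqn follows the iqn.YYYY-MM.reverse-domain[:name] form."""
    return IQN_RE.match(iqn) is not None


def build_ietd_target(iqn, devices, boot_device="/dev/sda"):
    """Return the Target/Lun stanza for /etc/ietd.conf as a string.

    devices: mapping of LUN number -> block device path, e.g. {1: "/dev/sdb"}.
    boot_device (an assumed parameter) is the disk CentOS is installed on;
    that disk, and any partition on it, is refused rather than exported.
    """
    if not is_valid_iqn(iqn):
        raise ValueError("not an IQN: %s" % iqn)
    for lun in devices:
        if not isinstance(lun, int) or lun < 0:
            raise ValueError("bad LUN number: %r" % (lun,))
    lines = ["Target %s" % iqn]
    for lun in sorted(devices):
        path = devices[lun]
        if path == boot_device or path.startswith(boot_device):
            raise ValueError("refusing to export boot disk %s" % path)
        # Option list written without internal whitespace.
        lines.append("\tLun %d Path=%s,Type=fileio" % (lun, path))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example matching the article's two-disk layout.
    print(build_ietd_target("iqn.2008-02.com.jonesdykstra:storage.disk1",
                            {1: "/dev/sdb", 2: "/dev/sdc"}))
```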

 

3. Set Up The iSCSI Initiator

Now that the iscsi-target is configured and started, an iSCSI initiator must be set up so that other computers can connect to the iSCSI storage. An iSCSI initiator is software that replaces a traditional hardware iSCSI Host Bus Adapter (HBA). Instead of sending SCSI commands over a SCSI cable attached to disks, the iSCSI initiator sends SCSI commands over Ethernet. To install the initiator, use the following command:

# yum install iscsi-initiator-utils

Once the iscsi-initiator service is installed, it needs to be started. To start this service, type the following command at the console:

# service iscsi start

Once the iSCSI service starts, the target must be discovered by the initiator. We use the “iscsiadm” command in the following form to discover the iSCSI target:

# iscsiadm -m discovery -t sendtargets -p <IP address of the iSCSI storage computer>:3260

If an iSCSI target is found, the discovery output lists it. The target name will be whatever was entered when the ietd.conf file was edited. In the example, the command directs the initiator to discover iSCSI targets on the system with the IP address 10.50.100.100, and the iSCSI target daemon on our storage computer responds with the IQN of the target.
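As an added example (not from the article or the open-iscsi project), a parser for sendtargets discovery output that checks the initiator is about to use the target and portal it was configured for, rather than whatever the storage box happens to advertise. The sample output is constructed; the portal group tag and the second target name are assumptions.

```python
import re

# Constructed sample of "iscsiadm -m discovery -t sendtargets" output.
# Each record is "<ip>:<port>,<portal group tag> <iqn>". The tag value 1
# and the second target are assumptions, not values from the article.
SAMPLE_DISCOVERY = """\
10.50.100.100:3260,1 iqn.2008-02.com.jonesdykstra:storage.disk1
10.50.100.100:3260,1 iqn.2008-02.com.jonesdykstra:scratch
"""

RECORD_RE = re.compile(r"^(?P<portal>\S+:\d+),(?P<tpgt>\d+)\s+(?P<iqn>iqn\.\S+)$")


def parse_sendtargets(output):
    """Parse discovery output into a list of (portal, tpgt, iqn) tuples.

    Lines that do not match the record format (error messages, banners)
    are skipped rather than guessed at.
    """
    records = []
    for line in output.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append((m.group("portal"), int(m.group("tpgt")), m.group("iqn")))
    return records


def select_target(output, expected_iqn, expected_portal):
    """Return the record for the target this host is meant to log in to.

    Discovery may list every target the storage computer exports; attaching
    all of them would give this host disks it has no business touching.
    Raise if the expected target is missing or comes from another portal.
    """
    matches = [r for r in parse_sendtargets(output) if r[2] == expected_iqn]
    if not matches:
        raise LookupError("target %s not advertised" % expected_iqn)
    portals = sorted({r[0] for r in matches})
    if portals != [expected_portal]:
        raise LookupError("%s advertised from unexpected portal(s) %s"
                          % (expected_iqn, portals))
    return matches[0]


if __name__ == "__main__":
    print(select_target(SAMPLE_DISCOVERY,
                        "iqn.2008-02.com.jonesdykstra:storage.disk1",
                        "10.50.100.100:3260"))
```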

Now that an iSCSI target has been identified, the iSCSI initiator must be set to start at boot. To do this, type the following command:

# chkconfig iscsi on

After all of these steps are completed, a working iSCSI storage solution is in place. Note that older versions of CentOS will not work with the steps defined above due to changes in the iSCSI initiator software.

To download these instructions in PDF format, use the following link: Affordable iSCSI Storage, Part 1.PDF

Keeping Your Virtual Environment Secure
Written by Brian E. Dykstra   
Monday, 31 March 2008 04:49
I wanted to get my slides out in advance of this Virtualtradeshow so folks could look at them right away. So here is my presentation from the April 3, 2007, Ziff-Davis Enterprise Virtualtradeshow panel Keeping Your Virtual Environment Secure. Enjoy.

Entrepreneur Magazine: Storage Smarts
Written by Brian E. Dykstra   
Saturday, 23 February 2008 04:10

Keith and I were recently featured in the March 2008 edition of Entrepreneur magazine discussing the challenges of data retention and data destruction for small businesses.  The article "Storage Smarts" by Amanda C. Kooser, Entrepreneur's Assistant Technology Editor on page 28 of the magazine is kind of short but has a great picture of us.  I wanted to take this opportunity to expand a little bit on what was covered in the article.

Amanda's article focused on the difficulties and expense that small businesses face when trying to determine how long they have to retain various types of data and how to go about proper destruction of the data when it is no longer needed.  When we get questions like this from our clients I like to point to the 1999 Gramm-Leach-Bliley Act, commonly known as GLB or GLBA, as a model for what to protect and how to properly dispose of it later.  Better yet the GLBA charges the Federal Trade Commission with developing standards for protection and destruction of "personal information".  The FTC defines personal data as:

  • Names
  • Addresses
  • Phone numbers
  • Bank and credit card account numbers
  • Income and credit histories
  • Social Security numbers

While the GLBA and the FTC's Safeguard and Disposal Rules are really intended to address the responsibilities of "financial institutions", I believe they are excellent policies for almost every organization.  The FTC has created clear and concise documentation that is designed with enough flexibility that even the smallest company could implement a safeguard and disposal program without great difficulty or expense.

In paragraph four of the article Amanda asked me how we stored sensitive client data that was no longer being used.  We were specifically discussing the data storage problems associated with long-term storage of large quantities of client data from our e-discovery and computer forensic services.  I know that I come off sounding kind of old school stating "Hard drives fail. If we have to hold data for more than six months, we transfer it to tape."  I know that kind of thinking gets a lot of SAN, NAS and other RAID storage vendors sputtering, but I live in the real world where hardware just inexplicably dies.  The average expected lifetime of a hard disk is 5 years while the expected lifetime of a tape is 30 years.  I don't expect you to take my word for this; I direct your attention to the really smart guys at Google Research and their award-winning paper "Failure Trends in a Large Disk Drive Population", where they go into great detail on how and why hard disks fail.  They also debunk the myth that hard drives fail due to heat or overuse.  One of my other references for hard disk failure is a highly technical paper from the Computer Science Department at Carnegie Mellon University, with the provocative title "Disk failures in the real world: What does an MTTF of 1,000,000 hours mean to you?" (Beware: there is math with Greek characters and Poisson assumptions) where researchers are able to show that the Mean Time To Failure (MTTF) of a hard drive is actually much lower than what drive manufacturers suggest.

On the other hand, tape drives have actually been around since 1951, although they didn't see common use until the IBM System/360 "9 track" tapes arrived in 1964.  I was personally still using the IBM System/360 tapes on military systems as late as 1995 and I'm sure there are still some in use today.  To summarize my point, magnetic data tapes are very survivable, highly portable and with proper care will store large amounts of data for decades.  I know that some people also dismiss tape as being too slow.  For data that needs to be accessed on a regular basis I completely agree that tape is not the ideal storage media.  When we are talking about long-term retention of large amounts of data, the current generation of LTO-4 tapes store 1.2-1.4TB at a transfer rate of 120MB/sec.  In real-world daily use we can typically transfer a little over 100GB of data from SATA II disks to LTO-4 tape in one hour.  Things like hashing, encryption and Write Once Read Many (WORM) can all slow down the tape speed.  The ability to easily do WORM on LTO-4 tape is a big bonus if you are required to be Health Insurance Portability and Accountability Act (HIPAA) compliant.  By simply using WORM tapes in most LTO-4 drives you get a tape that can be read but not altered.  We have found the Exabyte/Tandberg Data external SCSI LTO-4 drives to be easy to use and very reliable.

As for destruction of large amounts of magnetic media, check back for our upcoming paper on the disposal process of over 600 (60TB) pieces of media.  We'll discuss everything from the initial planning through physical shredding of hard disks.

I want to express our thanks to Amanda C. Kooser, Matt Samarin and everyone else at Entrepreneur magazine.