We make a ShadowProtect image of absolutely every system and server that comes through our shop, or any system we touch while on-site.
In the case of our clients, the on-site servers are already running ShadowProtect.
For SBS 2008, we run the built-in SBS backup right before we touch the box.
Imaging or backing up the box before touching it is an absolute must.
This process is especially critical for stranger systems and networks where we have been called in to clean things up or make things right.
When it comes to the stranger situations, there are just too many unknowns to walk in and begin cleaning up without a fallback.
We can never know if the folks in there before us had data stashed in an unorthodox location, had users remote into the server to use their QuickBooks but the QB files were on a workstation, had data on the local workstations shared out to other users, and so much more.
We can never take things for granted when it comes to working with client data. One error, and it is game over for our company, or there will be a need for full restitution.
A ShadowProtect I.T. Edition license is required for use with client systems.
Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book
*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)
4 comments:
How long on average does it take to make these images before working on systems? Do you typically start the process before heading on-site?
Gantry,
For existing clients, an incremental image will take all of 10-15 minutes or a bit more depending on the volume of data and the roles on the server.
For new clients, we will either have them plug in a USB HDD and allow us remote access to install and configure ShadowProtect to run the night before (~30-60 minutes), or we will pop by with a drive at the end of the work day, install it and SP, reboot, and set up SP to run with a full backup and then incrementals.
When we explain what we are doing and why what we are doing gives us complete confidence moving forward, we have yet to have a prospective/new client say no to the extra time.
Either way, we end up in a position where all that is needed is a quick incremental to get going.
Thanks for the comment,
Philip
The super paranoid (or forensically minded) create an image, then work on the image, leaving the original intact.
Even imaging software has bugs, or worse, non-intuitive configuration options.
Chris,
True enough. And a good pointer for those situations where we may restore the image once we have finished the work we need to do.
On the forensic subject, what do you do to analyze a production system memory dump?
Philip