Macrium Reflect Pro --- Backup ??'s

Discussion in 'backup, imaging & disk mgmt' started by Palancar, Oct 20, 2016.

  1. Palancar, Registered Member (Joined: Oct 26, 2011; Posts: 2,402)

    I don't post in this forum too often. I am very comfortable with backups and restores but yesterday I ran into something new and thought I would ask here.

    I am using my subscribed and updated MR Pro version 5. Further, I am using a bootable USB with USB3 drivers all included in the build. I have not updated to version 6 and don't have plans to do so. MR Pro performs flawlessly and I have done tons of sector images of my Linux partitions in the past. My restores, which I have done dozens of times, are also flawless. Usually I fully encrypt my Linux partitions. However, this time I built a machine for a family member with a custom install. I did not encrypt the disk. The disk was partitioned (Gparted) by me to GPT alignment (not MBR) and set up to use UEFI on the machine. I created the following partitions:

    1. 200 meg FAT32 - EFI and boot flags set

    2. /home formatted to EXT4

    3. / root formatted to EXT4

    4. swap

    I proceeded with the install and it runs perfectly. Slick, fast, professional configuration but no encryption. This is a general family computer setup with kids using it so encryption is not needed.

    After going through the setup time I wanted to back up the entire system to make a full restore "one click" so to speak. I inserted my MR recovery USB flash with the computer "cold" and fired it up. Loaded fine, recovery environment is now up and running in RAM. Then I configured MR to do a sector based (not intelligent copy) image of the above noted partitions. I set my parameters (password, VERIFY, etc...) as desired and watched it do its thing. I spun out two backups --- one to a large NTFS partition on the same sata, but outside the scope of area being imaged. Second, to a 2TB external drive in case the sata goes bad. Both backups ran and took almost exactly the same time. Just over an hour using usb3, which is why I use MR Pro instead of dd. USB3 is not supported by dd. So, an hour to write out and fully VERIFY about 100 Gig on USB3 is about right. I have done this with encrypted LUKS partitions too many times to count.

    A turn though:

    The output file is around 5-6 Gig?? I had the compression parameter set, but that seems way beyond compression to me. I watched MR Pro do the full VERIFY during the hour long process. I pretty much assume that MR doesn't know EXT4 but that is why I selected sector (forensic level) imaging. I figure that like with my LUKS partitions if MR writes back the exact sector by sector bytes it will work perfectly. I get exact size to size imaging when I do this using an encrypted LUKS setup.

    Of course an "acid test" would give me the answer I am looking for but the computer is already in use and not in my house any longer. Would MR somehow have made an intelligent copy of my Linux system? I looked through the gnome disk editor and sort of added up the space being used in total over those partitions. If I shrink the size just a bit to compensate for "compression" then the saved file size makes sense to me. I am absolutely CERTAIN I configured MR to make a sector image and not an intelligent copy.

    Trying to learn here. What exactly did MR Pro save and verify ----- two times by the way - with the same output file both times. Do I have a backup??

    If not, I either have to encrypt the linux partitions (new setup) to use MR still, or endure the slower process of dd'ing the system. 100 Gig is not that large so dd is doable.
     
  2. TheRollbackFrog, Imaging Specialist (Joined: Mar 1, 2011; Posts: 4,915; Location: The Pond - USA)

    Palancar, you didn't say what kind of disk (HDD/SSD) you were imaging, and I believe Reflect v5 does know about EXT4 partitions without having to use Forensic imaging mode.

    Also, can you see how much USED SPACE is actually being used on the partitions?
     
  3. Palancar, Registered Member (Joined: Oct 26, 2011; Posts: 2,402)

    Thanks for the follow up. I'll examine the backup on my 2TB external when I get home later. I should have addressed this while I still had the physical machine here. I can go over, but if I determine the backup is OK I'd rather not.

    BTW ------ > it's an HDD (1TB WD 7200 rpm). The computer is very basic homeowner stuff so a high end SSD didn't make sense. This reads at a whopping 6 Gps. LOL!!

    IF Reflect Pro v5 can adequately read EXT4 that would make things super easy on this end. I don't know if you use linux AND Reflect on your gear? Obviously I am referring to running recovery in RAM and then imaging the entire Linux system (all partitions).

    It sounds like you believe I could just run an intelligent copy of the Linux partitions (all of them), and then restore just as easily.

    Space wise: I remember what gnome disk editor displayed for used space on the partitions. I'll compare what Reflect shows me when I open the backup. I'll report back with those details.

    Is there anyone reading along here that is backing up ANY EXT4 stuff using Reflect Pro??
     
  4. Palancar, Registered Member (Joined: Oct 26, 2011; Posts: 2,402)

    Found this post/answer from Reflect's old v5 forum:

    http://support.macrium.com/topic.asp?TOPIC_ID=5508

    paste:

    Macrium Reflect when running under Windows includes support for ext2/ext3/ext4 file systems. You can safely back up these file systems when running under Windows. Restoration is limited to image files, you cannot mount and selectively restore items from an ext2/ext3/ext4 file system image file.

    end paste.

    The explanation makes it clear that WHILE running Windows it does support ext4. When my Reflect recovery USB flash was made (using Win 10 and Reflect) it obviously created a Win PE environment. I have never created a linux recovery version using Reflect. Glad I went the PE route!! Looks like I am good to go on doing intelligent copy of that Linux system. The only drawback is you cannot open and selectively restore a single file. It's great for a system wide restore, which is all I need on this project.

    I totally love Reflect Pro for backing up all my stuff. Those well designed USB3 drivers are just so much faster than dd when you are spinning out 500 Gig or so at a time. My personal gear is all encrypted so I have to do forensic imaging. This simple little home project only came up because I am "that guy" in the family. Lucky me!!
     
  5. TheRollbackFrog, Imaging Specialist (Joined: Mar 1, 2011; Posts: 4,915; Location: The Pond - USA)

    Indeed you are good to go, especially since you have a WinPE10 Recovery Media already built... no more forensic images (and, hopefully, much smaller partition images).
     
  6. Palancar, Registered Member (Joined: Oct 26, 2011; Posts: 2,402)

    I wish that was totally the case for me. Due to my hobby ALL my gear is 100% encrypted Linux. So on my stuff it's forensic all the way for backups. They work great and as mentioned numerous times on this thread, the usb3 drivers really help out. MR Pro might have been the best money I ever spent. LOL!!

    However, you are correct about this one little project.

    Thanks again.
     
  7. TheRollbackFrog, Imaging Specialist (Joined: Mar 1, 2011; Posts: 4,915; Location: The Pond - USA)

    You just might wanna see what "standard" imaging of your encrypted EXT4 partitions does... if the FileSystem itself (not the file content) is open and unencumbered, it just may work. Forgive me... I'm a Linux yet-to-be-newbie in this area so I really don't know what "encryption" means when it comes to EXT4 partitions.
     
  8. Palancar, Registered Member (Joined: Oct 26, 2011; Posts: 2,402)

    So my linux encryption goes like this. Before starting, the disk space is wiped extremely clean and ALL sectors are "noise filled" so there is gibberish in all space. Next I form what in linux is called a LUKS encrypted container that sits over the entire partition. Therefore no filesystem or anything within the partition is visible until the crypt is opened. A LUKS header occupies around 2 meg at the header end of the partition, which reveals lots about how it's built, but no filesystem or content clues at all. Now we use cryptsetup to open the volume and then insert the Linux OS inside, and in my case I use LVM within the LUKS container. This is called LVM on LUKS in the linux world.

    When it comes to backups of such a system there is NO access to anything when it's all cold. Using a RAM recovery environment you must therefore write out a sector based clone/image. No software can interpret anything during creation of the backup. If done properly an examiner/adversary cannot determine whether or not the LUKS container is completely full or maybe 10% used or whatever. In fact when closed you don't know if the container is an archive, or an OS, etc....

    Hope this gave you a steer about the basics.
     
  9. TheRollbackFrog, Imaging Specialist (Joined: Mar 1, 2011; Posts: 4,915; Location: The Pond - USA)

    Thanks much for the explanation above!
    I'm not really sure what the purpose of the above step is, but if the space is ZERO (or ONE) filled, the compression algorithm for a forensic image should really reduce the size of that image unless the partition is quite filled up with DATA.
     
  10. Palancar, Registered Member (Joined: Oct 26, 2011; Posts: 2,402)

    NOPE

    This is a very forensically crucial step. In general the purpose of this step is to obfuscate or eliminate any possible way for an examiner/adversary to know where your data stops and "noise filling" starts. e.g. - If I plan to use a Serpent algo on my LUKS container, then I will randomly fill (completely) the partition using a Serpent based randomizer tool. Utilizing this method in theory it is impossible to draw a contrast between any data OR even a totally "noise filled" partition (other than the giveaway header). Of course over-passing the bytes (maybe a couple of times if the disk platter is really sensitively dirty) is also a good play. Once again, this leaves such a highly encrypted disk platter that only a forensic level snapshot assures a clean restore. Funny, because just 20 minutes ago I had to restore a 120 Gig partition due to my experimenting with VirtualBox code, which blew away the stability of my machine. I would have been frustrated but with my ongoing slick backups and the convenience of Reflect Pro, writing back 120 Gig using usb3 takes about 15-20 minutes or so. My restores absolutely do NOT fail using this method.
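
Added example, not part of the thread or any poster's code: a Python sketch of the two points made in posts 8 to 10, that the LUKS header is readable in the clear while the payload is not, and that noise-filled space does not compress in a sector image while never-written (zero) space does. It assumes the LUKS1 on-disk header layout; the function names and both sample images are constructed for illustration.

```python
import os
import struct
import zlib

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"
# Start of the LUKS1 header: magic, version, cipher-name, cipher-mode,
# hash-spec, payload-offset (in sectors), key-bytes. All big-endian.
PHDR = struct.Struct(">6sH32s32s32sII")

def parse_luks1_header(buf):
    """Return the plaintext LUKS1 header fields, or None without the magic."""
    if len(buf) < PHDR.size or not buf.startswith(LUKS_MAGIC):
        return None
    _, ver, name, mode, hsh, payload, key_bytes = PHDR.unpack_from(buf)
    txt = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"version": ver, "cipher": txt(name), "mode": txt(mode),
            "hash": txt(hsh), "payload_offset": payload * SECTOR,
            "key_bits": key_bytes * 8}

def compressed_fraction(data, chunk=1 << 20):
    """Compressed size divided by raw size, deflating 1 MiB at a time."""
    if not data:
        return 1.0
    packed = sum(len(zlib.compress(data[i:i + chunk]))
                 for i in range(0, len(data), chunk))
    return packed / len(data)

def inspect_image(image):
    """Report the LUKS header (if any) and how well the payload compresses."""
    hdr = parse_luks1_header(image)
    body = image[hdr["payload_offset"]:] if hdr else image
    return hdr, compressed_fraction(body)

def sample_luks_image():
    """Constructed sample: LUKS1 header, 2 MiB header area, noise payload."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"serpent", b"xts-plain64", b"sha512",
                    4096, 64)
    return hdr.ljust(4096 * SECTOR, b"\0") + os.urandom(2 << 20)

def sample_plain_image():
    """Constructed sample: 256 KiB of used blocks, then never-written zeros."""
    return os.urandom(256 << 10) + bytes(4 << 20)

if __name__ == "__main__":
    for name, img in (("luks", sample_luks_image()),
                      ("plain", sample_plain_image())):
        hdr, frac = inspect_image(img)
        print(name, hdr, f"compresses to {frac:.1%} of raw size")
```

The noise-filled payload stays at roughly its raw size after compression, while the mostly empty unencrypted sample shrinks to a small fraction of it.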
     