CEFS Test Instructions

This document is for CEFS version 1.0.8

System requirements

Server

Operating System

Ubuntu Server 20.10 (64-bit only)

Hardware OR Virtual Machine

  • CPU 2.0GHz dual core x86_64

  • RAM 4GB RAM (8GB recommend)

  • DISK 40GB for root and 100GB for data mounted at /srv/cefs

Windows Network (Optional)

Prerequisites

It is recommended that you install Samba on the server using:

apt install samba

You can use CEFS with Windows in a variety of ways. There are many possible configurations; choose the one that works for your particular use case.

Using CEFS as a Simple Network Share (Windows Workgroup)

Please make sure that a share drive is available over NFS or Samba.

Active Directory

When connecting to the CEFS server via SMB or NFSv4, make sure that the CEFS server is configured as a domain member.

Installation & Tests

Install

  1. Install CEFS as described in CEFS Installation.

  2. Set the environment variables to point to the CEFS partition and mount directory.

    export CEFS_PARTITION=/dev/sdb1 CEFS_MOUNTDIR=/srv/cefs
    
  3. [OPTIONAL] Grab test data from https://saf.ai/downloads/beta/test-data

    Now let’s create, destroy, recover, and analyze!

Create

  1. On the client side, navigate to the CEFS directory.

    cd ${CEFS_MOUNTDIR}
    
  2. Copy or extract the test data in the directory. For example, if you grabbed 200.zip from https://saf.ai/downloads/beta/test-data, you can unzip it in the CEFS directory.

    unzip 200.zip
    
  3. Once your data has finished copying over, go to your CEFS server and list your recovery points using the following command:

    cefs recover ${CEFS_MOUNTDIR} show
    

    This should look something like the following:

    [image: cefs-recover-show.png]

    Important

    You will notice that as the data copies in, CEFS automatically creates various points of interest and identifies them as sāf or dirty points. These recovery points can be made into backups or permanent recovery points by manually recovering them.

  4. To rescue your data from peril, simply command CEFS to recover your mounted directory and your data will be recovered. Manual access is also available if a more granular approach is necessary.

    1. Automatically and immediately recover your data.

      cefs recover ${CEFS_MOUNTDIR} now
      
    2. Manually set up sāf points and recover from them.

      cefs recover ${CEFS_MOUNTDIR} memory ${RECOVERY_ID}
      cefs recover ${CEFS_MOUNTDIR} from --id ${RECOVERY_ID}
      
    3. Set up a schedule based on time or number of recovery points done.

      Warning

      TODO: how to convert a checkpoint into a sāf point via schedule

Destroy

Method 1:

  1. Manually delete your files

  2. Verify files are not available

Method 2:

  1. Install the ransomware of your choice, or download and install it from: https://github.com/safai-labs/Python-Ransomware.git

    Warning

    Procuring ransomware can be dangerous, only use trusted sources!

  2. Verify that your files are no longer accessible.

Recover

  1. Run a recovery in dry-run mode to see what will be rescued, and from which point:

    cefs recover ${CEFS_MOUNTDIR} now --dry-run -v
    
  2. Run the recover command:

    cefs recover ${CEFS_MOUNTDIR} now
    
  3. Your clean data is now available in the mounted directory!

    This should look something like the following:

    [image: cefs-recover-now-dry.png] [image: cefs-recover-now.png]

    Important

    Notice that not only your data but also your permissions and settings have been restored.

Analyze

  1. You can open the files of a created recovery point and inspect how your data looked at that point in time.

  2. You can also compare the pre-attack and post-attack data to determine which files were targeted.

  3. You will notice that the restored data has no traces of the payload. Restoring your data with sāf.ai is like turning back the clock: it does not fix the damaged data, it simply removes it from production and gives you back your healthy data.
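To make the comparison in steps 2 and 3 (and the permissions claim under Recover) verifiable rather than visual, the following added script, which is not part of the CEFS documentation, records a manifest of every file's mode, owner and SHA-256 before the Destroy step and diffs it against the tree after `cefs recover ${CEFS_MOUNTDIR} now`. It assumes GNU coreutils (sha256sum, stat -c) as shipped with Ubuntu Server, and filenames without newlines.

```shell
#!/bin/sh
# Added example, not CEFS project code. Manifest-based verification of a
# CEFS recovery: data, mode and ownership must all match the pre-attack state.
# Assumes GNU coreutils (sha256sum, stat -c); filenames must not contain newlines.

# cefs_manifest DIR OUT: one line per regular file under DIR, sorted, as
#   <relative path> TAB <mode owner:group> TAB <sha256 of contents>
cefs_manifest() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do
            printf '%s\t%s\t%s\n' "$f" "$(stat -c '%a %U:%G' "$f")" \
                "$(sha256sum "$f" | cut -d' ' -f1)"
        done ) > "$out"
}

# cefs_manifest_diff BEFORE AFTER: return 0 when the manifests are identical.
# Otherwise print each entry that is missing or changed ('expected:' is the
# pre-attack state, 'found:' is what the tree holds now) and return 1.
cefs_manifest_diff() {
    before="$1"; after="$2"
    if out=$(diff "$before" "$after"); then
        return 0
    fi
    printf '%s\n' "$out" | sed -n 's/^< /expected: /p; s/^> /found:    /p'
    return 1
}

# Intended use in the test flow (CEFS_MOUNTDIR as exported during Install):
#   after Create step 3:            cefs_manifest "$CEFS_MOUNTDIR" /tmp/before.tsv
#   after Destroy, before Recover:  cefs_manifest "$CEFS_MOUNTDIR" /tmp/damaged.tsv
#   after "cefs recover ... now":   cefs_manifest "$CEFS_MOUNTDIR" /tmp/after.tsv
#   which files were hit:           cefs_manifest_diff /tmp/before.tsv /tmp/damaged.tsv
#   restore is complete:            cefs_manifest_diff /tmp/before.tsv /tmp/after.tsv
```

An exit status of 0 from the final diff means every file came back with identical contents, mode and ownership; a non-zero status lists exactly what still differs.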