CEFS Test Instructions

This document is for CEFS version 2.0.0-beta+1000

System requirements

Server

Operating System

Ubuntu Server 20.10 (64-bit only)

Hardware OR Virtual Machine

  • CPU 2.0GHz dual core x86_64

  • RAM 4GB (8GB recommended)

  • DISK 40GB for root and 100 GB for data mounted at /srv/cefs

Windows Network (Optional)

Prerequisites

We recommend installing Samba on the server using:

apt install samba

You can use CEFS with Windows in a variety of ways. There are many configurations; please choose the one that fits your particular use case.

Using CEFS as a Simple Network Share (Windows Workgroup)

Please make sure that a share drive is available over NFS or Samba.

Active Directory

When connecting to the CEFS server via SMB or NFSv4, please make sure that the CEFS server is configured to be a domain member.

Installation & Tests

Install

  1. Install CEFS as per CEFS Installation.

  2. Set the environment variables to point to the CEFS partition and mount directory.

    export CEFS_PARTITION=/dev/sdb1 CEFS_MOUNTDIR=/srv/cefs
    
  3. [OPTIONAL] Grab test data from https://saf.ai/downloads/beta/test-data

    Now let’s create, destroy, recover, and analyze!

Create

  1. On the client side, navigate to the CEFS directory.

    cd ${CEFS_MOUNTDIR}
    
  2. Copy or extract the test data in the directory. For example, if you grabbed 200.zip from https://saf.ai/downloads/beta/test-data, you can unzip it in the CEFS directory.

    unzip 200.zip
    
  3. Once your data is finished copying over, look at your CEFS server and list your recovery points using the below command:

    cefs recover list ${CEFS_PARTITION}
    

    This should look something like the following:

    [Screenshot: cefs-recover-list.png]

    Important

    You will notice that as the data copies in, the CEFS AI creates various recovery points. You will also notice that the recovery points are marked as transient. These recovery points can be made into backups or permanent recovery points by recovering them.

  4. To make a recovery point available, you will need to turn a transient recovery point into a permanent recovery point. There are three ways in which you can use this capability:

    1. Set up a schedule based on time or number of recovery points done.

      Warning

      TODO: how to convert a checkpoint into a backup via schedule

    2. Manually set backup points based on important events.

      cefs recover ${CEFS_PARTITION} ${RECOVERY_ID}
      
    3. Ask CEFS to set backup based on what it deems to be a major event.

      Warning

      TODO: how to set up conversion of a checkpoint into a backup AI intervention.

Destroy

Method 1:

  1. Manually delete your files

  2. Verify files are not available

Method 2:

  1. Install ransomware of choice. Or download and install ours from ……

    Warning

    Procuring ransomware can be dangerous; only use trusted sources!

  2. Verify that your files are no longer accessible.

Recover

  1. Go into your CEFS server.

  2. List your recovery points:

    cefs recover list ${CEFS_PARTITION}
    
  3. Choose a recovery point based on the recovery id.

  4. Run recover command:

    cefs recover ${CEFS_PARTITION} ${RECOVERY_ID}
    
  5. A directory gets created with your recovered files and the recover command will display the path. Navigate to the directory to check the data. You can prefix the command with cd and surround the recover command with $() to navigate there quickly like so:

    cd "$(cefs recover memory ${CEFS_PARTITION} ${RECOVERY_ID})"
    

    This should look something like the following:

    [Screenshot: cefs-recover-cd.png]

  6. Copy over what you wish to restore to “production”.

    Important

    Notice that not only your data has been restored, but also your permissions and settings.

Analyze

  1. You may go into your created recovery point files and analyze how your data looks at a certain point in time.

  2. You may also compare the differences between pre- and post-attack data to determine what files were being targeted.

  3. You will notice that the restored data has no traces of the payload. Restoring your data with sāf.ai is like turning back the clock. It does not fix the damaged data; it simply removes it from production and gives you back your healthy data.
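
One way to do the comparison in step 2, as an added example that is not part of CEFS or the original instructions: it hashes every file in the recovered directory and in production and reports which files are missing, modified or added. The directory arguments and the sample trees in demo are assumptions; pass the path printed by cefs recover and your production directory.

```sh
#!/bin/sh
# Added example (not part of CEFS): list what differs between a recovered
# (pre-attack) tree and the production (post-attack) tree.
# Assumes GNU coreutils sha256sum, as shipped with Ubuntu.

# Print "<sha256>  <relative path>" for every regular file under $1.
manifest() {
  ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# compare_trees RECOVERED PRODUCTION
# One line per differing file: MISSING (gone from production), MODIFIED
# (content changed) or ADDED (new in production, e.g. a renamed copy).
compare_trees() (
  before=$(mktemp) after=$(mktemp)
  manifest "$1" > "$before"
  manifest "$2" > "$after"
  awk '
    { path = substr($0, 67) }                  # skip 64 hex chars + 2 spaces
    FILENAME == ARGV[1] { pre[path] = $1; next }
    { seen[path] = 1
      if (!(path in pre))       print "ADDED    " path
      else if (pre[path] != $1) print "MODIFIED " path }
    END { for (p in pre) if (!(p in seen)) print "MISSING  " p }
  ' "$before" "$after" | sort
  rm -f "$before" "$after"
)

# Constructed sample trees (not real CEFS output) covering all three cases.
demo() (
  d=$(mktemp -d)
  mkdir "$d/recovered" "$d/production"
  printf 'report\n' > "$d/recovered/a.txt"; cp "$d/recovered/a.txt" "$d/production/"
  printf 'ledger\n' > "$d/recovered/b.txt"; printf 'scrambled\n' > "$d/production/b.txt"
  printf 'notes\n' > "$d/recovered/c.txt"; printf 'scrambled\n' > "$d/production/c.txt.locked"
  compare_trees "$d/recovered" "$d/production"
  rm -rf "$d"
)

# Usage: script RECOVERED_DIR PRODUCTION_DIR; with no arguments, run the demo.
if [ "$#" -eq 2 ]; then compare_trees "$1" "$2"; else demo; fi
```

A file that shows up as MISSING next to an ADDED file with the same base name and a new extension was most likely rewritten and renamed rather than deleted.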