far fucking out, man. that timing. it's certainly suspicious.
thoughts:
- if the narrative being presented is 'oh, the drive failed so we gotta hot swap', whether or not they mirrored the original would not have impacted that timeline... is there forensic evidence in, like, dmesg indicating that a third drive was introduced to the system at some point and went away after a period of time attributable to a full-drive dd?
- an obvious point perhaps, but this is why we use RAID + striping; grab a drive, you get nada.
- did the .ro provider have root on the hypervisor OS? if so, the keys to your kingdom are in those memory images, and those get wiped when the machine loses power... suggesting this wasn't an attempt to grab data, or that the belligerent parties were fantastically incompetent. i mean, if you're going to compromise a client's host for profit, ok sure, you might have to boot into single-user mode, but why bother mirroring a drive when you can install a thin backdoor, wait a few hours for RAM to gather significant passwords, then log in via the backdoor and Bob's your uncle.
- wow
- geçmiş olsun, my friend. what a huge pain in the ass this must have been. hopefully your troubles are behind you.
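As an added illustration of the dmesg check suggested in the third bullet (example code, not from the post or anyone in the thread): it parses kernel attach/detach messages for SCSI disks, finds any disk that appeared and later vanished, and asks whether that dwell time is long enough to have held a full-drive dd. The log lines are constructed, the "sd H:C:T:L: [sdX] ..." message shapes and the 80-250 MiB/s throughput band are assumptions.

```python
import re

# Constructed dmesg-style excerpt (not real evidence). Timestamps are seconds since boot,
# the usual kernel format; sda/sdb are the host's own disks, sdc is the stranger.
SAMPLE_DMESG = """\
[ 1200.101] sd 0:0:0:0: [sda] Attached SCSI disk
[ 1200.105] sd 1:0:0:0: [sdb] Attached SCSI disk
[ 4300.512] usb 2-1: new high-speed USB device number 3 using xhci_hcd
[ 4302.900] sd 6:0:0:0: [sdc] 3907029168 512-byte logical blocks: (2.00 TB/1.82 TiB)
[ 4303.001] sd 6:0:0:0: [sdc] Attached SCSI disk
[ 19850.230] sd 6:0:0:0: [sdc] Synchronizing SCSI cache
[ 19850.240] usb 2-1: USB disconnect, device number 3
"""

# Assumed message shapes: "Attached SCSI disk" on hotplug, "Synchronizing SCSI cache" on removal.
ATTACH = re.compile(r"^\[\s*(?P<ts>[\d.]+)\] sd [\d:]+: \[(?P<dev>sd[a-z]+)\] Attached SCSI disk")
DETACH = re.compile(r"^\[\s*(?P<ts>[\d.]+)\] sd [\d:]+: \[(?P<dev>sd[a-z]+)\] Synchronizing SCSI cache")


def device_windows(dmesg_text):
    """Map each sdX seen in the log to (attach_seconds, detach_seconds_or_None)."""
    windows = {}
    for line in dmesg_text.splitlines():
        m = ATTACH.match(line)
        if m:
            windows[m["dev"]] = [float(m["ts"]), None]
            continue
        m = DETACH.match(line)
        if m and m["dev"] in windows:
            windows[m["dev"]][1] = float(m["ts"])
    return {dev: tuple(w) for dev, w in windows.items()}


def transient_devices(dmesg_text, expected=("sda", "sdb")):
    """Disks that came and went, ignoring the disks the host is known to own."""
    return {dev: w for dev, w in device_windows(dmesg_text).items()
            if dev not in expected and w[1] is not None}


def could_be_full_copy(window, source_bytes, min_mibps=80, max_mibps=250):
    """True when the dwell time could fit a full sequential copy of source_bytes
    at the assumed throughput band (a fast copy needs at least source/max seconds)."""
    attach, detach = window
    dwell = detach - attach
    fastest = source_bytes / (max_mibps * 1024 ** 2)
    slowest = source_bytes / (min_mibps * 1024 ** 2)
    return fastest <= dwell <= slowest * 1.5  # slack above the slow estimate for a sluggish link
```

The dmesg ring buffer does not survive the power loss mentioned above, so in practice this has to run against a persistent kernel log (journald with `journalctl -k`, or syslog) rather than live dmesg.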