±Forensic Focus Partners
|New Today: 0||Overall: 29198|
|New Yesterday: 1||Visitors: 55|
· SADFE 2015 – Malaga 30th September – 2nd October
· Countering Anti-Forensic Efforts – Part 2
· Windows 8 Touch Keyboard Forensics
· Countering Anti-Forensic Efforts – Part 1
· Linux Timestamps, Oh boy!
· Standard Processes in Windows 10
· NAS Forensics Explained
· Project Spartan Forensics
· FT Cyber Security Summit Europe – London 22nd September
I obtained four (4) 500gb hard drives that were seized from a Mac Pro tower computer. The RAID configuration was not obtained when the hard drives were seized.
I made exact forensic images (E01) of each of the drives and placed the images in separate folders on its own 1.5tb external hard drive. (i.e. "Mac Drive 1 of 4", "Mac Drive 2 of 4") All the imaged were successful and hashes were verified!
Using EnCase v6.19.7 I brought each of the images into the same case file (drive 1 through 4). After bringing in the separate E01's into the same case file I wait for EnCase to finish its verification.
I then navigate to the "devices" tab in EnCase and see the four (4) separate drives here. From what I read and reviewed in an EnCase book/manual I now right mouse click the first drive and click "edit disk configuration" from here I add a new component (the first drive of the four) and now I have to choose a Disk Configuration (remembering that the RAID configuration wasn't obtained at time of seizure) and a Stripe Size. From reviewing a Mac Forensics book I found that the default stripe size is 32KB and the configuration is a mirror or RAID 1.
Using a Mirror Configuration I would obviously need to add another component device, and wouldn't be able to choose the Stripe Size with this option. With this information I choose to set each of the four separate drives to a configuration of "Stripe" with a stripe size of 32KB.
Now... navigating back to the "entries" tab in EnCase I now see the four (4) Stripes underneath the original four drives.
Under the first Stripe I see a "C" drive containing a "EFI" folder which had apple extensions and firmware folders within it. "1 Apple_RAID_OfflineV2_Untitled_2" drive being empty, and a "D" drive containing a Boot OSX folder with the private directory within it, trashes, and system folder (the system folder contains a library folder which is empty).
Under the second stripe there is the same drives as stripe one, but only the "D" drive contains any data (the data within "D" is the same as stripe one)
The last two stripes contain a "Backup2" and "Backup3" and "lost files".. The "backup2" contains a lot of data that I am still going through..
After my very long post here (if your still with me) I guess my question is, does anyone know of a way I should/can configure these drives another way? I am not getting any "root" that I should be seeing or "users" that would be under a root.
Thanks for your time! (I hope this is thorough enough)
The most likely configuration would be RAID-5.
You need to find out if the user knows what the original drive capacity was.
RAID-5 would probably be 1.5TB
RAID-1 for a pair of drives would be 500GB
RAID-0 would be 1TB for the 4 drives.
If you can find the Mac partition header sector (It starts with the string H+) this will give the partition size. A typical logical location for this sector is 0x6402a
For RAID-5, you need to determine the stripe size and the pattern and disk order. This may be a case of trial and error. Some RAID configurations start with RAID-1 then go to RAID-5
- Senior Member
See this Apple developer article for info about Apple software RAIDs: support.apple.com/kb/HT2559
With as many disks as you have I would doubt all four disks are set to either a RAID 0 (2tb of disk size without redundancy and several points of failure). I also doubt you would have two separate RAID 1 volumes (two 500Gb volumes using the mirrored disks). Additionally as said before, mirrored disks are readable without rebuilding a RAID and it sounds as though you aren't in that situation. So RAID 0 is a small possibility and it sounds RAID 1 is not a possibility at all.
You are left with a possible concatenated RAID depending upon the version of OSX being used or a hardware RAID. The hardware RAID could be literally anything the hardware RAID controller can support (0,1,5,6,10,50,60,etc).
You need to take in to account what the Mac was being used for an by whom. This may help you decide on what type of RAID was being used.
Do you have access to the Mac still? If so, check for a hardware RAID controller. You could always DD the original evidence to new drives and plug the cloned drives in the Mac. Look at Disk Utility to rebuild the RAID and see what it tells you.
I am guessing that in your "Lost Files" directory you are seeing a lot of files called "hard links"? This is the prime indicator that EnCase has not parsed your file system correctly. It also does this for certain EXT file systems (at least 4 off the top of my head).
Your only recourse, as far as I know, is to use a different forensic tool. I have requested support for this from GSI, but sadly they don't see it as a "bug" and aren't going to incorporate it in EnCase v6. The stock answer is to move to v7.
I could go on a rant about this, but it's not really relevant to your problem
- Senior Member
OK, here's the tool: Diskinternals RAID Recovery (www.diskinternals.com). When you launch the tool, you will be prompted to select physical devices comprising the array (I guess you will be able to do so by mounting each image you captured to appear as a drive letter; if not, you may need to physically connect all the disks to the computer). The tool will then analyze the disks and re-assemble them into a working array. This array will then be mounted as a new drive letter (or several drive letters if there are multiple partitions available). Please note that the tool runs in Windows; although it does support HFS, you'll be better off by simply imaging the new "drive" with any tool (e.g. EnCase), and then performing an analysis.
Digital Evidence Extraction Software
- Senior Member