
Finding RAID...

(@subujoseph)
Posts: 51
Trusted Member
Topic starter
 

Dear All…

I have an E01 disk image. On loading it into EnCase it does not show any filesystem (showing as unallocated).

Tried partition recovery, No Luck!

I am guessing this disk might be a part of a RAID array (I could be wrong). Is there any way to identify whether it belongs to a RAID array?

Or is there any way to view the file structure? Any Clues???

Thanks..

 
Posted : 23/10/2014 8:31 pm
(@zul22)
Posts: 53
Trusted Member
 

Maybe only the partition table was damaged.

Have you tried some file carving with photorec, scalpel or foremost?

Then, if you can't find any valid file, the disk may have been secure erased or may have belonged to a RAID-0 or RAID-5.

If you have the possibility to get a copy of a large file that should have belonged to the drive, you could search it using a typical sequence of bytes that it contained and then compare the hexadecimal contents. This could possibly help you to guess some RAID-0 configuration for instance.

 
Posted : 24/10/2014 12:40 am
(@sasha)
Posts: 16
Active Member
 

Find MBR/Boot/Superblock to figure out what file system is used.
If NTFS, it's pretty easy to understand if the drive belonged to a RAID or not - find the MFT (by GREP "FILE0" or hex). Each record has the attribute "MFT Record No"; follow its sequence. If > 150 records follow sequentially, then data isn't sliced and spread across drives (single drive). If the sequence breaks after 1/32/64/128 records (file record = 1kb), then it's part of RAID0/5/6… With Ext it's more tricky.
Here you can find info about MFT record structure and where to find MFT record No attribute.

 
Posted : 24/10/2014 1:10 am
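
The MFT sequence check described in the last reply, as an added example that is not part of the original thread. It assumes a raw export of the image, the NTFS 3.1 record header (record number as a 32-bit value at offset 0x2C) and 1 KB records; the function names and the sample data are constructed for illustration.

```python
import struct
from collections import Counter

RECORD_SIZE = 1024    # "file record = 1kb" in the reply above
SIGNATURE = b"FILE0"  # "FILE" plus the 0x30 update-sequence offset (NTFS 3.1)
RECNO_OFFSET = 0x2C   # assumed position of the 32-bit MFT record number

def mft_runs(image, sector=512):
    """Lengths of runs where record numbers rise by 1 at adjacent 1 KB offsets."""
    runs, run_len, prev_off, prev_no = [], 0, None, None
    for off in range(0, len(image) - RECORD_SIZE + 1, sector):
        if image[off:off + 5] != SIGNATURE:
            continue
        (rec_no,) = struct.unpack_from("<I", image, off + RECNO_OFFSET)
        if prev_off is not None and off == prev_off + RECORD_SIZE and rec_no == prev_no + 1:
            run_len += 1
        else:
            if run_len:
                runs.append(run_len)
            run_len = 1
        prev_off, prev_no = off, rec_no
    if run_len:
        runs.append(run_len)
    return runs

def assess(runs):
    """Apply the thresholds from the reply: >150 sequential, or breaks at 1/32/64/128."""
    if not runs:
        return "no MFT records found"
    if max(runs) > 150:
        return "sequential: looks like a single drive"
    common = Counter(runs).most_common(1)[0][0]
    if common in (1, 32, 64, 128):
        return f"breaks every {common} records: possible RAID member"
    return "inconclusive"

def make_record(n):
    """Constructed test record: signature and record number only."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 4, 0x30)
    struct.pack_into("<I", rec, RECNO_OFFSET, n)
    return bytes(rec)

# Constructed samples: one sequential MFT, one member of a 64-record stripe set.
single = b"".join(make_record(n) for n in range(200))
member = b"".join(make_record(s * 128 + i) for s in range(3) for i in range(64))
print(assess(mft_runs(single)), "|", assess(mft_runs(member)))
```

For a real image, pass an `mmap` of the raw file instead of a bytes object. A fragmented MFT also breaks the sequence on a single drive, so read the dominant run length as a hint rather than proof.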