Notifications
Clear all

MacPro RAID

5 Posts
5 Users
0 Likes
776 Views
(@sverronneau)
Posts: 1
New Member
Topic starter
 

Good Morning everyone,

I obtained four (4) 500gb hard drives that were seized from a Mac Pro tower computer. The RAID configuration was not obtained when the hard drives were seized.

I made exact forensic images (E01) of each of the drives and placed the images in separate folders on its own 1.5tb external hard drive. (i.e. "Mac Drive 1 of 4", "Mac Drive 2 of 4") All the imaged were successful and hashes were verified!

Using EnCase v6.19.7 I brought each of the images into the same case file (drive 1 through 4). After bringing in the separate E01's into the same case file I wait for EnCase to finish its verification.

I then navigate to the "devices" tab in EnCase and see the four (4) separate drives here. From what I read and reviewed in an EnCase book/manual I now right mouse click the first drive and click "edit disk configuration" from here I add a new component (the first drive of the four) and now I have to choose a Disk Configuration (remembering that the RAID configuration wasn't obtained at time of seizure) and a Stripe Size. From reviewing a Mac Forensics book I found that the default stripe size is 32KB and the configuration is a mirror or RAID 1.

Using a Mirror Configuration I would obviously need to add another component device, and wouldn't be able to choose the Stripe Size with this option. With this information I choose to set each of the four separate drives to a configuration of "Stripe" with a stripe size of 32KB.

Now… navigating back to the "entries" tab in EnCase I now see the four (4) Stripes underneath the original four drives.

Under the first Stripe I see a "C" drive containing a "EFI" folder which had apple extensions and firmware folders within it. "1 Apple_RAID_OfflineV2_Untitled_2" drive being empty, and a "D" drive containing a Boot OSX folder with the private directory within it, trashes, and system folder (the system folder contains a library folder which is empty).

Under the second stripe there is the same drives as stripe one, but only the "D" drive contains any data (the data within "D" is the same as stripe one)

The last two stripes contain a "Backup2" and "Backup3" and "lost files".. The "backup2" contains a lot of data that I am still going through..

After my very long post here (if your still with me) I guess my question is, does anyone know of a way I should/can configure these drives another way? I am not getting any "root" that I should be seeing or "users" that would be under a root.

Thanks for your time! (I hope this is thorough enough)

 
Posted : 22/02/2013 9:04 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

If the disks were RAID1, then they read as a normal drive.

The most likely configuration would be RAID-5.

You need to find out if the user knows what the original drive capacity was.

RAID-5 would probably be 1.5TB

RAID-1 for a pair of drives would be 500GB

RAID-0 would be 1TB for the 4 drives.

If you can find the Mac partition header sector (It starts with the string H+) this will give the partition size. A typical logical location for this sector is 0x6402a

For RAID-5, you need to determine the stripe size and the pattern and disk order. This may be a case of trial and error. Some RAID configurations start with RAID-1 then go to RAID-5

Good luck

 
Posted : 22/02/2013 9:33 pm
(@davepawlak)
Posts: 29
Eminent Member
 

Without more knowledge about the box you are in a bit of trouble. Macs offer a software RAID and optional hardware RAID controller. Macs are very intuitive in that if you put the disks back into the Mac and it was using a software RAID the Disk Utility application would tell you which disk is which.

See this Apple developer article for info about Apple software RAIDs http//support.apple.com/kb/HT2559

With as many disks as you have I would doubt all four disks are set to either a RAID 0 (2tb of disk size without redundancy and several points of failure). I also doubt you would have two separate RAID 1 volumes (two 500Gb volumes using the mirrored disks). Additionally as said before, mirrored disks are readable without rebuilding a RAID and it sounds as though you aren't in that situation. So RAID 0 is a small possibility and it sounds RAID 1 is not a possibility at all.

You are left with a possible concatenated RAID depending upon the version of OSX being used or a hardware RAID. The hardware RAID could be literally anything the hardware RAID controller can support (0,1,5,6,10,50,60,etc).

You need to take in to account what the Mac was being used for an by whom. This may help you decide on what type of RAID was being used.

Do you have access to the Mac still? If so, check for a hardware RAID controller. You could always DD the original evidence to new drives and plug the cloned drives in the Mac. Look at Disk Utility to rebuild the RAID and see what it tells you.

Best,
Dave

 
Posted : 24/02/2013 9:19 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

It is possible you have configured the RAID correctly - however the bad news is that EnCase 6 does a very poor job of parsing HFS+ file systems.

I am guessing that in your "Lost Files" directory you are seeing a lot of files called "hard links"? This is the prime indicator that EnCase has not parsed your file system correctly. It also does this for certain EXT file systems (at least 4 off the top of my head).

Your only recourse, as far as I know, is to use a different forensic tool. I have requested support for this from GSI, but sadly they don't see it as a "bug" and aren't going to incorporate it in EnCase v6. The stock answer is to move to v7.

I could go on a rant about this, but it's not really relevant to your problem )

 
Posted : 25/02/2013 2:14 pm
(@belkasoft)
Posts: 169
Estimable Member
 

There is an easy and safe way to finish the job. You will need a tool to mount the RAID array without the original RAID controller present, and without knowing the original RAID configuration. For today's tools this is no problem.

OK, here's the tool Diskinternals RAID Recovery (www.diskinternals.com). When you launch the tool, you will be prompted to select physical devices comprising the array (I guess you will be able to do so by mounting each image you captured to appear as a drive letter; if not, you may need to physically connect all the disks to the computer). The tool will then analyze the disks and re-assemble them into a working array. This array will then be mounted as a new drive letter (or several drive letters if there are multiple partitions available). Please note that the tool runs in Windows; although it does support HFS, you'll be better off by simply imaging the new "drive" with any tool (e.g. EnCase), and then performing an analysis.

 
Posted : 25/02/2013 7:31 pm
Share: