Physical RAID Imaging


Physical RAID Imaging

Post Posted: Sat May 10, 2014 11:41 am

Situation: Need to take a physical image of a RAID. Actually two RAIDs.

RAID A: Two HDDs, Running Windows Server 2003, I have the login and have already taken a logical image. About 2.5TB

RAID B: Two HDD and One SSD. I don't have the login. Again about 2.5TB

Task: Get full forensic physical images of both, to search slack space.

-------------------------------------------------------------------------------------------------------------------------
Tools: FTK Imager, EnCase 6.14, Tableau TD2, Paladin Boot Disc.

-------------------------------------------------------------------------------------------------------------------------
First: How do I figure out what version of RAID this is?

Second: What is the best way to take these images to be able to investigate the slack space?

Finally: Will this lead me to need a few drinks later?

Note: I have googled quite a bit and no clear good answer, so I put these questions out to this community here. Mahalo in advance.  

laughingman_nicoli
Newbie

Re: Physical RAID Imaging

Post Posted: Sat May 10, 2014 12:17 pm

hi,
you can use the CAINE bootable CD, forensic tools, guymager for imaging physical/clone as per the requirement.
_________________
krishna m
cyber forensic expert
india 

krishna
Member

Re: Physical RAID Imaging

Post Posted: Sat May 10, 2014 12:41 pm

Let's go in reverse.
- laughingman_nicoli

Finally: Will this lead me to need a few drinks later?

Yes.

- laughingman_nicoli

Second: What is the best way to take these images to be able to investigate the slack space?

There are no "best ways", you do a physical image of each and then you use a software capable of interpreting the images as RAID.

- laughingman_nicoli

First: How do I figure out what version of RAID this is?

Here is the issue.

Raid "A" makes a lot of sense and there are ONLY two possible ways to make a RAID out of two disks:
RAID 0 <- striped set
RAID 1 <- mirrored set
If it is a RAID 1, you have two identical hard disks (and thus two identical physical images), and you can just analyze one of the two.
If it is a RAID 0, see previous answer, the software should be capable of producing a "whole image" alternating blocks from the two devices.

RAID "B" makes very little sense.
You DO NOT put in a RAID two hard disks and a SSD.

In practice RAID 2, 3 and 4 are never used, and RAID 0 and RAID 1 are made of "couples" of disks; the only kind of RAID in use with three devices is RAID 5.

When you set up a RAID 5, you do that using all identical devices, as once the array is created the available size of the array will be determined by the smallest device.
See here for some simple explanation of different RAID levels:
en.wikipedia.org/wiki/...AID_levels

It is much more probable that the SSD hosts the Operating System and that the two hard disks host the actual data.
And you are back to the same case as Raid "A".

In my little experience it is uncommon to set a RAID 0 on a server (though it is possible), it would be more logical that it is set as RAID 1, which is a "poor man" way to have *some* redundancy of data, of course this choice depends on what was the actual use of the server.
As an example, if the server was an enterprise mail server data redundancy would have been more important than performance (and then a RAID 1 would have been used), if it was a server dedicated to streaming multimedia content it would have made more sense to have faster performance (and then a RAID 0 would have been used).

"Common" servers (meaning not *any* pc used as server, but rather server level hardware for "mission critical" use) tend to have however 3 or better 4 (3+spare) disks RAID 5.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: Physical RAID Imaging

Post Posted: Sat May 10, 2014 1:47 pm

- laughingman_nicoli

First: How do I figure out what version of RAID this is?

The best approach is to use the RAID manager software used. You could also talk to whoever set the thing up.

Try to find the user manual for the device to cut your choices down to what it is actually capable of. If you like to trust unknown software -- as you're asking, it's clearly unknown -- you use whatever magic RAID identifier software you like. Guessing is, however, not an option, as you have to be able to decide if a reconstructed RAID producing only a huge 'random' disk full of unrecognizable structures is a correct result or not. It could be, if encryption is used, for example, or if the RAID has been broken and disks overwritten individually. And you don't want to be drawn into false conclusions by a dropped, previous hot spare anywhere.

- laughingman_nicoli

Second: What is the best way to take these images to be able to investigate the slack space?

What slack space *exactly* are you referring to? Where is it located?

If it's at the HDD level, i.e. partition slack at the end of a 'disk', or volume slack at the end of a partition, or slack inside a file system, then you image the running RAID 'device'. There will be no need to image each separate HDD, as far as I can see.

It's if you have the situation of dissimilar disks, with not fully utilized HDDs that you may want to check out any 'RAID slack' on the large and incompletely used HDD(s) as well.  

athulin
Senior Member
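As an added example tying together jaclaz's point above (a two-disk array is either a mirror, so one image suffices, or a stripe set that software must reassemble by alternating blocks from the two devices) and athulin's point that a reassembly yielding only a huge 'random' disk is not evidence of a correct result, the following Python is not any poster's code nor from any tool named in the thread. It confirms a RAID 1 mirror by hashing both images, reassembles two per-disk images as RAID 0 for candidate stripe sizes and member orders, and validates a candidate by checking that the NTFS boot sector's $MFT pointer lands on a record carrying the 'FILE' signature. The disk images, the 16 KiB stripe size and the candidate list are constructed test data and assumptions; it also assumes the NTFS volume begins at offset 0 of the array (no partition table) and a sectors-per-cluster byte below 0x80.

```python
"""Reassemble a two-disk RAID 0 stripe set from per-disk images and validate the
result, or recognise a RAID 1 mirror.  Added example (not any poster's code); the
disk images, stripe sizes and NTFS-like volume below are constructed test data."""
import hashlib
from typing import List, Optional, Sequence, Tuple

SECTOR = 512


def is_mirror(disk_a: bytes, disk_b: bytes) -> bool:
    """RAID 1: both members hold identical data, so analysing one image is enough."""
    return hashlib.sha256(disk_a).digest() == hashlib.sha256(disk_b).digest()


def reassemble_raid0(members: Sequence[bytes], stripe_size: int) -> bytes:
    """Interleave stripe_size chunks round-robin: stripe 0 from member 0, stripe 1
    from member 1, and so on.  Capacity is bounded by the smallest member."""
    if stripe_size <= 0 or not members:
        raise ValueError("need at least one member and a positive stripe size")
    usable = min(len(m) for m in members)
    usable -= usable % stripe_size
    out = bytearray()
    for offset in range(0, usable, stripe_size):
        for member in members:
            out += member[offset:offset + stripe_size]
    return bytes(out)


def split_raid0(volume: bytes, n_members: int, stripe_size: int) -> List[bytes]:
    """Inverse of reassemble_raid0; used here only to build constructed test images."""
    members = [bytearray() for _ in range(n_members)]
    for i, offset in enumerate(range(0, len(volume), stripe_size)):
        members[i % n_members] += volume[offset:offset + stripe_size]
    return [bytes(m) for m in members]


def ntfs_mft_offset(image: bytes) -> Optional[int]:
    """Parse an NTFS boot sector at offset 0 and return the byte offset of $MFT,
    or None if the sector does not carry the NTFS OEM ID and 0x55AA signature.
    Assumes a plain sectors-per-cluster byte (values >= 0x80 are not handled)."""
    boot = image[:SECTOR]
    if len(boot) < SECTOR or boot[510:512] != b"\x55\xAA" or boot[3:11] != b"NTFS    ":
        return None
    bytes_per_sector = int.from_bytes(boot[11:13], "little")
    sectors_per_cluster = boot[13]
    mft_cluster = int.from_bytes(boot[48:56], "little")
    return mft_cluster * sectors_per_cluster * bytes_per_sector


def reassembly_is_consistent(image: bytes) -> bool:
    """A correct reassembly places a 'FILE' record exactly where the boot sector
    says $MFT lives; a wrong stripe size or member order lands on unrelated data."""
    off = ntfs_mft_offset(image)
    return off is not None and image[off:off + 4] == b"FILE"


def guess_layout(members: Sequence[bytes],
                 candidates: Sequence[int] = (4096, 16384, 65536)) -> Optional[Tuple[int, int]]:
    """Try each candidate stripe size and both member orders; return (stripe_size,
    order_index) for the first internally consistent reassembly, else None.  None is
    the honest answer when nothing fits: an unrecognisable result is not success."""
    for stripe in candidates:
        for idx, order in enumerate((list(members), list(reversed(members)))):
            if reassembly_is_consistent(reassemble_raid0(order, stripe)):
                return stripe, idx
    return None


def build_test_volume(size: int = 256 * 1024, mft_cluster: int = 20) -> bytes:
    """Constructed NTFS-like volume: a boot sector, 'FILE' records at $MFT, and
    deterministic pseudo-random filler elsewhere so wrong reassemblies look random."""
    vol = bytearray()
    seed = b"constructed"
    while len(vol) < size:
        seed = hashlib.sha256(seed).digest()
        vol += seed
    vol = vol[:size]
    boot = bytearray(SECTOR)
    boot[3:11] = b"NTFS    "
    boot[11:13] = (512).to_bytes(2, "little")   # bytes per sector
    boot[13] = 8                                 # sectors per cluster (4 KiB clusters)
    boot[48:56] = mft_cluster.to_bytes(8, "little")
    boot[510:512] = b"\x55\xAA"
    vol[:SECTOR] = boot
    mft = mft_cluster * 8 * 512
    for i in range(4):                           # four 1 KiB MFT records
        vol[mft + i * 1024:mft + i * 1024 + 4] = b"FILE"
    return bytes(vol)


if __name__ == "__main__":
    volume = build_test_volume()
    disks = split_raid0(volume, 2, 16384)        # constructed two-member stripe set
    print("mirror?", is_mirror(disks[0], disks[1]))
    print("guessed (stripe, order):", guess_layout(disks))
```

Running the script prints that the two constructed members are not a mirror and that the 16 KiB stripe with the original member order is the only layout whose $MFT pointer resolves to a 'FILE' record; on real images the candidate list would be widened to the stripe sizes the controller's manual actually supports, and a result of None should be treated as "not yet reconstructed" rather than as a carvable disk.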

Re: Physical RAID Imaging

Post Posted: Sat May 10, 2014 2:18 pm

All very good answers and a lot of help. As to the reference of slack space. I basically need to find deleted files and to be able to carve fragments if I can.  

laughingman_nicoli
Newbie

Re: Physical RAID Imaging

Post Posted: Sat May 10, 2014 3:57 pm

You do not say what size the disks are (in GBs).

RAID 'B' could just possibly be JBOD (and so could RAID 'A').

You say Windows 2003 server - I presume this will mean NTFS. Have you checked that this is true, and not UNIX FS?
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member

Re: Physical RAID Imaging

Post Posted: Sun May 11, 2014 4:02 am

- mscotgrove
You do not say what size the disks are (in GBs).

RAID 'B' could just possibly be JBOD (and so could RAID 'A').

You say Windows 2003 server - I presume this will mean NTFS. Have you checked that this is true, and not UNIX FS?


Well, a JBOD is not (IMHO) a RAID:
en.wikipedia.org/wiki/...hitectures

If it is not a RAID then both setups can be simply basic disks, or spanned ones.

As well, roughly 99.9999999% of Windows 2003 Server will use NTFS, the remaining 0.0000001% may be using UFS or XFS.


You know, like:
Q. My car did not start this morning, what should I check?
A. Are you sure it is not a lawnmower? Are you sure it uses gasoline and it is not fuel cell powered?


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
Page 1 of 2