
"RAID" help!

(@jbarber)
Posts: 5
Active Member
Topic starter
 

I am working a case with a Dell Power Edge T300. Service Tag#B27G1L1. It contains 3 250 GB hard drives. Here is the info from the Dell site using this tag #

System summary

Service Tag: B27G1L1
Computer Model: PowerEdge T300
Shipping Date: 10/26/2009
Country: United States

Components

| Part Number | Quantity | Description |
|---|---|---|
| R708H | 1 | PROCESSOR, X3323, 2.5/1.3, 6M, XUP, E0 |
| KJ582 | 1 | HEATSINK, PLASTIC GRID ARRAY, 2.5X3.5X4.27 |
| C584K | 1 | Overpack Kit, WS8XBP, english |
| 0R215 | 2 | CORD, POWER, 15A, 125V, 10, 5-15/C13 |
| PD147 | 1 | ASSEMBLY, CABLE, LIGHT EMITTING DIODE, HARD DRIVE, AUXILIARY, PRECISION WORKSTATION, 490 |
| 70P6G | 1 | Assembly, Digital Video Disk Drive, 16X, Serial Ata, Half Height, Hitachi Lg Data Storage, Enterprise Systems Group |
| J105C | 3 | ASSEMBLY, CARRIER, HARD DRIVE, Serial ATA, 1IN |
| NT154 | 2 | Assembly, Power Supply Redundant, 528W, DLT |
| H7511 | 2 | ASSEMBLY, CARRIER, BLANK, HARD DRIVE, UNIVERSAL, 1IN, 2 |
| F420T | 3 | HARD DRIVE, 250G, ES3, 7.2K, 3.5, V2, SEAGATE, MAGNETO OPTICAL DRIVE |
| KP010 | 1 | ASSEMBLY, CHASSIS, HOT PLUG, REDUNDANT, T300 |
| T774H | 1 | PRINTED WIRING ASSY, CONTROLLER, PERIPHERAL COMPONENT INTERCONNECT EXPRESS, SERIAL ATTACHED SCSI, PERC6/I, ADAPTER |
| K278H | 1 | ASSEMBLY, CABLE, Serial ATA, MOTHERBOARD, OPTICAL DEVICE DRIVE, STATE AND LOCAL GOVERNMENT, T300 |
| X3959 | 1 | Card, Network, PERIPHERAL COMPONENT INTERCONNECT EXPRESS, COPPER, DUAL PORT |
| WP130 | 2 | DUAL IN-LINE MEMORY MODULE, 2G, 667M, 256X72, 8, 240, 2RX8 |
| GG460 | 1 | KIT, STRAIN RELIEF, CABLE, POWER |
| NP393 | 1 | ASSEMBLY, CABLE, POWEREDGE EXPANDABLE RAID CONTROLLER NUMBER, BTTRY, T300 |

I have imaged all three of the hard drives separately (E01s) and loaded them into EnCase 6. I haven't been able to find much information about the presumable "RAID" set up. I went into the BIOS and the only info I can find is that it may be a RAID 5. I have the RAID analyzer and RAID Source Disk Sector Locator EnScripts but without the RAID info I haven't been able to use them. The system is running Windows SBS Premium 2008. Looking at the info of the three hard drives through EnCase, I haven’t been able to determine which hard drive is the primary with an OS. Where do I go from here? I found no more info on Dell's site than what I listed here. I think I have read every post I can find on several sites and am still stuck.

I am prepared to do a live acquisition but was giving this a go first.

Thanks

Jim

 
Posted : 31/07/2014 12:04 am
(@deltron)
Posts: 125
Estimable Member
 

Are you trying to rebuild the RAID in EnCase?
You may have to guess the order, and use popular stripe sizes; well, that's what I was told by Guidance support when I was in the same situation.

 
Posted : 31/07/2014 12:49 am
(@jbarber)
Posts: 5
Active Member
Topic starter
 

Yes I am trying to rebuild the RAID with EnCase. Yeah using the "Edit Disk Configuration" is a little confusing. Did you have any luck with your case?

 
Posted : 31/07/2014 1:10 am
(@mscotgrove)
Posts: 938
Prominent Member
 

Find the $MFT - this is the best guidance for stripe and order and parity. A $MFT is normally reasonably sequential so very good for raid analysis.

This is assuming it is an NTFS disk

 
Posted : 31/07/2014 3:05 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

A former colleague of mine bought this tool a couple of weeks ago and hasn't stopped raving about it since

http://www.diskinternals.com/raid-recovery/
I've not used it personally but he told me it was pretty much automated and does what it says on the box. Might be worth a try..

 
Posted : 31/07/2014 5:29 am
(@bithead)
Posts: 1206
Noble Member
 

PRINTED WIRING ASSY, CONTROLLER, PERIPHERAL COMPONENT INTERCONNECT EXPRESS , SERIAL ATTACHED SCSI, PERC6/I, ADAPTER

If you can get into the controller software (typically Ctrl-R) you should see the stored settings.

When you unplugged the drives you should have noted the order. The controller software orders the discs as 0,1,2 by default.

The default stripe size for the PERC6I is Stripe Element Size – Default value is 64KB
http://www.thegeekstuff.com/2009/05/dell-tutorial-create-raid-using-perc-6i-integrated-bios-configuration-utility/

RAID Reconstructor V4.32 is another good choice for the price. https://www.runtime.org/raid.htm

 
Posted : 31/07/2014 6:35 am
(@cults14)
Posts: 367
Reputable Member
 

Another vote for Runtime software, only had to use it once but worked a charm on RAID0

Cheers

 
Posted : 01/08/2014 2:23 pm
(@jbarber)
Posts: 5
Active Member
Topic starter
 

Well, I abandoned trying to rebuild the RAID in EnCase and attempted to make a logical image with a boot disk. When I loaded the E01s from the logical image it came up as unused disk area. So I'm guessing maybe the RAID was not even being used. Seems weird though, because when I imaged the three drives individually two of the drives came up with a C, D and E partition. There was nothing on them, but partitions nonetheless. I did notice something in the boot sequence. The sequence is
1) Optical Drive
2) Embedded NIC 1 MBA v12.2.2 Slot 0100
3) Hard Drive C

Does #2 signify that this machine is networked (for lack of a better term) and not a bootable machine? When I tried to regular boot the machine it didn't work, and then when I disabled #2 so it would boot from #3, it said "no bootable device found".

Any ideas on these issues are appreciated; it's more for my knowledge now, since there appears to be nothing on the RAID, this item is finished!

 
Posted : 01/08/2014 8:29 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

There is something "wrong" (no offence intended) in your report, and IMHO *something* doesn't sound "right" in your hypothesis. 😯

A Dell Power Edge is a "Server Class" machine.

While it is possible (though highly improbable) that it booted from network (PXE booting) an OS residing on another Server in the network, still it should have hosted data, what would otherwise "serve"?

If it "served" data residing on another machine on the network, it would have been more than anything else a "router" (and a typical router would have no local storage devices if not a - minimal - often a CF card or similar, hosting the actual OS).

So, while it is entirely possible that the three disks were wiped (or have their content deleted, one way or the other) it is at least improbable that that machine was setup by a mad hatter that bought a server and added to it largish mass storage devices to later use it as an OSless router.

Now the common ways to set up a server with a RAID controller
http://en.wikipedia.org/wiki/RAID
are typically only four or five
1. A Raid 0 (which is not really-really a RAID) with EVEN number of disks (2 or 4, etc.) <- faster but with no redundancy
2. A Raid 1 which would normally use an even number of disks, typically 2 <- pure "mirroring"
3. A Raid 0+1, but again it would use an even number of disks (minimum 4)
4. A Raid 1+0 or 10 but this would also need 4 disks minimum.
5. A Raid 5 that needs at least 3 disks (and the 3 disks setup is actually one among the most common ones, as an "entry level"). <- "real" redundancy with block level striping and distributed parity.

This scheme might help

On a normal disk you have sequentially on the disk itself
block A
block B
block C
…etc.

When you have the same on a 3 disks RAID
block A is on the FIRST disk
block B is on the SECOND disk
<here a parity block for A and B is inserted and stored on the THIRD disk>
block C is on the FIRST disk
<here a parity block for C and D is inserted and stored on the SECOND disk>
block D is on the THIRD disk

So, when you access a disk as "single disk" (or an image of it) there will be
First disk that will start, like any "normal" disk with a MBR
Second disk that (unless a mirror of the MBR has been made exactly on the beginning on the second block) will NOT have a MBR as first sector.
Third disk that will also NOT have a MBR as first sector (should be detectable visually) contains "parity data" (please try reading this temporarily as "hex garbage")

So, when you access the three images as single disks, one and one only should have as first sector a MBR (please read as "have partitions"), and that would be the first disk.

If you can find "partitions" on two of the images, it sounds like there is an issue *somewhere*.

A logical explanation could be that the disks were not set in RAID 5 but rather in a two disks RAID 1 (pure mirroring) + a (unused) spare, but then two of the images should be identical between them (and of course any of these two identical disks would be readable "on its own").

Another possibility could be a RAID 1 with three disks (double mirroring), but then all three disks would have "partitions" in them and would be readable "separately".

jaclaz

 
Posted : 01/08/2014 9:57 pm
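The checks described in the post above, as an added example that is not part of the thread or of any tool named in it: it looks for the MBR boot signature on each member image, tests for mirrors, and tests whether every stripe row XORs to zero, which holds for RAID 5 wherever the parity block sits. It assumes raw (dd-style) exports held in memory, member data starting at offset 0 of each image, and the 64KB stripe element size quoted earlier in the thread; the function names and the sample volume are constructed for illustration.

```python
# Added example (not from the thread): triage three member images by content.
SECTOR = 512
STRIPE = 64 * 1024  # PERC 6/i default stripe element size quoted in the thread

def has_mbr_signature(image):
    """True when sector 0 ends with the 0x55AA boot signature."""
    return image[510:512] == b"\x55\xaa"

def xor(*blocks):
    """Byte-wise XOR of equal-length blocks."""
    n = 0
    for b in blocks:
        n ^= int.from_bytes(b, "big")
    return n.to_bytes(len(blocks[0]), "big")

def classify(images, stripe=STRIPE):
    """Label three raw member images: mirror, RAID 5 parity set, or unknown."""
    a, b, c = images
    if a == b == c:
        return "three-way mirror"
    if a == b or a == c or b == c:
        return "mirror pair plus a different third disk"
    size = min(len(i) for i in images)
    rows = [[i[o:o + stripe] for i in images] for o in range(0, size - stripe + 1, stripe)]
    rows = [r for r in rows if any(any(blk) for blk in r)]  # all-zero rows prove nothing
    if rows and all(not any(xor(*r)) for r in rows):
        return "raid5"  # every stripe row XORs to zero wherever the parity block sits
    return "unknown"

def build_raid5(volume, stripe=STRIPE):
    """Constructed sample: 3 members, parity on the third disk first, as in the post."""
    members = [bytearray(), bytearray(), bytearray()]
    blocks = [volume[o:o + stripe] for o in range(0, len(volume), stripe)]
    for row in range(len(blocks) // 2):
        d0, d1 = blocks[2 * row], blocks[2 * row + 1]
        data = iter((d0, d1))
        for disk in range(3):
            members[disk] += xor(d0, d1) if disk == 2 - row % 3 else next(data)
    return [bytes(m) for m in members]

def sample_volume(stripe=STRIPE):
    """Constructed volume: fake MBR, a zero-filled gap block, then four data blocks."""
    mbr = bytes(446) + b"\x80" + bytes(63) + b"\x55\xaa"
    first = mbr + bytes(stripe - SECTOR)
    return first + bytes(stripe) + b"".join(bytes([k]) * stripe for k in (1, 2, 3, 4))

if __name__ == "__main__":
    members = build_raid5(sample_volume())
    print([has_mbr_signature(m) for m in members], classify(members))
```

In the constructed sample the block that follows the MBR block is zero-filled, so the parity block for that row is byte-for-byte the MBR block and two of the three members show a boot signature while the set still classifies as RAID 5. On real multi-gigabyte images, read and compare in stripe-sized chunks instead of loading whole files.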
(@jbarber)
Posts: 5
Active Member
Topic starter
 

Jaclaz

I don't know. I tried to read all three of these disks through EnCase as a preview and I didn't see anything that looked like an OS.

This was an "internet cafe" gambling operation and I wasn't there to take it down so I can't comment on the way everything was set up. I don't know what was hooked into this Dell or what it was being used for. As a last resort I turned the machine on to just go through it by hand and see if maybe I could just pull off any evidence of the gambling operation but it would not boot. That's what makes me wonder where the OS is.

Any other ideas?

 
Posted : 01/08/2014 11:35 pm