How to mount / make forensic software 'see' SSD RAID 0

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
  

bobster100
Member
 

How to mount / make forensic software 'see' SSD RAID 0

Post Posted: Jun 22, 17 22:20

Hi everyone

I have come across a netbook / notepad / etc (Acer Aspire S5-391 with Windows 7, believed) which does not have a power cable, and I'm not going to get one for now. This means turning on the device and obtaining a live image is off the books. (It may be password protected as well.)

This machine has an SSD with 128GB arranged as a RAID-0. Both the SSD chips reside on a mSATA chipboard. Research suggests this device uses software RAID via the Intel Rapid Storage Technology systems.

I have imaged this mSATA chip, but cannot, for the life of me, work out how to mount it / get forensic software to recognise it.

I have tried looking at it in EnCase 6, and using the disk configuration options, but this is for two different disks, not the same disk. I have mounted it in FTK, but it is not recognised because the data itself is RAID'ed. Both the above were to be expected.

I have mounted it as a computer in VirtualBox, but get a message stating that the operating system is missing. I don't know how to set up a software RAID with Intel Rapid Storage Technology on the virtual machine so it uses that to recognise and mount the RAID.
I have downloaded an executable version of Intel RST, but it is an executable; I'm thinking if I can get that into an ISO of sorts, then add this as a CD in the virtual machine, this then executes before the virtual machine kicks into life and then recognises the RAID on vdisk and presents it as a live computer to me?
 
  

bntrotter
Senior Member
 

Re: How to mount / make forensic software 'see' SSD RAID 0

Post Posted: Jun 23, 17 02:18

www.notebookcheck.net/...547.0.html

From this article, that model Acer contains 2 SSD 128GB RAIDED to 256GB.

If both those chips are 128s, I would suspect the machine has some proprietary RAID settings. You may have to perform a Forensic LIVE CD acquisition.  
 
  

thefuf
Senior Member
 

Re: How to mount / make forensic software 'see' SSD RAID 0

Post Posted: Jun 23, 17 02:34

Did you try tools like RAID reconstructor? These tools will attempt to guess the configuration of the array using a brute-force approach (they will try each configuration option possible for the array until there is valid assembled data). Of course, if there is a single encrypted partition only, such tools will fail.

Other options include booting the suspect system and taking a "live" image of an assembled drive, booting the suspect computer using a live forensic distribution and taking a "dead" image of an assembled drive. And since Intel RST is a fake RAID, you will likely get troubles when booting the suspect computer using a live distribution, because this distribution should include a RAID driver (otherwise you won't see an assembled drive). You will need a power cable, of course.

As a last resort, if solutions mentioned above aren't working in your situation, you can try to boot the suspect computer to a special boot loader (here; also, take a look at the paper there), which can be used to image an assembled drive without any additional drivers. Even if you don't have a power cable, you can try to use the remaining charge to quickly take a sample of assembled data to be used in the reconstruction of the array later.  
 
  

jaclaz
Senior Member
 

Re: How to mount / make forensic software 'see' SSD RAID 0

Post Posted: Jun 23, 17 13:39

It's a strange setup (RAID 0 on the same device).
It is likely that the actual hardware exposes two devices to the OS.

But what is the result of the image you took?
I mean, 256 Gb or 128 Gb?
If 256, then nothing prevents you from making two separate images (i.e. splitting the image in two halves) and attempt mounting the two images as if they were two devices.

There are not so many ways to assemble a two disk RAID 0 (actually only two), the "half" containing the MBR (or protective MBR) will be "first disk" and the other one will be "second disk", but at the most, you need to try inverting the disk order, then there is only a limited amount of possible stripe sizes and other parameters.

Besides the very good RAID Reconstructor, DMDE also allows you to (manually) test different values:
dmde.com/
and pyflag:
pyflag.sourceforge.net...ction.html
explains in detail the manual/visual procedure to follow before providing a suitable "guessing tool"...

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
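
The order-and-stripe-size search described in the post above, as an added example that is not part of the original thread or of any tool named in it. It assumes two raw member images, an NTFS volume whose byte offset `part_start` is already known from the partition table, and 1024-byte MFT records; all function names are hypothetical. Each candidate layout is scored by reading the first MFT records through it and checking that record *n* carries record number *n*.

```python
import struct
from itertools import permutations

def read_logical(members, stripe, offset, length):
    """Read bytes at a logical offset from a RAID 0 set of member file objects."""
    out = bytearray()
    while length > 0:
        index, within = divmod(offset, stripe)
        chunk = min(length, stripe - within)
        member = members[index % len(members)]
        member.seek((index // len(members)) * stripe + within)
        data = member.read(chunk)
        if len(data) < chunk:          # ran past the end of a member image
            break
        out += data
        offset, length = offset + chunk, length - chunk
    return bytes(out)

def score_layout(members, stripe, part_start, n_records=1024):
    """Fraction of the first MFT records that carry their own record number."""
    boot = read_logical(members, stripe, part_start, 512)
    if len(boot) < 512 or boot[3:11] != b"NTFS    ":
        return 0.0
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 0x0B)
    mft_lcn, = struct.unpack_from("<Q", boot, 0x30)
    mft = part_start + mft_lcn * bytes_per_sector * sectors_per_cluster
    hits = 0
    for n in range(n_records):         # assumes 1024-byte MFT records (NTFS 3.1)
        rec = read_logical(members, stripe, mft + n * 1024, 48)
        if len(rec) == 48 and rec[:4] == b"FILE" \
                and struct.unpack_from("<I", rec, 0x2C)[0] == n:
            hits += 1
    return hits / n_records

def guess_layout(members, part_start, stripes_kib=(4, 8, 16, 32, 64, 128)):
    """Rank every (member order, stripe size) candidate, best score first."""
    ranked = []
    for order in permutations(range(len(members))):
        ordered = [members[i] for i in order]
        for kib in stripes_kib:
            score = score_layout(ordered, kib * 1024, part_start)
            ranked.append((score, order, kib))
    return sorted(ranked, reverse=True)
```

The boot sector alone cannot separate stripe sizes, because a 1 MiB-aligned partition start maps to the same member offset for every power-of-two stripe up to 512 KiB; the run of MFT records crosses stripe boundaries and does.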
 
  

bobster100
Member
 

Re: How to mount / make forensic software 'see' SSD RAID 0

Post Posted: Jun 23, 17 18:40

I imaged the device as an E01, and it is 119 GB overall. I believe it is a 128GB sized chip with two 64GB sections. I also used UFS Explorer when it was connected, which saw five separate partitions, and I created img files of all five partitions.

I tried splitting the E01, but it didn't work (as expected, as each E01 is linked to another!).
The question then arises as to how to split this single image? Mount the E01 and image a RAW up to a certain point? Can I image a device to a specific byte? I have no idea, and also unsure as to what byte I would be imaging up to.

I am stuck as to how I would be able to image the two separate sections. When I added the device into FTK, it only saw it as one device, not two. It is safely back in the laptop, and so I am now working with the E01 image / img files.

I also downloaded RAID Reconstructor. This didn't recognise the IMG file.

Thanks for the help guys, it is much appreciated. (I'm not going to use the Github route because we are not going to get extra for trying to do this device - it was only an intellectual challenge as it were, and to see if I could get it recognised.)
 
  

jaclaz
Senior Member
 

Re: How to mount / make forensic software 'see' SSD RAID 0

Post Posted: Jun 23, 17 20:15

- bobster100

The question then arises as to how to split this single image? Mount the E01 and image a RAW up to a certain point? Can I image a device to a specific byte? I have no idea, and also unsure as to what byte I would be imaging up to,

Don't make it over complicated.
Convert the whole E01 to a RAW image, then split the RAW image.

Impossible to know beforehand where to split it, it should be exactly half, but it is possible that there is some "overhead" or sort of DCO/HPA in the implementation.

Anyway, the MBR is the first sector of the device, and you should be able, by analyzing its partition table, to find out the extents of the partition(s) on the device.
If they sum up to around 64 Gb then it is like you say a 64 Gb disk on Raid 0.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
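
The partition-table check suggested in the post above, as an added example that is not part of the original thread. It reads the first two sectors of a raw image, works out how many bytes the MBR (or, behind a protective MBR, the GPT header) says the disk spans, and compares that with the size of the image; the function names and the 512-byte sector size are assumptions.

```python
import struct

SECTOR = 512  # assumed logical sector size of the imaged device

def declared_extent(head):
    """Return (scheme, bytes) that the partition table in the first two sectors claims."""
    mbr = head[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature in sector 0")
    entries = []
    for i in range(4):                 # four 16-byte primary entries at 0x1BE
        ptype, start, count = struct.unpack_from("<4xB3xII", mbr, 0x1BE + 16 * i)
        if ptype:
            entries.append((ptype, start, count))
    gpt = head[SECTOR:2 * SECTOR]
    if any(e[0] == 0xEE for e in entries) and len(gpt) >= 40 and gpt[:8] == b"EFI PART":
        last_lba, = struct.unpack_from("<Q", gpt, 32)   # AlternateLBA: backup header
        return "GPT", (last_lba + 1) * SECTOR
    # An extended container (type 0x05/0x0F) already spans its logical partitions.
    end = max((start + count for _, start, count in entries), default=0)
    return "MBR", end * SECTOR

def compare_with_image(head, image_size):
    """Return (scheme, declared bytes, declared/imaged ratio)."""
    scheme, extent = declared_extent(head)
    return scheme, extent, round(extent / image_size, 2)
```

A ratio close to 1 means the partitions fit inside what was imaged; a ratio close to 2 is consistent with the image being one member of a two-disk stripe set whose table describes the assembled volume.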
 
  

C.R.S.
Senior Member
 

Re: How to mount / make forensic software 'see' SSD RAID 0

Post Posted: Jun 24, 17 12:16

These laptops were sold in 2x64GB and 2x128GB configurations. Exposing 119GiB is the expected behaviour of the original Lite-On CMT-256L3M or compatible SSD, a 2x128GB dual SSD, when it is put into a standard mSATA adapter.

There are some high-res pictures of this type of SSD:
www.techpowerup.com/im...0/184c.jpg
www.techpowerup.com/im...0/184b.jpg

184c.jpg with odd pins and sticker is side A, 184b.jpg with even pins is side B.

Standard mSATA lanes are:

23: TX-
25: TX+
31: RX-
33: RX+

You can see that these pins lead to nearby vias. Therefore, they probably connect to the SSD sub-assembly on side B, the one you imaged.

The second SSD on side A must be connected through a non-standard pin set. One channel, either TX or RX, is apparently located on 3/5 (standard NC), the other one on 11/13. 11/13 is REFCLK on standard miniPCIe, but can be used here in a proprietary mSATA setup (due to the mSATA presence indication, it won't damage other mSATA capable motherboards). I'm quite sure that these are the SATA connections, because the capacitor groups C120-C123 (side B) and C113-C116 are clearly related to the signal path of each SSD. The traces for the only other option, 45/47 (standard NC), are not properly aligned to each other to carry the signal. However, they obviously used 45/47 for something I cannot tell from the picture.
Given the general layout of each side of the board, my best guess is:

3: RX+
5: RX-
11: TX+
13: TX-  
 
