
How to mount / make forensic software 'see' SSD RAID 0

(@bobster100)
Posts: 11
Active Member
Topic starter
 

Hi everyone

I have come across a netbook / notepad / etc (Acer Aspire S5-391 with Windows 7, believed) which does not have a power cable, and I'm not going to get one for now. This means turning on the device and obtaining a live image is off the books. (It may be password protected as well.)

This machine has a SSD with 128GB arranged as a RAID-0. Both the SSD chips reside on a mSATA chipboard. Research suggests this device uses software RAID via the Intel Rapid Storage Technology systems.

I have imaged this mSATA chip, but cannot, for the life of me, work out how to mount it / get forensic software to recognise it.

I have tried looking at it in EnCase 6, and using the disk configuration options, but this is for two different disks, not the same disk. I have mounted it in FTK, but it is not recognised because the data itself is RAID'ed. Both the above were to be expected.

I have mounted it as a computer in VirtualBox, but get a message stating that the operating system is missing. I don't know how to set up a software RAID with Intel Rapid Storage Technology on the virtual machine so it uses that to recognise and mount the RAID.
I have downloaded an executable version of Intel RST, but it is an executable; I'm thinking if I can get that into an ISO of sorts, then add this as a CD in the virtual machine, this then executes before the virtual machine kicks into life and then recognises the RAID on vdisk and presents it as a live computer to me?

 
Posted : 22/06/2017 10:20 pm
(@bntrotter)
Posts: 63
Trusted Member
 

https://www.notebookcheck.net/Review-Acer-Aspire-S5-391-73514G25akk-Ultrabook.82547.0.html

From this article, that model Acer contains 2 SSD 128GB RAIDED to 256GB.

If both those chips are 128s, I would suspect the machine has some proprietary RAID settings. You may have to perform a Forensic LIVE CD acquisition.

 
Posted : 23/06/2017 2:18 am
(@thefuf)
Posts: 262
Reputable Member
 

Did you try tools like RAID reconstructor? These tools will attempt to guess the configuration of the array using a brute-force approach (they will try each configuration option possible for the array until there is valid assembled data). Of course, if there is a single encrypted partition only, such tools will fail.

Other options include booting the suspect system and taking a "live" image of an assembled drive, booting the suspect computer using a live forensic distribution and taking a "dead" image of an assembled drive. And since Intel RST is a fake RAID, you will likely get troubles when booting the suspect computer using a live distribution, because this distribution should include a RAID driver (otherwise you won't see an assembled drive). You will need a power cable, of course.

As a last resort, if solutions mentioned above aren't working in your situation, you can try to boot the suspect computer to a special boot loader (here; also, take a look at the paper there), which can be used to image an assembled drive without any additional drivers. Even if you don't have a power cable, you can try to use the remaining charge to quickly take a sample of assembled data to be used in the reconstruction of the array later.

 
Posted : 23/06/2017 2:34 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

It's a strange setup (RAID 0 on the same device).
It is likely that the actual hardware exposes two devices to the OS.

But what is the result of the image you took?
I mean, 256 Gb or 128 Gb?
If 256, then nothing prevents you from making two separate images (i.e. splitting the image in two halves) and attempt mounting the two images as if they were two devices.

There are not so many ways to assemble a two-disk RAID 0 (actually only two): the "half" containing the MBR (or protective MBR) will be "first disk" and the other one will be "second disk", but at the most, you need to try inverting the disk order. Then there is only a limited number of possible stripe sizes and other parameters.

Besides the very good RAID Reconstructor, DMDE also allows you to (manually) test different values
http://dmde.com/
and pyflag
http://pyflag.sourceforge.net/Documentation/articles/raid/reconstruction.html
explains in detail the manual/visual procedure to follow before providing a suitable "guessing tool"…

jaclaz

 
Posted : 23/06/2017 1:39 pm
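Added example (not part of the thread, and not code from any tool named in it): the order and stripe-size search described in the two posts above, for NTFS volumes. The first disk is taken to be the one holding the MBR signature, as the post says; scoring each candidate by how many consecutive MFT records carry the expected record number is this example's own choice, and `mft_offset` (the logical byte offset of `$MFT`, normally read from the NTFS boot sector), the function names and the sample data are assumptions.

```python
import struct
from itertools import permutations

RECORD = 1024  # default size of one NTFS MFT file record

def read_striped(members, stripe, offset, length):
    """Read bytes at a logical offset of a RAID 0 set (members given in order)."""
    out = bytearray()
    while length > 0:
        index, within = divmod(offset, stripe)
        phys = (index // len(members)) * stripe + within
        take = min(stripe - within, length)
        chunk = members[index % len(members)][phys:phys + take]
        out += chunk
        if len(chunk) < take:              # ran off the end of a member image
            break
        offset, length = offset + take, length - take
    return bytes(out)

def mft_run(members, stripe, mft_offset, limit=4096):
    """Count consecutive records with 'FILE' magic and matching record number (0x2C)."""
    for n in range(limit):
        rec = read_striped(members, stripe, mft_offset + n * RECORD, 0x30)
        if len(rec) < 0x30 or rec[:4] != b"FILE":
            return n
        if struct.unpack_from("<I", rec, 0x2C)[0] != n:
            return n
    return limit

def guess_layout(images, mft_offset, stripes):
    """Try every disk order and stripe size; return (run, order, stripe) of the best."""
    best = (0, None, None)
    for order in permutations(range(len(images))):
        members = [images[i] for i in order]
        if members[0][510:512] != b"\x55\xaa":   # first disk must hold the MBR
            continue
        for stripe in stripes:
            run = mft_run(members, stripe, mft_offset)
            if run > best[0]:
                best = (run, order, stripe)
    return best

def constructed_members(stripe=8192, mft_offset=16384, records=32):
    """Constructed sample: 64 KiB volume, MBR signature plus a toy MFT, striped in two."""
    vol = bytearray(65536)
    vol[510:512] = b"\x55\xaa"
    for n in range(records):
        vol[mft_offset + n * RECORD:mft_offset + n * RECORD + 4] = b"FILE"
        struct.pack_into("<I", vol, mft_offset + n * RECORD + 0x2C, n)
    chunks = [bytes(vol[i:i + stripe]) for i in range(0, len(vol), stripe)]
    return b"".join(chunks[0::2]), b"".join(chunks[1::2])
```

On real evidence the members would be memory-mapped RAW images rather than byte strings; slicing works the same way, so nothing is copied into RAM.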
(@bobster100)
Posts: 11
Active Member
Topic starter
 

I imaged the device as an E01, and it is 119 GB overall. I believe it is a 128GB sized chip with two 64GB sections. I also used UFS Explorer when it was connected, which saw five separate partitions, and I created img files of all five partitions.

I tried splitting the E01, but it didn't work (as expected, as each E01 is linked to another!).
The question then arises as to how to split this single image? Mount the E01 and image a RAW up to a certain point? Can I image a device to a specific byte? I have no idea, and am also unsure as to what byte I would be imaging up to.

I am stuck as to how I would be able to image the two separate sections. When I added the device into FTK, it only saw it as one device, not two. It is safely back in the laptop, and so I am now working with the E01 image / img files.

I also downloaded RAID Reconstructor. This didn't recognise the IMG file.

Thanks for the help guys, it is much appreciated. (I'm not going to use the GitHub route because we are not going to get extra for trying to do this device - it was only an intellectual challenge as it were, and to see if I could get it recognised.)

 
Posted : 23/06/2017 6:40 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> The question then arises as to how to split this single image? Mount the E01 and image a RAW up to a certain point? Can I image a device to a specific byte? I have no idea, and also unsure as to what byte I would be imaging up to,

Don't make it over complicated.
Convert the whole E01 to a RAW image, then split the RAW image.

Impossible to know beforehand where to split it; it should be exactly half, but it is possible that there is some "overhead" or sort of DCO/HPA in the implementation.

Anyway, the MBR is the first sector of the device, and you should be able, by analyzing its partition table, to find out the extents of the partition(s) on the device.
If they sum up to around 64 Gb then it is like you say a 64 Gb disk on Raid 0.

jaclaz

 
Posted : 23/06/2017 8:15 pm
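Added example (not part of the thread): the MBR check suggested in the post above, reading sector 0 of the RAW image and comparing the extents the partition table declares with the size of the image. The function names and the sample partition layout and sizes are constructed for illustration; they are not values from the device in this thread.

```python
import struct

SECTOR = 512

def mbr_partitions(sector0):
    """Return (type, start_lba, sector_count) for each non-empty MBR entry."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    parts = []
    for i in range(4):                        # four 16-byte entries at offset 446
        entry = sector0[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:           # type 0 marks an unused slot
            parts.append((entry[4], start, count))
    return parts

def assess_image(sector0, image_size):
    """Compare what the partition table declares with what the image holds."""
    parts = mbr_partitions(sector0)
    declared = max((start + count for _, start, count in parts), default=0)
    return {
        "partitions": parts,
        # a 0xEE entry means GPT: the real table follows in LBA 1 onwards
        "protective_mbr": any(ptype == 0xEE for ptype, _, _ in parts),
        "declared_gib": round(declared * SECTOR / 2**30, 1),
        "image_gib": round(image_size / 2**30, 1),
        # above 1: the table describes a volume larger than this image
        "volume_to_image_ratio": round(declared * SECTOR / image_size, 2),
    }

def constructed_sector0():
    """Constructed sample: MBR with a 100 MiB and a roughly 238 GiB NTFS partition."""
    mbr = bytearray(SECTOR)
    layout = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 499_900_000)]
    for slot, (status, ptype, start, count) in enumerate(layout):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * slot,
                         status, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

CONSTRUCTED_IMAGE_SIZE = 250_069_680 * SECTOR   # constructed size of one member

if __name__ == "__main__":
    print(assess_image(constructed_sector0(), CONSTRUCTED_IMAGE_SIZE))
```

A ratio near 2 means the table describes a volume about twice the size of the image, which is what the image of a single member of a two-disk stripe set looks like; a ratio at or just below 1 means the declared partitions fit inside the image.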
(@c-r-s)
Posts: 170
Estimable Member
 

These laptops were sold in 2x64GB and 2x128GB configurations. Exposing 119GiB is the expected behaviour of the original Lite-On CMT-256L3M or compatible SSD, a 2x128GB dual SSD, when it is put into a standard mSATA adapter.

There are some high-res pictures of this type of SSD
https://www.techpowerup.com/img/12-12-20/184c.jpg
https://www.techpowerup.com/img/12-12-20/184b.jpg

184c.jpg with odd pins and sticker is side A, 184b.jpg with even pins is side B.

Standard mSATA lanes are

23 TX-
25 TX+
31 RX-
33 RX+

You can see that these pins lead to nearby vias. Therefore, they probably connect to the SSD sub-assembly on side B, the one you imaged.

The second SSD on side A must be connected through a non-standard pin set. One channel, either TX or RX, is apparently located on 3/5 (standard NC), the other one on 11/13. 11/13 is REFCLK on standard miniPCIe, but can be used here in a proprietary mSATA setup (due to the mSATA presence indication, it won't damage other mSATA capable motherboards). I'm quite sure that these are the SATA connections, because the capacitor groups C120-C123 (side B) and C113-C116 are clearly related to the signal path of each SSD. The traces for the only other option, 45/47 (standard NC), are not properly aligned to each other to carry the signal. However, they obviously used 45/47 for something I cannot tell from the picture.
Given the general layout of each side of the board, my best guess is

3 RX+
5 RX-
11 TX+
13 TX-

 
Posted : 24/06/2017 12:16 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Yes, the NAND chip Toshiba TH58TE69D2HBA89 is 64 Gb, so that there are four of them, it is 256 Gb total arranged as 2x128 in RAID 0.

This should be the actual label
http://www.hwmaster.com/wp-content/uploads/2012/12/Label.jpg

It seems like there is no third party adapter for those.

jaclaz

 
Posted : 24/06/2017 7:03 pm
(@einstein9)
Posts: 50
Trusted Member
 

You have 2 options here

1- create Full 2 RAW dumps of both and assemble the RAID0 outside later with any 3rd-party App. like r-studio for example or winhex.

every time you need something from it you have to re-assemble it again

2- Assemble the RAID0 with R-studio for example and once it's done, you may EXPORT the FULL image and use it with any forensic tool later.

I'll go for option-2

good luck

 
Posted : 06/07/2017 7:55 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> 1- create Full 2 RAW dumps of both and assemble the RAID0 outside later with any 3rd-party App. like r-studio for example or winhex.

The issue here is seemingly that only one dump of "one side" is possible without a special adapter/a modified one.

It has to be seen if it is possible to re-mount the card in the original laptop and boot the laptop to a "forensic safe" OS to make the dump on the running machine.

jaclaz

 
Posted : 06/07/2017 9:39 pm