"RAID" help!
Re: "RAID" help!

Post Posted: Aug 01, 14 20:29

Well, I abandoned trying to rebuild the RAID in EnCase and attempted to make a logical image with a boot disk. When I loaded the E01s from the logical image it came up as unused disk area. So I'm guessing maybe the RAID was not even being used. Seems weird though, because when I imaged the three drives individually, two of the drives came up with a C, D and E partition. There was nothing on them, but partitions nonetheless. I did notice something in the boot sequence. The sequence is:
1)Optical Drive
2)Embedded NIC 1 MBA v12.2.2 Slot 0100
3)Hard Drive C

Does #2 signify that this machine is networked (for lack of a better term) and not a bootable machine? When I tried to boot the machine normally it didn't work, and when I disabled #2 so it would boot from #3, it said "no bootable device found".

Any ideas on these issues are appreciated; it's more for my knowledge now, since there appears to be nothing on the RAID, this item is finished!

Senior Member

Re: "RAID" help!

Post Posted: Aug 01, 14 21:57

There is something "wrong" (no offence intended :) ) in your report, and IMHO *something* doesn't sound "right" in your hypothesis.

A Dell Power Edge is a "Server Class" machine.

While it is possible (though highly improbable) that it booted from the network (PXE booting) an OS residing on another server in the network, still it should have hosted data; what would it otherwise "serve"?

If it "served" data residing on another machine on the network, it would have been more than anything else a "router" (and a typical router would have no local storage devices other than a minimal one, often a CF card or similar, hosting the actual OS).

So, while it is entirely possible that the three disks were wiped (or had their content deleted, one way or the other), it is at least improbable that that machine was set up by a mad hatter who bought a server and added largish mass storage devices to it, to later use it as an OS-less router.

Now, the common ways to set up a server with a RAID controller are typically only four or five:
1. A Raid 0 (which is not really-really a RAID) with EVEN number of disks (2 or 4, etc.) <- faster but with no redundancy
2. A Raid 1 which would normally use an even number of disks, typically 2 <- pure "mirroring"
3. A Raid 0+1, but again it would use an even number of disks (minimum 4)
4. A Raid 1+0 or 10 but this would also need 4 disks minimum.
5. A Raid 5 that needs at least 3 disks (and the 3 disks setup is actually one among the most common ones, as an "entry level"). <- "real" redundancy with block level striping and distributed parity.

This scheme might help:

On a normal disk you have sequentially on the disk itself:
block A
block B
block C

When you have the same on a 3 disks RAID:
block A is on the FIRST disk
block B is on the SECOND disk
<here a parity block for A and B is inserted and stored on the THIRD disk>
block C is on the FIRST disk
<here a parity block for C and D is inserted and stored on the SECOND disk>
block D is on the THIRD disk

So, when you access a disk as "single disk" (or an image of it) there will be:
First disk that will start, like any "normal" disk with a MBR
Second disk that (unless a mirror of the MBR has been made exactly at the beginning of the second block) will NOT have a MBR as first sector.
Third disk that will also NOT have a MBR as first sector (should be detectable visually) and contains "parity data" (please try reading this temporarily as "hex garbage").

So, when you access the three images as single disks, one and one only should have as first sector a MBR (please read as "have partitions"), and that would be the first disk.

If you can find "partitions" on two of the images, it sounds like there is an issue *somewhere*.

A logical explanation could be that the disks were not set in RAID 5 but rather in a two-disk RAID 1 (pure mirroring) + an (unused) spare, but then two of the images should be identical between them (and of course either of these two identical disks would be readable "on its own").

Another possibility could be a RAID 1 with three disks (double mirroring), but then all three disks would have "partitions" in them and would be readable "separately".

- In theory there is no difference between theory and practice, but in practice there is. - 


Re: "RAID" help!

Post Posted: Aug 01, 14 23:35


I don't know. I tried to read all three of these disks through EnCase as a preview and I didn't see anything that looked like an OS.

This was an "internet cafe" gambling operation and I wasn't there to take it down, so I can't comment on the way everything was set up. I don't know what was hooked into this Dell or what it was being used for. As a last resort I turned the machine on to just go through it by hand and see if maybe I could just pull off any evidence of the gambling operation, but it would not boot. That's what makes me wonder where the OS is.

Any other ideas?  

Senior Member

Re: "RAID" help!

Post Posted: Aug 02, 14 14:34

Looking at the shipping spec of this Dell (using the service tag) it looks like it had a Dell PERC 6/i PCI-e SAS RAID Controller fitted. In my experience, reconstruction in EnCase of any RAIDs that used company-bespoke controllers can be very painful. Normally, I would take a logical in these instances, but I see you are unable to boot the system to the OS. Have you considered a Linux boot disk (DEFT) with the disks fitted and logically acquiring that way (keeping fingers crossed that DEFT supports the Dell RAID controller)?


Senior Member

Re: "RAID" help!

Post Posted: Aug 02, 14 15:17

- jbarber

I don't know. I tried to read all three of these disks through EnCase as a preview and I didn't see anything that looked like an OS.

Sure, you won't find on any of them "anything that looked like an OS" unless they are a set of mirrored drives, which indirectly confirms that the most probable setup with three disks (a RAID 5) has been used.

Still one (and one only) of the disks should have as first sector the MBR (the first disk), which is something that you can easily check with a hex editor.
Even if it is not the first sector, a MBR must be present on the first disk "near" the beginning.
If you carve the RAW disk for the magic bytes 55AA as the last two bytes of a sector, you should be able to find it in no time.

You reported earlier that TWO of the disks started with a MBR, which is the part that "sounds strange".

A number of specialized "automagic" or "autosensing" tools were already recommended; personally I would have a (more "manual") try with DMDE, which has a "raid reconstructor" that accepts a virtual reconstruction with the several possible parameters:

If you can identify the first disk image, you just try adding the other two disk images, or one of the other two disk images and a NUL device, then play a bit with the possible parameters until you find something "making sense".

If it doesn't work, you then try again exchanging the two non-first disks (or the non-first disk and the NUL device).

After all, even doing it "blind" or "random" it is a finite number of attempts.

- In theory there is no difference between theory and practice, but in practice there is. - 
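The RAID 5 scheme drawn in the Aug 01 reply (one data block per member, parity rotating onto the third) and the DMDE approach in the reply above (identify the first disk by its MBR, carve for 55AA, then try member orders, a NUL device for a missing member and the other parameters until something makes sense) can be exercised end to end in a few lines of Python. The script below is an added example, not code from the thread or from any of the tools named in it. It constructs a synthetic 96-sector volume with an MBR, a zeroed gap and LBA-stamped data sectors, stripes it over three member images with 4-sector chunks in the left-asymmetric rotation drawn in the post (the left-symmetric variant is assumed as the other candidate to search), then recovers it blind. The layouts, chunk sizes and the stamp-based consistency check are assumptions of the example; on real images the consistency check would be filesystem structures rather than a stamp.

```python
"""Constructed RAID 5 walk-through (added example, not code from the thread):
build three member images from a synthetic volume whose sector 0 is an MBR,
then recover the volume with member order, chunk size and parity rotation
unknown, including with one member replaced by a missing 'NUL device'."""
import itertools
from functools import reduce

SECTOR = 512
PART_START = 63   # first partition LBA written into the constructed MBR
N_SECTORS = 96    # sectors in the constructed logical volume
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))              # byte-wise XOR
sector_ends_55aa = lambda img, lba: img[lba * SECTOR + 510:lba * SECTOR + 512] == b'\x55\xaa'

def build_volume():
    """Synthetic volume: MBR in sector 0, zeroed gap in sectors 1..62 as on a
    real disk, and every sector from PART_START on stamped with its own LBA."""
    vol = bytearray(N_SECTORS * SECTOR)
    vol[446] = 0x80                                                  # entry 1: bootable
    vol[450:458] = b'\x07\0\0\0' + PART_START.to_bytes(4, 'little')  # type NTFS, start LBA
    vol[510:512] = b'\x55\xaa'                                       # MBR signature
    for s in range(PART_START, N_SECTORS):
        stamp = b'LBA%08d ' % s                                      # 12 bytes, repeated
        vol[s * SECTOR:(s + 1) * SECTOR] = (stamp * (SECTOR // 12)).ljust(SECTOR, b'\0')
    return bytes(vol)

def layout(row, n, kind):
    """Parity member and data members (in logical order) for one stripe row.
    'left-asym' is the scheme drawn in the post: parity walks backwards one member
    per row, data fills the others in member order. 'left-sym' (assumed as the
    other common variant) starts the data on the member right after parity."""
    p = (n - 1) - (row % n)
    if kind == 'left-sym':
        return p, [(p + 1 + k) % n for k in range(n - 1)]
    return p, [d for d in range(n) if d != p]

def build_raid5(volume, n=3, chunk=4 * SECTOR, kind='left-asym'):
    """Cut the volume into chunks and lay them out as RAID 5 member images."""
    chunks = [volume[i:i + chunk] for i in range(0, len(volume), chunk)]
    members = [bytearray() for _ in range(n)]
    for row in range(len(chunks) // (n - 1)):
        p, data = layout(row, n, kind)
        row_chunks = chunks[row * (n - 1):(row + 1) * (n - 1)]
        for d, c in zip(data, row_chunks):
            members[d] += c
        members[p] += reduce(xor, row_chunks)     # parity = XOR of the row's data
    return [bytes(m) for m in members]

def assemble(members, chunk, kind):
    """Rebuild the volume from members in an assumed order. A None entry is a
    missing member (DMDE's NUL device), rebuilt by XOR-ing the others."""
    n = len(members)
    size = next(len(m) for m in members if m is not None)
    out = bytearray()
    for row in range(size // chunk):
        lo, hi = row * chunk, (row + 1) * chunk
        pieces = [None if m is None else m[lo:hi] for m in members]
        missing = [d for d, p in enumerate(pieces) if p is None]
        assert len(missing) <= 1, 'RAID 5 can rebuild at most one missing member'
        if missing:   # parity is a per-sector XOR, so this holds for any chunk size
            pieces[missing[0]] = reduce(xor, [p for p in pieces if p is not None])
        for d in layout(row, n, kind)[1]:
            out += pieces[d]
    return bytes(out)

def carve_55aa(image):
    """Sectors ending in 0x55AA: MBR / boot-sector candidates in a raw image."""
    return [s for s in range(len(image) // SECTOR) if sector_ends_55aa(image, s)]

def volume_is_consistent(vol):
    """MBR in sector 0 plus every data sector carrying its own LBA stamp. On a real
    image the second test would be filesystem metadata (boot sector, MFT records)."""
    return sector_ends_55aa(vol, 0) and all(
        vol[s * SECTOR:s * SECTOR + 12] == b'LBA%08d ' % s
        for s in range(PART_START, len(vol) // SECTOR))

def find_layout(images, chunk_sizes=(SECTOR, 4 * SECTOR, 16 * SECTOR),
                kinds=('left-asym', 'left-sym')):
    """Blind search over member order, chunk size and parity rotation (3! x 3 x 2
    combinations, cheap to exhaust); the first consistent reassembly wins."""
    for order in itertools.permutations(range(len(images))):
        for chunk in chunk_sizes:
            for kind in kinds:
                if volume_is_consistent(assemble([images[i] for i in order], chunk, kind)):
                    return order, chunk, kind
    return None

def run_demo():
    vol = build_volume()
    m = build_raid5(vol)
    return {
        'mbr_at_sector0': [d for d in range(3) if sector_ends_55aa(m[d], 0)],
        'carved': [carve_55aa(img) for img in m],
        'shuffled': find_layout([m[2], m[0], m[1]]),      # member order unknown
        'one_missing': find_layout([m[0], None, m[2]]),   # member 1 lost
    }

if __name__ == '__main__':
    for k, v in run_demo().items():
        print(k, v)
```

Two things the run shows are worth keeping in mind when reading the replies above. First, with a zeroed gap after the MBR, the parity member's sector 0 is the MBR XOR-ed with all-zero data, i.e. a byte-for-byte copy of the MBR, so two of the three raw images legitimately end in 55AA and both appear to "have partitions" although only one of them is the first disk. Second, a 55AA in sector 0 alone never pins down the chunk size or rotation, because sector 0 of the reassembled volume always comes from the first member whatever is assumed; the search only settles once data deeper in the volume (here the stamps, on a real image the filesystem) is checked. Rebuilding a member by XOR works under any assumed chunk size because parity is a per-sector XOR across the row, which is why the NUL-device trick is safe to try early.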
