±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35741
New Yesterday: 3 Visitors: 123

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

RAID 5

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2, 3 
  

PensiveHike
Newbie
 

Re: RAID 5

Post Posted: Apr 13, 19 12:55

When I've had disks with no information of order etc., after imaging them, I've used this software to determine disk order and block size.

I'd then rebuild the RAID using X-Ways or Encase. To determine Stripe size you need to find a picture of 2MB or so and see if it displays correctly. If not, change the stripe size and check again.  
 
  

athulin
Senior Member
 

Re: RAID 5

Post Posted: Apr 13, 19 15:40

- jaclaz
Sure, everything is possible, but most of the time the disks are on trays with the top one being #1 and in order, they are assembled in factory like that.


Forensic collection and analysis should be done regardless of if a system has been built to some preconceived standard or not. It should be done for the system at hand. Saying that it's probably standard, so we skip point 18, 19 and 20 in our SOPs for imaging raid without even verifying that we can, is ... well, like basing expert evidence in a murder case based on presumptive blood testing, but skipping confirmatory testing. (That is, you have not ensured that the risk for false positives are at an acceptable level. Yes, there are such cases out there.)

I've seen a factory delivered system get raid installation totally 'wrong'. That caused a big headache, as we were responsible for it being right ... and we assumed the factory would get it right. But when they didn't -- and they didn't even install the switch-over power supply and protection that we had ordered -- (again, we assumed we got a correct delivery) and bad things happened to the power, and indirectly took down a disk or two ... we were in the hot seat.

Forensic analysis should not begin with the assumption that everything is according to the book. The job is to get it done, no matter how non-sane or nondefault the setup is, and to do it in a way that is forensically sound. If it's not done correctly, there is damage done to the case by the investigation itself. That damage has to be documented. Basically, you have to say 'we skipped a few steps in best practice acquiry, because we really couldn't be bothered' in the report.

That's not acceptable, in my opinion. It may be acceptable in DFIR case. I no longer think of DFIR as any kind of 'forensic analysis'.

This said, we are talking of a RAID 5 made with 4 disks, it is not brain surgery or rocket science, you can blindy try all the remaining possible 23 combinations for drive order if "plain" 1-2-3-4 is doesn't work:


Provided that ... well, you should be able to fill in the blanks. You have to ensure two, perhaps three things, before you 'blindly try' anything at all in this situation with any hope of being able to interpret the results.

Or ... you document that 'we just blindly tried everything, until it worked, and continued from there'.  
 
  

jaclaz
Senior Member
 

Re: RAID 5

Post Posted: Apr 15, 19 08:08

- athulin

I've seen a factory delivered system get raid installation totally 'wrong'. That caused a big headache, as we were responsible for it being right ... and we assumed the factory would get it right. But when they didn't -- and they didn't even install the switch-over power supply and protection that we had ordered -- (again, we assumed we got a correct delivery) and bad things happened to the power, and indirectly took down a disk or two ... we were in the hot seat.

Yes, anecdotally they once delivered a server to a data center that was cabled in factory for 110 V AC instead of 220/240, the switching power supply took fire, the fire alarm was down for maintenance, the fire blew off a window left open and went out setting of fire the tarpaulin of a passing by truck, which set on fire all the trees along the road for 1 km, and of course it extended to the bush and woods nearby ...

Come on Smile , we are talking of a set of 4 (read only) images, everything becomes "virtual" once the images are acquired, you can juggle them every which way you can without making any damage until you find the right settings to mount them as the RAID 5 array they once were.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

JaredDM
Senior Member
 

Re: RAID 5

Post Posted: Apr 15, 19 15:44

- mcman
Personally, I hate rebuilding RAIDs


You can always outsource this part to a data recovery pro to handle remotely. I love rebuilding RAIDs, it's one of my favorite tasks in data recovery. But, maybe I just enjoy the challenge.
_________________
Lead Data Recovery Tech at Data Medics® - www.data-medics.com 
 
  

athulin
Senior Member
 

Re: RAID 5

Post Posted: Apr 15, 19 15:47

- jaclaz
Come on Smile , we are talking of a set of 4 (read only) images, everything becomes "virtual" once the images are acquired, you can juggle them every which way you can without making any damage until you find the right settings to mount them as the RAID 5 array they once were.


No, we're talking of HDDs (or images), without any information about the RAID controller and configuration, and where assumptions about what port they were connected to are incorrect. (That's what my previous example ended up in: we had a huge problem matching disks because were assumed that the ports were sequential, and in an 'obvious' order. But the RAID insisted on 'right-disk-on-right port' and refused to work if it didn't. Consider the problems that would lead to if you or a forensich tech had to restore the RAID to working condition if you assume that you know what you're doing.)

We're talking HDDs that aren't verified to belong to the same setup. (Unless you're have the same soft RAID implementation, that performs this check, and screams if it fails. If so, exit here. Congratulations: you're doing the right thing.) Shouldn't happen, yet it does. Any half-decent forensic analyst should be able to detect the fact, and stop racking up analysis hours for something that probably is going to be useless. ]

We're talking 'blind' rebuild of HDD's that may have not been verified to be one RAID.

We're talking about a RAID whose health is unknown: is it 'OK', that is, is it known that there are no internal inconsistencies. Or is it a RAID, when HDDs are connected to its 'home controller' (hard or soft), screams 'RED: state inconsistent'. If you don't check it ... you are obliged to document that you didn't check.

And we're very probably also talking rebuild without validation of behaviour with foreign disks. What does the tool do with an assumed 5-disk RAID, where disk 5 doesn't belong at all? And how does that affect work? (In particular, does anything from the foreign disk risk ending up in the result? )

It's not a question of muddling through, thinking that 'oh, well, it works in 95% of the cases'. It's a matter of being able to identify if the setup at hand is one of those 95% cases, where your testimony cannot be shown to be correct due to all unsubstantiated assumptions you've been working from.

Remember, everything should be possible to repeat.

RAID is a chapter of its own.

o+o/  
 
  

jaclaz
Senior Member
 

Re: RAID 5

Post Posted: Apr 15, 19 19:49

- athulin

No, we're talking of HDDs (or images), without any information about the RAID controller and configuration, and where assumptions about what port they were connected to are incorrect.


Well, then we are talking of different things.

I was talking of hard disk images ONLY and how to virtually rebuild an array out of them.

Numbering the physical disk drives from #0 or #1 from top to bottom and numbering the images in the same way helps (and no it is not the ONLY solution for EVERY issue that can be imagined when working with RAID disks and their images , but it helps).

Please re-read what I actually originally wrote:
- jaclaz

The more info you get about the current configuration of the array, the easier will be to re-build it, there are usually no particular problems in "guessing" (actually discovering) the parameters, but directly providing the correct settings is obviously easier/faster.
As well, marking/numbering the disks i.e. disk 1, 2, 3, 4 as they are physically in the current server/case - say - from top to bottom will help.

before you started with the "If no information ...", and now we are into "HDDs that aren't verified to belong to the same setup" ...

And still you can make ANY kind of experiment with (mounted read only) images, without any "damage" to the case, basically when (IF) you will have them mounted in the right order and with the right parameters you will be able to read the contents, otherwise you won't, so you could even use a brute force (or infinite monkeys) approach.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 

Page 3 of 3
Page Previous  1, 2, 3