forensic image capturing to RAID 1 (mirrored) hard disks

Page 1 / 2
adiamond
(@adiamond)
New Member

Hi all.

I am new to the community and am very happy to find you all fellow forensics people.

We use Encase v6/v7 and FTK to perform forensic captures of source HDs. Typically, after a capture is made and verified, we will then make a backup/working copy of the HD.

My question is about RAID 1 mirroring as a way to simultaneously capture 2 (or more) copies of the same forensic image(s).

Using something like the below devices
Mediasonic http://www.amazon.com/Mediasonic-HF2-SU3S2-ProBox-Drive-Enclosure/dp/B003X26VV4/ref=pd_cp_e_3/190-9911345-6478833
Guardian Maximus http://eshop.macsales.com/shop/firewire/usb/raid_1/Gmax

I believe this would work in theory, but I was curious as to whether any of you have had any experience doing something like this.

In theory, once you have verified one copy (the RAID primary drive), you *should* be reasonably confident that you will have a sound secondary copy from the RAID array. However, I anticipate that one would be best off to also remove the secondary disk from the RAID array and verify it separately.

I would love to have anyone's thoughts about this.

Many thanks,

Anthony

Topic starter Posted : 07/08/2012 8:13 am
jhup
(@jhup)
Community Legend

Are you saying you would 'mirror' the evidence drive to a blank drive using RAID?

Where would the RAID information be written for the evidence drive to properly function?

Or, are you saying using these devices as target for the storage of images?

Posted : 07/08/2012 9:14 am
adiamond
(@adiamond)
New Member

Are you saying you would 'mirror' the evidence drive to a blank drive using RAID?

Where would the RAID information be written for the evidence drive to properly function?

Or, are you saying using these devices as target for the storage of images?

Hi, jhup.

I would use the devices as target for the storage of images.

My goal would be to capture the forensic image to the RAID array of 2 drives configured in RAID 1 mirrored mode. The RAID array would appear to the capturing station as 1 drive. In the background, the RAID controller would simultaneously make an exact "mirrored" copy of the data. So, at the end of the imaging process, you would have two exact copies of the captured forensic image.

Thanks!

Topic starter Posted : 07/08/2012 9:23 am
Adam10541
(@adam10541)
Senior Member

Xways forensics (I think) now has the functionality to output an image to two separate hard drives to give you two images of the same source drive.

Might be far simpler to implement this than using RAID arrays to duplicate data that can be done more efficiently in other ways. The cost of Xways is not prohibitive either, so it may even be a cheaper option, and then you end up with another fully fledged forensic suite to add to the tool kit.

Posted : 07/08/2012 9:27 am
adiamond
(@adiamond)
New Member

Xways forensics (I think) now has the functionality to output an image to two separate hard drives to give you two images of the same source drive.

Might be far simpler to implement this than using RAID arrays to duplicate data that can be done more efficiently in other ways. The cost of Xways is not prohibitive either, so it may even be a cheaper option, and then you end up with another fully fledged forensic suite to add to the tool kit.

Hi, Adam10541.

Thank you. Yes, I'm aware that there are plenty of tools that can forensically capture to multiple targets. In fact, we already use the Tableau (sp) TD2 which can do this.

However, I'm just interested to know if the RAID option will work. I have other reasons for wanting to know this. It will fit better into our existing workflow and equipment plan. Plus, these RAID enclosures are rather cheap and can serve other functions (that we are interested in) as well.

I'm taking a look at Xways site as well. I'd not heard of them until now. Thanks much.

Anthony

Topic starter Posted : 07/08/2012 9:32 am
jhup
(@jhup)
Community Legend

How will the drives function as stand-alone drives?

Posted : 08/08/2012 8:32 am
adiamond
(@adiamond)
New Member

How will the drives function as stand-alone drives?

Initially, when capturing to them, they will function as a RAID 1 array, but once they are taken out of the RAID enclosure, they will function as individual drives with identical data.

Topic starter Posted : 08/08/2012 10:12 am
marcyu
(@marcyu)
Active Member

Hardware RAID is much faster and more reliable than software-based RAID. So an eSATA dual bay dock/enclosure with RAID 1 should fit the bill nicely, such as this item:

http://bit.ly/OLUucQ

It's worth the $25.94 if you're willing to take a small gamble on this setup.

Posted : 08/08/2012 7:11 pm
C.R.S.
(@c-r-s)
Active Member

No problem, I'm using DAWICONTROL RAID modules as a multiplier for image deployment to up to five drives per channel:
http://www.dawicontrol.com/index.php?cmd=proddet&id=stomo (unfortunately no English documentation)

For forensic purposes I'd recommend individual verification.

Posted : 09/08/2012 4:27 am
adiamond
(@adiamond)
New Member

Hardware RAID is much faster and more reliable than software-based RAID. So an eSATA dual bay dock/enclosure with RAID 1 should fit the bill nicely, such as this item:

http://bit.ly/OLUucQ

It's worth the $25.94 if you're willing to take a small gamble on this setup.

marcyu,

Many thanks! The one you've posted a link to is rather inexpensive, actually. I was looking at far more expensive options; based on your experience, perhaps I don't have to. I will always be using RAID 1 (mirrored mode) with just 2 drives, and I've read that this kind of RAID'ing does not necessarily place a significant burden on a typical, average RAID controller.

I will post here with my findings upon purchasing and testing one of these things.

Thanks again

Topic starter Posted : 09/08/2012 10:09 am
adiamond
(@adiamond)
New Member

No problem, I'm using DAWICONTROL RAID modules as a multiplier for image deployment to up to five drives per channel:
http://www.dawicontrol.com/index.php?cmd=proddet&id=stomo (unfortunately no English documentation)

For forensic purposes I'd recommend individual verification.

C.R.S.,

Thanks much for the link and for sharing your experience. It's good to know that others have tried doing this. I was reasonably confident it would work, but I thought it wise to look for other people's input prior to spending time and money.

Thanks

Topic starter Posted : 09/08/2012 10:13 am
bmv_mcn
(@bmv_mcn)
New Member

I would use the devices as target for the storage of images.

My goal would be to capture the forensic image to the RAID array of 2 drives configured in RAID 1 mirrored mode. The RAID array would appear to the capturing station as 1 drive. In the background, the RAID controller would simultaneously make an exact "mirrored" copy of the data. So, at the end of the imaging process, you would have two exact copies of the captured forensic image.

Please correct me if I'm wrong, but I think that this is possible; however, it is not ideal. Granted, it will be faster to make copies of the image taken from the source drive, but you will run into a few problems.

1) You will only see one copy of the image as it will be mirrored. So in order to verify the second image on the RAID, the hard drive will need to be removed and this can cause you problems. This is because the destination does not show the hard drives independently. You should always be verifying each image and not "assume" that because it verified on one disk, it will on the next, even if they are in RAID1 configuration.

2) Granted hard drives are getting larger as time goes by, but surely we now have ports like USB 3.0/ Thunderbolt and even SATA 6 that provide pretty fast transfer speeds, so I don't know why you wouldn't take the time to just copy the image across to another target drive and verify that once again. Surely it can't take that long to do this task, assuming you are working on a relatively fast system.

Posted : 09/08/2012 5:04 pm
adiamond
(@adiamond)
New Member

I would use the devices as target for the storage of images.

<snip>

Please correct me if I'm wrong, but I think that this is possible; however, it is not ideal. Granted, it will be faster to make copies of the image taken from the source drive, but you will run into a few problems.

1) You will only see one copy of the image as it will be mirrored. So in order to verify the second image on the RAID, the hard drive will need to be removed and this can cause you problems. This is because the destination does not show the hard drives independently. You should always be verifying each image and not "assume" that because it verified on one disk, it will on the next, even if they are in RAID1 configuration.

2) Granted hard drives are getting larger as time goes by, but surely we now have ports like USB 3.0/ Thunderbolt and even SATA 6 that provide pretty fast transfer speeds, so I don't know why you wouldn't take the time to just copy the image across to another target drive and verify that once again. Surely it can't take that long to do this task, assuming you are working on a relatively fast system.

In reply to your 1) -
Yes, I agree with everything you say here, and it actually is my exact plan to verify the second drive independently by taking it out of the enclosure. I was not planning to assume that it would be OK. What I meant to communicate is that upon successfully verifying the primary RAID 1 image, one should, under normal circumstances, be reasonably confident that he/she will have an exact copy of that image on the second drive, but that it will need to be verified independently, of course.

In reply to your 2) -
I understand. The reason I'm interested in this is because my company is doing this work for profit, and my goal is to improve upon the business process. If a technology or business workflow is faster or more efficient, that can translate into $$. So, yes, drives and data buses are getting faster every year, but making a copy of the image and then verifying will never be faster than essentially capturing two copies of the image at the same time, and then just verifying them independently. If you're looking at the business model on a very large scale, saving 1 or 2 or 3 or more hours per average forensic capture is a BIG deal.

Thanks so much for your reply. I've ordered the RAID device and I will update with my findings.

Topic starter Posted : 10/08/2012 8:00 am
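The independent verification that bmv_mcn and adiamond agree on, as an added example that is not from the thread: hash each disk of the split mirror on its own against the acquisition hash and, if either fails, report the first byte offset where the two copies diverge so the faulty disk can be isolated. The "disks" here are constructed in-memory byte strings; real use would open the raw device or the image file in binary mode.

```python
import hashlib
import io
from typing import BinaryIO, Optional

BLOCK = 4096  # read granularity, a whole number of sectors


def hash_stream(stream: BinaryIO, block: int = BLOCK) -> str:
    """Stream a copy through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(block), b""):
        h.update(chunk)
    return h.hexdigest()


def first_divergence(a: BinaryIO, b: BinaryIO, block: int = BLOCK) -> Optional[int]:
    """Byte offset where the two copies first differ, or None if identical."""
    offset = 0
    while True:
        ca, cb = a.read(block), b.read(block)
        if ca != cb:
            n = min(len(ca), len(cb))
            for i in range(n):          # pinpoint the byte inside the block
                if ca[i] != cb[i]:
                    return offset + i
            return offset + n           # one copy is shorter than the other
        if not ca:
            return None
        offset += len(ca)


def verify_mirror(acq_hash: str, primary: BinaryIO, secondary: BinaryIO) -> dict:
    """Each half is hashed separately: a good primary proves nothing about the
    secondary until that disk has been read end to end."""
    result = {
        "primary_ok": hash_stream(primary) == acq_hash.lower(),
        "secondary_ok": hash_stream(secondary) == acq_hash.lower(),
        "divergence": None,
    }
    if not (result["primary_ok"] and result["secondary_ok"]):
        primary.seek(0)
        secondary.seek(0)
        result["divergence"] = first_divergence(primary, secondary)
    return result


def demo() -> dict:
    """Constructed sample: a 10 KiB 'image', a clean mirror and one with a flipped byte."""
    image = bytes(range(256)) * 40
    acq_hash = hashlib.sha256(image).hexdigest()   # hash recorded at acquisition
    damaged = bytearray(image)
    damaged[5000] ^= 0xFF                           # simulate one bad byte on disk 2
    return {
        "clean": verify_mirror(acq_hash, io.BytesIO(image), io.BytesIO(image)),
        "damaged": verify_mirror(acq_hash, io.BytesIO(image), io.BytesIO(bytes(damaged))),
    }
```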
RarelyVisits
(@rarelyvisits)
New Member

Apologies if I have missed the point here but a software solution may be simpler and a bit more automated.

You could always use FTK Imager (free from AccessData). It can be set to image once but copy to multiple locations simultaneously (and even in different formats if you wish - E01, dd, SMART, AFF). This could be one locally to work on, one to a backup folder and even one to a file server / NAS for image storage / archiving. The software then verifies each copy independently and stores a verification text file with each image. It also displays a summary window on the screen after each verification so you don't have to go looking at / for each of the verification text files.

By its very nature this must be slower than reading once and just writing one copy but this avoids the need to break apart a mirrored drive pair and place each drive into another machine for independent verification.

Additionally you can set different E01 metadata for each image so you could actually "brand" a copy as a backup or even mark each copy with a different "reference number" in the notes. That may be useful if you routinely supply copies to others and want to know who a copy came from if it was ever distributed without consent.

Posted : 04/09/2012 11:35 pm