Join Us!

Notifications
Clear all

Rebuilding RAID  

  RSS
capsize83
(@capsize83)
New Member

Hi all,

Does anyone have any advice in re-building the RAID of a server, with the catch is that even the client does not have the slightest clue on what is the original RAID configuration? The only info we know is that the OS is Windows 2003. Apparently, the RAID configuration was deleted by some disgruntled IT admin and we have to "recover" any usable data from it.

An acquisition of the server (with 4 SAS drives) was performed using LinEn which results in 2 image files (for /dev/sda &/dev/sdb). I have tried adding both images in Encase V6 and edit the disk configuration but it is not efficient.

Any advise would be appreciate.

Thanks.
Ben

Quote
Posted : 28/06/2013 2:21 pm
hc4n6
(@hc4n6)
New Member

I don't have extensive experience with RAIDs, but I you could try the following

- First of all pray for it to be RAID 0 or 1.
- If you can see a file system, it probably is.
- You want to look for files (xml or the like) that might contain information about how were the drives connected (to the motherboard) and how were they configured.
- To do so you could try to search for the serial numbers and model numbers of the original drives.

ReplyQuote
Posted : 28/06/2013 4:09 pm
jaclaz
(@jaclaz)
Community Legend

Hi all,

Does anyone have any advice in re-building the RAID of a server, with the catch is that even the client does not have the slightest clue on what is the original RAID configuration? The only info we know is that the OS is Windows 2003. Apparently, the RAID configuration was deleted by some disgruntled IT admin and we have to "recover" any usable data from it.

An acquisition of the server (with 4 SAS drives) was performed using LinEn which results in 2 image files (for /dev/sda &/dev/sdb). I have tried adding both images in Encase V6 and edit the disk configuration but it is not efficient.

Any advise would be appreciate.

Thanks.
Ben

I am not sure to understand.
It is a hardware RAID controller, isn't it?
The machine has 4 disks.
The acquisition created 2 images corresponding to 2 devices.
This should mean that two devices are "exposed".

This cannot logically be any of
Raid 0 (striping without parity)
Raid 1 (mirroring)
Raid 5 (striping with parity)
as all of them would "expose" only 1 device (or 4).
The only setup that may (when "settings are changed") expose 2 devices could be possibly be a Raid 10 (i.e. Raid 1+0), but it is not common.

Which specific hardware controller is it?
What are it's current settings?
How exactly did you make the images?

(I would normally be expecting four images out of four disks or a single image for a "working" Raid).

What I personally would do would be to create 4 "forensic sound" clones, then use something like
http//www.freeraidrecovery.com/
to see what it finds.
There is a tool by runtime
http//www.runtime.org/raid.htm
that you can try using (as a demo) to see if it can find/rebuild the array before acquiring a license, Winhex should also be able to access/rebuild a Raid, and you can always find the parameters manually, with a bit of work
http//pyflag.sourceforge.net/Documentation/articles/raid/reconstruction.html

jaclaz

ReplyQuote
Posted : 28/06/2013 4:30 pm
ThePM
(@thepm)
Active Member

Mount Image Pro also has the ability to find and recover a RAID configuration from disks or images.

As Jaclaz also mentioned, RAID Reconstructor from runtime.org also does a very decent job.

Good luck!

ReplyQuote
Posted : 28/06/2013 6:54 pm
Share: