Duplicating a forensic image by splitting a RAID1

(@kovar)
Posts: 805
Prominent Member
Topic starter

Link to the blog post

http://integriography.wordpress.com/2010/01/31/duplicating-forensic-images-by-splitting-a-raid0/

Actual post

It is considered very good practice to make two copies of any image collected, particularly in the field. On one very long collection trip we did this by collecting to one set of drives during the day and running Robocopy over night to duplicate the image set. FTK allows writing to two destinations, and the various versions of dd have always allowed this via one means or another. But these all require either time or precious IO bandwidth.

So, I thought, is there any way to create two images in real time without pushing the data down the pipe twice? Isn’t that what RAID 1 is supposed to provide? But, are two drives in a hardware RAID 1 *really* identical? Turns out, that at least in my test case, they are.

I bought a vAGE220-SAU two drive, USB 2.0/eSATA, RAID0/1 external enclosure. ($275 @ Amazon.) It’s fairly well constructed, compact, and easy to use. The instructions were clearly translated but were sufficient unto the task. Once I flipped the dip switches correctly and waited a few hours for it to do the initial mirroring, I was good to go.

I hooked my source drive up to one port on my field laptop’s eSATA card and the RAID enclosure up to the other one. Fired off FTK (but dd, or EnCase, or whatever would have done just as well.) Imaged the drive and it ran at near expected speeds. The process finished and the image was verified.

Now the test. I pulled both drives and hashed them via a writeblocker. The hashes matched. I had two identical, forensically sound, images of my source drive. This required less time than imaging to two destinations using the hardware available on my field laptop, and a lot less time than running a copy overnight.

I need to try this a few more times and do some more performance measurements, but I’m pretty happy with the outcome. I wish there was a drop in drive dock with RAID1 capability. That would eliminate the need to open the enclosure up when changing disks.

Posted : 31/01/2010 7:16 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member

I think the VoomIIIs allow you to take one drive and image to two destinations simultaneously.

Posted : 31/01/2010 7:27 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member

Well, last time I checked, it was RAID 1 that is by definition a same set of data "mirrored" on two drives.

Possibly a mix-up between 0 and 1 when posting, since the enclosure allowed for both 0 and 1 type of setting?

AFAIK there are tens of external Raid 1 capable enclosures which can be fitted with HD trays, examples
http://www.bjorn3d.com/read.php?cID=1020
http://www.usb-ware.com/esata-usb-raid-2-drive-ezraid3.htm

jaclaz

Posted : 31/01/2010 7:28 pm
(@kovar)
Posts: 805
Prominent Member
Topic starter

Greetings,

Whups, yes, RAID1. That's what I get for writing on little sleep while sitting at ORD.

Vooms allow you to do this, so does the Dossier, and probably other solutions. At the time, I was looking for a way to create two images simultaneously using my existing field kit which contained a laptop but not a hardware imager. I'm maxed out on space in the kit…

-David

Posted : 31/01/2010 7:31 pm
(@seanmcl)
Posts: 700
Honorable Member

I think the VoomIIIs allow you to take one drive and image to two destinations simultaneously.

So does the ImageMASSter Solo III and IV.

Posted : 31/01/2010 7:55 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member

Also, something like this may be useful
http://www.addonics.com/products/host_controller/ad2sahpmeu.asp

as you can use "normal" single e-sata drives.

More
http://www.addonics.com/products/host_controller/default.asp

jaclaz

Posted : 31/01/2010 8:13 pm
CFP001
(@cfp001)
Posts: 36
Eminent Member

It's a matter of sitting down and testing this out, and that's what you did, which saved me time, thanks David. I know what you mean by "maxed out" on the kit. I used the inventory you posted to help build mine, and it is getting very heavy and full.

So what you're saying is that if you "wipe" the two destination drives, set them to RAID1 and make them the destination drives you end up with two identical (actually now you have three right?) drives.

Do they mirror at the same time? Is anyone else using a similar set-up?

Also, thanks for the addonics link Jaclaz.

Posted : 31/01/2010 8:21 pm
(@kovar)
Posts: 805
Prominent Member
Topic starter

Greetings,

I set two drives into a RAID1 configuration, wiped the RAID1, wrote an image to the RAID1, unmounted the RAID, and then took the disks out. I then had the original disk plus two disks containing identical copies of the image of the source.

The external RAID enclosure mirrors on the fly so as soon as the image is done you can shut it down and split it.

-David

Posted : 01/02/2010 12:31 am
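As an added example (not code from the thread or from any poster), a small POSIX shell check for the verification step David describes: after the mirror is split, hash the source and each member through a write blocker and confirm all three agree. It compares only the first <size of source> bytes, since mirror members are often larger than the source drive and a whole-disk hash would then differ for reasons unrelated to the copy; all paths below are constructed demo files, and the function names are my own.

```shell
#!/bin/sh
# Added example: confirm two members pulled out of a RAID1 enclosure carry
# byte-identical copies of the source, over the source's length only.
# Demo paths are constructed files; on a real kit the arguments would be
# block devices attached behind a write blocker.

hash_prefix() {
    # $1 = device or file, $2 = number of leading bytes to hash
    head -c "$2" "$1" | sha256sum | cut -d ' ' -f 1
}

verify_split_mirror() {
    # $1 = source, $2 = member A, $3 = member B
    # Succeeds only if both members match the source over the source's size.
    _size=$(wc -c < "$1" | tr -d ' ')   # block device: blockdev --getsize64 "$1"
    _src=$(hash_prefix "$1" "$_size")
    [ "$(hash_prefix "$2" "$_size")" = "$_src" ] || return 1
    [ "$(hash_prefix "$3" "$_size")" = "$_src" ] || return 1
    return 0
}

demo() {
    # Constructed stand-ins: a deterministic source, two members holding the
    # same bytes plus trailing padding (larger "disks"), and one member with
    # a single altered byte at offset 100.
    d=$(mktemp -d)
    seq 1 20000 > "$d/source"
    { cat "$d/source"; head -c 4096 /dev/zero; } > "$d/memberA"
    cp "$d/memberA" "$d/memberB"
    cp "$d/memberA" "$d/memberBad"
    printf 'X' | dd of="$d/memberBad" bs=1 seek=100 conv=notrunc 2>/dev/null
    # Good split: both members verify despite being longer than the source.
    verify_split_mirror "$d/source" "$d/memberA" "$d/memberB" || { rm -rf "$d"; return 1; }
    # One changed byte in a member must be caught.
    if verify_split_mirror "$d/source" "$d/memberA" "$d/memberBad"; then
        rm -rf "$d"; return 1
    fi
    rm -rf "$d"
    return 0
}
```

Running `demo` exercises both the matching and the tampered case; on real hardware, substitute the three device paths and the `blockdev` size query noted in the comment.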