I have a question, i recently took hold of 2 drives in a Raid Stripe and used EnCase to rebuild the raid. Now that the Stripe icon shows up in my entries i see the folder structure of what was on the main volume but majority of the files i cannot view and is unreadable. Is this because my begin sectors are off and Encase doesnt have all the information to rebuild the files or is it that the drives are somewhat the problem. I would appreciate any guidance or advice. Thank you!
My first stop would be to go to the EnCase User Forums and perhaps take a look at some docs I could find there…
You might want to check if you have correctly configured the raid within encase. You might be seeing file and folder entries as the MFT is being seen but their offsets might not be matching up properly
If you go on the guidance forums there is a script for encase 6 that will pass over the drives and tell you all the possible working combinations of a RAID for the two drives
Hope this helped
Steve
We recently had an issue with a Raid 5 that had a drive out of order. The server had been off for 5 years and we had no information available to us. Encase correctly saw the size of the raid, but no data. The Encase V6 script did not work well for us in this case, but Raid Reconstructor did. We imported the raw image files into RR and it gave us several suggestions for the raid settings (order, stripe size, etc.). RR's first suggested setting worked using the manual disk configurator in Encase.
The freeware version of RR will allow you to perform the above function.
Cory
There is an EnScript that tries to detrmine the raid configuartion.
Especially with hardware raids, there is no configuartion block.
You just have to keep trying. The fact that the files show up means that you are clos. Maybe it's the stripe size or the ordering. (left / right and the drive order) It takes some work but it can be done, as cmock said.
Just ask thier tech support for the script.