Hi,
Could I create a forensic image (E01) on a Windows 10 system on a server configured with RAID 0, composed of three physical hard drives with a capacity of 1TB each, resulting in a logical unit (volume) with a total capacity of approximately 3TB?
Regards,
John
hello, you must create image from physical device "MD" or other raid name, it is important because all data is striped on the harddrives.
There are a few considerations, depending on the circumstances. You can either take out each of the disks, image them individually and then reconstruct them in software like Encase, X-Ways or another and take a new image of the reconstructed volume it presents you with.
The other way is to boot the server with a forensic boot medium like CAINE or similar, and then image the volume that the server has presented to you. This is assuming that the RAID is a hardware one, that's built in the server's own firmware. Obviously this means having physical access to the server, and being able to take if offline for the duration of the imaging process.