How to create a forensic image, for example E01, from a RAID0 array of three disks

(@john-stockton)

Hi,

Could I create a forensic image (E01) on a Windows 10 system on a server configured with RAID 0, composed of three physical hard drives with a capacity of 1TB each, resulting in a logical unit (volume) with a total capacity of approximately 3TB?

Regards,

John


   
(@mastered)

Hello, you must create the image from the physical device "MD" or other RAID name. It is important because all data is striped across the hard drives.


   
(@benuk)

There are a few considerations, depending on the circumstances. You can either take out each of the disks, image them individually and then reconstruct them in software like EnCase, X-Ways or another, and take a new image of the reconstructed volume it presents you with.

The other way is to boot the server with a forensic boot medium like CAINE or similar, and then image the volume that the server has presented to you. This is assuming that the RAID is a hardware one that's built into the server's own firmware. Obviously this means having physical access to the server, and being able to take it offline for the duration of the imaging process.


   
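The software reconstruction mentioned in the last reply (image each disk, then rebuild the volume) comes down to interleaving fixed-size chunks from the member images in array order. The sketch below is an added example, not part of the thread or of any tool named in it; it assumes raw (dd-style) member images, a known stripe size and disk order, and no controller metadata area on the members, and all names and sample data in it are constructed.

```python
import hashlib
import io

# Constructed sample: a 12,003-byte stand-in for the logical volume.
SAMPLE_VOLUME = b"".join(i.to_bytes(4, "big") for i in range(3000)) + b"EOF"

def stripe(volume, n_disks, chunk):
    """Constructed helper: lay a volume out across RAID 0 members."""
    members = [bytearray() for _ in range(n_disks)]
    for off in range(0, len(volume), chunk):
        members[(off // chunk) % n_disks] += volume[off:off + chunk]
    return [bytes(m) for m in members]

def destripe(members, chunk, out):
    """Rebuild the volume from member images (file objects, in array order).

    Writes the logical volume to `out` and returns its SHA-256 hex digest.
    Raises ValueError if a member ends early while later ones still hold
    data, which indicates a truncated image or wrong geometry.
    """
    digest = hashlib.sha256()
    ended = False
    while not ended:
        for idx, member in enumerate(members):
            block = member.read(chunk)
            if ended and block:
                raise ValueError(f"data in member {idx} after stripe set ended")
            if len(block) < chunk:
                ended = True
            out.write(block)
            digest.update(block)
    return digest.hexdigest()

if __name__ == "__main__":
    chunk = 512  # assumed stripe size; the real value comes from the controller
    disks = stripe(SAMPLE_VOLUME, 3, chunk)
    rebuilt = io.BytesIO()
    sha = destripe([io.BytesIO(d) for d in disks], chunk, rebuilt)
    print("match:", sha == hashlib.sha256(SAMPLE_VOLUME).hexdigest())
    # A single member image holds only every third chunk of the volume.
    print("disk 0 alone:", len(disks[0]), "of", len(SAMPLE_VOLUME), "bytes")
```

A wrong disk order or stripe size usually still produces output of the right length, so the rebuilt volume should be checked for a parseable partition table or file system before it is hashed and converted to the final image format.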