Join Us!

hOW TO MAKE RAID IM...
 
Notifications
Clear all

hOW TO MAKE RAID IMAGE  

Page 1 / 2
  RSS
Aleks
(@aleks)
New Member

Can some body to help me step by step how to make forensic image of server RAID ,for both combination system and hardware raid.

Quote
Posted : 24/03/2016 6:16 am
Igor_Michailov
(@igor_michailov)
Senior Member

I have used Linen with Network Crossover.

ReplyQuote
Posted : 24/03/2016 11:45 am
mobileforensicswales
(@mobileforensicswales)
Active Member

There are a great number of methods that depend on your resources, how much time you have been allocated to the task, whether or not you can turn the server off?

Can you explain further or is this another homework exercise with the backwards caps not even being addresses in the title 😯

ReplyQuote
Posted : 24/03/2016 1:14 pm
Rapid015
(@rapid015)
New Member

The easiest way to get a viable image of data on a RAID is to boot it in as it stands and do a live acquisition.

There are tools out there to rebuild the RAID if you have taken individual disk images however I have not had success with these.

ReplyQuote
Posted : 29/03/2016 1:55 am
jaclaz
(@jaclaz)
Community Legend

The easiest way to get a viable image of data on a RAID is to boot it in as it stands and do a live acquisition.

But hardly the "best" option.

There are tools out there to rebuild the RAID if you have taken individual disk images however I have not had success with these.

Well, they are tools, and there are a lot of factors in the equation, usually a RAID can be rebuilt fine from single images.

@Aleks
http//pyflag.sourceforge.net/Documentation/articles/raid/reconstruction.html

jaclaz

ReplyQuote
Posted : 29/03/2016 3:11 pm
Igor_Michailov
(@igor_michailov)
Senior Member

R-Studio (for rebuild) and X-Ways (for hard drives analysis) can do it well.

ReplyQuote
Posted : 29/03/2016 4:40 pm
kacos
(@kacos)
Member

Don't you think the size of the RAID is a major factor affecting how you'll handle it? If you have a say 80Tb Raid you wouldn't image each disk and rebuild it, would you?

ReplyQuote
Posted : 29/03/2016 5:44 pm
jaclaz
(@jaclaz)
Community Legend

Don't you think the size of the RAID is a major factor affecting how you'll handle it? If you have a say 80Tb Raid you wouldn't image each disk and rebuild it, would you?

Well, let's first have an 80 Tb sized Raid, and later we will talk of the possible issues arising from its examination.

I would guess that thingies like this
http//www.buffalotech.com/products/desktop-hard-drives/drivestation/drivestation-ultra-10-drive
which sell for a mere US$ 9,999.99 😯 are not that much common ? .

However there are solutions based on NOT "consolidating" it (which I believe is what you actually mean by re-building) but rather "virtually" recreating it.
As an example, DMDE
http//dmde.com/
as well as the approach in the previously given link can rebuild a (virtual) RAID filesystem "assembling" separate images or disks.

jaclaz

ReplyQuote
Posted : 29/03/2016 6:29 pm
wookieshaver
(@wookieshaver)
Junior Member

I have used both Paladin and Paladin Edge to image a raid server. (Booting to the Paladin environment from either a usb external DVD drive or usb flash media depending upon responsiveness of the server)

Once booted to Paladin, open the paladin toolbox and click on disk manager, you should be able to see the raid volumes to image.

More information here https://www.sumuri.com/products/paladin/

ReplyQuote
Posted : 29/03/2016 7:48 pm
kacos
(@kacos)
Member

I would guess that thingies like this
http//www.buffalotech.com/products/desktop-hard-drives/drivestation/drivestation-ultra-10-drive
which sell for a mere US$ 9,999.99 😯 are not that much common ? .

Considering I have a 16Tb one for home use, I would expect larger ones to be quite common for enterprise use. And with 8Tb & 10Tb drives, a 80Tb solution is within SMB limits.

ReplyQuote
Posted : 29/03/2016 9:09 pm
jaclaz
(@jaclaz)
Community Legend

Considering I have a 16Tb one for home use, I would expect larger ones to be quite common for enterprise use. And with 8Tb & 10Tb drives, a 80Tb solution is within SMB limits.

Ok ) , let's take your existing 16 Tb RAID (which I presume to be a Raid 0 out of 4x4 Tb disks or a 1+0 out of 4x8 Tb one).
How would you propose to image it?
Where/how would you store the image(s)?

jaclaz

ReplyQuote
Posted : 29/03/2016 9:23 pm
kacos
(@kacos)
Member

Ok ) , let's take your existing 16 Tb RAID (which I presume to be a Raid 0 out of 4x4 Tb disks or a 1+0 out of 4x8 Tb one).
How would you propose to image it?
Where/how would you store the image(s)?

Actually it's Raid 5 (usable ~11Tb) 😉
This is exactly why I mentioned it. I think there should be a cost/benefit analysis of the potential evidence, and if it justifies the cost/time needed to image/recreate the entire thing, or document every step and do a live examination.

ReplyQuote
Posted : 29/03/2016 9:29 pm
jaclaz
(@jaclaz)
Community Legend

Actually it's Raid 5 (usable ~11Tb) 😉

How is it configured?
How many disks?
Which size each?

This is exactly why I mentioned it. I think there should be a cost/benefit analysis of the potential evidence, and if it justifies the cost/time needed to image/recreate the entire thing, or document every step and do a live examination.

Well, then it is Off Topic if someone asks "hOW TO MAKE RAID IMAGE".
Let us assume that the OP has the *need* to make an image (which is what was actually asked), and NOT a live examination, how to proceed, then?

jaclaz

ReplyQuote
Posted : 30/03/2016 1:10 am
kacos
(@kacos)
Member

How is it configured? How many disks? Which size each?

Qnap 4x4Tb Raid5

Well, then it is Off Topic if someone asks "hOW TO MAKE RAID IMAGE".
jaclaz

Since the initial question was not specific "..how to make forensic image of server RAID ,for both combination system and hardware raid..", I don't see how one can answer without considering the size/type of the said RAID. You could write a book and still not cover all the possibilities. So if I was asked I would answer it depends.

Anyway, here are a few articles to get started on RAID/NAS

NAS Forensics Explained by belkasoft
The Impact of RAID on Disk Imaging by NIST
RAID Reassembly - A forensic Challenge

ReplyQuote
Posted : 30/03/2016 2:02 am
jaclaz
(@jaclaz)
Community Legend

How is it configured? How many disks? Which size each?

Qnap 4x4Tb Raid5

Good ) (which in this case means IMHO "bad") 😯 .
As a side-side note, and JFYI there are some theories about RAID 5 being not-so-ideal with such large disk drives, of course it depends on the type/quality of the actual single disks inside the thingy, but just in case
http//www.raid-failure.com/Default.aspx

Anyway, here are a few articles to get started on RAID/NAS

NAS Forensics Explained by belkasoft
The Impact of RAID on Disk Imaging by NIST
RAID Reassembly - A forensic Challenge

Last one being strangely similar to the one I posted initially. wink

jaclaz

ReplyQuote
Posted : 30/03/2016 2:08 pm
Page 1 / 2
Share: