image a raid0 (fake raid0 with ntfs)

7 Posts
4 Users
0 Reactions
525 Views
(@wechselberger)
Active Member
Joined: 18 years ago
Posts: 11
Topic starter  

How can I image a Windows RAID0 (fake RAID) with NTFS format? I will not image the hard drives separately.

Can I image to a *.E01 (EWF file)? Does Guymager work?
I use the following forensic distros: Caine 1.5 and/or Deftx5.

thanks

k.w.


   
Quote
(@robinsage)
Eminent Member
Joined: 17 years ago
Posts: 28
 

Hi K.W.,

It's been a while since I had one of these, so you need to check my command line syntax, but here are 2 ideas.

1. You can use the dmraid package (Ubuntu for certain, maybe others).
As usual, "dmraid -h" for help and "man dmraid" for further info. Here is a link to the manpages: http://www.linuxmanpages.com/man8/dmraid.8.php

Use "dmraid -ay" to activate your ntfs raid 0

If it recognizes your chipset, "dmraid -r" should show something similar to:
/dev/sda: raid_disk_id, stripe, ok, XXX sectors
/dev/sdb: raid_disk_id, stripe, ok, XXX sectors

Show the active device sets in the array with "dmraid -sa":
>>
Active
name    : raid_disk_id
size    : XXX bytes
stride  : 32
type    : stripe
status  : ok <-- good!!
subsets : 0
devs    : 2
spares  : 0

Make a directory for the volume like "mkdir /mnt/myraid0",
then mount as read only:
"mount -t ntfs -o ro /dev/mapper/raid_disk_id /mnt/myraid0"
and I think you can dd from here.

2. Alternatively, if you have some time to kill…

RAID 0 data is written sequentially in blocks striped (interleaved) across the drives in the set (array). If your OS does not recognize the array, you could image the first drive using dd, then the second drive, etc.
If you know or work out the interleave block size, you could read alternating blocks of data from each drive and reconstruct one larger image equivalent to the original combined RAID set. Python has its uses…

I have done this once during a practical for a data recovery course, but not with a paying customer's RAID in "real life".

The links I researched for the practical are Simón Anibal Ruiz Rolfs' blog at http://indianalinux.blogspot.com/2008/05/howto-reconstruct-failed-raid-0-arrays.html
and his follow-up http://indianalinux.blogspot.com/2008/05/howto-work-with-disk-images.html

and a big thanks goes to Steve Kamerman's blog for the updated Python script:
http://www.teratechnologies.net/stevekamerman/index.php?entry=entry090528-010324

my 2p

Ali


   
ReplyQuote
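The "alternative" above, reading alternating blocks from separately acquired drive images, as an added worked example. This is not the script from Steve Kamerman's blog nor anything posted in this thread; the function names, the candidate stripe sizes and the two constructed "disk images" are all mine. It assumes the member disks carry the same amount of RAID metadata in front of the striped area (so one start offset serves every disk) and that the volume on the array is NTFS, which lets the NTFS boot sector and the "FILE" signature of the first $MFT record confirm a guessed disk order and stripe size instead of eyeballing the result.

```python
# Added example (not from the thread or the linked blogs): reassemble a
# RAID0 volume from per-disk images and verify the guessed parameters.
import itertools
import struct
from typing import List, Optional, Sequence, Tuple

SECTOR = 512


def find_ntfs_boot_sector(image: bytes, limit: int = 64 << 20) -> Optional[int]:
    """Byte offset of the first sector-aligned NTFS boot sector in `image`
    (scanning at most `limit` bytes), or None. The boot sector is LBA 0 of
    the volume, so on the first member disk it marks where the striped
    area starts (the "various sectors" problem from the thread)."""
    stop = min(len(image), limit) - SECTOR + 1
    for off in range(0, stop, SECTOR):
        if image[off + 3:off + 11] == b"NTFS    " and image[off + 510:off + 512] == b"\x55\xaa":
            return off
    return None


def reassemble_raid0(images: Sequence[bytes], stripe_bytes: int, start_offset: int) -> bytes:
    """Round-robin interleave: logical stripe k lives on disk k % n at
    start_offset + (k // n) * stripe_bytes. Stops when a member runs out."""
    n = len(images)
    out, k = bytearray(), 0
    while True:
        pos = start_offset + (k // n) * stripe_bytes
        chunk = images[k % n][pos:pos + stripe_bytes]
        if not chunk:
            break
        out += chunk
        k += 1
    return bytes(out)


def mft_record_offset(volume: bytes) -> int:
    """Read the NTFS BPB: bytes/sector at 0x0B (u16), sectors/cluster at
    0x0D (u8), $MFT start cluster at 0x30 (u64) -> byte offset of $MFT."""
    (bps,) = struct.unpack_from("<H", volume, 0x0B)
    spc = volume[0x0D]
    (mft_lcn,) = struct.unpack_from("<Q", volume, 0x30)
    return mft_lcn * spc * bps


def parameters_verified(volume: bytes) -> bool:
    """A wrong stripe size or disk order still yields a valid boot sector
    (it sits in stripe 0 of disk 0), but moves the $MFT record somewhere
    else; requiring 'FILE' at the advertised $MFT offset tells them apart."""
    if find_ntfs_boot_sector(volume[:SECTOR]) != 0:
        return False
    off = mft_record_offset(volume)
    return volume[off:off + 4] == b"FILE"


def find_raid0_parameters(images: Sequence[bytes],
                          candidate_stripes=(4096, 8192, 16384, 32768, 65536, 131072)
                          ) -> Optional[Tuple[Tuple[int, ...], int, int]]:
    """Trial over disk order and stripe size, as the thread suggests.
    Returns (disk order, stripe size in bytes, start offset in bytes)."""
    for order in itertools.permutations(range(len(images))):
        ordered = [images[i] for i in order]
        start = find_ntfs_boot_sector(ordered[0])   # assumption: same offset on every member
        if start is None:
            continue
        for stripe in candidate_stripes:
            if parameters_verified(reassemble_raid0(ordered, stripe, start)):
                return order, stripe, start
    return None


def build_test_images(stripe_bytes: int = 65536, start_offset: int = 4096,
                      nstripes: int = 8) -> Tuple[bytes, List[bytes]]:
    """Constructed sample data: a 512 KiB pseudo-NTFS volume striped over two
    disks, each prefixed with 4 KiB of made-up RAID metadata (0xEE bytes)."""
    spc, mft_lcn = 8, 48           # 4 KiB clusters; $MFT at byte 196608, inside stripe 3
    vol = bytearray((i * 7 + 3) & 0xFF for i in range(stripe_bytes * nstripes))
    boot = bytearray(SECTOR)
    boot[3:11] = b"NTFS    "
    struct.pack_into("<H", boot, 0x0B, SECTOR)
    boot[0x0D] = spc
    struct.pack_into("<Q", boot, 0x30, mft_lcn)
    boot[510:512] = b"\x55\xaa"
    vol[:SECTOR] = boot
    mft = mft_lcn * spc * SECTOR
    vol[mft:mft + 4] = b"FILE"
    disks = [bytearray(b"\xEE" * start_offset) for _ in range(2)]
    for k in range(nstripes):
        disks[k % 2] += vol[k * stripe_bytes:(k + 1) * stripe_bytes]
    return bytes(vol), [bytes(d) for d in disks]


if __name__ == "__main__":
    original, images = build_test_images()
    print(find_raid0_parameters(images))          # ((0, 1), 65536, 4096)
```

On real evidence you would read the two E01 or raw images through a library such as libewf rather than load them into memory; the stripe loop only ever touches one stripe-sized slice per iteration, so swapping the byte slices for seek-and-read calls keeps the same logic. Note that the $MFT check only proves the first $MFT record landed in the right place; a stripe size that is a multiple of the true one can pass it if the record happens to fall in the same position, so confirm with a second landmark (for instance the $MFTMirr cluster at 0x38) before trusting the image.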
(@ultrain)
Active Member
Joined: 15 years ago
Posts: 16
 

I think you may mount a "*.E01" file with "Mount Image Pro".

It contains both GUI and console programs!
Here are some instructions

Mount Image Pro. v2.6.0 (0)
Command "MIP" is unknown.
Usage:
MIP command [options]

Commands:
STATUS Print status information.
MOUNT Mount a disk image as a virtual drive.
UNMOUNT Unmount a disk image.
VIEW Print disk image information.
LOOKUP Lookup mounted drive letters or image file(s).
INSTALL Install the MIP Driver or MIP Service.
REMOVE Remove the MIP Driver or MIP Service.

HELP Displays command help.

All commands and options are case insensitive.
Try "MIP HELP command" for detailed help for each command.

Good luck, my friend!


   
ReplyQuote
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

Hi K.W.,

It's been a while since I had one of these, so you need to check my command line syntax, but here are 2 ideas.

1. You can use the dmraid package (Ubuntu for certain, maybe others).
As usual, "dmraid -h" for help and "man dmraid" for further info. Here is a link to the manpages: http://www.linuxmanpages.com/man8/dmraid.8.php

Use "dmraid -ay" to activate your ntfs raid 0

If it recognizes your chipset, "dmraid -r" should show something similar to:
/dev/sda: raid_disk_id, stripe, ok, XXX sectors
/dev/sdb: raid_disk_id, stripe, ok, XXX sectors

Show the active device sets in the array with "dmraid -sa":
>>
Active
name    : raid_disk_id
size    : XXX bytes
stride  : 32
type    : stripe
status  : ok <-- good!!
subsets : 0
devs    : 2
spares  : 0

Make a directory for the volume like "mkdir /mnt/myraid0",
then mount as read only:
"mount -t ntfs -o ro /dev/mapper/raid_disk_id /mnt/myraid0"
and I think you can dd from here.

2. Alternatively, if you have some time to kill…

RAID 0 data is written sequentially in blocks striped (interleaved) across the drives in the set (array). If your OS does not recognize the array, you could image the first drive using dd, then the second drive, etc.
If you know or work out the interleave block size, you could read alternating blocks of data from each drive and reconstruct one larger image equivalent to the original combined RAID set. Python has its uses…

I have done this once during a practical for a data recovery course, but not with a paying customer's RAID in "real life".

The links I researched for the practical are Simón Anibal Ruiz Rolfs' blog at http://indianalinux.blogspot.com/2008/05/howto-reconstruct-failed-raid-0-arrays.html
and his follow-up http://indianalinux.blogspot.com/2008/05/howto-work-with-disk-images.html

and a big thanks goes to Steve Kamerman's blog for the updated Python script:
http://www.teratechnologies.net/stevekamerman/index.php?entry=entry090528-010324

my 2p

Ali

Really interesting, I'll try this out just in case this happens in the field; I'd better be prepared.

But are you sure you need to mount the drive?
Once the array is recognized, can't you just image /dev/mapper/raid_disk_id?


   
ReplyQuote
(@robinsage)
Eminent Member
Joined: 17 years ago
Posts: 28
 

Hi Rampage,

Yes you are of course correct. If you are imaging for forensic purposes do NOT mount the drive being examined! Sorry everybody, I was still wearing my data recovery hat.
As you say, once the array is recognized just image "/dev/mapper/raid_disk_id" instead.

Thanks for the pointer

Ali oops


   
ReplyQuote
(@wechselberger)
Active Member
Joined: 18 years ago
Posts: 11
Topic starter  

Apologies for my inaccurate statements. I will explain my problem in more detail.

I keep having to back up (forensically) computers with a software (fake) RAID0. Usually I back up the hard drives individually with a hardware write blocker.

The problem is only that when I reassemble the RAID0 with my forensics software (X-Ways or EnCase), I must specify the correct parameters. These parameters differ a lot between software RAID0s and I have had many problems. The cluster sizes themselves can be determined by trial, but I have found that the RAID0 starts at various sectors on the hard drive.

So my question:
Is it possible to mount a software (fake) RAID0 ro (read only) in Linux and then image it with dd, ddrescue, libewf, afflib, etc.? Because then I would have only one image and would no longer need to reassemble the RAID0.

thanks
k.w.


   
ReplyQuote
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

Yes, you can both mount a fake RAID0 read-only using dmraid (if the chipset is supported) or acquire it using any sort of acquisition utility; in the post above AliceKlaar has explained how really well :)


   
ReplyQuote