Forums
Main Category
General (Technical,...
Imaging Dead System...
 
Notifications
Clear all

Imaging Dead System with Hardware Based RAID configured

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by ForensicMania 16 years ago
10 Posts
5 Users
0 Reactions
910 Views
RSS
ForensicMania
 ForensicMania
(@forensicmania)
Active Member
Joined: 16 years ago
Posts: 11
Topic starter 20/05/2009 9:34 am  

Hi,

Here is a quick question? I have come across a dead HP ML 350 Server with Hardware Raid configured for two hard drives. I need to know that how can How can i take forensically sound image of the RAID Volume. I even don't know about what kind of RAID configured over it.

Any food for the thought?


   
Quote
 BitHead
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
20/05/2009 9:39 am  

Are the drives OK? If so image them and use X-Ways or similar and rebuild the array.


   
ReplyQuote
ForensicMania
 ForensicMania
(@forensicmania)
Active Member
Joined: 16 years ago
Posts: 11
Topic starter 20/05/2009 9:53 am  

thanks bithead,

can you tell me exactly which X-Ways software (name) can do this job for me. Can i rebuild any level of RAID with it? i mean like nested RAID 1+0 or RAID 5+1?

I want to analyze the evidence on FTK 2.0 after taking images. Will it be possible?


   
ReplyQuote
Logg
 Logg
(@logg)
Eminent Member
Joined: 16 years ago
Posts: 42
20/05/2009 11:55 am  

800 Euros, ack!

http//www.paraben-forensics.com/catalog/product_info.php?products_id=374

Paraben .. 15 day trial for free. See if their RAID recovery will work for you. 😉


   
ReplyQuote
 Rampage
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
20/05/2009 3:13 pm  

Considering the two disks array i would say it's a raid1 array, it's really rare to find a raid0 on a server, for obvious reasons.
so i would suggest to make a bitstream image of both disks, and see if you can access their content, you should be able to access data on a single disk if it's a raid1 array.
else try using x-ways.


   
ReplyQuote
 BitHead
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
20/05/2009 5:11 pm  

800 Euros, ack!

http//www.paraben-forensics.com/catalog/product_info.php?products_id=374

Paraben .. 15 day trial for free. See if their RAID recovery will work for you. 😉

As I said or similar. As a long time X-Ways user it is my go to software for problems.

Run Time Software also has RAID Reconstructor for $99 with a trial available.


   
ReplyQuote
 brede
(@brede)
Trusted Member
Joined: 20 years ago
Posts: 64
20/05/2009 5:35 pm  

ForensicMania are You unable too see logical partitions on this drives? if the raid was 1 and it is simple mirror the one disk will be exact copy of second one.


   
ReplyQuote
ForensicMania
 ForensicMania
(@forensicmania)
Active Member
Joined: 16 years ago
Posts: 11
Topic starter 21/05/2009 3:26 pm  

thanks everyone for taking your time to answer my question. It was RAID-1 so i was able to access the contents easily. But at the mean while i was wondering that what if i get servers for forensic analysis with Nested RAID levels.

Any reading material, anyone can refer me?

Is there available any specialized hardware + Software forensic tools for forensic analysis of Nested RAID levels?

Raid Reconstructor and X-Ways Forensics only detect RAID 0 and RAID 5 systems only.


   
ReplyQuote
 Rampage
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
25/05/2009 4:08 pm  

nasted raid arrays are a real pain in the…..
you better be able to boot with a live environment and acquire the volume from there.


   
ReplyQuote
ForensicMania
 ForensicMania
(@forensicmania)
Active Member
Joined: 16 years ago
Posts: 11
Topic starter 25/05/2009 4:14 pm  

then what about write blocking restriction???

I am unable to accept that there is no specialized tools for rebuilding or reconstructing all raid levels.

Why can't i accept?


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: