Good morning all,
I am posting on behalf of a colleague who is on site and is encountering problems imaging a Dell poweredge 1900 server running WinSBS 2003
"I am imaging a Dell power edge 1900 with windows SBS2003 on it. There are three drives in the box (0,1,2). I am told there is no raid or encryption and that the data resides on one or possibly 2 of the drives. In Encase two of the drives are showing up with 3 partitions with data on one of the partitions, respectively. The third drive appears to have been wiped.
> The problem I have is that the data on the main partitions does not appear to be readable in encase. This is a fairly contentious matter and we keep getting conflicting information from those involved. I will try and send a screen shot later.
> I am currently imaging all three drives and may then put them back in the box and see what I can see with it powered on. It may also be an option to seize the original drives in the circumstances in case I have to reimage.
> Any ideas or insights as what I am encountering gratefully received.
> Thanks",
Are you sure its not a RAID?
What Encase could be showing you is the data stripe on one drive and the parity stripe on the other.
Encase will show you the folder structures when you mount a single drive from a RAID array, exactly as you describe, and hey, its a server. Asuming you don't have a copy of F-Response (which is superb for acquiring servers). Try and get into the config of the RAID controller on boot up to see what type of RAID it is and the drive configuration so you can re-build it with your physical images. Note which image applied to which disk. Then boot and use FTK imager to create a logical image of the volumes. At least that way you are leaving with physical copies of each disk and a logical (useable) copy if you have trouble rebuilding the RAID.
"The third drive appears to have been wiped."
Please quantify an explain.
Thank You Guys,
i have forwarded your comments much appreciated