Physical RAID Imaging  

laughingman_nicoli
(@laughingman_nicoli)
New Member

Situation: Need to take a physical image of a RAID. Actually two RAIDs.

RAID A: Two HDDs, running Windows Server 2003. I have the login and have already taken a logical image. About 2.5TB.

RAID B: Two HDDs and one SSD. I don't have the login. Again about 2.5TB.

Task: Get full forensic physical images of both, to search slack space.

————————————————————————————————————————-
Tools: FTK Imager, EnCase 6.14, Tableau TD2, Paladin Boot Disc.

————————————————————————————————————————-
First: How do I figure out what version of RAID this is?

Second: What is the best way to take these images to be able to investigate the slack space?

Finally: Will this lead me to need a few drinks later?

Note: I have googled quite a bit and found no clear good answer, so I put these questions out to this community here. Mahalo in advance.

Posted : 10/05/2014 11:41 pm
krishna
(@krishna)
Junior Member

Hi,
You can use a CAINE bootable CD, forensic tools, or Guymager for physical imaging/cloning, as per the requirement.

Posted : 11/05/2014 12:17 am
jaclaz
(@jaclaz)
Community Legend

Let's go in reverse.

Finally: Will this lead me to need a few drinks later?

Yes. :D

Second: What is the best way to take these images to be able to investigate the slack space?

There are no "best ways"; you take a physical image of each and then use software capable of interpreting the images as a RAID.

First: How do I figure out what version of RAID this is?

Here is the issue. ;)

RAID "A" makes a lot of sense, and there are ONLY two possible ways to make a RAID out of two disks:
RAID 0 <- striped set
RAID 1 <- mirrored set
If it is a RAID 1, you have two identical hard disks (and thus two identical physical images), and you can just analyze one of the two.
If it is a RAID 0, see the previous answer: the software should be capable of producing a "whole image" by alternating blocks from the two devices.

RAID "B" makes very little sense. ?
You DO NOT put two hard disks and an SSD in a RAID. 😯

In practice RAID 2, 3 and 4 are never used, and RAID 0 and RAID 1 are made of "couples" of disks; the only kind of RAID in use with three devices is RAID 5.

When you set up a RAID 5, you do that using all identical devices, since once the array is created the available size of the array will be determined by the smallest device.
See here for a simple explanation of the different RAID levels:
http://en.wikipedia.org/wiki/Standard_RAID_levels

It is much more probable that the SSD hosts the Operating System and that the two hard disks host the actual data.
And then you are back to the same case as RAID "A".

In my limited experience it is uncommon to set up a RAID 0 on a server (though it is possible); it would be more logical for it to be set up as RAID 1, which is a "poor man's" way to have *some* redundancy of data. Of course this choice depends on what the actual use of the server was.
As an example, if the server was an enterprise mail server, data redundancy would have been more important than performance (and then a RAID 1 would have been used); if it was a server dedicated to streaming multimedia content, it would have made more sense to have faster performance (and then a RAID 0 would have been used).

"Common" servers (meaning not *any* PC used as a server, but rather server-level hardware for "mission critical" use) tend, however, to have 3 or better 4 (3+spare) disks in RAID 5.

jaclaz

Posted : 11/05/2014 12:41 am
athulin
(@athulin)
Community Legend

First: How do I figure out what version of RAID this is?

The best approach is to use the RAID manager software that was used. You could also talk to whoever set the thing up.

Try to find the user manual for the device to cut your choices down to what it is actually capable of. If you like to trust unknown software – as you're asking, it's clearly unknown – you use whatever magic RAID identifier software you like. Guessing is, however, not an option, as you have to be able to decide if a reconstructed RAID producing only a huge 'random' disk full of unrecognizable structures is a correct result or not. It could be, if encryption is used, for example, or if the RAID has been broken and disks overwritten individually. And you don't want to be drawn into false conclusions by a dropped, previous hot spare anywhere.

Second: What is the best way to take these images to be able to investigate the slack space?

What slack space *exactly* are you referring to? Where is it located?

If it's at the HDD level, i.e. partition slack at the end of a 'disk', or volume slack at the end of a partition, or slack inside a file system, then you image the running RAID 'device'. There will be no need to image each separate HDD, as far as I can see.

It's only if you have the situation of dissimilar disks, with not fully utilized HDDs, that you may want to check out any 'RAID slack' on the larger and incompletely used HDD(s) as well.

Posted : 11/05/2014 1:47 am
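Jaclaz's point that a RAID 1 gives two identical images while a RAID 0 must be rebuilt by alternating blocks, and athulin's caution that a rebuilt array has to be validated rather than guessed, can be put together in a small script. This is an added example, not code from anyone in the thread: it rebuilds a two-disk RAID 0 from member images by trying stripe sizes and disk orders, and accepts a candidate only when the NTFS boot sector it produces points at a real $MFT record. The member images and the stripe-size candidate list are constructed here for illustration.

```python
"""Added example: validate RAID 1 / rebuild RAID 0 from member images and
check the result against NTFS structures. Sample data is constructed in memory."""
import hashlib
import struct
from itertools import permutations

SECTOR = 512

def is_mirror(img_a: bytes, img_b: bytes) -> bool:
    """RAID 1 members should be byte-identical; compare hashes rather than labels."""
    return hashlib.sha256(img_a).digest() == hashlib.sha256(img_b).digest()

def rebuild_raid0(members, stripe: int) -> bytes:
    """RAID 0: interleave fixed-size stripes from each member, in member order."""
    if len({len(m) for m in members}) != 1:
        raise ValueError("RAID 0 members must be the same size")
    return b"".join(m[off:off + stripe]
                    for off in range(0, len(members[0]), stripe)
                    for m in members)

def ntfs_mft_offset(volume: bytes):
    """Parse the NTFS boot sector; return the byte offset of $MFT, or None."""
    if volume[3:11] != b"NTFS    " or volume[510:512] != b"\x55\xaa":
        return None
    bps, spc = struct.unpack_from("<HB", volume, 11)   # bytes/sector, sectors/cluster
    (mft_lcn,) = struct.unpack_from("<Q", volume, 48)   # $MFT logical cluster number
    return mft_lcn * spc * bps

def guess_layout(members, candidates=(4096, 8192, 16384, 32768, 65536)):
    """Return (stripe, order) whose rebuild has a 'FILE' record at the $MFT offset.
    The boot sector alone cannot discriminate: it always sits in stripe 0."""
    for order in permutations(range(len(members))):
        for stripe in candidates:
            vol = rebuild_raid0([members[i] for i in order], stripe)
            off = ntfs_mft_offset(vol)
            if off is not None and vol[off:off + 4] == b"FILE":
                return stripe, order
    return None

def make_sample(stripe=4096, stripes_per_disk=4):
    """Constructed volume: NTFS boot sector, $MFT at LCN 5, split across two members."""
    vol = bytearray(2 * stripes_per_disk * stripe)
    vol[3:11] = b"NTFS    "
    struct.pack_into("<HB", vol, 11, SECTOR, stripe // SECTOR)  # one cluster per stripe
    struct.pack_into("<Q", vol, 48, 5)
    vol[510:512] = b"\x55\xaa"
    vol[5 * stripe:5 * stripe + 4] = b"FILE"
    chunks = [vol[o:o + stripe] for o in range(0, len(vol), stripe)]
    return bytes(b"".join(chunks[0::2])), bytes(b"".join(chunks[1::2]))

if __name__ == "__main__":
    d0, d1 = make_sample()
    print("RAID 1 mirror?", is_mirror(d0, d1))
    print("RAID 0 layout (stripe, disk order):", guess_layout([d1, d0]))
```

On real images the same check would be run against the offset of the volume inside the rebuilt array (partition table first), with candidate stripe sizes taken from the controller's documentation.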
laughingman_nicoli
(@laughingman_nicoli)
New Member

All very good answers and a lot of help. As to the reference to slack space: I basically need to find deleted files and to be able to carve fragments if I can.

Posted : 11/05/2014 2:18 am
mscotgrove
(@mscotgrove)
Senior Member

You do not say what size the disks are (in GBs).

RAID 'B' could just possibly be JBOD (and so could RAID 'A').

You say Windows 2003 Server - I presume this will mean NTFS. Have you checked that this is true, and not a UNIX FS?

Posted : 11/05/2014 3:57 am
jaclaz
(@jaclaz)
Community Legend

You do not say what size the disks are (in GBs).

RAID 'B' could just possibly be JBOD (and so could RAID 'A').

You say Windows 2003 Server - I presume this will mean NTFS. Have you checked that this is true, and not a UNIX FS?

Well, a JBOD is not (IMHO) a RAID:
http://en.wikipedia.org/wiki/Non-RAID_drive_architectures

If it is not a RAID then both setups can simply be basic disks, or spanned ones.

As well, roughly 99.9999999% of Windows 2003 Servers will use NTFS; the remaining 0.0000001% may be using UFS or XFS.

You know, like ;)
Q. My car did not start this morning, what should I check?
A. Are you sure it is not a lawnmower? Are you sure it uses gasoline and is not fuel cell powered?
:D

jaclaz

Posted : 11/05/2014 4:02 pm
mscotgrove
(@mscotgrove)
Senior Member

HP Media Vault is typically defined as a RAID, but is often configured as a JBOD with 'funny' allocation sections.

RAID-0 - I am not sure where the Redundant part is, but it is often called a RAID.

The question talks about a RAID - I think we are assuming it is internal, but it could be a NAS, also a RAID. NAS tends to be XFS, Ext2/3/4, Reiser (and others).

I am sure we have all been caught making assumptions that were not valid. I am trying to understand a 3 disk RAID including a SSD and I suspect we may not have the full story.

(Yes, I did use the correct tool to cut my lawn this morning)

Posted : 11/05/2014 8:25 pm
jaclaz
(@jaclaz)
Community Legend

HP Media Vault is typically defined as a RAID, but is often configured as a JBOD with 'funny' allocation sections.

But does it run Windows Server 2003 or allow for more than two devices?

RAID-0 - I am not sure where the Redundant part is, but it is often called a RAID.

Yep, sometimes names are inaccurate. :(

The question talks about a RAID - I think we are assuming it is internal, but it could be a NAS, also a RAID. NAS tends to be XFS, Ext2/3/4, Reiser (and others).

The Windows Server 2003 made me think of a server. ?

I am sure we have all been caught making assumptions that were not valid. I am trying to understand a 3 disk RAID including a SSD and I suspect we may not have the full story.

Sure :) .

(Yes, I did use the correct tool to cut my lawn this morning)

Race for pink slips? 😯
http://www.autoweek.com/article/20130723/CARNEWS01/130729954?
http://www.topgear.com/uk/car-news/top-gear-magazine-speed-week-2013-7-17
;)

jaclaz

Posted : 11/05/2014 10:47 pm
derdanielder
(@derdanielder)
New Member

Situation: Need to take a physical image of a RAID. Actually two RAIDs.

First: How do I figure out what version of RAID this is?

Second: What is the best way to take these images to be able to investigate the slack space?

Most times, the easiest way to figure out what version of RAID it is, is to boot up the machine, enter the BIOS (depending on the hardware it might be the mainboard BIOS or the RAID controller BIOS), and look at what is configured.

As you have no password for the 2nd machine (I assume you are talking about the Operating System BIOS, however that has to be confirmed), you have to boot it anyway.

Of course the RAID could be software-level, but this is very seldom the case on a Windows Server OS. While checking the BIOS settings, you should also note down the controller type, revision and BIOS release. This might be useful when it comes to rebuilding the RAID after you have made an image of all hard drives. Also check the cluster size in the RAID config.

Posted : 12/05/2014 8:56 pm
Cults14
(@cults14)
Active Member

I've only ever had one RAID issue to deal with, so am a complete novice - we had a sister company with a failed server that our internal IT dept said couldn't be recovered.

We deduced from the controller that RAID was in play, then used the free element of Runtime Software's suite and were able to establish what type of RAID it was, then purchased the necessary license to recover data (didn't have to look at slack space).

Realise this is a simple point-and-shoot option that may not address your issue :)

Cheers

Posted : 13/05/2014 4:37 pm