"RAID" help!  

jbarber
(@jbarber)
New Member

I am working a case with a Dell Power Edge T300. Service Tag#B27G1L1. It contains 3 250 GB hard drives. Here is the info from the Dell site using this tag #

System summary

| Field | Value |
|---|---|
| Service Tag | B27G1L1 |
| Computer Model | PowerEdge T300 |
| Shipping Date | 10/26/2009 |
| Country | United States |

Components

| Part Number | Quantity | Description |
|---|---|---|
| R708H | 1 | PROCESSOR, X3323, 2.5/1.3, 6M, XUP, E0 |
| KJ582 | 1 | HEATSINK, PLASTIC GRID ARRAY, 2.5X3.5X4.27 |
| C584K | 1 | Overpack Kit, WS8XBP, english |
| 0R215 | 2 | CORD, POWER, 15A, 125V, 10, 5-15/C13 |
| PD147 | 1 | ASSEMBLY, CABLE, LIGHT EMITTING DIODE, HARD DRIVE, AUXILIARY, PRECISION WORKSTATION, 490 |
| 70P6G | 1 | Assembly, Digital Video Disk Drive, 16X, Serial Ata, Half Height, Hitachi Lg Data Storage, Enterprise Systems Group |
| J105C | 3 | ASSEMBLY, CARRIER, HARD DRIVE, Serial ATA, 1IN |
| NT154 | 2 | Assembly, Power Supply Redundant, 528W, DLT |
| H7511 | 2 | ASSEMBLY, CARRIER, BLANK , HARD DRIVE, UNIVERSAL, 1IN, 2 |
| F420T | 3 | HARD DRIVE, 250G, ES3, 7.2K, 3.5, V2, SEAGATE, MAGNETO OPTICAL DRIVE |
| KP010 | 1 | ASSEMBLY, CHASSIS, HOT PLUG, REDUNDANT, T300 |
| T774H | 1 | PRINTED WIRING ASSY, CONTROLLER, PERIPHERAL COMPONENT INTERCONNECT EXPRESS , SERIAL ATTACHED SCSI, PERC6/I, ADAPTER |
| K278H | 1 | ASSEMBLY, CABLE, Serial ATA, MOTHERBOARD, OPTICAL DEVICE DRIVE, STATE AND LOCAL GOVERNMENT, T300 |
| X3959 | 1 | Card, Network, PERIPHERAL COMPONENT INTERCONNECT EXPRESS , COPPER, DUAL PORT |
| WP130 | 2 | DUAL IN-LINE MEMORY MODULE, 2G, 667M, 256X72, 8, 240, 2RX8 |
| GG460 | 1 | KIT, STRAIN RELIEF, CABLE, POWER |
| NP393 | 1 | ASSEMBLY, CABLE, POWEREDGE EXPANDABLE RAID CONTROLLER NUMBER, BTTRY, T300 |

I have imaged all three of the hard drives separately (E01s) and loaded them into EnCase 6. I haven't been able to find much information about the presumable "RAID" set up. I went into the BIOS and the only info I can find is that it may be a RAID 5. I have the RAID analyzer and RAID Source Disk Sector Locator EnScripts but without the RAID info I haven't been able to use them. The system is running Windows SBS Premium 2008. Looking at the info of the three hard drives through EnCase, I haven’t been able to determine which hard drive is the primary with an OS. Where do I go from here? I found no more info on Dell's site than what I listed here. I think I have read every post I can find on several sites and am still stuck.

I am prepared to do a live acquisition but was giving this a go first.

Thanks

Jim

Posted : 31/07/2014 1:04 am
Deltron
(@deltron)
Active Member

Are you trying to rebuild the RAID in EnCase?
You may have to guess the order and use popular stripe sizes; well, that's what I was told by Guidance support when I was in the same situation.

Posted : 31/07/2014 1:49 am
jbarber
(@jbarber)
New Member

Yes I am trying to rebuild the RAID with EnCase. Yeah using the "Edit Disk Configuration" is a little confusing. Did you have any luck with your case?

Posted : 31/07/2014 2:10 am
mscotgrove
(@mscotgrove)
Senior Member

Find the $MFT - this is the best guidance for stripe and order and parity. A $MFT is normally reasonably sequential so very good for raid analysis.

This is assuming it is an NTFS disk.

Posted : 31/07/2014 4:05 am
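
An added example, not part of any post in this thread, of the $MFT approach suggested above: on raw exports of the member images it finds runs of consecutive NTFS FILE records, takes the stripe element size from the run length, and reads data order and parity position per stripe row from the record numbers. Assumptions: 1024-byte FILE records with the record number at offset 0x2C (NTFS 3.1 and later); the function names and the sample array are constructed for illustration.

```python
import struct
from collections import Counter

SECTOR, RECORD = 512, 1024          # RECORD: default NTFS FILE record size (assumed)

def mft_runs(image):
    """[(byte_offset, first_record_no, count)] for runs of consecutive FILE records."""
    runs = []
    for off in range(0, len(image) - RECORD + 1, SECTOR):
        if image[off:off + 4] != b"FILE":
            continue
        (recno,) = struct.unpack_from("<I", image, off + 0x2C)   # record number field
        off0, rec0, n = runs[-1] if runs else (0, 0, 0)
        if runs and off0 + n * RECORD == off and rec0 + n == recno:
            runs[-1] = (off0, rec0, n + 1)       # same stripe element continues
        else:
            runs.append((off, recno, 1))         # jump: a new stripe element starts
    return runs

def stripe_element_size(runs):
    """Most common run length in bytes; a full run is one stripe element of $MFT."""
    return Counter(n for _, _, n in runs).most_common(1)[0][0] * RECORD

def row_layout(images):
    """Per stripe row: (member offset, members in data order, members with no FILE data)."""
    all_runs = [mft_runs(img) for img in images]
    element = stripe_element_size([r for runs in all_runs for r in runs])
    per_member = [{off // element: rec for off, rec, _ in runs} for runs in all_runs]
    rows = []
    for row in sorted(set().union(*per_member)):
        order = [i for _, i in sorted((m[row], i) for i, m in enumerate(per_member) if row in m)]
        parity = [i for i in range(len(images)) if i not in order]
        rows.append((row * element, order, parity))
    return rows

def build_sample(element=4096):
    """Constructed data: 24 FILE records striped as 3-member RAID 5 with rotating parity."""
    recs = b"".join(b"FILE" + bytes(0x28) + struct.pack("<I", n) + bytes(RECORD - 0x30)
                    for n in range(24))
    chunks = [recs[i:i + element] for i in range(0, len(recs), element)]
    members = [b"", b"", b""]
    for row in range(len(chunks) // 2):
        d = chunks[2 * row:2 * row + 2]
        p = bytes(x ^ y for x, y in zip(*d))     # parity block for this row
        slots = iter(d)
        for i in range(3):
            members[i] += p if i == 2 - row % 3 else next(slots)
    return members

if __name__ == "__main__":
    print(row_layout(build_sample()))
```

On real images the rows only line up this cleanly where the $MFT is contiguous; fragmented or partial runs should be discarded before trusting the majority result.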
Adam10541
(@adam10541)
Senior Member

A former colleague of mine bought this tool a couple of weeks ago and hasn't stopped raving about it since

http://www.diskinternals.com/raid-recovery/
I've not used it personally but he told me it was pretty much automated and does what it says on the box. Might be worth a try.

Posted : 31/07/2014 6:29 am
BitHead
(@bithead)
Community Legend

PRINTED WIRING ASSY, CONTROLLER, PERIPHERAL COMPONENT INTERCONNECT EXPRESS , SERIAL ATTACHED SCSI, PERC6/I, ADAPTER

If you can get into the controller software (typically Ctrl-R) you should see the stored settings.

When you unplugged the drives you should have noted the order. The controller software orders the discs as 0,1,2 by default.

The default stripe size for the PERC6I is: "Stripe Element Size – Default value is 64KB"
http://www.thegeekstuff.com/2009/05/dell-tutorial-create-raid-using-perc-6i-integrated-bios-configuration-utility/

RAID Reconstructor V4.32 is another good choice for the price. https://www.runtime.org/raid.htm

Posted : 31/07/2014 7:35 am
Cults14
(@cults14)
Active Member

Another vote for Runtime software, only had to use it once but worked a charm on RAID0

Cheers

Posted : 01/08/2014 3:23 pm
jbarber
(@jbarber)
New Member

Well, I abandoned trying to rebuild the RAID in EnCase and attempted to make a logical image with a boot disk. When I loaded the E01s from the logical image it came up as unused disk area. So I'm guessing maybe the RAID was not even being used. Seems weird though because when I imaged the three drives individually two of the drives came up with a C, D and E partition. There was nothing on them but partitions nonetheless. I did notice something in the boot sequence. The sequence is:
1) Optical Drive
2) Embedded NIC 1 MBA v12.2.2 Slot 0100
3) Hard Drive C

Does #2 signify that this machine is networked (for lack of a better term) and not a bootable machine? When I tried to regular boot the machine it didn't work and then when I disabled #2 so it would boot from #3, it said "no bootable device found".

Any ideas on these issues are appreciated; it's more for my knowledge now, since there appears to be nothing on the RAID, this item is finished!

Posted : 01/08/2014 9:29 pm
jaclaz
(@jaclaz)
Community Legend

There is something "wrong" (no offence intended) in your report, and IMHO *something* doesn't sound "right" in your hypothesis. 😯

A Dell Power Edge is a "Server Class" machine.

While it is possible (though highly improbable) that it booted from network (PXE booting) an OS residing on another Server in the network, still it should have hosted data, what would otherwise "serve"?

If it "served" data residing on another machine on the network, it would have been more than anything else a "router" (and a typical router would have no local storage devices if not a - minimal - often a CF card or similar, hosting the actual OS).

So, while it is entirely possible that the three disks were wiped (or have their content deleted, one way or the other) it is at least improbable that that machine was setup by a mad hatter that bought a server and added to it largish mass storage devices to later use it as an OSless router.

Now the common ways to set up a server with a RAID controller
http://en.wikipedia.org/wiki/RAID
are typically only four or five:
1. A Raid 0 (which is not really-really a RAID) with EVEN number of disks (2 or 4, etc.) <- faster but with no redundancy
2. A Raid 1 which would normally use an even number of disks, typically 2 <- pure "mirroring"
3. A Raid 0+1, but again it would use an even number of disks (minimum 4)
4. A Raid 1+0 or 10 but this would also need 4 disks minimum.
5. A Raid 5 that needs at least 3 disks (and the 3 disks setup is actually one among the most common ones, as an "entry level"). <- "real" redundancy with block level striping and distributed parity.

This scheme might help

On a normal disk you have sequentially on the disk itself
block A
block B
block C
…etc.

When you have the same on a 3 disks RAID
block A is on the FIRST disk
block B is on the SECOND disk

block C is on the FIRST disk

block D is on the THIRD disk

So, when you access a disk as "single disk" (or an image of it) there will be
First disk that will start, like any "normal" disk with a MBR
Second disk that (unless a mirror of the MBR has been made exactly on the beginning on the second block) will NOT have a MBR as first sector.
Third disk that will also NOT have a MBR as first sector (should be detectable visually) contains "parity data" (please try reading this temporarily as "hex garbage")

So, when you access the three images as single disks, one and one only should have as first sector a MBR (please read as "have partitions"), and that would be the first disk.

If you can find "partitions" on two of the images, it sounds like there is an issue *somewhere*.

A logical explanation could be that the disks were not set in RAID 5 but rather in a two disks RAID 1 (pure mirroring) + a (unused) spare, but then two of the images should be identical between them (and of course any of these two identical disks would be readable "on its own").

Another possibility could be a RAID 1 with three disks (double mirroring), but then all three disks would have "partitions" in them and would be readable "separately".

jaclaz

Posted : 01/08/2014 10:57 pm
jbarber
(@jbarber)
New Member

Jaclaz

I don't know. I tried to read all three of these disks through EnCase as a preview and I didn't see anything that looked like an OS.

This was an "internet cafe" gambling operation and I wasn't there to take it down so I can't comment on the way everything was set up. I don't know what was hooked into this Dell or what it was being used for. As a last resort I turned the machine on to just go through it by hand and see if maybe I could just pull off any evidence of the gambling operation but it would not boot. That's what makes me wonder where the OS is.

Any other ideas?

Posted : 02/08/2014 12:35 am
shep47
(@shep47)
Member

Looking at the shipping spec of this Dell (using the service tag) it looks like it had a Dell PERC 6/i 6i PCI-e SAS RAID Controller fitted. In my experience, reconstruction of any RAIDs in EnCase that used company bespoke controllers can be very painful. Normally, I would take a logical in these instances but I see you are unable to boot the system to OS. Have you considered Linux boot disk (DEFT) with the disks fitted and logically acquire that way (and keeping fingers crossed that DEFT supports the Dell RAID controller)?

Regards

Posted : 02/08/2014 3:34 pm
jaclaz
(@jaclaz)
Community Legend

I don't know. I tried to read all three of these disks through EnCase as a preview and I didn't see anything that looked like an OS.

Sure, you won't find on any of them "anything that looked like an OS" unless they are a set of mirrored drives, which indirectly confirms that the most probable setup with three disks (a RAID 5) has been used.

Still one (and one only) of the disks should have as first sector the MBR (the first disk), which is something that you can easily check with a hex editor.
Even if it is not the first sector, a MBR must be present on first disk "near" the beginning.
If you carve the RAW disk for the Magic Bytes 55AA as last two bytes of a sector you should be able to find it in no time.

You reported earlier that TWO of the disks started with a MBR, which is the part that "sounds strange".

A number of specialized "automagic" or "autosensing" specialized tools were already recommended, personally I would have a (more "manual") try with DMDE which has a "raid reconstructor" that accepts a virtual reconstruction with the several possible parameters:
http://dmde.com/

If you can identify first disk image, you just try adding the other two disk images, or one of the other two disk images and a NUL device, then play a bit with the possible parameters until you find something "making sense".

If it doesn't work, you then try again exchanging the two non-first disks and the non-first disk and the NUL device.

After all, even doing it "blind" or "random" it is a finite number of attempts.

jaclaz

Posted : 02/08/2014 4:17 pm
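
An added example, not part of any post in this thread, of the per-member checks discussed above: MBR candidates (55AA plus a plausible partition table), identical members (mirroring), and RAID 5 parity (all members XOR to zero). The sample array is constructed; it also shows that a parity member carries a copy of the MBR when the matching data block on the other member is blank, so two members of a RAID 5 set can both appear to have partitions. Function names are hypothetical and the inputs are assumed to be raw exports of the member images.

```python
from itertools import combinations

SECTOR = 512

def looks_like_mbr(sec):
    """55AA at bytes 510-511 plus a sane partition table (flags 00/80, one used entry)."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        return False
    entries = [sec[446 + 16 * i:462 + 16 * i] for i in range(4)]
    return (all(e[0] in (0x00, 0x80) for e in entries)
            and any(e[4] and int.from_bytes(e[12:16], "little") for e in entries))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def survey(images, sectors):
    """Compare raw member images (bytes-like, e.g. mmap of a dd export) sector by sector."""
    mbr_hits = [[] for _ in images]
    same = {p: True for p in combinations(range(len(images)), 2)}
    parity_rows = data_rows = 0
    for s in range(sectors):
        row = [bytes(img[s * SECTOR:(s + 1) * SECTOR]) for img in images]
        for i, sec in enumerate(row):
            if looks_like_mbr(sec):
                mbr_hits[i].append(s)
        for a, b in same:
            same[(a, b)] = same[(a, b)] and row[a] == row[b]
        if any(any(sec) for sec in row):      # ignore rows that are blank on every member
            data_rows += 1
            acc = row[0]
            for sec in row[1:]:
                acc = xor(acc, sec)
            parity_rows += not any(acc)       # RAID 5: members XOR to zero
    return {"mbr": mbr_hits,
            "mirrors": [p for p, ok in same.items() if ok],
            "parity_ratio": parity_rows / data_rows if data_rows else 0.0}

def build_sample():
    """Constructed 3-member RAID 5: 4-sector stripe element, parity on member 2 then 1."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + (8).to_bytes(4, "little") * 2
    mbr[510:512] = b"\x55\xaa"
    e0, e1 = bytes(mbr) + bytes(3 * SECTOR), bytes(4 * SECTOR)   # MBR, then a zero gap
    data = bytes(i % 251 for i in range(8 * SECTOR))
    e2, e3 = data[:4 * SECTOR], data[4 * SECTOR:]
    return [e0 + e2, e1 + xor(e2, e3), xor(e0, e1) + e3]

if __name__ == "__main__":
    print(survey(build_sample(), 8))
```

A mirrored pair with a blank third disk also XORs to zero, so read `mirrors` before `parity_ratio`.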