How do I acquire an image of a RAID 0 two hard drive array? And once acquired, how do I process the image? I have FTK.
Um… need a little more than that to go on, my friend…
NAS, server, workstation? OS? Live?
Details are important to design a plan.
The important aspect of RAID 0 is the size of the slices, typically 64K or 128K. You then need to work out which is drive 0 and which is drive 1.
You then need to either read both drives in turn, or build up a file image segment by segment. The image should then be readable by many image reading tools. It could be NTFS, Unix based, or anything else, but you should have what looks like an image of a large disk to work on.
If the drives are from a standard PC, it will probably be NTFS
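As an added illustration of the stripe-by-stripe rebuild described above (example code, not from any poster or tool on this thread): two member images are re-interleaved with a known stripe size, and drive 0 is identified as the member whose first sector carries the MBR boot signature, since the array's first stripe always lives there. It assumes the array spans the whole of each disk with no controller metadata header and that the stripe size is already known; the sample volume and the 4 KB stripe are constructed for the demo.

```python
MBR_SIG_OFFSET = 510  # last two bytes of sector 0 hold 0x55AA on an MBR disk


def find_drive0(images):
    """Return the index of the member holding the MBR: stripe 0 of a RAID 0
    array is on drive 0, so only that disk has the signature at offset 510."""
    hits = [i for i, img in enumerate(images)
            if img[MBR_SIG_OFFSET:MBR_SIG_OFFSET + 2] == b"\x55\xaa"]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one MBR signature, found {len(hits)}")
    return hits[0]


def rebuild_raid0(images, stripe_size):
    """Re-interleave member images (already in drive order) into one logical image.
    Stripe k of the array is stripe k // n of member k % n."""
    size = len(images[0])
    if any(len(img) != size for img in images):
        raise ValueError("member disks must be the same size")
    if size % stripe_size:
        raise ValueError("disk size is not a whole number of stripes")
    out = bytearray()
    for off in range(0, size, stripe_size):
        for img in images:
            out += img[off:off + stripe_size]
    return bytes(out)


def split_raid0(volume, n_disks, stripe_size):
    """Constructed test helper: stripe a logical volume across n_disks members."""
    stripes = [volume[i:i + stripe_size] for i in range(0, len(volume), stripe_size)]
    return [b"".join(stripes[d::n_disks]) for d in range(n_disks)]


def make_sample_volume(stripe_size=4096, n_stripes=8):
    """Constructed volume: stripe k is filled with byte k, plus an MBR signature."""
    vol = bytearray(b"".join(bytes([k]) * stripe_size for k in range(n_stripes)))
    vol[MBR_SIG_OFFSET:MBR_SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(vol)


def demo(stripe_size=4096):
    """Split a sample volume, hand the members over in the wrong order,
    recover drive 0 from the MBR, rebuild, and report whether it round-trips."""
    vol = make_sample_volume(stripe_size)
    swapped = split_raid0(vol, 2, stripe_size)[::-1]  # deliberately reversed
    d0 = find_drive0(swapped)
    ordered = [swapped[d0], swapped[1 - d0]]  # two members: the other one is drive 1
    return rebuild_raid0(ordered, stripe_size) == vol


if __name__ == "__main__":
    print("round-trip ok" if demo() else "round-trip FAILED")
```

With more than two members the MBR only pins down drive 0; the remaining order still has to be confirmed from the controller or by checking filesystem structures in the rebuilt image.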
I tend to use a forensic boot disk and acquire the whole thing logically, and to cover bases, also acquire each disk. The only downside is that some RAID cards aren't supported in some live CD builds. That's why it always pays to have more than 1 live solution, as well as a backup imaging solution.
Worst case scenario, I'd grab images of each disk and rebuild the RAID with X-Ways.
The target computer is a workstation with Windows XP Pro (it is a gaming machine) and is not live. There are two 120 GB hard drives in a RAID 0 configuration.
The only forensic software I have is FTK. I have a write-blocked imaging bay for single hard drives only. I have a RAID controller on the motherboard of my forensic computer, but it is not write blocked.
What is the motherboard on the target computer? This will help to narrow down the type of RAID controller and software.
I agree with other posts. Image each physical drive and rebuild with X-Ways.
Try Linux-based boot CDs to see if you can view the RAID as a logical disk. Google is your friend.
If your investigation allows for it, you could also boot the machine live and use F-Response and an x-over cable to image in FTK with your acquisition system.
Our SOP for RAIDs is to image the drives and stitch them back together in EnCase or X-Ways. I am not sure if FTK has these capabilities in the newer versions, so you may have to assemble a working RAID on your own equipment.
So you have a specific requirement and toolset… this narrows it down a bit.
Since FTK doesn't do RAID reconstruction, you're going to want to get a forensic boot disk and acquire the whole RAID logically. That logical image will go into FTK really easily.
BTW, I'm not sure of your specific circumstances, but X-Ways Forensic is only about $1000 USD so if you're in private consulting, it's going to pay for itself on the first job and when it comes to RAIDs, it's going to make your life much easier.
get a forensic boot disk
Oops, should have been more clear. Correct, you do want to get a distro that can write block the array when mounted (that link I provided is mixed with forensic and non-forensic).
Thanks a lot… I booted with Knoppix and acquired the image using dd_rescue… acquired an MD5 hash of the original and compared it to the image… worked like a charm… FTK handles the image nicely… thanks again…