My coworkers brought me four drives from a failed Western Digital Sharespace. They have no information about what kind of RAID it is, but when I look at each drive individually in EnCase, they all appear to have the same folders/format. It's EXT3 format.
The problem I have is that it's got four 2 TB drives. I currently am using all my storage for active cases. I'm not even sure if EnCase will put the RAID back together.
Has anyone got experience with restoring NAS raids? I've asked them to bring me the actual unit to start with. The IT guys assure me that they tried to rebuild the raid internally before pulling the drives. I'm not sure what their skill set with Linux is but other than trying to use a 3rd party tool I'm not sure where to start.
Any ideas or suggestions?
A good starting point seems to me the actual product manual
http//
Format and Configuration
WD ShareSpace is preformatted for maximum reliability as a RAID 5 volume (for four-drive systems) or for maximum capacity as a single large, spanned volume (for two-drive systems). In RAID 5, one quarter of the capacity is used to store parity information needed to restore data in the event of a drive failure.
In a spanned volume, the capacity is equal to the total of all drives in the volume. To access the maximum capacity using four drives on this device, the RAID configuration must be reset to either RAID 0 or Span. For more information on how to set up RAID, see “Manage RAID” on page 136.
The WD ShareSpace supports the following RAID levels:
• RAID 0 (Striped) — provides data striping (spreading out blocks of each file across multiple hard drives) but no redundancy. This improves performance but does not deliver fault tolerance. If one drive fails then all data in the array is lost.
• RAID 1 (Mirrored) — provides disk mirroring. Mirroring creates an exact copy (or mirror) of a set of data on two drives, which increases reliability compared to a single drive. If either drive fails, the other continues to function as a single drive until the failed drive is replaced.
• Two Mirror — Two Mirror mode is available when four drives are installed in the WD ShareSpace. In this mode, two independent RAID 1 volumes are created.
• Span (Spanned) — combines drives into a linear fashion to create one large logical volume. Unlike RAID 0, which “stripes” all data bitwise to all drives, the volume is linear across both drives. A spanned drive is literally like a single bigger drive, in that files written to the volume earlier go to the “beginning” of the volume, on the first physical drive. As the volume fills, files written later are written toward the “end” of the volume, on the second drive. Like RAID 0, no data redundancy is provided. If one of the drives fails, all data is lost.
• RAID 5 — requires a minimum of 3 drives to implement. Similar to RAID 0 but adds fault tolerance by including parity information with the data. Parity is generated on Writes, recorded in a distributed location, and checked on Read. In this mode, failure of a single drive does not cause loss of data.
• RAID 10 — requires a minimum of four drives to implement. Provides data striping on top of disk mirroring.
At first sight what you report seems like not being compatible with any of the "standard" available modes above, though. 😯
Or maybe in "Span" mode the root folder/structure is the same (but contents differ)?
The thingy should be running an Open Source OS/firmware
http//
which on one hand means that modifying its operating mode is possible with a relatively small effort, and on the other that it should be possible to understand how exactly it operates.
jaclaz
Thank you for the response. I read the manual a few days ago. The problem is that they've not provided the actual unit (so I might look at it natively) and no one knows what type of RAID it has.
So, all I essentially have are four hard drives with identical EXT3 partitions on it.
Therein lies the issue. If I had the native box, I might be able to load it and use a tool to try to rebuild it.
What I was pointing out was that seemingly the "standard" modes available on that unit cannot "produce" what you are describing.
The "default" mode for that unit with four disks is RAID 5 (and this cannot of course produce the drives you have in your hands, if you can access their contents without rebuilding a RAID structure), otherwise *someone* must have changed the unit default behaviour manually (and thus *someone* should know how he/she set it), BUT the issue seems to me that what you describe is also seemingly not compliant with any of the available modes (which might mean that a modification to the firmware/OS has been made, and thus another reason why *someone* should know).
Personally I would not even think of putting those drives back in the unit, as what you have in your hands may be the result of some malfunctioning of some kind of the actual unit (either hardware or software).
And of course it is well possible that the procedure the "IT guys" already attempted changed the pre-existing structure of the RAID (if any).
jaclaz
Thank you for stressing the main points. I too think something else "happened" during the course of the drives being fixed. When I say I can see the contents, I'm using EnCase and I can see the Linux file structure and two other empty partitions on each drive. Though I looked at it briefly with no attempt to rebuild the raid in EnCase, the drives all appear to be the same file structure and order.
I'm limited in my RAID knowledge. I've used them in a server farm before, but not really looked at many forensically, hence my confusion about what the drives would look like individually in EnCase. Normally if I have a RAID, it's a machine that is in my possession and I can rebuild it with EnCase.
I guess my limitations are showing too. More than likely, I will never get the full story and my boss doesn't want me neglecting my work for weeks to figure it out. I'm trying to find a way to get the issue resolved to help the employees out, while not ticking my chain of command off.
Thanks for the info so far!
That's nicely symmetrical as I have NO idea how a single disk from a RAID 5 setup can look in EnCase. 😯
What I know is that a single disk taken outside a RAID 5 array is normally seen as a bunch of "random" data, as stripes are "disseminated" over several disks (+ parity) as seen here
http//
jaclaz
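Added example, not written by any poster in this thread: one way to test the two possibilities discussed above without the NAS unit is to read the same offsets from every drive image (read-only, inside the same partition on each drive) and check whether the blocks are identical (mirror) or XOR to zero (data plus parity, as in RAID 5). The function names, the 4096-byte sample size and the in-memory sample array are assumptions made for the illustration.

```python
import io
import random
from functools import reduce

BLOCK = 4096  # bytes compared per sample (assumed; any sector multiple works)

def xor_blocks(blocks):
    """Byte-wise XOR of equally sized blocks."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def classify(members, offsets, block=BLOCK):
    """Compare the same offsets on every member image (binary file objects)."""
    mirrored = parity = used = 0
    for off in offsets:
        blocks = []
        for m in members:
            m.seek(off)
            blocks.append(m.read(block))
        if len({len(b) for b in blocks}) != 1 or not any(any(b) for b in blocks):
            continue  # short read or all-zero sample: no evidence either way
        used += 1
        if all(b == blocks[0] for b in blocks):
            mirrored += 1      # every member holds the same bytes
        elif not any(xor_blocks(blocks)):
            parity += 1        # members XOR to zero: data plus parity
    if used == 0:
        return "no data"
    if mirrored == used:
        return "mirror"
    if parity == used:
        return "parity"
    return "no redundancy relation (striped, spanned or mixed)"

def constructed_raid5(stripes=4, n=4, block=BLOCK):
    """Constructed sample: n in-memory members, one rotating parity block per stripe."""
    rng = random.Random(1)
    members = [bytearray() for _ in range(n)]
    for s in range(stripes):
        data = [rng.getrandbits(8 * block).to_bytes(block, "big") for _ in range(n - 1)]
        data.insert((n - 1 - s) % n, xor_blocks(data))  # parity position rotates
        for member, blk in zip(members, data):
            member += blk
    return [io.BytesIO(bytes(m)) for m in members]

if __name__ == "__main__":
    offs = [i * BLOCK for i in range(4)]
    print(classify(constructed_raid5(), offs))
    print(classify([io.BytesIO(b"\x07" * 4 * BLOCK) for _ in range(4)], offs))
```

Run it per partition, since different partitions on the same drives can give different answers; a member that dropped out of the array or was partly rewritten during a rebuild attempt breaks the parity relation and shows up as "mixed".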