RAID5 Hard Disk  

aandroidtest
(@aandroidtest)
Junior Member

A noob on RAID forensics here. Just clarifying some info

Not necessary for a RAID 5 HDD to have a partition? Data could be just written onto the whole hard disk?

Recently took a look at a RAID 5 HDD. I believe you cannot reconstruct the data without all 3 HDDs, but is there any telltale sign that the HDD is indeed part of a RAID 5?

Like parity data etc? Or there is no such data and no way to recover the data?

Posted : 31/05/2018 3:31 pm
jaclaz
(@jaclaz)
Community Legend

Not necessary for a RAID 5 HDD to have a partition? Data could be just written onto the whole hard disk?

Sure it is necessary, or at least it is as necessary as the partition is necessary on a single hard disk (depending on the OS you could have a normal hard disk formatted as "superfloppy", i.e. with a filesystem applied to it without the MBR and partitioning, but this is normally not supported on "fixed" devices).
A RAID 5 setup is at a different level from partitioning and filesystem.
You need a partition to have a filesystem on a normal single hard disk, so you need one in a RAID 5 setup. To the OS, the RAID will be no different from a single hard disk; the way data is saved on the actual multiple devices is "transparent" to the OS in normal operations.

Recently took a look at a RAID 5 HDD. I believe you cannot reconstruct the data without all 3 HDDs, but is there any telltale sign that the HDD is indeed part of a RAID 5?

The "essence" of a RAID 5 setup (that needs a minimum of 3 disks) is that with 2 disks you can rebuild the array without losing the data once you have replaced the failed drive.

Like parity data etc? Or there is no such data and no way to recover the data?

You need to understand the basic idea behind the setup, the simplest is by using an image, here

In the above case
1) IF disk 1 fails D1 can be recovered from P1-D2, D3 can be recovered from P2-D4, P3 can be re-calculated from D5+D6
2) IF disk 2 fails, D2 can be recovered from P1-D1, P2 can be re-calculated from D3+D4, D5 can be recovered from P3-D6
3) IF disk 3 fails, P1 can be re-calculated from D1+D2, D4 can be recovered from P2-D3, D6 can be recovered from P3-D5

Do check the calculator here
http://www.icc-usa.com/raid-calculator.html
where most common options are represented.

jaclaz

Posted : 31/05/2018 4:10 pm
aandroidtest
(@aandroidtest)
Junior Member

Thanks for the info. Helps a lot for my understanding!

Posted : 01/06/2018 8:38 am
jahearne
(@jahearne)
Junior Member

A way to tell if you have a RAID-5 is that one drive out of three, for example, will have an MBR or EFI, a volume of some kind, and it will be bigger than the capacity of one drive. It will be the size of the sum of all drives minus one (n-1).

This is an oversimplification, but more times than not this happens. In the case of an MBR, there will be two copies of the MBR (partition table), on the first drive and last drive of the array. The first drive will have the MBR pointing to a volume larger than one physical drive. In the case of a three drive array, the last drive will have the parity of the first two members of the array. (The first block of the last member of the array is almost always parity.) Since there is unallocated space between the partition table and the boot record (e.g. where NTFS starts) that is all zeros, the parity information will be a copy of the partition table, MBR, or a very close copy depending on what kind of information is written on each block.

Again, very simplified and only one example of many many types of RAIDs, but it's one of the most popular scenarios that I've seen. Another method is to search at hexadecimal level for RAID metadata at the back of the drive. Look for keywords like LSI, Dell, RAID, etc. depending on the manufacturer of the RAID controller card. Also, you might find a listing of serial numbers from each member of the array, which will provide you with the members and their order in the array.

Since you mentioned that there may be no partition info on your drive, it might be the case that the RAID metadata is at the front of the drives and not at the back; therefore, you will have an offset. All members will have the same offset. The offset will usually be a certain number of blocks. A block can be 32kb, 64kb, 128kb, etc. (64kb = 128 sectors, 128kb = 256 sectors). An offset can be several megabytes in size as well. So if there is no partition table at sector zero, it might be at a certain offset. Search for 55 AA, which are the last bytes of an MBR.

X-Ways Forensics and WinHex Specialist is one of the best RAID tools out there, but you have to know what you're doing to make it work. RAID Reconstructor from Runtime Software works well in "guessing" what kind of RAID array you have. Also had very good results with UFS Explorer.

Hope this helps. Good luck,

Posted : 01/06/2018 8:54 pm
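The checks described in the two replies above (parity recovery across three members, the MBR copy showing up in the parity block, and a common front offset), as an added Python example that is not code from any poster in this thread. The function names, the 16-sector front metadata area and the fill bytes are constructed assumptions; the member layout follows the D1 D2 P1 / D3 P2 D4 / P3 D5 D6 scheme used in the recovery list.

```python
SECTOR = 512
STRIPE = 64 * 1024   # 64 KB block = 128 sectors, one of the sizes named in the thread

def xor_blocks(*blocks):
    """XOR equal-length byte strings (the RAID 5 parity operation)."""
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "little")
    return acc.to_bytes(len(blocks[0]), "little")

def find_mbr_signatures(image, max_sectors=4096):
    """Sector numbers ending in 55 AA (candidate MBR or boot sectors)."""
    limit = min(max_sectors, len(image) // SECTOR)
    return [s for s in range(limit)
            if image[s * SECTOR + 510:s * SECTOR + 512] == b"\x55\xaa"]

def parity_rows(members, offset=0, stripe=STRIPE):
    """Return (rows that XOR to zero, non-empty rows tested) across all members."""
    size = min(len(m) for m in members)
    hits = tested = 0
    for pos in range(offset, size - stripe + 1, stripe):
        row = [m[pos:pos + stripe] for m in members]
        if not any(any(b) for b in row):
            continue                     # all-zero rows prove nothing
        tested += 1
        hits += not any(xor_blocks(*row))
    return hits, tested

def rebuild_member(survivors):
    """Recreate a missing member as the XOR of the surviving members."""
    return xor_blocks(*survivors)

def build_sample(front_sectors=16):
    """Constructed 3-member set: D1 D2 P1 / D3 P2 D4 / P3 D5 D6."""
    mbr = bytes(510) + b"\x55\xaa"                  # empty MBR, signature only
    d = {1: mbr + bytes(STRIPE - SECTOR), 2: bytes(STRIPE)}   # D2: zeroed gap
    d.update({k: bytes([0x30 + k]) * STRIPE for k in (3, 4, 5, 6)})
    p1 = xor_blocks(d[1], d[2])
    p2 = xor_blocks(d[3], d[4])
    p3 = xor_blocks(d[5], d[6])
    meta = b"\x11" * (front_sectors * SECTOR)       # stand-in for front RAID metadata
    return [meta + d[1] + d[3] + p3, meta + d[2] + p2 + d[5], meta + p1 + d[4] + d[6]]

if __name__ == "__main__":
    disks = build_sample()
    for i, img in enumerate(disks, 1):
        print(f"disk {i}: 55 AA at sectors {find_mbr_signatures(img)}")
    print("parity rows (hit, tested):", parity_rows(disks, offset=16 * SECTOR))
```

On real images, read each member in chunks rather than loading it whole, and expect some rows to miss if the array was degraded or the parity was stale when the disks were pulled.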