
Raid5 question

23 Posts
12 Users
0 Reactions
1,879 Views
 SKII
(@skii)
Active Member
Joined: 19 years ago
Posts: 13
Topic starter  

Hi All,

I have some questions regarding using EnCase on a RAID5. This is the first time I'm using EnCase V4 to investigate a RAID5.

The RAID has 3 hard disks, around 73GB each. I have mirrored the 3 hard disks onto another 3 hard disks. However, the size of each mirrored HDD is larger than 73GB.

Will the extra sectors be a problem when I build a virtual array in Encase?

Are there any other things to look out for?

Thanks and regards


(@jlindmar)
Eminent Member
Joined: 20 years ago
Posts: 30
 

I believe you will need to specify an end sector if using the restored HDDs. You don't need to use those though, as EnCase can use the image files to rebuild the array. Either way you still would need to specify the correct drive order, start sectors, stripe size, and rotation (the end sector should only be needed if using the restored HDDs). Good Luck!


 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

I suggest posting on the Encase forum to get a better answer.

When imaging an array it's always best to capture the entire array as "one chunk", for lack of a better term, using LinEn or a DOS boot CD. You said you mirrored the drives, so I'm assuming you don't have an image; they are just bit copies to new drives. Is this correct? Like stated in the other post, if EnCase can't automatically rebuild the RAID you have to enter the information manually. The extra space on the drives will likely cause an issue. The RAID information is stored in the controller as well as on each disk, in case you lose a controller and need to rebuild with a new one. The difference in drive size will likely throw things off, but you will need to try it to see.

What have you done so far to get the array rebuilt in EnCase? I've had more luck lately using WinHex to rebuild than I have with EnCase. Individual imaging of the drives in an array is the very last method that you want to use. It's next to impossible to get it working in EnCase, especially if you don't have the stripe size info. Below are some links that will help you rebuild. Also take a look at this product; I've never used it but have heard good things about it: http://www.runtime.org/raid.htm

https://support.guidancesoftware.com/forum/showthread.php?t=29894&highlight=rebuild+raid
https://support.guidancesoftware.com/forum/showthread.php?t=26410&highlight=rebuild+raid


(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

I must agree with Earn. X-Ways Forensics or RAID Reconstructor are my tools of choice when having to rebuild a RAID from the individual drive components. I even got X-Ways to rebuild a Mac array where there was a complete meltdown of the RAID hardware (literally), using images of the individual drives.


 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

Did you have any luck with the rebuild? I'm curious to know if the larger drives caused an issue. Let us know how it turns out!


 SKII
(@skii)
Active Member
Joined: 19 years ago
Posts: 13
Topic starter  

Hi All,

I think that, other than the stripe size and order, you also need to know the exact sectors of the original hard disks. It will make the rebuilding easier.

I tried using an estimated guess of the sectors and then used "Scan Disk Configuration", but the result is no good.

I'm trying to use "validate parity" to see if the rebuild is better.

Regards

 reax
(@reax)
New Member
Joined: 18 years ago
Posts: 1
 

Hey!

Can you please send me the first 10 MB of each disk as a dd image? Please make a 7zip archive with a large password and upload the file to rapidshare or other hosters.

My e-mail address: ff @ it-k.info

Maybe the RAID has a header, maybe the parity block does not begin at the last disk, etc.

René


(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

I am coming in late on this topic, but I found something I disagree with and feel is important to question.

Reading "When imaging an array it's always best to capture the entire array as "one chunk"" leads me to believe the author suggests acquiring the logical RAID array, and not each physical disk that is a member of the RAID array. Am I correct in my interpretation, Earn?

If so, then I would disagree. When we go through RAID identification, acquisition, and analysis in my training I teach my students to acquire every member disk individually. Let's say there are 8 drives in a system. I would acquire each drive individually. By acquiring in this manner I am certain that I obtain all data, because I grab every member disk, as well as any former member disk or a disk that was never a member of the RAID. There may be drives in the system that are not part of the RAID. Or, there may be a drive that has data pertinent to the case that is stored outside of the RAID array (perhaps a former drive that has been included in the RAID, but the space used by the RAID is not equal to the entire drive space).

If you find the RAID superblock you will find the necessary information to rebuild the RAID array. In Linux using software RAID these are defined and easy to locate, and the fields are easy to parse. It is important to note that some RAID reconstruction utilities allow you to rebuild an array with incorrect parameters. This is because you are specifying the parameters to the tool, and it listens to you. Be careful and be certain.

cheers!

farmerdude


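The superblock parse mentioned above, as an added example not from the thread: it reads the rebuild parameters (level, layout, chunk size, member count, data offset, this member's slot) from a Linux md version-1 superblock, following the struct mdp_superblock_1 layout in the kernel's md_p.h (a 1.2 superblock sits 4096 bytes into each member device). The sample superblock is constructed in the block, not a real dump.

```python
import struct

MD_SB_MAGIC = 0xA92B4EFC
RAID5_LAYOUTS = {0: "left-asymmetric", 1: "right-asymmetric",
                 2: "left-symmetric", 3: "right-symmetric"}

def parse_md_superblock_v1(sb):
    """Extract rebuild parameters from a Linux md v1.x superblock. All integers
    are little-endian; sizes and offsets are in 512-byte sectors. Field offsets
    follow struct mdp_superblock_1 (level at 72, chunksize at 88, roles at 256)."""
    magic, major = struct.unpack_from("<II", sb, 0)
    if magic != MD_SB_MAGIC or major != 1:
        raise ValueError("not an md v1 superblock")
    level, layout = struct.unpack_from("<iI", sb, 72)
    size, chunk, raid_disks = struct.unpack_from("<QII", sb, 80)
    data_offset, data_size = struct.unpack_from("<QQ", sb, 128)
    dev_number, = struct.unpack_from("<I", sb, 160)
    events, = struct.unpack_from("<Q", sb, 200)
    max_dev, = struct.unpack_from("<I", sb, 220)
    if len(sb) < 256 + 2 * max_dev:
        raise ValueError("truncated superblock")
    roles = struct.unpack_from("<%dH" % max_dev, sb, 256)
    return {
        "name": sb[32:64].split(b"\0", 1)[0].decode("ascii", "replace"),
        "level": level, "layout": RAID5_LAYOUTS.get(layout, layout),
        "chunk_bytes": chunk * 512, "raid_disks": raid_disks,
        "data_offset_sectors": data_offset, "data_size_sectors": data_size,
        "component_size_sectors": size, "dev_number": dev_number,
        "events": events,  # a member with a lower event count is stale
        # 0xFFFF = spare, 0xFFFE = faulty; anything else is this member's slot
        "role": roles[dev_number] if dev_number < max_dev else None,
    }

def build_md_superblock(name, level, layout, size, chunk, raid_disks,
                        data_offset, dev_number, roles):
    """Constructed fixture, not a real on-disk dump: pack a minimal v1 superblock."""
    sb = bytearray(256 + 2 * len(roles))
    struct.pack_into("<II", sb, 0, MD_SB_MAGIC, 1)
    sb[32:64] = name.encode().ljust(32, b"\0")
    struct.pack_into("<iI", sb, 72, level, layout)
    struct.pack_into("<QII", sb, 80, size, chunk, raid_disks)
    struct.pack_into("<QQ", sb, 128, data_offset, size)
    struct.pack_into("<I", sb, 160, dev_number)
    struct.pack_into("<I", sb, 220, len(roles))
    struct.pack_into("<%dH" % len(roles), sb, 256, *roles)
    return bytes(sb)

# constructed: 3-disk RAID5, 512 KiB chunks, left-symmetric, this member is slot 1
SAMPLE_SB = build_md_superblock("host:0", 5, 2, 143_000_000, 1024, 3, 2048, 1, [0, 1, 2])
```

Parsing every member's superblock and comparing the `events` and `role` values is what tells you which image is a current member and which is a swapped-out drive, which is the check the posts above are arguing about.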
 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

You are capturing the logical container which is the recommended and preferred method suggested when using Encase. Without doing it this way it's close to impossible to reassemble in Encase especially if you didn't do the acquisition. I'm guessing you don't use Encase…..

This topic is discussed quite often on the Encase boards.


(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

You are capturing the logical container which is the recommended and preferred method suggested when using Encase. Without doing it this way it's close to impossible to reassemble in Encase especially if you didn't do the acquisition. I'm guessing you don't use Encase…..

Earn,

Who recommends this? I mean, are you saying that someone has actually told you that acquiring only the logical RAID array is the forensic method?

What about any data outside of the RAID array that exists on either A) the drives that are members or B) drives that are not members, but in the same system?

For B, you hope the practitioner recognizes one or more drives are not members of the RAID array though they are in the same system.

But for A, what about data on any of the member disks that resides outside of the RAID? By your stated method, the practitioner will _miss_ this data.

Often drives are swapped about. A member drive may have pertinent data outside of the file system that is part of the array, but you will miss it by acquiring the logical array.

I cannot believe that Guidance Software has stated the recommended and preferred method is to acquire the array and not every individual disk in its entirety.

I do not use EnCase, but even if I did, I would still use best practices and acquire each disk individually. Using this method I have all data, within and outside of the array, and I block any challenge from opposing counsel.

Anyone else have any thoughts?

regards,

farmerdude

