I agree that you need to acquire each disk individually. There is just too high a probability of missing something, especially if the system is down before arriving on scene. For example, what if one or more of the drives are set up as hot-swap? Also I see many servers that have multiple arrays on one controller. How can you be certain while on scene that you know you are getting "everything" without imaging each disk?
Additionally, there are so many controllers on the market that it would be difficult for me to assure myself that while looking through the RAID setup that I was certain that I knew everything about the setup. At least with all drives imaged I can go back and mount other possible arrays if something is missing. For example you go in and do a black bag capture of a server, it is late and you are under a time crunch and you miss that mirror but get the RAID 5 or 10. Who ever wants to be in the position of having to go back (if that is even an option). Just some possible scenarios.
I have successfully rebuilt a number of RAIDs in Encase. I agree, it's not easy but doable. All you need is:
info on the configuration of the controller
physical characteristics of the drives
the Encase manual
Good luck.
Guidance Software recommends this method. Every acquisition is different, and without you knowing how or what I'm processing I don't see how you can tell me what the right and wrong way to do something is. If you want more information on why Guidance would recommend this, I suggest you contact them. Without knowing the stripe size it's a guessing game until you find the correct number and get it rebuilt. If you didn't do the acquisition and the data from the controller hasn't been provided, it's going to take a long time to figure out the correct info.
Anyone that owns Encase, and has the Version 6 manual, can look at page 7-42 where it talks about RAID. Here's what it says:
If the investigator acquires the set in its native environment, the disk configuration can be acquired as one drive, the easiest option. The best method for performing such an acquisition would be to conduct a crossover network cable acquisition.
To acquire the set
1. Keep the disk configuration intact in its native environment.
2. Boot the subject computer with an Encase Network Boot Disk.
3. Launch the Linen utility.
4. Acquire the disk configuration as you would normally acquire a single hard drive, depending on the means of acquisition. Parallel port, crossover network cable, or "drive to drive" acquisition of a hardware disk configuration set is straightforward, as long as the set is acquired as one drive.
If the physical drives were acquired separately, or could not be acquired in the native environment, Encase applications have the ability to edit the hardware set manually.
The next page then continues with:
Sometimes acquiring the hardware disk configuration as one drive is not possible, or the method of assembly of a software drive is not possible, or the method of assembly of a software disk configuration seems incorrect.
It then goes on and explains how to edit the disk configuration in Encase.
Sounds like you need to call Guidance and tell them their methods are wrong….
I wouldn't normally post on an old thread with a new question, but there was mention of finding the superblock to recover RAID parameters in Linux.
With a Windows-based system (in this case XP SP2), is there a way to do such a thing?
Specifically, I know from the BIOS that the hardware RAID is enabled for SATA 1 and 2, with a 250 GB drive in each. I reviewed the motherboard manual, which stated that supported RAID included 0, 1, 0+1, 5, and JBOD. I performed the button pushing that allegedly brings up the RAID controller but only got an error message (the hard drives are removed).
I previewed the dismounted disks and found that the disk connected to SATA 1 had what appeared to be an MBR but no volume recognized by Encase (I didn't look at the partition table manually, I admit) and the second drive did not have an MBR… both appeared to have data on them.
I know I can use Linen to obtain a logical image (the subject of the current debate), but how can I discover the RAID parameters used from artifacts?
Thanks.
Paul
An excellent presentation on RAID reconstruction can be found here
I used this technique for a case, successfully re-assembling a RAID using X-Ways Forensics.
Mike
Earn,
"Guidance Software recommends this method."
Okay. And on this forum other people have recommended a different method. No matter GS or the rest of the world, can you not see why it may be imperative to acquire each disk individually?
"Every acquisition is different and without you knowing how or what I'm processing I don't see how you can tell me what the right and wrong way to do something is. "
It is actually quite simple here. What is opposing counsel going to attack? Do you know which disks are member disks? Hot-swap disks? Now tagged as faulty but may contain good data that can be resurrected?
If you follow the recommendation of Guidance Software you may miss your only opportunity to get all the data. You may jeopardize your career. Are you willing to risk it? Will GS hire you or back you up when you miss data outside of the logical RAID array?
"If the investigator acquires the set in its native environment, the disk configuration can be acquired as one drive, the easiest option."
Never let it be said that if it's in print it must be true.
That is really bad. And it's in print. The _easiest_ option. Let's see … Well, your honor, I read this manual - put out by Guidance Software - and in the manual I read that the disk configuration can be acquired as one drive, and it also said it's the easiest option. Yes, I went with the easiest option. Because Guidance Software told me to. I didn't stop to think that the inclusion of "can" translated into another method, a more time consuming method. But your honor, I have my ENCE.
Ever stop to think it may be because the EnCase software doesn't have a good RAID reconstructor, Earn?
"Sounds like you need to call Guidance and tell them their methods are wrong…."
Not me. Seems likely a defense attorney will call you (or someone else following this recommendation by Guidance Software) to the carpet.
Regards,
farmerdude
Let's say there are 8 drives in a system. I would acquire each drive individually. By acquiring in this manner I am certain that I obtain all data, because I grab every member disk, as well as any former member disk or a disk that was never a member of the RAID.
Farmerdude,
Don't forget that there 'could' be some information stored in the system area of each of the hard drives.
It's just theoretical; however, at Disklabs we are able to write to these areas, thus 'hide' data.
Just throwing in my two penn'orth.
Regards,
Simon
Simon,
Absolutely. I agree. I can't believe anyone would acquire only the logical RAID in forensics work. And I can't believe that Guidance Software actually recommends acquiring the logical RAID! I don't have the user manual referenced in this topic, but what I read was bad enough.
Cheers!
farmerdude
Just wanted to add my two cents…
I think how to acquire the RAID is really dictated by the circumstances.
If you have a hostile, tech-savvy environment, physical acquisition may be the way to go.
If on the other hand you have a friendly environment, perhaps one where you are investigating an employee’s misconduct as opposed to a corporate one, you may want to go for a logical acquisition, perhaps only seizing files and folders that the employee has access to.
Prioritization of sources of evidence, triage of files and data with regard to relevance, and resources available to you as an investigator will also play a role in determining how (and what) to seize.
You may quite simply not have the resources, time, or need to seize and process several terabytes of data from a RAID.
Privacy and other legal considerations may also play a role in what you seize and process.
Taking the RAID off line may not be an option if it is supporting other businesses. Shutting down a busy operation where uninvolved third parties are affected and liabilities may be large will need a lot of justifying. What if the RAID is being used by several companies to store and process on-line sales to the tune of thousands of dollars a minute and you are only investigating one company?
Given a specific situation, you do the best you can to get what you need to convict (or exculpate). You also take good notes to justify your decisions to take or not take specific actions such as taking the RAID off-line and creating a physical image of the drives.
If you suspect that what you need will show up hidden in the system area then take a physical image. If you preview and find the files you need in the logical container, image the container or export the files/folders.
Anyway, just my two cents…
I would research the RAID controller and find out its default parameters. Most of the time that will be your setup. If it's a Windows dynamic disk, you can use Encase's "scan disk configuration" for a painless rebuild.
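An added example, not code from any poster or from EnCase or X-Ways, illustrating the "guessing game" over stripe size mentioned earlier in the thread and Paul's question about recovering RAID parameters from the drives themselves when the controller is gone: it brute-forces RAID 0 member order and stripe size over individually imaged members, reassembling each candidate virtually and keeping only those where sector 0 is an MBR whose first partition begins with an NTFS boot sector. The sample images are constructed in the code; the candidate stripe list and the two-member layout are assumptions of the example.

```python
import struct
from itertools import permutations

SECTOR = 512
CANDIDATE_STRIPES = [4096, 8192, 16384, 32768, 65536, 131072, 262144]  # assumed firmware options

def raid0_locate(logical_off, stripe, ndisks):
    """Map a logical byte offset of a RAID 0 volume to (member index, offset in member)."""
    stripe_no, within = divmod(logical_off, stripe)
    row, member = divmod(stripe_no, ndisks)
    return member, row * stripe + within

def read_sector(disks, order, stripe, lba):
    """Read one sector of the virtual volume built from `disks` placed in `order`."""
    member, off = raid0_locate(lba * SECTOR, stripe, len(order))
    data = disks[order[member]][off:off + SECTOR]
    return data.ljust(SECTOR, b"\0")  # zero-fill reads that run past the image

def layout_is_consistent(disks, order, stripe):
    """Plausible if sector 0 is an MBR and its first partition starts with an NTFS boot sector."""
    mbr = read_sector(disks, order, stripe, 0)
    if mbr[510:512] != b"\x55\xAA":
        return False
    ptype = mbr[446 + 4]
    start_lba = struct.unpack_from("<I", mbr, 446 + 8)[0]
    if ptype == 0 or start_lba == 0:  # reject an empty table (avoids a VBR masquerading as an MBR)
        return False
    vbr = read_sector(disks, order, stripe, start_lba)
    return vbr[3:11] == b"NTFS    " and vbr[510:512] == b"\x55\xAA"

def find_raid0_layouts(disks):
    """Return every (member order, stripe size) pair that survives the check."""
    return [(order, s) for order in permutations(range(len(disks)))
            for s in CANDIDATE_STRIPES if layout_is_consistent(disks, order, s)]

def build_sample_disks(stripe=65536, part_lba=655, volume_size=1 << 20):
    """Constructed sample: 1 MiB volume, MBR + one NTFS partition, striped over two members handed back in the wrong order."""
    vol = bytearray(volume_size)
    struct.pack_into("<8BII", vol, 446, 0x80, 0, 0, 0, 0x07, 0, 0, 0, part_lba, 1000)
    vol[510:512] = b"\x55\xAA"
    vbr = part_lba * SECTOR
    vol[vbr:vbr + 11] = b"\xEB\x52\x90NTFS    "
    vol[vbr + 510:vbr + 512] = b"\x55\xAA"
    members = [bytearray(volume_size // 2) for _ in range(2)]
    for n in range(volume_size // stripe):
        row, member = divmod(n, 2)
        members[member][row * stripe:(row + 1) * stripe] = vol[n * stripe:(n + 1) * stripe]
    return [bytes(members[1]), bytes(members[0])]  # deliberately swapped, as found on the bench
```

Several stripe sizes can map one anchor sector to the same physical location, so on real images check more than one anchor (a second partition's boot sector, or the NTFS backup boot sector at the partition's end) before settling on a layout.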