Reconstructing RAID using Linux

pajkow
(@pajkow)
Posts: 81
Estimable Member
Topic starter
 

Hi All

I need a bit of advice.

I have 5xE01 images

The set of those disks comprises various RAID arrays: Stripe, Mirror, Simple.

(I know that the easiest thing would be to use EnCase; add E01, rebuild RAID via analyse disk config there - but this is not the case).

So I have converted them into flat RAW images in FTK imager and now I want to do the following

Using Linux Virtual Box (Preferably KALI) MOUNT THEM AND RECONSTRUCT RAID, ONCE THIS IS DONE - TO CREATE ONE FLAT DD/RAW IMAGE OF THE ENTIRE RAID.

So my questions are as follows

- HOW TO MOUNT FLAT IMAGE WITHOUT SPECIFYING FILE SYSTEM on Kali?

- HOW TO RECONSTRUCT RAID if all successfully mounted ON KALI OR ANY OTHER SIMILAR LINUX PLATFORM?

This is mostly to prove the concept and see if it is possible.

Any suggestions?

 
Posted : 26/05/2016 9:30 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

DMDE
https://dmde.com/

Has an easy to use "raid reconstructor" provision, at least in the Windows GUI version, but very possibly this same feature is in the Linux command line version (I am not at all familiar with this version).

But maybe you want to try pyflag (or just check the docs and tutorials and do it manually)
http://pyflag.sourceforge.net/Documentation/articles/raid/reconstruction.html

jaclaz

 
Posted : 26/05/2016 10:01 pm
pajkow
(@pajkow)
Posts: 81
Estimable Member
Topic starter
 

Thank you.

However I need to use freeware. I just installed DMDE and it may work but it is a commercial tool.

Can this be done in Linux at all?

 
Posted : 26/05/2016 10:44 pm
JaredDM
(@jareddm)
Posts: 118
Estimable Member
 

If you definitely know the settings you can do it just using mdadm commands in Linux. But, you'd have to know the settings first.

As an alternative, the demo version of R-Studio from R-TT (which has a linux version) can be used to build a virtual array of just about any type. You'd need to buy a $79 license to copy individual files out, but I'm pretty sure you can create an image of the full array even in the demo version. Let me know if you need any help. I recover failed RAID arrays all the time in my data recovery work.

 
Posted : 26/05/2016 11:35 pm
pajkow
(@pajkow)
Posts: 81
Estimable Member
Topic starter
 

OK, DD images somehow mounted to KALI but need to be traversed/processed to rebuild RAID

Disk /dev/loop0: 80 GiB, 85899345920 bytes, 167772160 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xbc171db6

Device       Boot    Start       End   Sectors   Size Id Type
/dev/loop0p1            63      2047      1985 992.5K 42 SFS
/dev/loop0p2 *        2048    206847    204800   100M 42 SFS
/dev/loop0p3        206848  63324159  63117312  30.1G 42 SFS
/dev/loop0p4      63324160 167770111 104445952  49.8G 42 SFS

Disk /dev/loop1: 80 GiB, 85899345920 bytes, 167772160 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x02c70e8e

Device       Boot Start       End   Sectors Size Id Type
/dev/loop1p1         63 167770111 167770049  80G 42 SFS

Disk /dev/loop2: 80 GiB, 85899345920 bytes, 167772160 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x02c70e81

Device       Boot Start       End   Sectors Size Id Type
/dev/loop2p1         63 167770111 167770049  80G 42 SFS

Disk /dev/loop3: 80 GiB, 85899345920 bytes, 167772160 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: E5586C62-2DB2-4FD8-A42A-118BB805B08D

---- ignore this one ---- below it is not RAID.

Device           Start       End   Sectors  Size Type
/dev/loop3p1        34    262177    262144  128M Microsoft reserved
/dev/loop3p2    264192 104282111 104017920 49.6G Microsoft basic data
/dev/loop3p3 104282112 147288063  43005952 20.5G Microsoft basic data
/dev/loop3p4 147288064 167768063  20480000  9.8G Microsoft basic data

---- ignore this one ---- above it is not RAID.

Disk /dev/loop4: 80 GiB, 85899345920 bytes, 167772160 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x02c70e80

Device       Boot Start       End   Sectors Size Id Type
/dev/loop4p1         63 167770111 167770049  80G 42 SFS

SFS is RAID, I can analyse LDM Database using ldmdump.exe in Windows so there must be a way to apply the same in Linux to look into it and reconstruct RAID - has anyone done it?

 
Posted : 27/05/2016 3:52 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> However I need to use freeware. I just installed DMDE and it may work but it is a commercial tool.

No it is not, there is a Freeware version (not Open Source) also
https://dmde.com/editions.html

> Can this be done in Linux at all?

The (given) Pyflag *is* Linux and more than that it explains HOW to "guess" the configuration
http://pyflag.sourceforge.net/Documentation/articles/raid/reconstruction.html
and once you have the configuration data Linux already has the tools needed (mdadm as stated by JaredDM), see

https://raid.wiki.kernel.org/index.php/RAID_setup
https://raid.wiki.kernel.org/index.php/RAID_Recovery
https://raid.wiki.kernel.org/index.php/Recovering_a_failed_software_RAID

jaclaz

 
Posted : 27/05/2016 5:21 pm
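
What the reconstruction discussed in this thread comes down to once the configuration is known, as an added example that is not from any poster: a pure-Python RAID-0 (stripe) de-interleave that reads member images and writes one flat image. It is not mdadm or pyflag; the function names, the 2-sector stripe and the member data are constructed, and start sector 63 only mirrors the partition start in the fdisk output above (the real stripe size, member order and data offset must come from the array's own metadata).

```python
import io

SECTOR = 512

def destripe_raid0(members, out, stripe_sectors, start_sector=0, length_sectors=None):
    """Write the flat volume held by RAID-0 `members` (file objects, in array
    order) to `out`; returns bytes written. start_sector is where each
    member's data area begins, length_sectors caps the data taken per member."""
    if not members or stripe_sectors <= 0:
        raise ValueError("need at least one member and a positive stripe size")
    stripe = stripe_sectors * SECTOR
    left = [None if length_sectors is None else length_sectors * SECTOR] * len(members)
    for m in members:
        m.seek(start_sector * SECTOR)          # skip to the data area
    written = 0
    while True:
        for i, m in enumerate(members):        # one stripe from each member in turn
            want = stripe if left[i] is None else min(stripe, left[i])
            chunk = m.read(want)
            out.write(chunk)
            written += len(chunk)
            if left[i] is not None:
                left[i] -= len(chunk)
            if len(chunk) < stripe:            # end of data on this member
                return written

def make_members(volume, n, stripe_sectors, start_sector):
    """Constructed test data: stripe `volume` over n in-memory members, each
    prefixed with start_sector sectors of filler (the gap before the data)."""
    stripe = stripe_sectors * SECTOR
    bufs = [bytearray(b"\xEE" * (start_sector * SECTOR)) for _ in range(n)]
    for k in range(0, len(volume), stripe):
        bufs[(k // stripe) % n] += volume[k:k + stripe]
    return [io.BytesIO(bytes(b)) for b in bufs]

def demo():
    # Constructed volume: 24 sectors, each filled with its own index byte.
    volume = b"".join(bytes([s]) * SECTOR for s in range(24))
    members = make_members(volume, n=3, stripe_sectors=2, start_sector=63)
    out = io.BytesIO()
    destripe_raid0(members, out, stripe_sectors=2, start_sector=63)
    right_order = out.getvalue() == volume
    # Same members in the wrong order: same size, scrambled content.
    out2 = io.BytesIO()
    destripe_raid0(members[::-1], out2, stripe_sectors=2, start_sector=63)
    return right_order, out2.getvalue() == volume

if __name__ == "__main__":
    print(demo())
```

With real evidence, pass the raw images opened with `open(path, "rb")` so the members are only ever read, and hash the output image once it is written.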