“How do I reassemble a RAID if I know nothing about it?” or the Story behind TaskForce’s RAID Module

“I keep on telling my field techs to at least mark the order of the drives in a tower when they are pulling them out!” says our new acquaintance at one of the first post-pandemic offline events. These bunches of drives land on her desk without any data about the type of RAID or its controller. Forget the remaining critical parameters. 

“I am lucky if detectives mark the first drive in a server they need to be examined.” “It is hours of trials and errors when I try mounting a RAID.” “I had to image all of the drives and then play with 10 images for days to get the parameters right.”

It is stories like these that made us think about solutions and realize that we had the perfect hardware for RAID reassembly and its subsequent forensic imaging. 

For starters, Atola TaskForce has 18 ports, and 16 of them can be used for SATA devices: 

  • 6 SATA ports
  • 6 SAS ports that can also be used for SATA devices
  • 4 USB ports, to which SATA devices can be connected in enclosures. 
  • In addition, you can use image files as remaining RAID members. 

To be able to connect all RAID members and manually enter their key parameters is already a great improvement to an examiner’s routine. But TaskForce does so much more!


Autodetection of RAID configuration

“Imagine connecting members of a RAID with an unknown configuration to TaskForce, just make it scan the drives to identify the block size and RAID type,” suggested one of our key European customers who pointed out our uniquely suited hardware. It is from this customer and his colleagues who worked on an in-house RAID identification solution that we got key insights and inspiration for further research and development of an automated RAID configuration detection.

A manual RAID configuration check often takes a prohibitive amount of time. To speed things up and eliminate any guesswork by the examiner, our team looked to automate the identification of all critical parameters, including drive order, start LBA, and parity symmetry.

When it comes to the time required for configuration search, the number of array members remains the most influential factor. Thankfully, TaskForce’s server-grade CPU has the capacity to process millions of possible configurations of a RAID, and an array consisting of 2 – 6 drives takes only a minute to identify and reassemble. However, when you are dealing with a larger RAID, the time of configuration search grows exponentially due to the sheer number of possible variants. For instance: 

  • A RAID 5 consisting of 5 drives can have just under 6 thousand different configurations 
  • A RAID 5 consisting of 10 drives results in 132 million configurations to try out 

Now imagine doing this work manually! 

Expediting configuration search with heuristic algorithms

When configuration autodetection deals with potentially hundreds of millions of possible configurations, the process must be made smart and some configurations must be prioritized over others based on the information you are able to read from the drives. To create such sophisticated search algorithms and smarter ways of verifying the right configuration, Atola engineers dove deep into the specifics of file data distribution on RAID members. 

What gave us the edge when optimizing the configuration autodetection algorithms was our decades-long expertise in hard drives, data distribution on them, and the file system validation principles that we have developed over the years.

How exactly does TaskForce find the right configuration?

Selecting the members in the RAID module instantly launches the autodetection process:

  • In Stage 1, it reads the initial 3 million sectors on the drives to detect block size and identify spare drives, mirrors, parity blocks. This stage helps deduce the RAID type and focus on other parameters during the following stage of autodetection.  
  • In Stage 2, TaskForce reads data from the drives again, and attempts combining the drives into the hypothetically acceptable configurations, mounting the RAID, and validating file systems on it. In the process, the autodetection module goes through thousands, sometimes millions of possible configuration variants. To speed up the search, our team developed heuristic algorithms that prioritize more probable variants.

TaskForce produces an output of acceptable configurations that resulted in successfully validated partitions. In most cases, there is one suitable configuration. Rarely, there can be a few and they are listed in the order of probability.
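The search-and-validate idea behind Stage 2 can be shown on a small constructed RAID 0. This is an added example, not Atola's algorithm or code: it tries every drive order and candidate block size without any prioritization, and a signature plus CRC32 header (the hypothetical `VOL1` format below) stands in for file-system validation.

```python
import itertools
import random
import struct
import zlib

MAGIC = b"VOL1"  # constructed stand-in for a file-system signature

def make_volume(payload_len, seed=7):
    """Constructed volume: signature, CRC32 of payload, pseudo-random payload."""
    rng = random.Random(seed)
    payload = bytes(rng.getrandbits(8) for _ in range(payload_len))
    return MAGIC + struct.pack("<I", zlib.crc32(payload)) + payload

def stripe(volume, n, block):
    """Split a volume into n RAID 0 members with the given block size."""
    members = [bytearray() for _ in range(n)]
    for i in range(0, len(volume), block):
        members[(i // block) % n] += volume[i:i + block]
    return [bytes(m) for m in members]

def assemble(members, block):
    """Interleave members, in the order given, back into one volume."""
    out = bytearray()
    for off in range(0, len(members[0]), block):
        for m in members:
            out += m[off:off + block]
    return bytes(out)

def validates(volume):
    """Stand-in for file-system validation: signature plus payload checksum."""
    (crc,) = struct.unpack("<I", volume[4:8])
    return volume[:4] == MAGIC and zlib.crc32(volume[8:]) == crc

def search(members, block_sizes):
    """Try every drive order and block size; return (variants tried, hits)."""
    tried, hits = 0, []
    for block in block_sizes:
        for order in itertools.permutations(range(len(members))):
            tried += 1
            if validates(assemble([members[i] for i in order], block)):
                hits.append((order, block))
    return tried, hits

# Constructed evidence: 4 members, true block size 16, received in mixed order.
true_members = stripe(make_volume(248), 4, 16)
shuffled = [true_members[i] for i in (2, 0, 3, 1)]
tried, hits = search(shuffled, (8, 16, 32, 64))
print(f"{tried} variants tried, valid: {hits}")
```

Even this toy case needs 4! drive orders for each of four block sizes; every further member multiplies the number of orders again, which is why prioritizing likely variants matters on larger arrays.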

Of course, it is not only multiple ports and optimized algorithms that make TaskForce perfect for this task. It is also its almighty motherboard and CPU that are capable of managing thousands of complex calculations in a matter of seconds for this processor-intensive feature.

Fast imaging of RAIDs or their partitions

The RAID partition preview helps identify which partitions are of interest for the investigation. Whether it is the whole RAID or its individual partitions that need to be acquired, the required scope of data is easy to select in the imaging settings.

The speed of imaging varies depending on the RAID type and block size of the RAID members as well as on the type and condition of the media. Any assembled RAID will be imaged by TaskForce faster than an individual drive, imaging of RAID 10 being particularly fast and achieving 1 GB/sec.

What if RAID members are missing or damaged?

Atola, having its background in data recovery, always keeps its eyes on the end goal: getting all data or as much as possible if the medium is damaged, missing or access is restricted. 

TaskForce retrieves data from every readable sector and rebuilds the complete image of a RAID that has any data redundancy: 

  • RAID 5 data will be imaged in its entirety even if one member is absent: the missing data will be rebuilt from the parity blocks. Data can be reconstructed even if multiple drives are in shaky condition as long as the bad sectors of one drive can be rebuilt from parity blocks of the other one.
  • RAID 1 and RAID 10 will be rebuilt completely if one set of mirrors is intact.
  • RAID 0 or JBOD have no redundancy, therefore the image can be acquired except for the bad sectors, which will be mapped accordingly.
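The RAID 5 case above, worked through as an added example (not TaskForce code): each stripe is rebuilt by XOR as long as only one member is unreadable in that stripe, and stripes with two or more gaps are reported instead of guessed. The 4-byte block size, the parity rotation and the sample data are assumptions made for the illustration.

```python
from functools import reduce

BLOCK = 4  # constructed, tiny block size so the sample stays readable

def xor(blocks):
    """Byte-wise XOR of equal-length blocks."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def parity_member(row, n):
    """Assumed layout: parity rotates from the last member to the first."""
    return n - 1 - row % n

def build_raid5(data, n):
    """Stripe data over n members (lists of blocks) with rotating parity."""
    members = [[] for _ in range(n)]
    chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    for row in range(len(chunks) // (n - 1)):
        stripe = chunks[row * (n - 1):(row + 1) * (n - 1)]
        stripe.insert(parity_member(row, n), xor(stripe))
        for member, block in zip(members, stripe):
            member.append(block)
    return members

def image_raid5(members):
    """Return (volume, unrecoverable rows); None marks an unreadable block."""
    n, out, bad_rows = len(members), [], []
    for row in range(len(members[0])):
        stripe = [m[row] for m in members]
        missing = [i for i, b in enumerate(stripe) if b is None]
        if len(missing) == 1:    # one gap per stripe: XOR of the rest fills it
            stripe[missing[0]] = xor([b for b in stripe if b is not None])
        elif missing:            # two or more gaps: redundancy is exhausted
            bad_rows.append(row)
            stripe = [b if b is not None else bytes(BLOCK) for b in stripe]
        p = parity_member(row, n)
        out.extend(b for i, b in enumerate(stripe) if i != p)
    return b"".join(out), bad_rows

# Constructed 4-member array holding 48 bytes of data (4 stripes).
data = bytes(range(48))
absent = build_raid5(data, 4)
absent[2] = [None] * 4                      # member 2 was never delivered
shaky = build_raid5(data, 4)
shaky[0][1], shaky[3][2] = None, None       # bad blocks in different stripes
```

Both `image_raid5(absent)` and `image_raid5(shaky)` return the full original data; an absent member combined with a bad block on another member in the same stripe leaves that stripe zero-filled and listed as unrecoverable.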

What happens if the drives from a RAID are not marked properly and got mixed with drives that are not a part of it?

Normally, TaskForce only needs a minute or two to identify all RAID parameters. In cases where there is a drive that is not a part of the RAID, the module will require more time:

  • For RAID 1 or 10, the RAID module will group the detected mirrors into corresponding groups, and the odd drive will be placed separately. The partitions will be mounted successfully.
  • For JBOD, the partitions will likely be identified and the order of the drives will be correct, with the odd drive placed at the end.
  • RAID 0 or 5 may not be reassembled: the data from the odd drive will be taken into consideration when the RAID module tries to combine the data from all the members. TaskForce’s autodetection module will try identifying the configuration from scratch each time you remove or add a drive. So try removing a drive that seems odd.

What has been accomplished and what lies ahead

In 2020 and 2021, Atola released a few firmware updates for TaskForce which included the support of the prevalent RAID types: 0, 1, 5, 10 and JBOD. The supported filesystems as of the end of 2021 include NTFS, ext4/3/2, XFS, exFAT, HFS/HFS+.

We continue adding more RAID types and file systems to cover the most frequently occurring arrays, and further improving the autodetection algorithm to help your RAID acquisitions take less time and effort! 

For more information about Atola and our products, visit our website atola.com 
