±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36115
New Yesterday: 0 Visitors: 138

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

RAID 5

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2, 3  Next 
  

ClarkK
Member
 

RAID 5

Post Posted: Apr 11, 19 17:14

What is the best way to image a server with RAID 5 config? Or if best way is not possible, other options?  
 
  

mcman
Senior Member
 

Re: RAID 5

Post Posted: Apr 11, 19 17:20

Personally, I hate rebuilding RAIDs so I always vote for logical acquisitions while it's mounted but that would depend on your case and the amount of data you need to grab.

Grabbing each drive and rebuilding back in the lab is fine, I just prefer the logical if/when possible.  
 
  

ClarkK
Member
 

Re: RAID 5

Post Posted: Apr 11, 19 18:36

I guess that's sort of my question...how do you rebuild a RAID 5 from outside of the server? Never have had to in the past. Obviously a logical would seem to be much easier. What tool(s) do you use to rebuild, how long does it take, etc?  
 
  

minime2k9
Senior Member
 

Re: RAID 5

Post Posted: Apr 11, 19 19:34

X-Ways Forensics does a good job of rebuilding RAID systems and then lets you create an image file of the rebuilt RAID to stop you having to rebuild it in the future.  
 
  

athulin
Senior Member
 

Re: RAID 5

Post Posted: Apr 12, 19 05:24

- ClarkK
What is the best way to image a server with RAID 5 config? Or if best way is not possible, other options?


Define 'best'. What attributes are you hoping to maximize?

In general you have no choice: the server is usually business critical, and taking it off line for more that the bare minimum of time is going to lead to economic damage.

If you don't have that problem:

I would start with an image of the data stream produced by the RAID device. Not the individual disks, but the 'emulated' disk, as far as one is present. This is, usually, the image the RAID unit exhibits to its host system or any surrounding system, and that should be the starting point. (Just as the 'disk' an ATA device exhibits to its host usually is less than what it keeps 'inside', so to speak.)

If you image indvidual disks, you are faced with the technical possibility that your rebuild may not be the same as the RAID's rebuild, so to speak. If you have the time, by all means ... but one of the things you do in this situation probably have to be to compare the 'logical image' (I don't like that term) with an image rebuilt from the individual drive images. If there are discrepancies anywhere, you have to evaluate them.

That is, basically, you have to validate that your rebuild methodology actually does produce the same result as the RAID system itself.
If you know the RAID well (as is often the case for standard soft RAID systems), you can reduce the need for this -- and if the RAID implementation is the same, possibly eliminate it altogether.

But in the general case, where you may have a proprietary, HW-based RAID that you don't know a thing about, it seems foolish to go directly for the more difficult option, as this will -- in all situations I can think of -- be on the critical path of the job, and so add delays.  
 
  

Bunnysniper
Senior Member
 

Re: RAID 5

Post Posted: Apr 12, 19 11:11

- ClarkK
What is the best way to image a server with RAID 5 config?


The "best" way....? Hmmm. Rebuilding a RAID5 from physical discs can be a real pain, so I prefer taking images of the running operating system with FTK Imager. Assuming it is a hardware RAID, the 2nd possibility is to boot from USB/ DVD and start the copy from there.

regards,
Robin
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 
 
  

ClarkK
Member
 

Re: RAID 5

Post Posted: Apr 12, 19 11:16

Well, I suppose best in the case would be defined as least messiest. Sounds like imaging online would be just that. If a rebuild of individual drives has to occur then it would seem to me that you don't know if you did in fact get everything. Our scenario would be that the servers reside somewhere else and the drives are shipped in to us. That seems to make things a little trickier.  
 

Page 1 of 3
Page 1, 2, 3  Next