
RAID 5

(@clarkk)
Posts: 11
Active Member
Topic starter
 

What is the best way to image a server with RAID 5 config? Or if best way is not possible, other options?

 
Posted : 11/04/2019 5:14 pm
(@mcman)
Posts: 189
Estimable Member
 

Personally, I hate rebuilding RAIDs so I always vote for logical acquisitions while it's mounted but that would depend on your case and the amount of data you need to grab.

Grabbing each drive and rebuilding back in the lab is fine, I just prefer the logical if/when possible.

 
Posted : 11/04/2019 5:20 pm
(@clarkk)
Posts: 11
Active Member
Topic starter
 

I guess that's sort of my question…how do you rebuild a RAID 5 from outside of the server? Never have had to in the past. Obviously a logical would seem to be much easier. What tool(s) do you use to rebuild, how long does it take, etc?

 
Posted : 11/04/2019 6:36 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

X-Ways Forensics does a good job of rebuilding RAID systems and then lets you create an image file of the rebuilt RAID to stop you having to rebuild it in the future.

 
Posted : 11/04/2019 7:34 pm
(@athulin)
Posts: 1156
Noble Member
 

What is the best way to image a server with RAID 5 config? Or if best way is not possible, other options?

Define 'best'. What attributes are you hoping to maximize?

In general you have no choice: the server is usually business critical, and taking it offline for more than the bare minimum of time is going to lead to economic damage.

If you don't have that problem

I would start with an image of the data stream produced by the RAID device. Not the individual disks, but the 'emulated' disk, as far as one is present. This is, usually, the image the RAID unit exhibits to its host system or any surrounding system, and that should be the starting point. (Just as the 'disk' an ATA device exhibits to its host usually is less than what it keeps 'inside', so to speak.)

If you image individual disks, you are faced with the technical possibility that your rebuild may not be the same as the RAID's rebuild, so to speak. If you have the time, by all means … but one of the things you do in this situation probably has to be to compare the 'logical image' (I don't like that term) with an image rebuilt from the individual drive images. If there are discrepancies anywhere, you have to evaluate them.

That is, basically, you have to validate that your rebuild methodology actually does produce the same result as the RAID system itself.
If you know the RAID well (as is often the case for standard soft RAID systems), you can reduce the need for this – and if the RAID implementation is the same, possibly eliminate it altogether.

But in the general case, where you may have a proprietary, HW-based RAID that you don't know a thing about, it seems foolish to go directly for the more difficult option, as this will – in all situations I can think of – be on the critical path of the job, and so add delays.

 
Posted : 12/04/2019 5:24 am
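
Added example, not part of the thread or any poster's code: the validation described in the post above, rebuilding the emulated disk from member images and comparing it with the hash of the image exposed by the array. It assumes a left-symmetric RAID 5 layout with no controller metadata on the members; the stripe size, function names and sample data are constructed for illustration.

```python
import hashlib
from functools import reduce
from itertools import permutations

STRIPE = 16  # constructed stripe-unit size in bytes (real arrays use e.g. 64 KiB)

def xor(blocks):
    """Byte-wise XOR of equally sized blocks."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def make_members(logical, n, stripe=STRIPE):
    """Build constructed member images (left-symmetric RAID 5) for the demo."""
    chunks = [logical[i:i + stripe] for i in range(0, len(logical), stripe)]
    members = [bytearray() for _ in range(n)]
    for row in range(len(chunks) // (n - 1)):
        data = chunks[row * (n - 1):(row + 1) * (n - 1)]
        p = (n - 1) - row % n                  # parity disk rotates backwards
        members[p] += xor(data)
        for k, chunk in enumerate(data):       # data starts after the parity disk
            members[(p + 1 + k) % n] += chunk
    return [bytes(m) for m in members]

def parity_ok(members, stripe=STRIPE):
    """In a healthy RAID 5 every stripe row XORs to zero across all members."""
    return all(not any(xor([m[o:o + stripe] for m in members]))
               for o in range(0, len(members[0]), stripe))

def rebuild(members, order, stripe=STRIPE):
    """Reassemble the emulated disk from member images taken in the given order."""
    disks = [members[i] for i in order]
    n, out = len(disks), bytearray()
    for row in range(len(disks[0]) // stripe):
        p = (n - 1) - row % n
        for k in range(n - 1):
            out += disks[(p + 1 + k) % n][row * stripe:(row + 1) * stripe]
    return bytes(out)

def matching_orders(members, exposed_sha256):
    """Disk orders whose rebuild hashes to the image taken from the live array."""
    return [o for o in permutations(range(len(members)))
            if hashlib.sha256(rebuild(members, o)).hexdigest() == exposed_sha256]

# Constructed sample: a 3-disk array and the hash of its as-exposed image.
LOGICAL = bytes(range(256))[:2 * STRIPE * 6]
MEMBERS = make_members(LOGICAL, 3)
EXPOSED_HASH = hashlib.sha256(LOGICAL).hexdigest()
```

The parity check passes for any disk order, so it only shows that the member images are mutually consistent; the comparison against the as-exposed image is what confirms the rebuild parameters.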
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

What is the best way to image a server with RAID 5 config?

The "best" way….? Hmmm. Rebuilding a RAID5 from physical discs can be a real pain, so I prefer taking images of the running operating system with FTK Imager. Assuming it is a hardware RAID, the 2nd possibility is to boot from USB/DVD and start the copy from there.

regards,
Robin

 
Posted : 12/04/2019 11:11 am
(@clarkk)
Posts: 11
Active Member
Topic starter
 

Well, I suppose best in the case would be defined as least messy. Sounds like imaging online would be just that. If a rebuild of individual drives has to occur then it would seem to me that you don't know if you did in fact get everything. Our scenario would be that the servers reside somewhere else and the drives are shipped in to us. That seems to make things a little trickier.

 
Posted : 12/04/2019 11:16 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If a rebuild of individual drives has to occur then it would seem to me that you don't know if you did in fact get everything.

No, it is slightly different.

If you have the images of all the (single) physical disk drives you have *everything* and you can always re-build the whole array as it was (but this rebuild may take some time/effort).

If you image the disk array (as "exposed" by the RAID hardware/software) you have the thing as the server/os/whatever could see it, but not necessarily *everything* (it may depend also on the specific RAID hardware/software).

The note by athulin is more about the possibility (IMHO rare but not impossible in theory) that when you rebuild the array what is exposed is not exactly the same as what was exposed on the original machine.

Not necessarily the fastest/easiest but imaging BOTH the array as exposed AND the single drives would allow you to have the "as exposed" image to analyze and - in case of need - the possibility to rebuild from the single disks, and surely complies with *everything* saving you from any possible critics.

It really depends on the nature of investigation and other "external" factors (that only you can know), as an example you (your organization) may have a policy that imposes 11 forensic copies of disks without exception for RAID arrays.

jaclaz


 
Posted : 12/04/2019 12:10 pm
(@clarkk)
Posts: 11
Active Member
Topic starter
 

I see. Well in our instance, the most likely scenario is that they would want to send us the individual disks. So we would not have the RAID controller. In this example, what tool(s) could be used to rebuild?

 
Posted : 12/04/2019 1:10 pm
(@dcs1094)
Posts: 146
Estimable Member
 

You could do a live boot with WinFE boot disk and image via FTK Imager or X-Ways. Alternatively, you could use X-Ways to reconstruct the image files, if you have just been given the physical disks. I've also used UFS Explorer RAID Recovery in the past to assist with the identification/structure of the RAID and also reconstruction of the emulated drive. I had to do this when I was just given the physical HDDs with little to no information. They were stacked together and had been in storage.

 
Posted : 12/04/2019 4:17 pm