Imaging RAID arrays

(@pfkoss)
Posts: 18
Active Member
Topic starter
 

Looking for information on imaging RAID arrays. Anyone out there with good info on tools, either hardware or software, that can help in these cases?

Thanks

Phil Kossler
Electronic Data Recovery

 
Posted : 23/11/2004 2:03 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

Hi there,

What tool(s) do you currently use?

I am aware that Linux can do it, but never tried it myself. I am not too sure whether any of the forensic flavours (Helix, Knoppix, PSK) will handle RAIDs?

Try this link for info: http://linas.org/linux/Software-RAID/Software-RAID.html

EnCase FE will do it. I use EnCase FE and have acquired both software and hardware configurations in the past. There is more than one way to acquire a RAID using EnCase.

Take a look here: http://www.guidancesoftware.com/support/articles/HowToImageRAIDs.ppt

Andy

 
Posted : 23/11/2004 3:01 pm
(@pfkoss)
Posts: 18
Active Member
Topic starter
 

I'm mainly an FTK user but also use the tools from NTI, getting EnCase soon. I looked over the Flash that EnCase has on their site concerning the RAID drives.

Questions.

Do you do "normal" bitstream images of the drives, connect the working copies and let EnCase work from there, or do you need to run EnCase against the drives and the original RAID controller?

As I understood it, RAID controllers can vary in how they handle the drives, even within the same RAID level (0, 1, 3, 5). Does EnCase understand various controller methods, or am I wrong and all RAID controllers work the same?

Thanks!

 
Posted : 23/11/2004 5:07 pm
(@armresl)
Posts: 1011
Noble Member
 

If you plan on giving these images to other people/counsel make sure that you write down the size. Encase needs this information to reconstruct the arrays.

 
Posted : 23/11/2004 6:06 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

EnCase can acquire RAIDs in a couple of different ways.

Via the network method the RAID can be acquired in its native environment. This is generally the easiest method, but you're only acquiring the logical volumes, not the entire physical disk.

Acquire the individual drives separately. This requires that you know what type of RAID is used. You can then rebuild the array from within EnCase. You can even rebuild a RAID 5 array, for instance, with a missing or corrupt disk. You will not be able to rebuild some of the more exotic RAID types separately.

Software RAIDs and Dynamic Disk configurations can also be acquired, but you will have to know the type of RAID involved. In the case of Dynamic Disks the configuration information is stored on the disk itself. For other software RAIDs the disk configuration is stored on the drive containing the OS. EnCase has a command "scan disk configuration" which will detect the configuration.

The configuration can be set up manually, if the automatic method doesn't work.

 
Posted : 23/11/2004 8:38 pm
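The reassembly Greg describes (image each member separately, rebuild the array from the images, tolerate one missing or corrupt RAID 5 disk) and the size armresl says to write down, shown as an added Python example that is not from this thread or from EnCase: it stripes a constructed volume into member images, drops one member, and rebuilds the volume from parity. The stripe size, member order and parity rotation (left-symmetric here, with left-asymmetric as the alternative) are assumptions the examiner has to supply; get any of them wrong and the images will not reassemble into the original volume.

```python
from functools import reduce

def _layout(row, n, layout):
    """(parity disk, data disks in order) for one row; parity walks backwards each row."""
    p = n - 1 - row % n
    if layout == "left-symmetric":               # data continues on the disk after parity
        return p, [(p + 1 + k) % n for k in range(n - 1)]
    return p, [d for d in range(n) if d != p]    # left-asymmetric: fill in disk order

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def raid5_split(volume, n, stripe_size, layout="left-symmetric"):
    """Constructed fixture: stripe a logical volume into n member-disk images."""
    chunks = [volume[i:i + stripe_size] for i in range(0, len(volume), stripe_size)]
    members = [bytearray() for _ in range(n)]
    for row in range(len(chunks) // (n - 1)):
        data = chunks[row * (n - 1):(row + 1) * (n - 1)]
        p, order = _layout(row, n, layout)
        for d, c in zip(order, data):
            members[d] += c
        members[p] += reduce(_xor, data)         # parity chunk = XOR of the row's data
    return [bytes(m) for m in members]

def raid5_assemble(members, stripe_size, layout="left-symmetric"):
    """Rebuild the logical volume from per-disk images listed in controller order.
    A member given as None (at most one) is reconstructed from the others' XOR."""
    n = len(members)
    missing = [d for d, m in enumerate(members) if m is None]
    assert len(missing) <= 1, "RAID 5 tolerates only one missing member"
    size = len(next(m for m in members if m is not None))
    out = bytearray()
    for row in range(size // stripe_size):
        lo, hi = row * stripe_size, (row + 1) * stripe_size
        chunks = [None if m is None else m[lo:hi] for m in members]
        if missing:
            chunks[missing[0]] = reduce(_xor, [c for c in chunks if c is not None])
        for d in _layout(row, n, layout)[1]:
            out += chunks[d]
    return bytes(out)

def demo(n=4, stripe_size=16, layout="left-symmetric"):
    """Constructed volume -> member images -> disk 2 lost -> reassembled; returns match flags."""
    volume = bytes(range(256)) * 3               # 768 bytes = 16 rows of 3 data chunks
    members = raid5_split(volume, n, stripe_size, layout)
    degraded = members[:2] + [None] + members[3:]  # simulate a missing or corrupt member
    return (raid5_assemble(members, stripe_size, layout) == volume,
            raid5_assemble(degraded, stripe_size, layout) == volume)
```

Real member images are acquired from write-blocked drives and hashed before any of this; the reassembled volume is a derived artefact, so hash it separately and record the parameters used.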
 Andy
(@andy)
Posts: 357
Reputable Member
 

It depends if you are looking at a software RAID or a hardware one.

There are three basic types of RAID implementations: internal hardware, external hardware, and software.

One method for acquiring a software RAID is to acquire each drive individually. As there are several configurations for RAID sets, the user has flexibility in mounting different types of RAID volumes.

If this fails, the hardware RAID can be imaged in EnCase DOS using the suspect's machine.

The software RAID can be imaged with EnCase and then mounted. The correct method for acquiring a software RAID is to acquire each drive individually, and use EnCase to 'Edit Disk Configuration'.

Andy

Ahhhhh….. As I posted I saw that Greg has answered this post with a better explanation 🙂

 
Posted : 23/11/2004 9:01 pm
(@pfkoss)
Posts: 18
Active Member
Topic starter
 

Thanks to all,

I had pretty much come to the same conclusion but I wanted some confirmation. One more question… How does EnCase handle write blocking when imaging logically across the network (or does it), and if not, doesn't that kill us legally?

P

 
Posted : 24/11/2004 3:09 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

Imaging across a Network with EnCase can be done in two ways.

Using EnCase software alone, you must use the EnCase NIC/DOS disk, thus write blocking the suspect drive in software (DOS) and acting as a server. You are of course restricted to a 16-bit environment, and transfers are slow.

However, investing in the Fastbloc device allows you to write block in hardware and utilise the Windows 32-bit environment to acquire directly to a network device (server/NAS, etc). Acquisitions are much quicker. This is the method I practice, and it works very well; I use a Gigabit network, and the transfer speeds are very fast. I have made comparison experiments using EnCase DOS, Fastbloc, Linux dd & netcat, across a LAN and locally.

This is actually the subject of my dissertation, 'best practice for acquisition of data across a network, compared to local acquisitions'. Whether or not it's a good one, I don't yet know… I'll be looking for victims… erm, volunteers to take part in a questionnaire soon.

Write blocking works fine and integrity using these methods is not an issue.

Andy

 
Posted : 24/11/2004 6:51 pm
turtlecove
(@turtlecove)
Posts: 34
Eminent Member
 

> I have made comparison experiments using EnCase DOS, Fastbloc, Linux dd & netcat, across a LAN and locally

And what have you found?
How did those different methods compare?

 
Posted : 24/11/2004 7:21 pm
(@pfkoss)
Posts: 18
Active Member
Topic starter
 

If I have a server/PC that has a RAID array, the way I see it I have two options for imaging.

Option 1

Leave the drives in their native environment, mount the drive across the network and make the image. In this case, I don't see how I am write blocking, since the machine will be running and have access to its drives.

Option 2

Remove the drives, make the images (with write blocking) and load those images into EnCase.

Am I missing something on option 1, or is that it?

Phil

 
Posted : 24/11/2004 7:33 pm
Page 1 / 2