Notifications
Clear all

Split RAID

6 Posts
6 Users
0 Likes
477 Views
iruiper
(@iruiper)
Posts: 145
Estimable Member
Topic starter
 

Hi everybody,

Does anyone know if it is possible to acquire 5 disks in a HW RAID5 into two hard drives by using EnCase? The problem is that the total volume data constist of 400GB and I don't have such big external hard drives, so I will have to use two 300GB disks (I don't have the time to buy a big disk since I must make the acquisition today). Can I leave three disks in the RAID, make the acquisition, and then acquire the two remaining disks?

Thanks!

 
Posted : 27/03/2006 4:15 pm
(@farmerdude)
Posts: 242
Estimable Member
 

I don't use EnCase so I cannot help you specifically with that program. However, I would use 'dd' or similar and acquire each disk individually to my destination drives. This way I get both RAID and non-RAID data and I can dump the images to however my destination allows (such as in your case, two drives 300GB each). You could compress on the fly or not, depending upon your limitations. So use your tool to acquire each drive, not the RAID array.

regards,

farmerdude

 
Posted : 27/03/2006 8:12 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

You can acquire each drive seperately and rebuild the array within Encase. It is however, generally preferred to acquired the array in it's native environment using the boot disks and doing either over a network connection, or to your hard drives installed locally on the server. Many Encase users are utilizing Linen (encase for linux) for RAID acquisitions. It functions simlarly to the dos acquisition tool, but allows for much faster acquisitions, particularly if you format your storage drives ext2 or ext3.

There can be problems rebuilding arrays, and it requires that you know details about the RAID (stripe size, etc.).

 
Posted : 28/03/2006 2:53 am
 Andy
(@andy)
Posts: 357
Reputable Member
 

Also, when using the method Greg descibes, with 'best compression' (if you kind of know the RAID isn't full) chances are those 400GB's will fit on your 300GB drive. It will take a while to image though.

Andy

 
Posted : 04/04/2006 10:50 pm
silkroad
(@silkroad)
Posts: 11
Active Member
 

X-ways Forensics can rebulid RAID also.

 
Posted : 16/11/2006 5:37 pm
(@armresl)
Posts: 1011
Noble Member
 

I would mirror (oh no bad computer joke) what Greg has said.

Many times we get cases where a RAID was acquired and the person doesn't know the specifications for the RAID. In several of these cases you can guess, and within a few tries get the size right, but why chance it.

Farmerdude is right, acquire each drive individually and give yourself the freedom to put it back together however you want.

Compression sounds like your friend in this case, although it would take forever and it sounds like you have really limited access to the drives. Will the company not let you go out and get a 500GB drive and then go to the job site?

One more thing that I have talked with people about in the past is an IT person telling you that you can copy the drives and they come back hours later and the job is not done because you just can't hurry things up anymore than they are. Anyway, they call "time" and need the drives back. Be sure you go on the long end of telling them how much time it will take and make sure ALL parties involved understand this. I've run into people who need the drives back and tell me to cancel the verification part which just isn't something that we will do.

Best of luck to you, hope everything works out.

p.s. Fry's www.outpost.com usually has some incredible sales on Fridays and running through Sunday.

 
Posted : 17/11/2006 6:02 am
Share: