Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


Make your likes visible on Facebook?

Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.

No, thanks

RAID Forensics

Time Machine

Masudur rahman

on 30 October 2016

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of RAID Forensics

RAID Investigation
Redundant Array of Inexpensive
Character by character input dominated non-business computing for many years
Development of System

(or Independent) Disks.
RAID Forensics
Different ways of implementing RAID:
Hardware based RAID, which works along with a dedicated disk drive controller. The controller works with the multiple disks and present the array of the disks to the BIOS and the OS as a single drive.
Software based RAID controller uses the host system's resources including the CPU and memory.
Greater data reliability
Increased throughput for reading and writing.
Ability to distribute the information over different physical disks.
Reasonably inexpensive solution for data redundancy.
Data will be spread between different disks in a round-robin fashion.
There is no "redundancy" assured in such kind of RAIDs!
RAID 0 offers parallel writing; therefore faster performance.
Data will be written in "blocks"
Hardware Implemented RAID
Types of RAID
How the RAID will be reconstructed after imaging ?
If the full RAID volume is imaged onto a non-RAID host media, no additional processing will be required.
If the RAID is imaged through individual drives, additional steps will be required to verify and reconstruct the RAID.
For Hardware based RAID, a complete inventory of the RAID hardware, drive configuration, RAID controller setup should be taken in order to reconstruct the RAID physically (in theory).
RAID Reconstructor (from Runtime Software)
R-Studio can recognize all RAID parameters for RAID 5 and 6.
R-Studio allows you to create "virtual RAID"
Automatic RAID parameters detection.
Once a virtual RAID is mounted, R-Studio can recover data from the volume.
Works both in MAC and Windows platform.
R-Studio also allows you to use actual disk or images
Supports NTFS, NTFS5, FAT12/16/32, exFAT, HFS/HFS+ (Macintosh), Solaris and Ext2/Ext3/Ext4 FS (Linux) partitions.
Also provides some powerful utilities for data recovery.
Any Question?
Software Based RAID systems
Difference between the Hardware & Software RAID in regards to the Forensic Imaging.
Software RAID allows the individual drives to be accessed via the BIOS and the Operating System, while the Hardware RAID controller does allow to access the disks's "volume" only.
RAID Disk Imaging & Forensics
Initial steps for RAID disk imaging would have the basic steps for evidence collection, which includes identify and obtain a complete and accurate disk image, data must be verified.
Both Hardware and Software RAIDs will be accessible as normal Hard Disk.
this is something that never changes.
Therefore the only things which can exceed the speed of light are things with negative mass.
Einstein realized that matter and energy are interrelated and made the famous formula that expresses this relationship mathematically:
E = m x c
speed of light
Summery of today's session
How the RAID image can be different?
RAID 0/RAID 5 Image Hash
For RAID 1 - if the acquired images are based on data only, hash value would be the same for both of the disks. But if the acquired image is for the whole disk, hash value would be different as the RAID keeps some of it's own information on each disk.
Accuracy and completeness are two fundamental aspects of imaging RAID
RAID should provide a transparent view of the data; therefore should be accessible by any forensic tools (in theory)
An imaging tool should create a complete image of the target media.
But there can be a situation when the imaging tool would not be able to copy the full disk.
For Hardware RAID controller, imaging tool will have the access to the active volume only.
How to Reconstruct the RAID?
Aim for this session is to discuss about:
Masudur Rahman
Lecturer in Digital Forensics
Staffordshire University
Email: masudur.rahman@staffs.ac.uk
Access to the RAID Volumes
Important points about the RAIDs
In Hardware based RAID, only the RAID volume is visible to the OS and the BIOS
For software based RAID, the OS will have access to all the drives as well as the RAID volume.
Based on the type of RAID, imaging can be different. For example, an image of the Hardware RAID volume will be different from the image taken from the disks separately.
For both of these RAIDs, data will be spread across different disks.
If the drives are imaged separately, acquired hash would be different than if the image were acquired through the RAID controller (hardware).
Acquiring Complete Disk Image
Question Time!
Tools for RAID Reconstruction
Different types of RAID
RAID 1 offers the mirroring of the data
Excellent redundancy
Data will be divided into sequential blocks.
Each data blocks would be written into different disks.
Could be slow in writing but faster in reading the data.
Commonly used RAID
RAID 5 can be used to create an array that offers high read and write performance as well as excellent redundancy.
The redundancy will be created by using a parity block that will be distributed across all the devices within the RAID array.
RAID 5 can be reconstructed, in the event of a disk failure, by using parity information.
The total storage space would be slightly reduced because of using the parity information.
1/3 of the storage could be used for parity
This will be bit slow as additional processing involved for parity bit calculation
Latest RAID controllers supports PATA, SATA and SCSI drives.
Controller card present the RAID array as single drive to the BIOS and OS
Exceptional - for JBOD, the RAID controller present drives in the array as separate disks that the BIOS can see.
Early version of software based RAID tended to be slow due to the limitations of processing power. But this is not a big issue with recent computers.
Open source Operating Systems like Linux are offering non-proprietary implementation of RAID.
On the other hand, Operating Systems like Windows provide it's own implementation of RAID.
If hardware RAID is in place, the "RAID Volume" can be imaged by using a suitable tool. This will NOT be the accurate image of the disks present in that RAID array.
Individual disks can be imaged separately without considering the RAID controller, perhaps by removing the physical disks. Software RAID will also allow to acquire exact image of the disks.
What are the information you need to reconstruct RAID 5?
Disk order
Data Block size
Data Block Arrangements
Existence of fragmentation
Imaging of RAID Disks
If it was JBOD - how should you do the investigation?
If it was RAID 0 or RAID 5 - what are the information you should collect if creating image of individual disks?
What is HPA? How can it be used for JBOD? How the HPA could e a challenge for investigator?
How many disks (at least) should be there in RAID 5? How many disks you need for full data recovery?
How many disks (at least) should be there in RAID 6? How many disks you need for full data recovery in RAID 6?
What will happen if you do the "file carving" on individual RAID disk (instead of trying to reconstruct)?
How does RaidReconstructor Wrks?
How does it work?
Select the type of RAID
Select the total number of disks for this RAID
Add those disks (or images). You need to add sufficient number of disks to reconstruct the RAID.
You don't need to know the exact order.
After adding the disk, click on "Analyze"
While analyzing, if you don't know the "block size", please select all the options provided by this tool.
After analysing the images, you can recover the RAID. " Virtual Disk (this would be a .VIM file)" could be a good option where you can combine an image disk with an actual disk!
Able to reconstruct RAID 0 and RAID 5 (up to 14 drives)
Can Recover both hardware and software RAID
This tool can identify the RAID parameters automatically.
This tool accept the actual disk or DD image (no EnCase image)
Can create a copy of the reconstructed RAID in a virtual image (.vim), an image file (.img) or on a physical drive.
RAID Reconstructor is safe and read-only
R-Studio - Powerful RAID Re constructor
ReclaiMe - Free Tool for RAID Reconstruction
Simple to use
Support RAID 5, RAID 6, RAID 5E or RAID 10
Can reconstruct both Hardware and Software RAID
Can detect the RAID parameters
You can also try GateWayRaid Recovery - Another good tool for RAID reconstruction
Different types of RAIDs
Different ways of collecting the evidence from RAID disks
Different tools to reconstruct RAID disks ( or RAID images)
How the OS recognize RAID disks?
What happens if you replace a RAID drive?
Have you copied the
Or created an
Full transcript