Académique Documents
Professionnel Documents
Culture Documents
• Redundant Array of
Inexpensive/Independent Disks
• Multiple disks functioning as one for:
– Fault Tolerance (Data Protection)
– Increased Performance
– Increased Capacity
Hardware RAID
* The above screenshot is for the sole purpose of demonstrating examples of RAID volume detection and does not necessarily depict
the RAID volume detection capabilities of all versions of the above shown tool. The disks and volumes detected will vary depending
on the version of your imaging tool and the controller drivers incorporated into your bootable disk.
Hardware RAID
• What your imaging tool might see…
* The above screenshot is for the sole purpose of demonstrating examples of RAID volume detection and does not necessarily depict
the RAID volume detection capabilities of all versions of the above shown tool. The disks and volumes detected will vary depending
on the version of your imaging tool and the controller drivers incorporated into your bootable disk.
Hardware RAID
• What your imaging tool might see…
* The above screenshot is for the sole purpose of demonstrating examples of RAID volume detection and does not necessarily depict
the RAID volume detection capabilities of all versions of the above shown tool. The disks and volumes detected will vary depending
on the version of your imaging tool and the controller drivers incorporated into your bootable disk.
Hardware RAID
• What your imaging tool might see…
* The above screenshot is for the sole purpose of demonstrating examples of RAID volume detection and does not necessarily depict
the RAID volume detection capabilities of all versions of the above shown tool. The disks and volumes detected will vary depending
on the version of your imaging tool and the controller drivers incorporated into your bootable disk.
Software RAID
• Disk Order
• Stripe Size
• RAID Header
• Parity
– Dedicated vs. Distributed
– Parity Type/Rotation
– Parity Delay
RAID Attributes
• Disk Order
– The order of the disks that make up the array
– This may seem like a very simple one, but
when pulling individual drives from a RAID, it
is easy to get them out of order or mislabel
the image names for each disk image.
– Always double check yourself, especially
when putting the disks back into the server to
ensure they are in the correct order.
RAID Attributes
• Stripe Size
• How much data is written to each disk
before moving to the next disk to write the
next block of data.
• Typical stripe sizes:
– 8,16, 32, 64, and 128 kilobytes per stripe
– you may occasionally see other sizes
RAID Attributes
• RAID Header
– Static block of data at the beginning of each array
disk.
– May be identical (or nearly identical), making you
initially think it’s a “mirror”
– Usually has a byte that identifies the disk # for the
array, which gives you your “Disk Order”
– Header size and disk # usually found by performing a
comparison of the disks.
– Compaq/HP servers usually = 1088 sector header
size
RAID Attributes
• Parity
– Rebuilding information created by XOR’ing together
bytes from each disk containing RAID data, the result
of which gets stored as a parity value on the “parity
disk”.
– The drive on which this calculated parity data is
stored will depend on the type of “Parity Rotation”
used.
• Parity Rotation described in more detail later in presentation
– RAID4 = Dedicated parity disk
– RAID5 = Distributed parity disk
RAID Levels
• RAID 0 (Striping)
• RAID 1 (Mirroring/Duplexing)
• RAID 5 (Striping w/ Distributed Parity)
• Multi-RAID levels
– RAID 1+0 (a stripe of mirrors)
– RAID 0+1 (a mirror or stripes)
– RAID 1+5, 5+1, 0+5, 5+0, etc.
• Other non-RAID multi-disk setups:
– Disk Spanning
– JBOD (Just a Bunch Of Disks)
RAID 0
• No fault tolerance
– Single disk failure = array failure
• Fastest performance
• Capacity of array = total capacity of
individual disks combined
• Items needed for rebuilding:
– Disk Order
– Stripe Size
– RAID header size*
* Not all RAIDs have a RAID header
RAID 1
• Rebuilding components:
– Disk order
– Stripe size
– RAID header size*
– Parity rotation
– Parity delay**
• Parity Rotation
– Backward Delayed Parity (Compaq/HP)*
• Parity Rotation
– Backward Dynamic Parity (AMI)
• Probably the most common type
RAID 5
– Forward Parity
RAID Rebuilding 101
• The “goal” in RAID rebuilding it to put back together the
data that has been spread out across multiple disks and
may include parity information, depending on the RAID
level.
• This is done by re-pasting the striped data back together
into one disk/image and removing the parity as you go.
***There are a few other RAID rebuilding tools out there but as of
the writing of this presentation, the above tools were the only
ones I had available to include.
RAID Reconstructor
• Step #1 – chose RAID type, number of drives,
add drives images (in correct order), select block
size and parity rotation.
RAID Reconstructor
• Step #2 – analyze data to attempt to determine
correct RAID parameters.
RAID Reconstructor
• Step #3 - write out a new “rebuilt” single image
from the multiple images.
RAID Reconstructor
• Pros
– Tests numerous combinations of RAID parameters to try
and “Guess” settings using entropy testing. Useful when
you don’t know the parameters.
– Works with up to 14 RAID disks for RAID 5.
– Will rebuild RAID 5, from parity, with one missing
disk/image.
• Cons
– Can only do a 2-disk RAID 0
– Doesn’t do Backward Delayed Parity RAIDs
– Requires you to actually “rebuild” a new image before you
can check to see if you actually have the correct settings.
Only after the rebuild can you open the new image in your
forensic tools.
– Does not recognize .e01 or other image formats, must
convert images to raw bit.
X-Ways Forensics/WinHex
• Step #1 – Open each individual disk image and “Interpret
Image File as Disk” from the Specialist menu.
X-Ways Forensics/WinHex
• Step #2 – Select “Assemble RAID system” from the
Specialist menu. Open each disk component in the
correct order, enter the header size, select the parity
rotation type and stripe size and click OK.
X-Ways Forensics/WinHex
• If you entered the correct RAID parameters, the RAID
volume is “virtually” reconstructed, allowing you to map
out the file system.
X-Ways Forensics/WinHex
• Pros
– Performs a “virtual” rebuild in RAM to allow you to see
the results right away. File system mapping errors
indicate if you have the wrong parameters.
– Works with up to 10 RAID disks for RAID 5 or RAID 0.
– Will rebuild RAID 5, from parity, with one missing
disk/image.
– The only tool that does Backward Delayed Parity
(Compaq/HP).
– Reads .e01 or raw bit images.
• Cons
– Does not use entropy or do any “guesswork” for you.
EnCase (Software RAID)
EnCase (Software RAID)
EnCase (Hardware RAID)
EnCase
• Pros
– Can be used to “virtually” reconstruct Windows
Software RAIDs and some hardware RAIDs.
– Reads .e01 and raw bit images.
– Can rebuild RAID 5, from parity, with a missing
image.
• Cons
– Only rebuilds “Right or Left handed stripe” RAIDS.
(Not sure what Parity rotation types these refer to, but
they are not in line with the correct industry
terminology used by other vendors.)
– Lacks features for RAID headers and Delayed Parity.
SMART
3 2
4
SMART
1 4
2
3
1 3
2
SMART
• Pros
– Can be used to “virtually” reconstruct RAIDs.
– The only tool that does RAID4.
– Allows removal of RAID header when importing images
(prior to RAID rebuilding steps).
– Reads .e01 and raw bit images.
– “Guesses” using entropy to try to determine settings for
you.
• Cons
– Only rebuilds Right Symmetric or Left Symmetric parity
RAID5 (no Backward Dynamic or Backward Delayed).
– Relies on Linux OS it is running on for driver support (i.e.
MD raid driver). Device detection may be more complex
and require more user interaction or configuration. Linux
drivers are not available for all controller cards.
– Requires Linux knowledge/familiarity.
The End
Questions???
Concerns???
Confusion???