94 RAID Recovery

FileSystemForensics

THINK BIG WE DO

U R Ihttp://www.forensics.cs.uri.edu

Digital Forensics CenterDepartment of Computer Science and Statics

RAID Reconstruction

RAID Reconstruction

Multiple RAID LevelsAdditional RAID Configurations- Combination of two RAID levels

- More robust and fault tolerant set-up

RAID 0, then RAID 1 (RAID 0+1)- Mirror of Stripes

- Divide disks into two sets

- Turn each set into RAID 0- Then mirror the two arrays (RAID 1)

RAID 0 RAID 0

copy

RAID

1

Multiple RAID LevelsAdditional RAID Configurations- Combination of two RAID levels

- More robust and fault tolerant set-up

RAID 1, then RAID 0 (RAID 1+0)- Stripe of Mirrors

- Divide disks into sets of two

- Turn each pair into a RAID 1 set

- Stripe across all RAID 1 sets (RAID 0)

copy

copy

copy

RAID

1

RAID 0 RAID 0

Imaging RAID ArraysGoal - RAID Rebuilding- Reconstruct logical volume from

physical RAID drives- With or without missing disks

- Paste striped data into single disk image and remove parity.

- Determine as much as possible before leaving site!

- Boot RAID Server into RAID Controller BIOS during POST

View array configuration & record:- RAID level, - Disk order, - Stripe size, - Disk and array configuration, - Controller type, etc.Manual interpretation of striped data is not difficult - Partition layout concepts are same:- MBR and Partition Table- Boot Sectors/Records- FAT Tables, Root Directories, etc.- MFT Records, INDX Entries, etc.

Imaging RAID ArraysMirrored (RAID 1)- Image same as single drive

- Use normal imaging tools and techniques on each drive

- Hardware and software RAIDs handled same

Imaging RAID ArraysStriped RAID Arrays- Data is striped evenly across all

drives- No complete file system sits on each

drive- Cannot be handled the same as a

single drive- Image each physical drive separately- Must rebuild RAID to be useful to

investigation

- Preferred method is to image logical volumes- Instead of physical disk drives

Imaging tool must see logical RAID- May need special driver for RAID

Controller- Target drive must be large enough

for entire RAID logical volume- Rebuilding data can be done by

duplicating hardware- Disks, Controller, Firmware

Timothy Henry

00:00

Timothy Henry

00:17

Timothy Henry

Timothy Henry

01:14

Timothy Henry

02:06

Timothy Henry

03:44

Timothy Henry

04:12

Label drives as they are pulled from the array casing.

Double-check to ensure correct order when returning the drives.

RAID RebuildingDisk Order- Original order of physical disks in RAID

- RAID Header

Strip Size- How much data is written to each drive

before moving to the next

Parity- Dedicated versus Distributed

- Parity/Type and Rotation

- Parity Delay

RAID Header

Static Block of Data at the beginning of each array disk.

Byte to identify Disk Number in Disk Order.

Header size and Disk # usually found by performing comparison of disks.

Every RAID implementation does not have a header.

Typical Strip Sizes:8 kB; 16 kB; 32 kB;

64 kB; 128 kB; 256 kB; per strip

Dedicated Parity DiskRAID 2 & RAID 4

Distributed Parity RAID 3, RAID 5 & RAID 6

Disk 1 Disk 2 Disk 3 Disk 4

RAID RebuildingRAID 0- Disk Order & Strip Size- RAID Header Size (optional)

RAID 1- No rebuilding necessary - unless RAID 0+1 or RAID 1+0

RAID 5- Disk Order & Strip Size- RAID Header Size (optional)- Parity Rotation- Parity Delay

Q R S TM N O PI J K LE F G HA B C D

Data to store:A B C D E F G H I J K L M N O P Q R S T

RAID 0

Disk 1 Disk 2




E ED DC CB BA A


RAID 1





M N O P4P3 J K LI P2 G HE F P1 DA B C P0


RAID 5 (minimum 3 disks)

No Parity DelayBackward Dynamic





M N OP4

P3J K LIP2G H

E FP1DA B CP0



No Parity DelayForward Dynamic





M N OP4P3J K LI P2G H

E F P1DA B C P0



Parity DelayBackward Dynamic

Timothy Henry

Timothy Henry

05:22

Timothy Henry

08:51

Timothy Henry

Timothy Henry

10:11

Timothy Henry

10:27

Timothy Henry

11:49

Timothy Henry

12:10

Timothy Henry

13:25

Timothy Henry

Documents

94 RAID Recovery