RAID Acquisition

Computer Forensics

COEN 152/252

RAID Levels

RAID 0: Just a Bunch Of Disks (JBOD) RAID 1: Mirrored RAID 5: Redundancy through parity

distributed parity

RAID

Hardware RAIDTwo types:

Special controller that plugs into one of the buses

Device that plugs into normal disk controller such as ATA, SCSI, Firewire, …

Computer sees a single volume

RAID

Hardware RAID acquisitionStep 1: Acquire and investigate complete

RAID volume as a single volume Needs big target device. Use device drivers such as those contained on

Linux distributionsStep 2: Acquire individual disks and look for

hidden data in possible areas that the RAID volume did not use.

Keyword searches can also be performed on the individual disks.

RAID

Software RAIDOS sees individual disksBut sees them together as

a single volume.CPU calculates parity info.

RAID

Software RAIDEasiest: Acquire entire volumeEncase, ProDiscover can import disks from a

Windows RAID volume and analyze them as a single volume.

Allows access to data that is hidden on individual disks.