RAID Acquisition Computer Forensics COEN 152/252

RAID Levels

RAID 0: Just a Bunch Of Disks (JBOD)
RAID 1: Mirrored
RAID 5: Redundancy through parity
  distributed parity

RAID

Hardware RAID
  Two types:
    Special controller that plugs into one of the buses
    Device that plugs into normal disk controller such as ATA, SCSI, Firewire, …
  Computer sees a single volume

RAID

Hardware RAID acquisition
  Step 1: Acquire and investigate complete RAID volume as a single volume
    Needs big target device.
    Use device drivers such as those contained on Linux distributions
  Step 2: Acquire individual disks and look for hidden data in possible areas that the RAID volume did not use.
    Keyword searches can also be performed on the individual disks.
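
The two steps above, worked through on member-disk images as an added example (not part of the original slides): rebuild the RAID 5 volume from the individual disks so it can be compared with the Step 1 image, and list the bytes on each disk that lie past the area the array used. Assumptions: a left-symmetric parity rotation, a known chunk size, and no controller metadata on the members; all function names and the sample data are constructed for illustration.

```python
from functools import reduce

def xor(blocks):
    """Byte-wise XOR of equal-length blocks (the RAID 5 parity operation)."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def layout(stripe, n):
    """Assumed left-symmetric placement: (parity disk, data disks in volume order)."""
    p = (n - 1) - (stripe % n)
    return p, [(p + 1 + d) % n for d in range(n - 1)]

def build_members(volume, n, chunk):
    """Constructed fixture: stripe `volume` over n disks with rotating parity."""
    disks = [bytearray() for _ in range(n)]
    per_stripe = chunk * (n - 1)
    for s in range(len(volume) // per_stripe):
        data = [volume[s * per_stripe + d * chunk:][:chunk] for d in range(n - 1)]
        p, order = layout(s, n)
        disks[p] += xor(data)
        for d, disk in enumerate(order):
            disks[disk] += data[d]
    return [bytes(d) for d in disks]

def reassemble(disks, chunk, stripes):
    """Rebuild the logical volume from member images. A None entry is one
    missing disk; its chunk is recovered as the XOR of the surviving chunks."""
    n, out = len(disks), bytearray()
    for s in range(stripes):
        row = [d[s * chunk:(s + 1) * chunk] if d is not None else None for d in disks]
        if None in row:
            row[row.index(None)] = xor([c for c in row if c is not None])
        _, order = layout(s, n)
        for disk in order:
            out += row[disk]
    return bytes(out)

def unused_tails(disks, chunk, stripes):
    """Bytes on each member past the last stripe the array used. The RAID
    volume never exposes this space, so only the per-disk image shows it."""
    return {i: d[stripes * chunk:] for i, d in enumerate(disks) if len(d) > stripes * chunk}

# Constructed sample: 3 disks, 64-byte chunks, 6 stripes; disk 1 carries extra bytes.
VOLUME = bytes(range(256)) * 3
MEMBERS = build_members(VOLUME, 3, 64)
MEMBERS[1] += b"HIDDEN-NOTE"
```

On real evidence, hash the output of `reassemble` against the hash of the Step 1 volume image; a mismatch means the assumed layout or chunk size is wrong, not necessarily that the data differs.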

RAID

Software RAID
  OS sees individual disks
  But sees them together as a single volume.
  CPU calculates parity info.

RAID

Software RAID
  Easiest: Acquire entire volume
  EnCase, ProDiscover can import disks from a Windows RAID volume and analyze them as a single volume.
  Allows access to data that is hidden on individual disks.