8/8/2019 RAID Rebuilding - Dickerman
1/49
Objectives
Brief introduction to RAID technology and the issues you need to be aware of to properly perform the acquisition and rebuilding of data stored on a RAID array, for subsequent analysis.
What is a RAID?
Hardware vs. Software RAID
RAID Attributes
RAID Levels
Objectives (cont.)
RAID rebuilding 101
Rebuilding Tools
RAID Reconstructor
X-Ways Forensics/WinHex (Specialist or Forensic license)
EnCase
SMART
What is RAID?
Redundant Array of Inexpensive/Independent Disks
Multiple disks functioning as one for:
Fault Tolerance (Data Protection)
Increased Performance
Increased Capacity
Hardware RAID
Hardware RAID is controlled by a RAID controller. The OS is typically unaware that it is writing to / reading from multiple disks.
Hardware RAID
What the forensic examiner sees (physically).
Hardware RAID
What the OS sees: a 273 GB primary disk and two 2,235 GB disks.
Hardware RAID
The physical drives that are actually present: three 136 GB array disks and one 136 GB hot spare, plus fourteen 400 GB IDE disks in an Apple X-Serve RAID (not shown in screenshot).
Hardware RAID
What your imaging tool might see
* The above screenshot is for the sole purpose of demonstrating examples of RAID volume detection and does not necessarily depict the RAID volume detection capabilities of all versions of the tool shown. The disks and volumes detected will vary depending on the version of your imaging tool and the controller drivers incorporated into your bootable disk.
Software RAID
Software RAID is controlled by the OS or by software running in the OS. On a PC, the bootable system drive is not part of the software RAID, but it usually contains the information required to load/access the software RAID. Many multi-drive external storage devices are actually Linux software RAIDs behind the scenes: the device has a Linux OS in its firmware that controls disk read/write operations to the multiple disks.
Software RAID
Notice the X: drive is a 4471 GB Windows Server 2003 striped volume made up of two 2235 GB physical disks, each of which is actually made up of seven 400 GB IDE disks set up as a RAID 5 hardware RAID volume (a software RAID 0 striped across two hardware RAID 5 volumes = RAID 50).
RAID Attributes
Disk Order
Stripe Size
RAID Header
Parity (Dedicated vs. Distributed)
Parity Type/Rotation
Parity Delay
RAID Attributes
Disk Order
The order of the disks that make up the array. This may seem like a very simple one, but when pulling individual drives from a RAID it is easy to get them out of order or to mislabel the image names for each disk image. Always double-check yourself, especially when putting the disks back into the server, to ensure they are in the correct order.
RAID Attributes
Stripe Size
How much data is written to each disk before moving to the next disk to write the next block of data. Typical stripe sizes: 8, 16, 32, 64, and 128 kilobytes per stripe; you may occasionally see other sizes.
RAID Attributes
RAID Header
Static block of data at the beginning of each array disk.
May be identical (or nearly identical), making you initially think it's a mirror.
Usually has a byte that identifies the disk # for the array, which gives you your Disk Order.
Header size and disk # are usually found by performing a comparison of the disks.
Compaq/HP servers usually = 1088 sector header size.
RAID Attributes
Parity
Rebuilding information created by XORing together bytes from each disk containing RAID data, the result of which gets stored as a parity value on the parity disk.
The drive on which this calculated parity data is stored will depend on the type of Parity Rotation used.
Parity Rotation is described in more detail later in the presentation.
RAID 4 = Dedicated parity disk
RAID 5 = Distributed parity disk
RAID Levels
RAID 0 (Striping)
RAID 1 (Mirroring/Duplexing)
RAID 5 (Striping w/ Distributed Parity)
Multi-RAID levels
RAID 1+0 (a stripe of mirrors)
RAID 0+1 (a mirror of stripes)
RAID 1+5, 5+1, 0+5, 5+0, etc.
Other non-RAID multi-disk setups:
Disk Spanning
JBOD (Just a Bunch Of Disks)
RAID 0
No fault tolerance: single disk failure = array failure
Fastest performance
Capacity of array = total capacity of the individual disks combined
Items needed for rebuilding:
Disk Order
Stripe Size
RAID header size*
* Not all RAIDs have a RAID header
RAID 1
Fault tolerance (via data replication)
Increased read performance, same write performance as writing to a single disk
50% of disk capacity used for data redundancy
Items needed for rebuilding: typically no rebuilding is necessary unless a RAID header exists*
* Not all RAIDs have a RAID header
RAID 5
Fault tolerance (via parity data)
Increased read and write performance
1/Nth reduction in disk capacity, used for parity, where N = # of array disks
Minimum of 3 array disks needed for any RAID level with parity
RAID 5
Rebuilding components:
Disk order
Stripe size
RAID header size*
Parity rotation
Parity delay**
* Not all RAIDs have a RAID header
** Only used in Backward Delayed Parity
RAID 5
Parity Rotation
Backward Delayed Parity (Compaq/HP)*
* Example shown using a parity rotation delay of 4, meaning parity stays on its current disk for 4 stripes, then moves for the next 4 stripes, and so on.
RAID 5
Parity Rotation
Backward Dynamic Parity (AMI): probably the most common type
RAID 5
Other Parity Rotations
Backward Parity (Adaptec)
Forward Parity
RAID Rebuilding 101
The goal in RAID rebuilding is to put back together the data that has been spread out across multiple disks and that may include parity information, depending on the RAID level. This is done by re-pasting the striped data back together into one disk/image and removing the parity as you go.
Individual RAID 5 disks/images (Disk 0, Disk 1, Disk 2, Disk 3, Disk 4), one row per stripe:
Stripe1: T H I S Parity
Stripe2: A S Parity W
Stripe3: R A Parity A
Stripe4: ! Parity I D !
RAID 5 rebuilt into a single disk (Disk 0): THIS WAS A RAID!!
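The re-pasting described above, as an added Python example that is not part of the presentation and not code from any of the tools it covers. It serves the Parity slide (XOR of the data chunks gives the parity chunk, and the same XOR recovers one missing disk), the RAID 5 rebuilding components (disk order, stripe size, header size, parity rotation, parity delay) and the rotation slides: the rotation names are the presentation's, but how each lays data out within a stripe (backward/forward fill disks in order skipping the parity disk; "dynamic" starts the data on the disk after the parity disk and wraps; "backward delayed" keeps parity in place for `delay` stripes), the header format (a filler block whose last byte is the disk number) and the sample payload are this example's own assumptions.

```python
# Added example (not from the presentation): a minimal RAID 5 "virtual rebuild".
# Rotation names follow the slides; how each lays data out within a stripe,
# the header format and the sample payload are this example's assumptions.
from typing import List, Optional, Sequence

BACKWARD = ("backward", "backward_dynamic", "backward_delayed")
FORWARD = ("forward", "forward_dynamic")


def parity_disk_index(stripe: int, n: int, rotation: str, delay: int = 1) -> int:
    """Disk holding parity for a stripe. Backward rotations start on the last
    disk and move one disk lower every `delay` stripes (delay 1 = ordinary
    rotation; Compaq/HP backward delayed parity uses e.g. delay 4)."""
    step = stripe // delay
    if rotation in BACKWARD:
        return (n - 1 - step) % n
    if rotation in FORWARD:
        return step % n
    raise ValueError(f"unknown parity rotation: {rotation}")


def data_disk_order(stripe: int, n: int, rotation: str, delay: int = 1) -> List[int]:
    """Disks holding the n-1 data chunks of a stripe, in logical order. Assumed:
    "dynamic" layouts start data on the disk after parity and wrap around;
    the others fill disks in order, skipping the parity disk."""
    p = parity_disk_index(stripe, n, rotation, delay)
    if rotation.endswith("dynamic"):
        return [(p + 1 + i) % n for i in range(n - 1)]
    return [d for d in range(n) if d != p]


def xor_blocks(blocks: Sequence[bytes]) -> bytes:
    """XOR equal-length chunks: computes a stripe's parity, and recovers any
    single missing chunk when applied to the remaining data + parity chunks."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, b in enumerate(block):
            out[i] ^= b
    return bytes(out)


def stripe_raid5(data: bytes, n: int, stripe_size: int, header_size: int = 0,
                 rotation: str = "backward_dynamic", delay: int = 1) -> List[bytes]:
    """Constructed fixture: split data into n disk images the way a RAID 5
    controller would, with a fake header whose last byte is the disk number."""
    per_stripe = (n - 1) * stripe_size
    if len(data) % per_stripe:
        raise ValueError("data must be a whole number of stripes")
    images = [bytearray(b"\xAA" * (header_size - 1) + bytes([d])) if header_size
              else bytearray() for d in range(n)]
    for s in range(len(data) // per_stripe):
        block = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [block[i * stripe_size:(i + 1) * stripe_size] for i in range(n - 1)]
        placed = dict(zip(data_disk_order(s, n, rotation, delay), chunks))
        placed[parity_disk_index(s, n, rotation, delay)] = xor_blocks(chunks)
        for d in range(n):
            images[d] += placed[d]
    return [bytes(img) for img in images]


def disk_order_from_headers(images: Sequence[bytes], header_size: int) -> List[bytes]:
    """Sort mislabelled images by the disk-number byte in the (assumed) header;
    a real controller's header layout has to be found by comparing the disks."""
    return sorted(images, key=lambda img: img[header_size - 1])


def rebuild_raid5(images: Sequence[Optional[bytes]], stripe_size: int, header_size: int = 0,
                  rotation: str = "backward_dynamic", delay: int = 1) -> bytes:
    """Re-paste striped data into one image, dropping parity. One entry of
    `images` may be None (a missing disk); its chunks are rebuilt from parity."""
    n = len(images)
    present = [img for img in images if img is not None]
    if len(present) < n - 1:
        raise ValueError("RAID 5 tolerates only one missing disk")
    stripes = (len(present[0]) - header_size) // stripe_size
    out = bytearray()
    for s in range(stripes):
        off = header_size + s * stripe_size
        chunks = [None if img is None else img[off:off + stripe_size] for img in images]
        missing = [i for i, c in enumerate(chunks) if c is None]
        if missing:  # XOR of the other n-1 chunks (data + parity) is the lost chunk
            chunks[missing[0]] = xor_blocks([c for c in chunks if c is not None])
        for d in data_disk_order(s, n, rotation, delay):
            out += chunks[d]
    return bytes(out)


if __name__ == "__main__":
    original = b"THIS WAS A RAID!" * 4  # constructed payload: 8 stripes of 2-byte chunks
    disks = stripe_raid5(original, 5, 2, header_size=4)
    shuffled = [disks[3], disks[0], disks[4], disks[1], disks[2]]  # mislabelled images
    ordered = disk_order_from_headers(shuffled, 4)
    print(rebuild_raid5(ordered, 2, header_size=4) == original)  # True
    degraded = ordered[:2] + [None] + ordered[3:]  # disk 2 lost: rebuild from parity
    print(rebuild_raid5(degraded, 2, header_size=4) == original)  # True
    print(rebuild_raid5(ordered, 2, header_size=4, rotation="backward") == original)  # False
```

The last line in the usage block is the point the later tool slides make about wrong parameters: a rebuild with the wrong rotation (or stripe size, or disk order) still produces an image of the right length, but from the second stripe on its contents are scrambled, so the result has to be checked rather than trusted.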
RAID Rebuilding 101
The more you document about the RAID onsite, the less you have to manually try to figure out later!
Boot the RAID server into the RAID Controller BIOS configuration utility during Power On Self Test (POST).
View the array configuration and write down the RAID level, disk order, stripe size, disk & array configuration, controller type, etc.!!!
RAID Rebuilding 101
Any of the information you are unable to determine onsite during the imaging of the RAID disks will have to be determined manually later, possibly with some guesswork. Manual interpretation of the striped data on RAID disks is not difficult if you have an in-depth understanding of how data structures are laid out on a non-RAID disk, including:
MBR and Partition Table
Boot Sectors/Records
FAT tables, Root Dirs, etc.
MFT records, INDX entries, etc.
Unfortunately, it is not possible to cover manual data interpretation in this one-hour presentation.
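One way to turn the structures listed above into a check on a rebuilt image, as an added Python example that is not part of the presentation: parse the MBR partition table at sector 0 and confirm that each partition's first sector, at the LBA the table claims, actually carries a boot sector signature. The MBR sits in the very first stripe of disk 0 and so often survives a wrong stripe size, rotation or disk order, while the partition boot sectors further into the image do not, which makes this a cheap way to tell correct parameters from wrong ones. The sample image, the type 0x06 partition at LBA 63 and the `swap_chunk_pairs` function that mimics a disk-order mistake are all constructed for the example.

```python
# Added example (not from the presentation): sanity-check a rebuilt RAID image
# by following the MBR partition table to each partition's boot sector.
import struct
from typing import Any, Dict, List

SECTOR = 512
BOOT_SIG = b"\x55\xAA"  # signature at the end of an MBR and of FAT/NTFS boot sectors


def parse_mbr_partitions(image: bytes) -> List[Dict[str, Any]]:
    """Read the four primary partition entries of a classic MBR at sector 0.
    Each entry: status, CHS start, type, CHS end, LBA start, sector count."""
    if len(image) < SECTOR or image[510:512] != BOOT_SIG:
        return []
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or sectors == 0:  # unused slot
            continue
        parts.append({"index": i, "type": ptype, "bootable": status == 0x80,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def check_rebuilt_image(image: bytes) -> Dict[str, Any]:
    """Every partition must lie inside the image and start with a sector that
    ends in 0x55AA. Wrong RAID parameters move those sectors elsewhere."""
    parts = parse_mbr_partitions(image)
    result: Dict[str, Any] = {"mbr_ok": bool(parts), "partitions": []}
    for p in parts:
        in_range = (p["lba_start"] + p["sectors"]) * SECTOR <= len(image)
        off = p["lba_start"] * SECTOR
        boot = image[off:off + SECTOR] if in_range else b""
        result["partitions"].append({**p, "in_range": in_range,
                                     "boot_sig_ok": boot[510:512] == BOOT_SIG})
    result["plausible"] = result["mbr_ok"] and all(
        x["in_range"] and x["boot_sig_ok"] for x in result["partitions"])
    return result


def build_sample_image(total_sectors: int = 256, part_start: int = 63,
                       part_sectors: int = 128) -> bytes:
    """Constructed fixture: an MBR with one bootable FAT16 (type 0x06) partition
    whose boot sector carries a FAT-style jump, OEM name and 0x55AA."""
    img = bytearray(total_sectors * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                               b"\xFE\xFF\xFF", part_start, part_sectors)
    img[510:512] = BOOT_SIG
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"   # x86 jump, as at the start of a FAT boot sector
    boot[3:11] = b"MSWIN4.1"      # OEM name field
    boot[510:512] = BOOT_SIG
    img[part_start * SECTOR:(part_start + 1) * SECTOR] = boot
    return bytes(img)


def swap_chunk_pairs(image: bytes, stripe_size: int) -> bytes:
    """Mimic a disk-order mistake: leave the first chunk (the MBR) alone and
    swap every following pair of stripe-sized chunks."""
    chunks = [image[i:i + stripe_size] for i in range(0, len(image), stripe_size)]
    for i in range(1, len(chunks) - 1, 2):
        chunks[i], chunks[i + 1] = chunks[i + 1], chunks[i]
    return b"".join(chunks)


if __name__ == "__main__":
    good = build_sample_image()
    print(check_rebuilt_image(good)["plausible"])                      # True
    bad = swap_chunk_pairs(good, 8192)                                 # 8 KiB "stripes"
    print(check_rebuilt_image(bad)["mbr_ok"], check_rebuilt_image(bad)["plausible"])  # True False
```

On a real rebuilt image the same idea extends naturally: after the partition table, parse each boot sector's BPB (FAT) or the NTFS boot record and confirm the root directory or $MFT lands where it says, since each of those offsets is a further point at which a wrong stripe size or rotation shows up.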
RAID Rebuilding Tools
RAID Reconstructor (Runtime Software)
http://www.runtime.org/raid.htm
X-Ways Forensics/WinHex (X-Ways Software Technology AG)
http://www.x-ways.net/forensics/index-m.html
EnCase (Guidance Software)
http://www.guidancesoftware.com/products/ef_index.aspx
SMART (ASRData)
http://www.asrdata2.com/
*** There are a few other RAID rebuilding tools out there, but as of the writing of this presentation the above tools were the only ones I had available to include.
RAID Reconstructor
Step #1 - choose the RAID type and number of drives, add the drive images (in the correct order), and select the block size and parity rotation.
RAID Reconstructor
Step #2 - analyze the data to attempt to determine the correct RAID parameters.
RAID Reconstructor
Step #3 - write out a new rebuilt single image from the multiple images.
RAID Reconstructor
Pros
Tests numerous combinations of RAID parameters to try to guess the settings using entropy testing. Useful when you don't know the parameters.
Works with up to 14 RAID disks for RAID 5.
Will rebuild RAID 5, from parity, with one missing disk/image.
Cons
Can only do a 2-disk RAID 0.
Doesn't do Backward Delayed Parity RAIDs.
Requires you to actually rebuild a new image before you can check whether you have the correct settings. Only after the rebuild can you open the new image in your forensic tools.
Does not recognize .e01 or other image formats; images must be converted to raw bit images.
X-Ways Forensics/WinHex
Step #1 - Open each individual disk image and Interpret Image File as Disk from the Specialist menu.
X-Ways Forensics/WinHex
Step #2 - Select Assemble RAID system from the Specialist menu. Open each disk component in the correct order, enter the header size, select the parity rotation type and stripe size, and click OK.
X-Ways Forensics/WinHex
If you entered the correct RAID parameters, the RAID volume is virtually reconstructed, allowing you to map out the file system.
X-Ways Forensics/WinHex
Pros
Performs a virtual rebuild in RAM to allow you to see the results right away. File system mapping errors indicate that you have the wrong parameters.
Works with up to 10 RAID disks for RAID 5 or RAID 0.
Will rebuild RAID 5, from parity, with one missing disk/image.
The only tool that does Backward Delayed Parity (Compaq/HP).
Reads .e01 or raw bit images.
Cons
Does not use entropy or do any guesswork for you.
EnCase (Software RAID)
EnCase (Hardware RAID)
EnCase
Pros
Can be used to virtually reconstruct Windows Software RAIDs and some hardware RAIDs.
Reads .e01 and raw bit images.
Can rebuild RAID 5, from parity, with a missing image.
Cons
Only rebuilds "Right-handed" or "Left-handed" stripe RAIDs. (Not sure which parity rotation types these refer to, but they are not in line with the industry terminology used by other vendors.)
Lacks features for RAID headers and Delayed Parity.
SMART
Pros
Can be used to virtually reconstruct RAIDs.
The only tool that does RAID 4.
Allows removal of the RAID header when importing images (prior to the RAID rebuilding steps).
Reads .e01 and raw bit images.
Guesses using entropy to try to determine the settings for you.
Cons
Only rebuilds Right Symmetric or Left Symmetric parity RAID 5 (no Backward Dynamic or Backward Delayed).
Relies on the Linux OS it is running on for driver support (i.e. the MD RAID driver). Device detection may be more complex and require more user interaction or configuration. Linux drivers are not available for all controller cards.
Requires Linux knowledge/familiarity.
The End
Questions???
Concerns???
Confusion???