Livia Nguyen
CFR105
Abstract
The document first describes the similarities and differences of RAID Level 0 through RAID Level 5.
There are many things a forensic examiner needs to be careful with when performing
analysis on a RAID volume or disk spanning. The primary objective of this document is to
provide guidance on what to do and what not to do during an acquisition of a
RAID volume or disk spanning. Some of the commands and tools that
can be used for this acquisition are mentioned. Overall, the document talks about the analysis considerations for
There are multiple levels of RAID, and a system can have one or multiple RAID arrays on the
same system. RAID Level 0 must have a minimum of 2 disks, but it has no redundancy and
therefore it is not used for any critical system. RAID Level 1 must have a minimum of 3
disks and it mirrors the data for redundancy. When data is written to one of the disks in
RAID 1, it is also written to the other disk, so both disks hold exactly the same
allocated data. RAID Level 2 is considered a rare case, as it uses error-correcting codes to fix
corrupted data when it is read from the disks. In RAID Level 3, data is broken into byte-sized
stripes across the data disks. It contains a parity disk that is essentially used to store
the duplicate data for data recovery purposes, in the event that the primary disk fails. Level 3 is
similar to Level 0, but the striping is done in bytes instead of the blocks used in Level 0. RAID Level 4 is
similar to Level 3, but this time the data is striped into block-sized chunks like Level 0
instead of byte-sized ones. RAID Level 5 is similar to Level 4, but there is no dedicated parity disk
as in Levels 3 and 4. Every disk in a Level 5 RAID contains both data and parity values, instead
Since there are many types of RAID hardware implemented on systems, there
are multiple ways to work on each of the RAID levels and on a system that contains multiple
RAID arrays. The best way to perform analysis on the RAID volume is to acquire the final RAID
volume as if it were a normal single disk, and then use the typical file system tools, such as those for NTFS
or FAT32, or partition analysis tools. Since a suspect device can contain multiple RAID levels,
which makes analysis harder, it is recommended that the
RAID ANALYSIS 4
forensic examiner performs the analysis on it as a single drive, instead of doing multiple analyses on
To prepare for a hardware RAID disk acquisition, the forensic examiner needs to have a
bootable Linux stick, either a CD or a USB drive that contains a bootable Linux,
preferably Kali because it is designed for forensic acquisition and contains a lot of forensic
acquisition tools. It also needs to have drivers for the RAID controller, which will
allow the examiner to figure out what RAID volume is being used on the system. The dd
command can be used from the command line to acquire the final RAID volume and create an
image of it. However, the RAID volume is very large, which is why it is recommended that the
storage drive is large enough to have sufficient disk space to store the image.
Since different bootable Linux CDs require different drivers for the different RAID controllers,
if the examiner realizes during an on-site acquisition that they do not have the supported
drivers for the RAID controllers, the system should be taken back to the lab for further acquisition instead
of continuing with the acquisition, which risks modifying the data in the process. As
always, the disks might not use all sectors, and the unused sectors could contain hidden data that
could be important evidence in the case. The forensic examiner must go through each of
the disks individually to acquire that data after analysis of the RAID volume. If the forensic
examiner knows the layout of the disk, it is easier to identify the unused sectors of the
disk. Both the individual disks and the RAID volume can be searched, if the examiner knows the
Software RAID is relatively similar to hardware RAID, and the best way to perform
acquisition for it is to create an image of the RAID volume, which makes it easier for the examiner
to use normal file system tools for further analysis. There are analysis tools that allow the
examiner to merge the individual disks together, a capability that hardware RAID does not
offer. Always use a hardware write blocker to prevent accidentally overwriting or
modifying the data in the process. When the forensic examiner boots a Linux kernel from the
Linux bootable device, it will automatically create a device for each of the RAID partitions that
it contains. Editing the /etc/raidtab file is needed to view the RAID setup and partitions. The
examiner can now mount the volume read-only or image it using the dd command for acquisition.
Forensic tools such as EnCase can import the disks from a Windows RAID volume and allow
acquisition on software RAID, because the examiner will be able to access data that might be hidden
in the individual disks. The forensic examiner also needs to be really careful when using Linux or
Disk spanning is when multiple disks appear to be just one large disk. Many software
RAID implementations actually provide disk spanning, even though it does not offer any redundancy or
performance benefits. Disk spanning gives the user the ability to create a larger storage
system, and some versions of disk spanning allow them to add a new disk and increase the size of
the file system. There are two different types of disk spanning in Linux: Linux MD and
Linux LVM. To perform analysis on an MD volume, the best method is to acquire the volume as a
single drive and use the standard analysis tools. The forensic examiner must be
careful to place the disks in the correct order and location, because if they are placed in a
different order or a different location, the superblock will be rewritten in the process.
Bootable Linux CDs or USB drives can be used to acquire an image of the MD volume and avoid
modification. There is hardly any chance of recreating the MD volume from a raw image; the best
way to get to the data is to restore the images to blank disks and extract the data from those
disks.
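As an added example that is not part of the original paper, the following Python script shows what reassembling a software RAID volume from its member images involves: it stripes constructed sample data onto three RAID 5 member images, rebuilds the logical volume from the images in array order (recovering one missing member from XOR parity), and hashes the result with MD5. The left-asymmetric layout and the 4-byte stripe unit are assumptions for the demonstration; the parity check flags an altered or foreign member, while a wrong member order only shows up as a different volume and a different MD5.

```python
import hashlib
CHUNK = 4  # constructed stripe unit in bytes; real arrays use 64 KiB or more

def parity_disk(stripe, n):
    # Left-asymmetric RAID 5 layout (assumed): the parity chunk rotates
    # from the last member downwards on each successive stripe.
    return (n - 1) - (stripe % n)

def xor_blocks(blocks):
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, v in enumerate(blk):
            out[i] ^= v
    return bytes(out)

def split_raid5(volume, n, chunk=CHUNK):
    """Constructed test helper: stripe a logical volume onto n member images."""
    per_stripe = chunk * (n - 1)
    volume += b"\0" * ((-len(volume)) % per_stripe)
    members = [bytearray() for _ in range(n)]
    for s in range(len(volume) // per_stripe):
        data = volume[s * per_stripe:(s + 1) * per_stripe]
        pieces = [data[k * chunk:(k + 1) * chunk] for k in range(n - 1)]
        pieces.insert(parity_disk(s, n), xor_blocks(pieces))
        for d in range(n):
            members[d] += pieces[d]
    return [bytes(m) for m in members]

def assemble_raid5(members, chunk=CHUNK):
    """Rebuild the logical volume from member images given in array order.
    One entry may be None (failed or missing disk) and is recovered from
    parity. Returns (volume, bad_stripes); bad_stripes counts stripes whose
    XOR is not zero, i.e. a member was altered or belongs to another array.
    Member order cannot be checked this way, since XOR is order-independent."""
    n = len(members)
    present = [m for m in members if m is not None]
    out, bad = bytearray(), 0
    for s in range(len(present[0]) // chunk):
        blocks = [None if m is None else m[s * chunk:(s + 1) * chunk]
                  for m in members]
        if None in blocks:
            blocks[blocks.index(None)] = xor_blocks(
                [b for b in blocks if b is not None])
        elif any(xor_blocks(blocks)):
            bad += 1
        p = parity_disk(s, n)
        out += b"".join(blocks[d] for d in range(n) if d != p)
    return bytes(out), bad

def md5_hex(data):
    # Hash of the reassembled volume, as an examiner records for the image
    return hashlib.md5(data).hexdigest()
```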
The second method of disk spanning is Linux LVM, which is a more advanced
architecture than MD spanning. To perform analysis on an LVM volume, the examiner has the
option to boot a Linux OS from a CD/USB, or they can remove the disks from the suspect system
and place them in a trusted Linux system for acquisition. Before performing analysis on the disk, it is
important to make sure that automatic mounting is turned off, because it could cause
modification in the process. The vgscan command will scan for any logical volumes on the
devices and create a directory to store the files. The forensic examiner can now use the vgscan -a
command to activate the volume, which will allow them to use the dd command to create their
image. Based on expert Brian Carrier's experience, he has never had a problem with using the vgscan
and vgchange commands, and he confirms that using these two commands does not cause the MD5
value of the disks to change, which makes the evidence more reliable.
References
Carrier, B. (2011). File System Forensic Analysis. Upper Saddle River, NJ: Addison-Wesley.
Rouse, M. (n.d.). What is RAID (redundant array of independent disks)? Retrieved from http://searchstorage.techtarget.com/definition/RAID
Lawrence, T. (2011, January 07). Linux Logical Volume Manager (LVM) on Software RAID.