
Running head: RAID ANALYSIS 1

Assignment 6: RAID Analysis

Livia Nguyen

CFR105

Professor: Frank Griffits

June 16, 2017



Abstract

This document first describes the similarities and differences among RAID Level 0 through RAID Level 5. There are many things a forensic examiner needs to be careful with when performing analysis on RAID volumes and disk spanning. The primary objective of this document is to provide guidance on what should and should not be done during an acquisition of a RAID volume or spanned disks. Some of the commands and tools that can be used for this acquisition are mentioned. Overall, the document discusses the analysis considerations for RAID and spanned volumes.



RAID Volume and Disk Spanning Analysis Consideration

There are multiple levels of RAID, and a system can have one or several RAID arrays on the same machine. RAID Level 0 requires a minimum of 2 disks, but it has no redundancy and is therefore not used for critical systems. RAID Level 1 requires a minimum of 3 disks and mirrors the data for redundancy. When data is written to one of the disks in RAID 1, it is also written to the other disk, so both disks hold exactly the same allocated data. RAID Level 2 is considered a rare case, as it uses error-correcting code to fix corrupted data when it is read from the disks. In RAID Level 3, data is broken into byte-sized stripes across the data disks. It contains a parity disk that is essentially used to store the duplicate data for recovery purposes in the event that a primary disk fails. Level 3 is similar to Level 0, but the striping unit is a byte instead of the block used in Level 0. RAID Level 4 is similar to Level 3, but the data is striped in block-sized chunks like Level 0 instead of byte-sized ones. RAID Level 5 is similar to Level 4, but there is no dedicated parity disk as in Levels 3 and 4. Every disk in a Level 5 RAID contains both data and parity values, instead of a dedicated parity disk storing the parity values.

Since many types of RAID hardware are implemented on systems, there are multiple ways to work on each RAID level and on a system that contains multiple RAID arrays. The best way to analyze a RAID volume is to acquire the final RAID volume as if it were a normal single disk, and then use the typical file system tools, such as NTFS or FAT32 tools, or partition analysis tools. Because a suspect device can contain multiple RAID levels, which makes analysis harder, it is recommended that the forensic examiner analyze it as a single drive instead of performing separate analyses on each of the RAID disks.

To prepare for a hardware RAID disk acquisition, the forensic examiner needs a bootable Linux medium, which can be either a CD or a USB stick containing a bootable Linux, preferably Kali, because it is designed for forensic acquisition and contains many forensic acquisition tools. The medium also needs to have drivers for the RAID controller, which allow the examiner to determine which RAID volume is in use on the system. The dd command can be used from the command prompt to acquire the final RAID volume and create an image of it. However, a RAID volume is very large, so the storage drive must be large enough to hold the image.

Since different bootable Linux CDs require different drivers for the different RAID controllers, it is important to document this information and make sure the controller is supported. If, during an on-site acquisition, the examiner realizes that they do not have the supported drivers for the RAID controller, the system should be taken back to the lab for acquisition instead of continuing on site and risking modification of the data in the process. As always, the disks might not use all sectors, and the unused sectors could contain hidden data that could be important evidence in the case. The forensic examiner must go through each of the disks individually to acquire that data after analyzing the RAID volume. The examiner must know the layout of the disks, since this makes it easier to identify their unused sectors. Both the individual disks and the RAID volume can be searched if the examiner knows the keywords to look for.



Software RAID is relatively similar to hardware RAID, and the best way to acquire it is to create an image of the RAID volume, which makes it easier for the examiner to use normal file system tools for further analysis. There are analysis tools that allow the examiner to merge the individual disks together, whereas hardware RAID does not have the ability to perform this task. Always use a hardware write blocker to prevent accidentally overwriting or modifying the data in the process. When the forensic examiner boots a Linux kernel from the bootable Linux device, it automatically creates a device for each of the RAID partitions it contains. The /etc/raidtab file may need to be edited to view the RAID setup and partitions. The examiner can now mount the volume read-only or image it with the dd command for acquisition. Forensic tools such as EnCase can import the disks from a Windows RAID volume and allow the examiner to analyze them as a single volume. This is a preferable method of acquisition for software RAID because the examiner will be able to access data that might be hidden in the individual disks. The forensic examiner also needs to be very careful when using Linux or third-party tools, because they could have errors or produce inaccurate information.
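As an added example that is not part of the paper, the following POSIX shell helpers read an /etc/raidtab in the old raidtools format (the sample below is constructed, not taken from any real system), list the member devices in raid-disk order, and check that the member count matches nr-raid-disks, so the examiner can confirm the disk layout before touching the array.

```sh
#!/bin/sh
# Constructed sample /etc/raidtab in raidtools format; not from a real system.
SAMPLE_RAIDTAB='raiddev /dev/md0
    raid-level            5
    nr-raid-disks         3
    persistent-superblock 1
    chunk-size            64
    device                /dev/sdb1
    raid-disk             0
    device                /dev/sdc1
    raid-disk             1
    device                /dev/sdd1
    raid-disk             2
'

# Read raidtab text on stdin; print "index device" per member, ordered by index.
# A "device" line names the partition; the following "raid-disk" line gives its slot.
raidtab_members() {
  awk '$1 == "device"    { dev = $2 }
       $1 == "raid-disk" { print $2, dev }' | sort -n
}

# Read raidtab text on stdin; print the declared raid-level.
raidtab_level() {
  awk '$1 == "raid-level" { print $2 }'
}

# Return 0 when the number of member entries equals nr-raid-disks,
# non-zero otherwise (a member is missing or the file is incomplete).
raidtab_complete() {
  tab=$(cat)
  declared=$(printf '%s\n' "$tab" | awk '$1 == "nr-raid-disks" { print $2 }')
  found=$(printf '%s\n' "$tab" | raidtab_members | wc -l)
  [ -n "$declared" ] && [ "$found" -eq "$declared" ]
}
```

Run `printf '%s' "$SAMPLE_RAIDTAB" | raidtab_members` to see the slot order; a mismatch reported by `raidtab_complete` means the layout should be documented and resolved before the array is assembled.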

Disk spanning is when multiple disks appear to be one large disk. Many software RAID implementations actually provide disk spanning, even though it offers no redundancy or performance benefits. Disk spanning gives the user the ability to create a larger storage system, and some versions of disk spanning allow them to add a new disk and increase the size of the file system. There are two different types of disk spanning in Linux: Linux MD and Linux LVM. To analyze an MD volume, the best method is to acquire the volume as a single drive and use the standard analysis tools. The forensic examiner must be careful to place the disks in the correct order and location, because if they are placed in a different order or location, the superblock will be rewritten in the process. Bootable Linux CDs or USB sticks can be used to acquire an image of the MD volume and avoid modification. There is hardly any chance of recreating the MD volume from a raw image; the best way to get to the data is to restore the images to blank disks and extract the data from those disks.

The second method of disk spanning is Linux LVM, which is a more advanced architecture than MD spanning. To analyze an LVM volume, the examiner has the option of booting a Linux OS from a CD/USB, or removing the disks from the suspect system and placing them in a trusted Linux system for acquisition. Before analyzing the disks, it is important to make sure that automatic mounting is turned off, because it could cause modification in the process. The vgscan command scans for any logical volumes on the devices and creates a directory to store the files. The forensic examiner can then use the vgscan -a command to activate the volume, which allows them to use the dd command to create the image. Based on the experience of the expert Brian Carrier, he has never had a problem using the vgscan and vgchange commands, and he confirms that using these two commands does not cause the MD5 value of the disks to change, which makes the evidence more reliable.
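The dd acquisition of the hardware RAID volume described earlier and the MD5 check this last paragraph relies on, as an added POSIX shell example that is not the paper's own: it refuses to image a source that is currently mounted, images it with dd, and confirms that the image's MD5 equals the source's. The mounted-check assumes a Linux /proc/mounts, and the sample volume is a constructed 1 MiB file standing in for a RAID or LVM device.

```sh
#!/bin/sh
# Added example, not from the paper. Assumes Linux (/proc/mounts) and coreutils.

# Return 0 if the given device path is listed in /proc/mounts (i.e. it is mounted).
# A mounted source can change underneath dd, so imaging it is refused below.
is_mounted() {
  grep -q "^$1 " /proc/mounts 2>/dev/null
}

# Image source $1 into file $2 and write $2.md5 holding both hashes.
# Returns 0 only when the source and image hashes match; 2 if the source is mounted.
image_and_verify() {
  src="$1"; img="$2"
  if is_mounted "$src"; then
    echo "refusing: $src is mounted" >&2
    return 2
  fi
  src_md5=$(md5sum "$src" | cut -d' ' -f1)
  # noerror keeps going past unreadable sectors; sync pads each short read
  # to bs, so bs=512 (one sector) pads only a bad sector, never the tail.
  dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
  img_md5=$(md5sum "$img" | cut -d' ' -f1)
  printf '%s  %s\n%s  %s\n' "$src_md5" "$src" "$img_md5" "$img" > "$img.md5"
  # A mismatch means a read error was padded or the source changed: investigate.
  [ "$src_md5" = "$img_md5" ]
}

# Constructed stand-in for a RAID/LVM volume: 1 MiB (2048 sectors) of random bytes.
make_sample_volume() {
  dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}
```

On a real case the source would be the assembled volume device (for example the /dev/md or LVM device the kernel created) opened through a write blocker, and the .md5 file is kept with the image as the chain-of-custody record.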

References

Carrier, B. (2011). File System Forensic Analysis. Upper Saddle River, NJ: Addison-Wesley.

Lawrence, T. (2011, January 07). Linux Logical Volume Manager (LVM) on Software RAID. Retrieved June 16, 2017, from http://aplawrence.com/Linux/lvm.html

Rouse, M. (n.d.). What is RAID (redundant array of independent disks)? Definition from WhatIs.com. Retrieved June 16, 2017, from http://searchstorage.techtarget.com/definition/RAID
