
Re: Dealing with RAID and SCA Drives

From: Paul Timmins <paul(at)timmins.net>
Date: Wed Nov 06 2002 - 07:40:58 EST

Indeed. Unless it's a RAID 1 mirror, you usually only have a portion of the data on the mirror if you only have one drive. With a RAID 5, you have every other sector (or the top and bottom half, I don't know the allocation strategy most use) on however many drives (most commonly people do RAID 5 on 3 drives, 2 are data drives and 1 is parity, but I'm currently doing RAID 5 on 5 drives at home, and 9 at work) and with the parity drive(s), you have what amounts to a sector to sector difference that given the parity and one of the drives, you can rebuild the data from.

Given only one drive in an array (other than RAID 1) you're pretty screwed. Try running strings on it, or using other similar tools. If it's RAID 1, they may have replaced the first sector with the RAID controller configuration. Most controllers store a copy of their config in NVRAM, and a copy on each of the member drives of the array, so it can tell if there's an inconsistency.
If you're dealing with a RAID 1 mirror, check a few sectors above the first and see if your partition table was shifted upwards by the RAID controller config sector.

Other than that, I'll defer to someone who's actually recovered forensic data from something like this.

-Paul

On Tue, 2002-11-05 at 07:54, Dave Ryan wrote:
> Hi,
>
> Pretty new to the forensic scene, but here it goes:
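
Added example (not part of the message above or of the list archive): one way to carry out the check Paul describes for a RAID 1 member, scanning the first sectors of a disk image for a partition table that was pushed past sector 0. The function names, the 64-sector scan window and the sample image are assumptions made for illustration; the "controller config" sector is constructed filler, not any real controller's format.

```python
import struct

SECTOR = 512

def parse_mbr(sector):
    """Return [(type, start_lba, sector_count)] if sector looks like an MBR, else None."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return None                      # no boot signature
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i:462 + 16 * i]
        if entry[0] not in (0x00, 0x80):
            return None                  # status byte invalid: likely boot code, not a table
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:
            parts.append((entry[4], start_lba, count))
    return parts or None

def find_shifted_mbr(image, max_sectors=64):
    """Scan the first max_sectors sectors and return [(sector_index, partitions)]."""
    hits = []
    for n in range(min(max_sectors, len(image) // SECTOR)):
        parts = parse_mbr(image[n * SECTOR:(n + 1) * SECTOR])
        if parts:
            hits.append((n, parts))
    return hits

def build_sample_image():
    """Constructed test data: sector 0 is a made-up config block, sector 1 the real MBR."""
    cfg = b"CONSTRUCTED-CONTROLLER-CONFIG".ljust(SECTOR, b"\x00")
    mbr = bytearray(SECTOR)
    # One bootable Linux (0x83) partition, start LBA 63, 1000 sectors; CHS fields zeroed.
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x83, b"\x00" * 3, 63, 1000)
    mbr[510:512] = b"\x55\xaa"
    return cfg + bytes(mbr) + bytes(SECTOR * 6)

if __name__ == "__main__":
    for shift, parts in find_shifted_mbr(build_sample_image()):
        for ptype, start, count in parts:
            # Assumption: the whole volume is shifted by the same amount as the table.
            print(f"table at sector {shift}: type 0x{ptype:02x}, "
                  f"look for data at sector {shift + start} ({count} sectors)")
```

Run it against a read-only copy of the drive image rather than the original device. A filesystem boot sector can also end in 55 AA, so treat each hit as a candidate to confirm by hand.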



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Wed Nov 6 11:59:17 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:41 EDT

