I've withheld responding since I haven't had any RAID-5 success in a forensic examination, but have been giving thought to the problem as I'd like to be able to solve the problem myself. I had one instance where I had a RAID-5 lab setup, which I screwed up the examination of. I've learned a few things since then...

The first thing I did wrong was in allowing the RAID set to initialize, which immediately blows media integrity as the RAID syncs up. It would be nice to have the ability to start the RAID set read-only, but I haven't determined if this is possible. (i.e. You can mount the logical RAID drive as read-only after the RAID set has been initialized, but at this point the damage has been done.)

I have spoken with a few data recovery company employees in the past and they described a RAID de-striping process (original multiple RAID disks to an alternate single large-volume disk), so that you end up with one logical image instead of multiple disk images, which I think would be the safest bet for a forensic examination/recovery that maintains the integrity of the original media.

I'd love to hear if anyone has actually developed any open RAID de-striping software.

William J Jewitt <jjewitt2001at_private> said:

> I noticed no one seems to have answered you so far, so I'll do my best:
> A colleague and I conferred and believe that a number of different
> mechanisms can duplicate the drives, for instance, a Trinux CD and use
> of the dd command to get a nice raw image. Of course, the SCSI
> controller may not be supported.
> EnCase forensic software includes native support for NT striped RAID
> file systems. If someone has experience with EnCase's support for RAID
> then chime in anytime. You may also want to include more details if
> this does not answer your question.
>
> Regards,
> J Jewitt
>
> --- Hunter Ely <hely1at_private> wrote:
> > I have a server that was compromised. I've been doing lower-level
> > forensics on machines with single drives, but I don't know what I
> > need to do to image a RAID array. I haven't seen the machine yet, so
> > I can't give you any specifics about it. Can any of you guys give me
> > an idea of what I need to do? Thanks.
> >
> > ------------------------------------------------------
> > Hunter Ely
> > Network Security Analyst, Office of Computing Services
> > Louisiana State University
> > http://hunter.lsu.edu
> >
> > -----------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com

--
William Salusky
changeat_private
cell: 925-250-6092
This archive was generated by hypermail 2b30 : Wed May 15 2002 - 06:09:05 PDT