RE: Dealing with RAID and SCA Drives

From: Robinson, Sonja (SRobinsonat_private)
Date: Wed Nov 06 2002 - 09:24:28 PST

    From some past experiences, working with RAID has not been too successful.
    One of the problems was recreating the hardware to match the original system
    since the RAID would automatically try to detect that even if we were able
    to get an image.  I'm sure more people have had success than I have with it.
    I only had experience with a few and the clients didn't want the expense of
    going all out with only a chance of success.
    
    I was able to get a bitstream copy using snapback and a dat-40 but we
    never tried to restore it to see what happened, but it's worth a shot if all
    else fails.  Apparently, Encase can do servers now, but I haven't tried it
    yet.
    
    -----Original Message-----
    From: Paul Timmins [mailto:paulat_private]
    Sent: Wednesday, November 06, 2002 7:41 AM
    To: Dave Ryan
    Cc: forensicsat_private
    Subject: Re: Dealing with RAID and SCA Drives
    
    
    Indeed. Unless it's a RAID 1 mirror, you usually only have a portion of
    the data on the mirror if you only have one drive.
    With a RAID 5, you have every other sector (or the top and bottom half,
    I don't know the allocation strategy most use) on however many drives
    (Most commonly people do RAID 5 on 3 drives, 2 are data drives and 1 is
    parity, but I'm currently doing RAID 5 on 5 drives at home, and 9 at
    work) and with the parity drive(s), you have what amounts to a sector to
    sector difference that given the parity and one of the drives, you can
    rebuild the data from.
    
    Given only one drive in an array (other than raid 1) you're pretty
    screwed. Try running strings on it, or using other similar tools.
    If it's raid 1, they may have replaced the first sector with the RAID
    controller configuration. Most controllers store a copy of their config
    in NVRAM, and a copy on each of the member drives of the array, so it
    can tell if there's an inconsistency.
    If you're dealing with a RAID 1 mirror, check a few sectors above the
    first and see if your partition table was shifted upwards by the RAID
    controller config sector.
    
    Other than that, I'll defer to someone who's actually recovered forensic
    data from something like this.
    
    -Paul
    
    On Tue, 2002-11-05 at 07:54, Dave Ryan wrote:
    > Hi,
    > 
    > Pretty new to the forensic scene, but here it goes:
    > 
    > I'm having problems with SCA disks and RAID. When mounting the disk in
    > an SCA slot on one of my servers, I then attempt to access the device
    > (located at sdb* - dmesg is recognising it). Because I can't access this
    > device, I cannot image it.
    > 
    > On running fdisk -l I receive the error message:
    > 
    >     No Valid Partition Table Found
    > 
    > This is a Fujitsu drive, in a Dell PowerEdge 1550 (my temporary forensic
    > system). I am using the SCA bays and not connecting it to a normal SCSI
    > 3 card (although I do have one and have purchased SCA->SCSI convertors,
    > but have been unsuccessful in getting those to work - single drive off
    > the cable, no daisy chain issue).
    > 
    > Am I correct in assuming this is due to it being part of the mirror and
    > FreeBSD is not finding the partition type sector where it would assume
    > to find it? (or am I totally wrong).
    > 
    > Does anyone have any suggestions on how to get around this? Or can
    > someone point out where I am going wrong. Also if anyone has any
    > suggestions on the SCA->SCSI convertor issue (I've read it is
    > unsupported, do I need a single connector SCSI cable?). Any references
    > people have on dealing with RAID situations would be greatly
    > appreciated.
    > 
    > Thanks in advance,
    > Dave.
    > 
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 19:14:54 PST
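
The check suggested in the quoted reply (look a few sectors past the first for a partition table that a RAID controller's config sector has pushed upward) can be scripted against a read-only image. This is an added example, not part of the original thread; the function names, the sample image and its "controller config" sector are constructed for illustration, and it assumes a classic MBR layout with 512-byte sectors.

```python
import io
import struct

SECTOR = 512  # assumed sector size

def parse_mbr(sector):
    """Return partition entries if the sector looks like an MBR, else None."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 462 + 16 * i]
        status, ptype = raw[0], raw[4]
        lba_start, count = struct.unpack_from("<II", raw, 8)
        if status not in (0x00, 0x80):
            return None          # boot flag must be 0x00 or 0x80
        if ptype != 0 and count:
            entries.append({"slot": i, "type": ptype, "active": status == 0x80,
                            "lba_start": lba_start, "sectors": count})
    return entries or None       # the 55AA signature alone is not enough

def find_partition_tables(stream, max_sectors=64):
    """Scan the first max_sectors of an image for MBR-like sectors."""
    hits = []
    for n in range(max_sectors):
        stream.seek(n * SECTOR)
        sector = stream.read(SECTOR)
        if len(sector) < SECTOR:
            break                # end of image
        entries = parse_mbr(sector)
        if entries:
            hits.append((n, entries))
    return hits

def build_sample_image():
    """Constructed image: made-up 'config' data in sector 0, MBR in sector 3."""
    config = b"FAKE-RAID-CONFIG".ljust(SECTOR, b"\xff")  # hypothetical contents
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x01\x01", 0xA5,
                        b"\xfe\xff\xff", 63, 2048)       # one active 0xA5 slice
    mbr = bytes(446) + entry + bytes(48) + b"\x55\xaa"
    return io.BytesIO(config + bytes(2 * SECTOR) + mbr + bytes(4 * SECTOR))

if __name__ == "__main__":
    for sector_no, entries in find_partition_tables(build_sample_image()):
        for e in entries:
            print(f"MBR-like sector {sector_no}: slot {e['slot']} "
                  f"type 0x{e['type']:02x} start {e['lba_start']} "
                  f"sectors {e['sectors']}")
```

For a real case, pass a file object opened with `open(path, "rb")` on the acquired image rather than the device itself; whether the start LBAs in a shifted table are relative to the shifted sector depends on the controller and has to be checked per case.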