Re: Dealing with RAID and SCA Drives

From: Paul Timmins (paulat_private)
Date: Wed Nov 06 2002 - 04:40:58 PST

    Indeed. Unless it's a RAID 1 mirror, you usually only have a portion of
    the data on the mirror if you only have one drive.
    With a RAID 5, you have every other sector (or the top and bottom half,
    I don't know the allocation strategy most use) on however many drives
    (Most commonly people do RAID 5 on 3 drives, 2 are data drives and 1 is
    parity, but I'm currently doing RAID 5 on 5 drives at home, and 9 at
    work) and with the parity drive(s), you have what amounts to a sector to
    sector difference that given the parity and one of the drives, you can
    rebuild the data from.
    
    Given only one drive in an array (other than RAID 1) you're pretty
    screwed. Try running strings on it, or using other similar tools.
    If it's RAID 1, they may have replaced the first sector with the RAID
    controller configuration. Most controllers store a copy of their config
    in NVRAM, and a copy on each of the member drives of the array, so it
    can tell if there's an inconsistency.
    If you're dealing with a RAID 1 mirror, check a few sectors above the
    first and see if your partition table was shifted upwards by the RAID
    controller config sector.
    
    Other than that, I'll defer to someone who's actually recovered forensic
    data from something like this.
    
    -Paul
    
    On Tue, 2002-11-05 at 07:54, Dave Ryan wrote:
    > Hi,
    > 
    > Pretty new to the forensic scene, but here it goes:
    > 
    > I'm having problems with SCA disks and RAID. When mounting the disk in
    > an SCA slot on one of my servers, I then attempt to access the device
    > (located at sdb* - dmesg is recognising it). Because I can't access this
    > device, I cannot image it.
    > 
    > On running fdisk -l I receive the error message:
    > 
    >     No Valid Partition Table Found
    > 
    > This is a Fujitsu drive, in a Dell PowerEdge 1550 (my temporary forensic
    > system). I am using the SCA bays and not connecting it to a normal SCSI
    > 3 card (although I do have one and have purchased SCA->SCSI convertors,
    > but have been unsuccessful in getting those to work - single drive off
    > the cable, no daisy chain issue).
    > 
    > Am I correct in assuming this is due to it being part of the mirror and
    > FreeBSD is not finding the partition type sector where it would assume
    > to find it? (or am I totally wrong).
    > 
    > Does anyone have any suggestions on how to get around this? Or can
    > someone point out where I am going wrong. Also if anyone has any
    > suggestions on the SCA->SCSI convertor issue (I've read it is
    > unsupported, do I need a single connector SCSI cable?). Any references
    > people have on dealing with RAID situations would be greatly
    > appreciated.
    > 
    > Thanks in advance,
    > Dave.
    > 
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 22:18:06 PST
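
The check suggested in the reply for a RAID 1 member (looking a few sectors past the first for a partition table pushed up by controller metadata), sketched as an added example that is not part of the original thread. The function names, the 64-sector scan window and the sample image (including its "FAKE-RAID-CONFIG" marker) are constructed for illustration.

```python
import struct

SECTOR = 512

def parse_mbr(sector):
    """Return partition entries if the sector looks like an MBR, else None."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 462 + 16 * i]
        boot, ptype = raw[0], raw[4]
        start, count = struct.unpack_from("<II", raw, 8)
        if boot not in (0x00, 0x80):      # anything else is not a partition entry
            return None
        if ptype and count:
            entries.append({"boot": boot == 0x80, "type": ptype,
                            "start_lba": start, "sectors": count})
    return entries or None                # the 55 AA signature alone is not enough

def find_partition_tables(image, max_sectors=64):
    """Scan the first max_sectors sectors; return [(sector_index, entries)]."""
    hits = []
    for idx in range(max_sectors):
        sector = image[idx * SECTOR:(idx + 1) * SECTOR]
        if len(sector) < SECTOR:
            break
        entries = parse_mbr(sector)
        if entries:
            hits.append((idx, entries))
    return hits

def build_sample_image():
    """Constructed test data: 8 sectors, fake controller metadata in sector 0,
    an MBR with one Linux (0x83) partition pushed up to sector 3."""
    img = bytearray(8 * SECTOR)
    img[0:16] = b"FAKE-RAID-CONFIG"       # made-up marker, not a real vendor format
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x83,
                        b"\xfe\xff\xff", 63, 1000)
    mbr = 3 * SECTOR
    img[mbr + 446: mbr + 462] = entry
    img[mbr + 510: mbr + 512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    for idx, entries in find_partition_tables(build_sample_image()):
        print(f"partition table candidate at sector {idx} (byte offset {idx * SECTOR})")
        for e in entries:
            print(f"  type 0x{e['type']:02x} start_lba {e['start_lba']} sectors {e['sectors']}")
```

On real evidence, feed it the first sectors of an image file read in binary mode rather than the sample. Whether the start_lba values are relative to the sector where the table was found depends on the controller and has to be confirmed per case.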