RAID Rebuilding - Dickerman

8/8/2019 RAID Rebuilding - Dickerman

1/49


2/49

Objectives

Brief introduction to RAID technology and the issues you needto be aware of to properly perform the acquisition and

rebuilding of data stored on a RAID array, for subsequentanalysis.

What is a RAID?

Hardware vs. Software RAID

RAID Attributes

RAID Levels


3/49

Objectives (cont.)

RAID rebuilding 101

Rebuilding Tools

RAID Reconstructor

X-Ways Forensics/WinHex (Specialist or Forensic license)

Encase

SMART


4/49

What is RAID?

Redundant Array of

Inexpensive/Independent Disks Multiple disks functioning as one for:

Fault Tolerance (Data Protection) Increased Performance

Increased Capacity


5/49

Hardware RAID

Hardware RAID is controlled by a RAID

controller. The OS is typically unaware that it is

writing/reading to/from multiple disks.


6/49

Hardware RAID

What the forensic examiner sees (physically).


7/49

Hardware RAID

What the OS seesa 273GB primary disk andtwo 2,235 GB Disks


8/49

Hardware RAID

The physical drives that are actually present3-136GBarray disks and 1-136Gb hot spare, plus 14 400GB

IDE disks in an Apple X-Serve RAID (not shown in screenshot).


9/49

Hardware RAID

What your imaging tool might see

* The above screenshot is for the sole purpose of demonstrating examples of RAID volume detection and does not necessarily depictthe RAID volume detection capabilities of all versions of the above shown tool. The disks and volumes detected will vary dependingon the version of your imaging tool and the controller drivers incorporated into your bootable disk.


10/49

Hardware RAID




11/49

Hardware RAID




12/49

Hardware RAID




13/49

Software RAID

Software RAID is controlled by the OS or

software running in the OS. On a PC, the bootable system drive is not part of the

Software RAID, but usually contains the information

required to load/access the software RAID. Many multi-drive external storage devices are actually

Linux software RAIDs behind the scenes, where the

device has a Linux OS on its firmware that controlsdisk read/write operations to the multiple disks.


14/49

Software RAID

Notice the X: drive is a 4471 GB Windows Server 2003striped volume made up of two 2235 GB physicaldiskswhich are actually each made up of 7 400GB IDEdisks set up as RAID 5 hardware RAID volumes. (a softwareRAID 0 striped across two hardware RAID 5 volumes = RAID 50.)


15/49

RAID Attributes

Disk Order

Stripe Size RAID Header

Parity Dedicated vs. Distributed

Parity Type/Rotation Parity Delay


16/49

RAID Attributes

Disk Order

The order of the disks that make up the array This may seem like a very simple one, but

when pulling individual drives from a RAID, it

is easy to get them out of order or mislabelthe image names for each disk image.

Always double check yourself, especiallywhen putting the disks back into the server to

ensure they are in the correct order.


17/49

RAID Attributes

Stripe Size

How much data is written to each diskbefore moving to the next disk to write the

next block of data. Typical stripe sizes:

8,16, 32, 64, and 128 kilobytes per stripe

you may occasionally see other sizes


18/49

RAID Attributes

RAID Header

Static block of data at the beginning of each arraydisk.

May be identical (or nearly identical), making you

initially think its a mirror Usually has a byte that identifies the disk # for the

array, which gives you your Disk Order

Header size and disk # usually found by performing acomparison of the disks.

Compaq/HP servers usually = 1088 sector header

size


19/49

RAID Attributes

Parity

Rebuilding information created by XORing togetherbytes from each disk containing RAID data, the resultof which gets stored as a parity value on the paritydisk.

The drive on which this calculated parity data isstored will depend on the type of Parity Rotationused.

Parity Rotation described in more detail later in presentation

RAID4 = Dedicated parity disk

RAID5 = Distributed parity disk


20/49

RAID Levels

RAID 0 (Striping)

RAID 1 (Mirroring/Duplexing)

RAID 5 (Striping w/ Distributed Parity)

Multi-RAID levels

RAID 1+0 (a stripe of mirrors) RAID 0+1 (a mirror or stripes)

RAID 1+5, 5+1, 0+5, 5+0, etc.

Other non-RAID multi-disk setups: Disk Spanning

JBOD (Just a Bunch Of Disks)


21/49

RAID 0

No fault tolerance

Single disk failure = array failure Fastest performance

Capacity of array = total capacity ofindividual disks combined

Items needed for rebuilding: Disk Order

Stripe Size

RAID header size** Not all RAIDs have a RAID header


22/49

RAID 1

Fault tolerance (via data replication)

Increased read performance, same writeperformance as writing to single disk

50% of disk capacity used for dataredundancy

Items needed for rebuilding: Typically no rebuilding necessary

unless RAID header exists*

* Not all RAIDs have a RAID header


23/49

RAID 5

Fault tolerance (via parity data)

Increased read and write performance 1/Nth reduction in disk capacity, used for

parity, where N = # of array disks. Minimum of 3 array disks needed for any

RAID level with parity


24/49

RAID 5

Rebuilding components:

Disk order Stripe size

RAID header size*

Parity rotation

Parity delay**

* Not all RAIDs have a RAID header** Only used in Backward Delayed Parity

R


25/49

RAID 5

Parity Rotation

Backward Delayed Parity (Compaq/HP)*

* Example shown using a parity rotation delayof 4, meaning parity stays on its current diskfor 4 stripes, then moves for the next 4 stripesand so on.

RAID 5


26/49

RAID 5

Parity Rotation

Backward Dynamic Parity (AMI) Probably the most common type

RAID 5


27/49

RAID 5

Other Parity Rotations

Backward Parity (Adaptec)

Forward Parity

RAID R b ildi 101


28/49

RAID Rebuilding 101

The goal in RAID rebuilding it to put back together thedata that has been spread out across multiple disks andmay include parity information, depending on the RAID

level. This is done by re-pasting the striped data back together

into one disk/image and removing the parity as you go.

Individual RAID 5 disks/imagesRAID 5 rebuilt intosingle diskDisk 0 Disk 1 Disk 2 Disk 3 Disk 4

Stripe1 T H I S Parity

Stripe2 A S Parity W

Stripe3 R A Parity A

Stripe4 ! Parity I D !

Disk 0

THIS WAS A RAID!!

RAID R b ildi 101


29/49

RAID Rebuilding 101

The more you document about the RAIDonsite, the less you have to manually try to

figure out later! Boot RAID server into RAID Controller BIOS

configuration utility during Power On Self Test

(POST)

View array configuration and write down the

RAID level, disk order, stripe size, disk &array configuration, controller type, etc!!!

RAID R b ildi 101


30/49

RAID Rebuilding 101

RAID Reb ilding 101


31/49

RAID Rebuilding 101

RAID Rebuilding 101


32/49

RAID Rebuilding 101

Any of the information you are unable to determineonsite during the imaging of the RAID disks will have tobe either manually determined or possibly via some

guesswork. Manual interpretation of the striped data on RAID disks

is not difficult if you have an in-depth understanding of

how data structures are laid out on a non-RAID disk,including:

MBR and Partition Table

Boot Sectors/Records

FAT tables, Root Dirs, etc.

MFT records, INDX entries, etc.

Unfortunately, it is not possible to cover manual datainterpretation in this one hour presentation.

RAID Rebuilding Tools


33/49

RAID Rebuilding Tools

RAID Reconstructor (Runtime Software)http://www.runtime.org/raid.htm

X-Ways Forensics/WinHex (X-Ways SoftwareTechnology AG)

http://www.x-ways.net/forensics/index-m.html

Encase (Guidance Software)http://www.guidancesoftware.com/products/ef_index.aspx

SMART (ASRData)

http://www.asrdata2.com/

***There are a few other RAID rebuilding tools out there but as ofthe writing of this presentation, the above tools were the only

ones I had available to include.

RAID Reconstructor
http://www.runtime.org/raid.htmhttp://www.x-ways.net/forensics/index-m.htmlhttp://www.guidancesoftware.com/products/ef_index.aspxhttp://www.asrdata2.com/http://www.asrdata2.com/http://www.guidancesoftware.com/products/ef_index.aspxhttp://www.x-ways.net/forensics/index-m.htmlhttp://www.runtime.org/raid.htm


34/49

RAID Reconstructor

Step #1 chose RAID type, number of drives,add drives images (in correct order), select block

size and parity rotation.

RAID Reconstructor


35/49

RAID Reconstructor

Step #2 analyze data to attempt to determinecorrect RAID parameters.

RAID Reconstructor


36/49

RAID Reconstructor

Step #3 - write out a new rebuilt single imagefrom the multiple images.

RAID Reconstructor


37/49

RAID Reconstructor

Pros

Tests numerous combinations of RAID parameters to tryand Guess settings using entropy testing. Useful when

you dont know the parameters. Works with up to 14 RAID disks for RAID 5.

Will rebuild RAID 5, from parity, with one missingdisk/image.

Cons

Can only do a 2-disk RAID 0

Doesnt do Backward Delayed Parity RAIDs

Requires you to actually rebuild a new image before youcan check to see if you actually have the correct settings.Only after the rebuild can you open the new image in yourforensic tools.

Does not recognize .e01 or other image formats, mustconvert images to raw bit.

X-Ways Forensics/WinHex


38/49


Step #1 Open each individual disk image and InterpretImage File as Disk from the Specialist menu.



39/49


Step #2 Select Assemble RAID system from theSpecialist menu. Open each disk component in thecorrect order, enter the header size, select the parity

rotation type and stripe size and click OK.



40/49


If you entered the correct RAID parameters, the RAIDvolume is virtually reconstructed, allowing you to mapout the file system.



41/49


Pros

Performs a virtual rebuild in RAM to allow you to seethe results right away. File system mapping errors

indicate if you have the wrong parameters. Works with up to 10 RAID disks for RAID 5 or RAID 0.

Will rebuild RAID 5, from parity, with one missing

disk/image. The only tool that does Backward Delayed Parity

(Compaq/HP).

Reads .e01 or raw bit images. Cons

Does not use entropy or do any guesswork for you.

EnCase (Software RAID)


42/49




43/49


EnCase (Hardware RAID)


44/49

EnCase (Hardware RAID)

EnCase


45/49

EnCase

Pros

Can be used to virtually reconstruct WindowsSoftware RAIDs and some hardware RAIDs.

Reads .e01 and raw bit images.

Can rebuild RAID 5, from parity, with a missingimage.

Cons Only rebuilds Right or Left handed stripe RAIDS.

(Not sure what Parity rotation types these refer to, but

they are not in line with the correct industryterminology used by other vendors.)

Lacks features for RAID headers and Delayed Parity.

SMART


46/49

SMART

23

1

4

SMART


47/49

SMART

12

3

1

2

4

3

SMART


48/49

SMART

Pros Can be used to virtually reconstruct RAIDs. The only tool that does RAID4.

Allows removal of RAID header when importing images(prior to RAID rebuilding steps). Reads .e01 and raw bit images. Guesses using entropy to try to determine settings for

you. Cons

Only rebuilds Right Symmetric or Left Symmetric parityRAID5 (no Backward Dynamic or Backward Delayed).

Relies on Linux OS it is running on for driver support (i.e.MD raid driver). Device detection may be more complexand require more user interaction or configuration. Linuxdrivers are not available for all controller cards.

Requires Linux knowledge/familiarity.

The End


49/49

e d

Questions???

Concerns???

Confusion???

RAID Rebuilding - Dickerman

Documents

Transcript of RAID Rebuilding - Dickerman