
RE: Reconstruct a hardware RAID from the raw images of each HD

Subject: RE: Reconstruct a hardware RAID from the raw images of each HD
Date: Mon, 20 Jun 2005 12:40:49 -0400
Date: Sun, 19 Jun 2005 12:59:03 +0200
From: Joel A. Folkerts <jfolkert@hiwaay.net>
To: forensics@securityfocus.com
Subject: RE: Reconstruct a hardware RAID from the raw images of each HD

One pricey solution is EnCase -- Starting with EnCase 4, it has the ability
to reconstruct a hardware RAID 5. Good luck!

-Joel

That is going to depend highly on the "on disk" metadata format that is used
by the "hardware" raid in question.

I have not used EnCase before, so I don't really know what raid metadata 
formats that EnCase knows about.

Here is a wild and crazy idea that just might work:

Depending on what kind of raid images you are dealing with, one solution might
be to use the Linux dm-raid tool that recognizes a number of proprietary raid
metadata formats. http://people.redhat.com/~heinzm/sw/dmraid/readme

You would probably have to set up a loop device for each metadata image, and 
then futz with devicemapper and dm-raid to get the array assembled from the 
loop block devices. 

Mind you this is speculation on my part - I've never tried using dm-raid with
loop images taken from a hardware array. You will almost certainly have to
roll up your sleeves and hack some code.

Buyer beware, etc etc.....

-- 
Matthew Galgoci
GIS Production Operations
Red Hat, Inc
919.754.3700 x44155
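
The reply above says reassembly depends on the controller's on-disk metadata. As an added illustration (not code from this thread, and a manual alternative to the dm-raid route it suggests), the sketch below shows what that metadata has to supply for a RAID 5 set: member order, chunk size and parity rotation. The left-symmetric layout, the function names and the in-memory sample images are assumptions constructed for the example.

```python
import io
from functools import reduce

def xor_blocks(blocks):
    """XOR equal-length chunks together (RAID 5 parity arithmetic)."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def destripe_raid5(members, chunk_size, out):
    """Write the logical volume to `out` from RAID 5 member images.

    members: binary file objects in array order; one may be None (lost disk).
    Assumed layout (normally read from the controller metadata): left-symmetric,
    parity on the last disk for stripe 0, moving one disk left per stripe,
    data chunks starting on the disk after parity. Returns stripes written.
    """
    if len(members) < 3 or members.count(None) > 1:
        raise ValueError("need >= 3 members and at most one missing")
    n, stripe = len(members), 0
    while True:
        chunks = [m.read(chunk_size) if m is not None else None for m in members]
        present = [c for c in chunks if c is not None]
        if any(len(c) < chunk_size for c in present):
            return stripe  # end of images; a trailing partial chunk is ignored
        if None in chunks:  # rebuild the lost chunk from the survivors
            chunks[chunks.index(None)] = xor_blocks(present)
        parity = (n - 1 - stripe) % n
        for k in range(n - 1):
            out.write(chunks[(parity + 1 + k) % n])
        stripe += 1

def make_members(data, n, chunk_size):
    """Constructed sample input: stripe `data` over n in-memory member images."""
    members = [bytearray() for _ in range(n)]
    step = chunk_size * (n - 1)
    for stripe, off in enumerate(range(0, len(data), step)):
        row = [data[off + k * chunk_size: off + (k + 1) * chunk_size] for k in range(n - 1)]
        parity = (n - 1 - stripe) % n
        members[parity] += xor_blocks(row)
        for k, chunk in enumerate(row):
            members[(parity + 1 + k) % n] += chunk
    return [bytes(m) for m in members]

def rebuild(images, chunk_size):
    """Convenience wrapper for in-memory images (bytes, or None if missing)."""
    out = io.BytesIO()
    files = [io.BytesIO(i) if i is not None else None for i in images]
    destripe_raid5(files, chunk_size, out)
    return out.getvalue()
```

With real evidence, pass the raw image files opened read-only in binary mode as `members`; a wrong disk order or chunk size still produces output of the right length, so validate the result against a known structure such as a partition table or filesystem superblock.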
