Thursday, December 2, 2010

How to Acquire RAIDs (EnCase)

Hardware RAID acquired as one volume

A hardware RAID is a group of hard drives connected to a physical RAID controller that is either integrated into the motherboard or installed as an add-on card. The RAID controller presents the multiple drives as one large physical drive. Because RAID controllers vary so widely, it is easiest to acquire the RAID as one large physical disk instead of acquiring the drives separately and trying to piece them together in EnCase. Acquiring the RAID as one large volume requires that you acquire it in its native environment, as seen by the RAID controller:

  1. Open the case of the suspect computer and document the RAID setup. Leave the cover open because you will need access to the hard drives later on.
  2. Download and create a network boot disk (it contains many popular SCSI drivers and also supports parallel port and network crossover acquisitions).
  3. Unplug the power and data connectors from each hard drive, noting where they were connected because you will need to reconnect them later.
  4. Boot the suspect computer and configure the BIOS to boot to floppy only.
  5. Save the settings and power down the computer.
  6. Reconnect the hard drives in the same way that they were connected in Step 4.
  7. If performing a DOS drive-to-drive acquisition, connect your partitioned and FAT-32 formatted storage drive to a spare hard drive connector on the suspect computer. If there are no more connectors, you may use one from the CD-ROM drive, or connect it to an add-on IDE controller card and insert the controller card into a free PCI slot on the motherboard.
  8. Now insert your boot floppy and boot the computer using it. If you are working with a SCSI RAID array, choose the options to Auto Detect and load the SCSI drivers using the network boot disk. If you intend to perform a network crossover acquisition, allow the computer to detect and load drivers for the network card.
  9. Launch EnCase® for DOS. Remember, the BIOS sees the RAID as one drive, so you will only see one large physical drive in EnCase.
  10. Acquire the RAID array as you would acquire a single IDE hard drive.
  11. When the acquisition is finished, the RAID array will appear as one physical disk in EnCase.

Hardware RAID acquired as multiple disks

Sometimes acquiring the disk configuration as one drive is impossible, or impractical due to time constraints. Reconstructing a hardware RAID array that has been acquired as separate drives is referred to in EnCase as editing the disk configuration. To edit the disk configuration, several items of information are required:
  • Stripe size
  • Start sector
  • Length per physical disk
  • Right- or left-handed stripe
  • The order of the physical disks
Usually you can collect this information from the BIOS of the controller card.

To acquire and build a hardware disk configuration:

  1. Open the case of the suspect computer and document the RAID setup. Leave the cover open because you will need access to the hard drives for the next step.
  2. Acquire each disk in the RAID.
  3. Add the evidence files from all of the RAID disks to one case.
  4. Switch to the Devices tab. (Select VIEW -> Cases -> DEVICES)
  5. Right-click on any of the evidence file rows and select Edit Disk Configuration... from the contextual menu.

    Right-click for pop-up menu, left-click for command

  6. You will then see the "Disk Configuration" dialog box.

    Disk Configuration settings

  7. Right-click in the empty Component Devices window and choose New.

    Adding / Editing a disk element in the RAID

  8. Highlight the first disk and enter the start sector and element size.
  9. Click OK.
  10. Repeat steps 5-7 for each disk in the RAID, making sure that they are added in correct numerical order.
  11. Next, select the type of RAID in the Disk Configuration list box.
  12. Set the stripe size, choose whether the image is of a physical disk, choose whether it is a right-handed stripe set, and click OK.

    Choosing the RAID Array parameters

  13. You will now see the newly created RAID device in the devices view.

    New RAID device

  14. When you go to the Cases/Entries view and expand the RAID array, you will see the folder structure of the RAID array.

    The rebuilt RAID
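
The five parameters entered in the Disk Configuration dialog fully determine how sectors on the member images map back to the logical volume. The following sketch is an added example, not EnCase code or anything from the original post: it rebuilds a RAID 5 set from constructed member images and shows by hash comparison that a wrong disk order or handedness yields a different volume. The function names are hypothetical, and "right-handed" and "left-handed" are assumed here to mean the right-asymmetric and left-asymmetric parity rotations as Linux md names them.

```python
import hashlib
from functools import reduce

SECTOR = 512

def row_layout(row, n, right_handed):
    """Return (data disk order, parity disk) for one stripe row (asymmetric RAID 5)."""
    # Assumption: "right-handed" = parity starts on disk 0 and moves up;
    # "left-handed" = parity starts on the last disk and moves down.
    parity = row % n if right_handed else (n - 1) - (row % n)
    return [d for d in range(n) if d != parity], parity

def make_members(volume, n, stripe_sectors, start_sector, right_handed):
    """Constructed fixture: stripe `volume` across n member images with XOR parity."""
    unit = stripe_sectors * SECTOR
    # Each member begins with `start_sector` sectors of filler standing in for controller metadata.
    members = [bytearray(b"\xEE" * (start_sector * SECTOR)) for _ in range(n)]
    for row in range(len(volume) // (unit * (n - 1))):
        order, parity = row_layout(row, n, right_handed)
        base = row * (n - 1) * unit
        chunks = [volume[base + i * unit: base + (i + 1) * unit] for i in range(n - 1)]
        for disk, chunk in zip(order, chunks):
            members[disk] += chunk
        members[parity] += reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), chunks)
    return [bytes(m) for m in members]

def rebuild(members, stripe_sectors, start_sector, length_sectors, right_handed):
    """Reassemble the logical volume; `members` must be in physical disk order."""
    unit, n, out = stripe_sectors * SECTOR, len(members), bytearray()
    for row in range(length_sectors // stripe_sectors):
        offset = start_sector * SECTOR + row * unit
        order, _ = row_layout(row, n, right_handed)
        for disk in order:  # parity unit of each row is skipped
            out += members[disk][offset:offset + unit]
    return bytes(out)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample: 24 sectors, each filled with its own index.
VOLUME = b"".join(bytes([i]) * SECTOR for i in range(24))
DISKS = make_members(VOLUME, n=3, stripe_sectors=2, start_sector=1, right_handed=False)

if __name__ == "__main__":
    ref = sha256(VOLUME)
    print("correct parameters   :", sha256(rebuild(DISKS, 2, 1, 12, False)) == ref)
    print("disks 0 and 1 swapped:", sha256(rebuild([DISKS[1], DISKS[0], DISKS[2]], 2, 1, 12, False)) == ref)
    print("wrong handedness     :", sha256(rebuild(DISKS, 2, 1, 12, True)) == ref)
```

A rebuild with wrong parameters still produces output of the right length, so confirm the result by checking that the file system parses or by comparing against a known hash rather than by size alone.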

Software RAID

A software RAID is simply a series of hard drives that the operating system (as opposed to a RAID controller card) writes to and reads from as a RAID. The BIOS of the host computer therefore sees the drives as separate drives, because it is the OS, not the BIOS, that builds the RAID. Since they are separate drives and are seen as separate drives, you have to acquire them as separate drives. It is important to note that the OS cannot reside on the software RAID, so it will reside on a separate disk. The disk that contains the OS also contains the registry, which holds the information needed to rebuild the RAID, so always make sure that you acquire this disk as well.

  1. Open the case of the suspect computer and document the RAID setup. Leave the cover open because you will need access to the hard drives for the next step.
  2. Acquire each disk in the RAID (including the non-RAID disk that contains the OS files).
  3. Add all of the evidence files into one case.

    Case with all drives added

  4. Note that in the Cases/Entries view, the members that make up the software RAID have the RAID/Dynamic Disk icon instead of the physical disk icon.
  5. Right-click on the hard drive that contains the OS files and choose Scan Disk Configuration.
  6. EnCase will locate the information it needs and rebuild the RAID.

    Software RAID added to case

Additional Methods to acquire RAIDs

Dave Shaver of the US Army Computer Crime Investigative Unit has provided a presentation on how to acquire the following types of RAIDs:
  • Intel-Based Hardware RAID (Dead)
  • Intel-Based Hardware RAID (Live)
  • Linux Software RAID (Live)
  • Linux Software RAID (Dead)
  • Windows Software RAID (Live)
  • Windows Software RAID (Dead)
  • Unix Non-Intel RAID (Live)
You can download the presentation here.

Reference: Guidance Software


  1. Do take a look at FTK which comes with remote imaging or F-Response as options for imaging Servers.


  2. Hello Sir, This is a great article. The presentation download link for additional methods and the images seem to be down. Would really appreciate it if you could update the link and images.
    I am a cyber security student and an absolute beginner in this field. Professionals like you are an inspiration for us.