Redundant Array of Independent Disks (RAID)

RAID

RAID is a widespread item to encounter. Computer systems these days need many terabytes of storage, and even though we see drives provide 20+ TB of storage, there is still a strong need for RAID, as we still wish to provide redundancy and improved speeds. This is a benefit of RAID, as we can use many smaller disks and avoid having a single point of failure (which could be catastrophic). Also, those large drive sizes are expensive, so we can save money using several less expensive drives.

Some mainboards will support RAID, or you might need to add a new RAID controller card to your system to support RAID. There are different levels of RAID, so you should research the mainboard or the RAID controller card to understand what RAID levels are supported.

Partity

Partity is an important concept to understand with RAID. It is how RAID can provide the means to check for errors and correct data. To calculate the parity bit, all the bits that are 1 are added up.

If this results in an even number, we set the parity bit to 0.

If this results in an odd number, we set the parity bit to 1.

Based on this information, if some data is missing, we can use the parity bit to determine what it should be set as.

Examples:

byte parity

1011 0011 1

0110 1010 0

RAID 0

RAID 0 combines multiple hard drives into a single logical unit that improves performance. It does this by splitting or stripping data across all the drives in the array. This means all data is written and read from multiple drives in the array, increasing read/write speeds. The primary issue with RAID 0 is that it does not provide redundancy—if one drive fails, all data is lost!

RAID 1

RAID 1 is a storage technology that mirrors data across two drives. This means that each drive is a bit-for-bit copy of one another. The benefit of RAID 1 is that if a single drive fails, an exact copy of the data exists. However, RAID 1 does not provide any performance benefits, as data needs to be written to multiple drives and requires twice the storage capacity.

RAID 5

RAID 5 is another storage technology that combines multiple hard drives into a single logical unit. It provides both improved performance and data redundancy—the best of both worlds! It does this by striping data and parity information across all drives in the array. Recall that the parity information can be used to reconstruct data in case a drive fails. RAID 5 might have a slower performance rate than RAID 0 due to needing to calculate the parity bit. Also, RAID 5 requires at least 3 drives.

RAID 10

This combines RAID 0 and RAID 1!

RAID 50

This combines RAID 0 and RAID 5!

Investigations

When acquiring RAID, several items must be accounted for:

Size is the biggest concern - recall RAID can have MANY terabytes of data
- We need to determine the amount of storage required to complete the acquisition
What type of RAID is used
- This is important as each RAID level stores data differently, and we need to understand how it will be formatted.
Do we have the right acquisition tool, and can it handle RAID?
- Some tools might be unable to acquire RAID, so verification is essential.
Can the tool handle split data saves for each RAID disk?
- This will help with the size issue, as the image can be saved into smaller chunks.
Is the RAID system using antiquated hardware, and can we be confident in acquiring the data without issue?
- If the RAID system is using older hardware, it is recommended that you acquire the same hardware and perform test acquisitions until you can successfully acquire an image without issues.

RAID Acquisitions

Step 1: Acquire and investigate the complete RAID volume as a single volume
- Needs a big target device.
- Use device drivers such as those contained on Linux distributions
Step 2: Acquire individual disks and look for hidden data in possible areas that the RAID volume did not use.
- Keyword searches can also be performed on the individual disks.
Step 3: Preform the investigation on the forensic image(s) as you normally would.

Google Sites

Report abuse