Re: [sleuthkit-users] recombine raid images with loopback?
From: Dave G. <all...@ya...> - 2006-02-02 01:08:03
Jessop,

The way you're describing your image operation (imaging each disk individually) will likely not work. I've tried it in the wild and it just doesn't work (unless you're prepared to manually piece together the data, depending on the RAID config; BTW, I've tried that too with varying levels of success...not fun).

I haven't done much acquisition lately, but I believe the best way to go about it is to boot the to-be-imaged system with a Linux distro packaged for acquisition, such as Helix or perhaps Farmerdude's CD. Essentially what's needed is an acquisition of the RAID as a device, i.e., grabbing an image of the data spanned across the drives in one image, 2nd i.e., as if the RAID is just a big drive.

Obviously, speed of success will be dependent on whether or not your particular Linux boot CD distro has a suitable RAID driver and can 'see' the RAID. You can force the issue by manually adding a device and installing drivers. I've seen this done, but couldn't begin to accurately describe the process in detail.

The bottom line is a need to image the 'RAID', not the drives.

I hope this can get you started.

Dave Gilbert

--- J B <je...@ad...> wrote:

> Suppose you have a raid of 8 9GIG disks.
> You have imaged each disk using dd so that you have diskimg0 ... diskimg7
>
> What's the best way to mount this group of images in software so that you
> can then operate on it using TSK? I assume it involves mounting a loopback
> device..
>
> it seems like you'd want to use /dev/loopX in raiddev per disk
>
> but I'm not sure that:
> mount -ro /evidence/diskimg0 /whocareswhere -t whatevertype -o loop=/dev/loop0, blocksize= (CHUNKSIZE?)
> would be appropriate. Seems like you're mounting the image unnecessarily
> leaving the mounted stub at /whocareswhere when all you really want is to
> tie loop0 to the image...
>
> raiddev /dev/md0
>     raid-level linear
>     nr-raid-disks 2
>     chunk-size 32
>     persistent-superblock 1
>     device /dev/loop0
>     raid-disk 0
>     device /dev/loop1
>     raid-disk 1
>
> Just curious,
>
> -Jessop
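Added example, not part of the original thread: a sketch of the "manually piece together the data" approach for the two simplest layouts, linear (as in the quoted raidtab) and RAID-0 striping, reading the per-disk dd images read-only. The function names, the sample images and the assumptions that member order and chunk size are known and that array data starts at offset 0 of each image are all hypothetical; parity layouts and controller-specific metadata are not handled.

```python
import os
import tempfile

def read_logical(images, offset, length, level="linear", chunk=32 * 1024):
    """Read bytes of the logical array from ordered member images.
    Assumes data starts at offset 0 of every image (no metadata in front)."""
    sizes = [os.path.getsize(p) for p in images]
    handles = [open(p, "rb") for p in images]  # read-only: evidence is never written
    out = bytearray()
    try:
        while length > 0:
            if level == "linear":
                # Linear: members are concatenated in order.
                disk, pos = 0, offset
                while disk < len(sizes) and pos >= sizes[disk]:
                    pos -= sizes[disk]
                    disk += 1
                if disk == len(sizes):
                    break  # past the end of the array
                span = min(length, sizes[disk] - pos)
            elif level == "raid0":
                # RAID-0: fixed-size chunks rotate across equal-sized members.
                index, within = divmod(offset, chunk)
                stripe, disk = divmod(index, len(images))
                pos = stripe * chunk + within
                if pos >= sizes[disk]:
                    break
                span = min(length, chunk - within, sizes[disk] - pos)
            else:
                raise ValueError("unsupported level: " + level)
            handles[disk].seek(pos)
            out += handles[disk].read(span)
            offset += span
            length -= span
    finally:
        for h in handles:
            h.close()
    return bytes(out)

def demo():
    """Two constructed 8-byte member images, read back under both layouts."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, "diskimg%d" % i) for i in range(2)]
        for p, content in zip(paths, [b"AAAABBBB", b"ccccdddd"]):
            with open(p, "wb") as f:
                f.write(content)
        return (read_logical(paths, 0, 16, "linear"),
                read_logical(paths, 0, 16, "raid0", chunk=4),
                read_logical(paths, 6, 4, "linear"),
                read_logical(paths, 2, 4, "raid0", chunk=4))
```

Hashing the reassembled stream and recording the member order and chunk size used keeps the reconstruction repeatable.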