Re: [sleuthkit-users] recombine raid images with loopback?
From: farmer d. <far...@ya...> - 2006-02-02 05:11:01
Jessop and Dave,

RAID acquisitions and analysis are a different beast than stand-alone systems. Identifying, acquiring, and analyzing RAIDs require a bit of knowledge, a bit of skill, and a bit of space. I've been quite successful in identifying, acquiring, and analyzing RAID arrays using Linux and associated components and programs. This is something covered in advanced training courses in detail - either my own or ASR Data's. I've used both the SMART Linux Boot CD and THE FARMER'S BOOT CD for this. SMART for Linux, the program, has a nice graphical RAID Reconstructor utility to assist those who don't know the RAID schematics for the system they're looking to analyze.

I would recommend acquiring every disk individually, a physical image. Acquiring only the RAID array may leave a lot of data behind. I would make certain whatever tool you use to acquire doesn't activate the RAID array.

While you're there, at the system, get ALL the information you need before leaving: RAID level, stripe size, parity, etc. THIS is the information you will NEED to build your software RAID array. Hardware RAID systems typically include this in the tools available at boot time. Software RAID systems contain this information in the RAID superblock. I dissected the superblock for my advanced training class and found it to provide the needed information for reconstruction later. Note that this superblock has grown from the 2.4 kernel to the 2.6 kernel.

I don't know if this helps or not, but I hope it does. You can use Linux to acquire and analyze RAID arrays. Physical disk images are what you want. If you use mdadm you don't need a RAIDTAB file, and I would strongly recommend *not* defining '/etc/raidtab'.

regards,

farmerdude

--- Dave Gilbert <all...@ya...> wrote:

> Jessop,
>
> The way you're describing your image operation (imaging each disk
> individually) will likely not work. I've tried it in the wild and it
> just doesn't work (unless you're prepared to manually piece together
> the data, depending on the RAID config, BTW, I've tried that too with
> varying levels of success...not fun). I haven't done much acquisition
> lately, but I believe the best way to go about it is to boot the to be
> imaged system with a Linux distro packaged for acquisition, such as
> Helix or perhaps Farmerdude's CD. Essentially what's needed is an
> acquisition of the RAID as a device, i.e., grabbing an image of the
> data spanned across the drives in one image, 2nd i.e., as if the RAID
> is just a big drive. Obviously, speed of success will be dependent on
> whether or not your particular Linux boot CD distro has a suitable
> RAID driver and can 'see' the RAID. You can force the issue by
> manually adding a device and installing drivers. I've seen this done,
> but couldn't begin to accurately describe the process in detail. The
> bottom line is a need to image the 'RAID', not the drives. I hope this
> can get you started.
>
> Dave Gilbert
>
> --- J B <je...@ad...> wrote:
>
> > Suppose you have a raid of 8 9GIG disks. You have imaged each disk
> > using dd so that you have diskimg0 ... diskimg7
> >
> > What's the best way to mount this group of images in software so
> > that you can then operate on it using TSK? I assume it involves
> > mounting a loopback device..
> >
> > It seems like you'd want to use /dev/loopX in raiddev per disk,
> > but I'm not sure that:
> >
> >     mount -ro /evidence/diskimg0 /whocareswhere -t whatevertype -o loop=/dev/loop0, blocksize= (CHUNKSIZE?)
> >
> > would be appropriate. Seems like you're mounting the image
> > unnecessarily, leaving the mounted stub at /whocareswhere when all
> > you really want is to tie loop0 to the image...
> >
> >     raiddev /dev/md0
> >     raid-level linear
> >     nr-raid-disks 2
> >     chunk-size 32
> >     persistent-superblock 1
> >     device /dev/loop0
> >     raid-disk 0
> >     device /dev/loop1
> >     raid-disk 1
> >
> > Just curious,
> >
> > -Jessop
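The procedure the thread circles around (tie each dd image to its own loop device, assemble the software RAID with mdadm rather than a raidtab, then hand the md device to TSK) as an added worked example; this is not code from the thread or from Sleuth Kit. It only prints the commands, so the plan can be reviewed before piping it to `sudo sh`. Assumed and not stated in the thread: device names /dev/loopN and /dev/md0, the image paths under /evidence from Jessop's question, image paths without spaces, and that mdadm's build mode is limited to the non-parity levels (linear, raid0, raid1, raid10); arrays with a persistent md superblock are assembled from that superblock instead, as farmerdude describes.

```shell
#!/bin/sh
# Added example (not from the sleuthkit-users thread). Emits the commands that
# attach per-disk dd images as READ-ONLY loop devices and assemble them into a
# Linux software RAID with mdadm, with no /etc/raidtab, so TSK can work on the
# reassembled volume. Nothing is executed here; review, then: ... | sudo sh
#
# Assumptions (hypothetical, not from the thread): /dev/loopN and /dev/md0 are
# free, image paths contain no spaces, and mdadm build mode accepts only the
# non-parity levels listed in BUILD_LEVELS.

BUILD_LEVELS="linear 0 raid0 1 raid1 10 raid10"

# emit_assembly LEVEL CHUNK_KB SUPERBLOCK IMAGE...
#   LEVEL       md level the array was created with (linear, 0, 1, 5, ...)
#   CHUNK_KB    chunk (stripe) size in KiB, as recorded at the scene
#   SUPERBLOCK  "yes" if the disks carry a persistent md superblock, else "no"
#   IMAGE...    physical disk images, in the on-array disk order
emit_assembly() {
    level=$1; chunk=$2; superblock=$3; shift 3
    ndisks=$#
    i=0
    devs=""
    for img in "$@"; do
        # read-only loop: whatever md does, the evidence files are not written
        echo "losetup --read-only /dev/loop$i $img"
        devs="$devs /dev/loop$i"
        i=$((i + 1))
    done

    if [ "$superblock" = yes ]; then
        # Superblock present: mdadm reads level, chunk and disk order from it,
        # and --readonly keeps it from updating that superblock on start.
        echo "mdadm --assemble --readonly /dev/md0$devs"
    else
        # No superblock: the geometry must be supplied by hand, and build mode
        # cannot express parity layouts, so refuse rather than guess.
        allowed=0
        for l in $BUILD_LEVELS; do
            [ "$level" = "$l" ] && allowed=1
        done
        if [ "$allowed" -ne 1 ]; then
            echo "level $level needs a superblock or a RAID reconstruction tool" >&2
            return 1
        fi
        echo "mdadm --build /dev/md0 --level=$level --raid-devices=$ndisks --chunk=$chunk$devs"
        # Misc-mode flag that marks the running array read-only.
        echo "mdadm --readonly /dev/md0"
    fi

    # TSK sees the array as one big drive: list its partition table first,
    # then e.g. fls -o <offset> /dev/md0 for a volume found by mmls.
    echo "mmls /dev/md0"
}

# Jessop's two-disk linear array from the raidtab above, superblock present:
#   emit_assembly linear 32 yes /evidence/diskimg0 /evidence/diskimg1
```

The function prints, in order, one losetup line per image, the mdadm line, and the mmls call; for an array without a superblock it exits non-zero on a parity level instead of emitting a build command, since a wrong guess at parity rotation silently produces a wrong volume.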