[sleuthkit-users] Examining RAID-5 with only 1 drive
From: DePriest, J. R. <jrd...@gm...> - 2006-11-10 16:50:31
This upcoming Monday, I am going to have to assist in an investigation involving a single drive from a RAID system. The drive was pulled two years ago and neither the original system nor the other drives exist any more. This investigation involves litigation so I have to make sure I use due diligence.

I am only assuming this is RAID-5 since "the other two drives" were mentioned as being discarded. And since both the system and whatever controller was being used are gone, I can't know for sure.

Is it possible for me to get anything useful out of this single drive? Brian's book claims that I might have luck with a simple keyword search, but has anyone had any experience to back it up? I probably cannot discuss what I am looking for per the litigation, but a simple keyword search would be useful and possibly even adequate.

Pulling numbers out of the air, I told the person sending me the drive that there is only a 33% chance that useful information is on this drive and a 67% chance that there is nothing on there. That was just based on RAID-5 taking 3 disks... in retrospect, I realize that those numbers aren't right since RAID-5 can survive while a disk is being replaced.

So, I don't know what I am really asking for except for other people's experiences and advice on this type of investigation.

--
+ + + NO CARRIER
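As an added illustration (not part of the original post), this simulation stripes a constructed volume across a RAID-5 set and runs a raw keyword search against one member image, showing which planted keywords survive on a single drive. The three-disk count, 64-byte stripe unit, parity rotation order, keyword, and planted offsets are all assumptions chosen for the demo.

```python
import random
from functools import reduce

CHUNK = 64   # assumed stripe-unit size (real controllers use far larger units)
DISKS = 3    # assumed member count, from the post's "other two drives"
KEYWORD = b"ACME-INVOICE"  # constructed search term

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_raid5(volume, disks=DISKS, chunk=CHUNK):
    """Stripe a volume over `disks` members with one rotating parity chunk per stripe."""
    per_stripe = (disks - 1) * chunk
    members = [bytearray() for _ in range(disks)]
    roles = [[] for _ in range(disks)]          # "D" or "P" for each chunk on each member
    for s in range(len(volume) // per_stripe):
        stripe = volume[s * per_stripe:(s + 1) * per_stripe]
        data = [stripe[i * chunk:(i + 1) * chunk] for i in range(disks - 1)]
        parity_disk = (disks - 1 - s) % disks   # assumed rotation order
        chunks = iter(data)
        for d in range(disks):
            is_parity = d == parity_disk
            members[d] += reduce(xor, data) if is_parity else next(chunks)
            roles[d].append("P" if is_parity else "D")
    return [bytes(m) for m in members], roles

def find_all(image, keyword):
    """Return every byte offset at which keyword occurs in a raw image."""
    hits, i = [], image.find(keyword)
    while i != -1:
        hits.append(i)
        i = image.find(keyword, i + 1)
    return hits

def make_volume():
    """Constructed 768-byte volume (6 stripes) of random filler with 5 planted keywords."""
    rng = random.Random(2006)
    vol = bytearray(rng.getrandbits(8) for _ in range(6 * (DISKS - 1) * CHUNK))
    for off in (10, 84, 188, 261, 414):         # 188 straddles a chunk boundary
        vol[off:off + len(KEYWORD)] = KEYWORD
    return bytes(vol)

def survey(member=0):
    volume = make_volume()
    members, roles = build_raid5(volume)
    data_fraction = roles[member].count("D") / len(roles[member])
    return find_all(volume, KEYWORD), find_all(members[member], KEYWORD), data_fraction

if __name__ == "__main__": print(survey(0))
```

Under these assumptions two of the five planted keywords are found intact on member 0, the one straddling a stripe-unit boundary is lost, and two thirds of the member's chunks hold plain data rather than parity.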