Re: [sleuthkit-users] Examining RAID-5 with only 1 drive
From: Colby Gutierrez-K. <co...@ge...> - 2006-11-10 17:39:35
On Nov 10, 2006, at 8:50 AM, DePriest, Jason R. wrote:

> I am only assuming this is RAID-5 since "the other two drives" were
> mentioned as being discarded.

It could be from a RAID-3, and if it's the parity drive from that set, then the chance of getting anything useful off of it is 0%. If it's one of the other disks from the RAID-3, then chances are about 50% in the best case (see data block size vs actionable data below).

> Is it possible for me to get anything useful out of this single drive?

Yes.

> Brian's book claims that I might have luck with a simple keyword
> search, but has anyone had any experience to back it up?

Not directly, no. If you're lucky, and it really is from a RAID-5 set, and the block size was set to something large, like say 64KB, and the information you're looking for was plain text, then the chances are better that you'll find enough data intact to pass along. If the blocks are smaller, then chances are slimmer. It depends on what size of data block is actionable for the court case. If it's under 4KB (which is the usual default block size) then I'd say the 33/67 breakdown is close enough. If larger, then the 33% chance must shrink.

> I probably cannot discuss what I am looking for per the litigation,
> but a simple keyword search would be useful and possibly even
> adequate.

Huzzah!

> Pulling numbers out of the air, I told the person sending me the drive
> that there is only a 33% chance that useful information is on this
> drive and a 67% chance that there is nothing on there.
>
> That was just based on RAID-5 taking 3 disks... in retrospect, I
> realize that those numbers aren't right since RAID-5 can survive while
> a disk is being replaced.

It can only survive if there are at least two remaining members (out of three) because the data on the missing disk can be recovered based on the data and parity information from the other two. Having just one disk doesn't help at all.

> So, I don't know what I am really asking for except for other people's
> experiences and advice on this type of investigation.

Not much help really. Mostly trying to set expectations.

- Colby
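
The chunk-size and parity points discussed in this message can be seen on a small model. The following is an added example, not part of the original message or of The Sleuth Kit; the 16-byte chunk size, the parity rotation, the function names and the sample volume are all constructed assumptions.

```python
# Constructed model of a 3-member RAID-5 set; chunk size and parity rotation are assumptions.
CHUNK = 16  # tiny chunk so the effect is visible; real sets use e.g. 4KB-64KB

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_raid5(data, chunk=CHUNK):
    """Split data into stripes of two data chunks plus one rotating parity chunk."""
    disks = [bytearray(), bytearray(), bytearray()]
    stripe_len = 2 * chunk
    data = data.ljust(-(-len(data) // stripe_len) * stripe_len, b"\0")
    for s in range(len(data) // stripe_len):
        d0 = data[s * stripe_len : s * stripe_len + chunk]
        d1 = data[s * stripe_len + chunk : (s + 1) * stripe_len]
        parity_disk = (2 - s) % 3  # parity moves to a different member each stripe
        chunks = iter((d0, d1))
        for i in range(3):
            disks[i] += xor(d0, d1) if i == parity_disk else next(chunks)
    return [bytes(d) for d in disks]

def rebuild_missing(a, b):
    """With two of three members, XOR restores the third (data and parity chunks alike)."""
    return xor(a, b)

def disks_containing(disks, keyword):
    """Indices of the members on which a raw keyword search would hit."""
    return [i for i, d in enumerate(disks) if keyword in d]

def sample_array():
    """Constructed 96-byte volume: one keyword inside a chunk, one across a chunk boundary."""
    vol = bytearray(b"." * 96)
    vol[34:47] = b"ALPHA-KEYWORD"   # fits inside the chunk at bytes 32-47
    vol[10:23] = b"BRAVO-KEYWORD"   # straddles the chunk boundary at byte 16
    return bytes(vol), build_raid5(bytes(vol))

if __name__ == "__main__":
    vol, disks = sample_array()
    print("intact keyword on members:", disks_containing(disks, b"ALPHA-KEYWORD"))
    print("split keyword on members: ", disks_containing(disks, b"BRAVO-KEYWORD"))
    print("rebuild from two members ok:", rebuild_missing(disks[1], disks[2]) == disks[0])
```

In this model the keyword that fits inside one chunk is searchable on exactly one member, while the keyword that crosses a chunk boundary is present in the volume but on no single member.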