Re: [sleuthkit-users] Examining RAID-5 with only 1 drive
From: <rob...@us...> - 2006-11-10 17:48:05
Let me try that again... Raid 0 (striped, no parity), not raid 1 (mirroring) :)

ROBERT C. CIPRIANI
1LT, SC, FLARNG
XO, A/146TH SIG BN
"VOICE OF COMMAND"
H:(813) 333-2676
W:(727) 329-2000 x74264

"Whenever you do a thing, act as if all the world were watching." - Thomas Jefferson

----- Original Message -----
From: Colby Gutierrez-Kraybill <co...@ge...>
Date: Friday, November 10, 2006 12:39 pm
Subject: Re: [sleuthkit-users] Examining RAID-5 with only 1 drive

> On Nov 10, 2006, at 8:50 AM, DePriest, Jason R. wrote:
>
> > I am only assuming this is RAID-5 since "the other two drives" were
> > mentioned as being discarded.
>
> It could be from a RAID-3, and if it's the parity drive from that set,
> then the chance of getting anything useful off of it is 0%. If it's
> one of the other disks from the RAID-3, then chances are about 50%
> in the best case (see data block size vs actionable data below).
>
> > Is it possible for me to get anything useful out of this single drive?
>
> Yes.
>
> > Brian's book claims that I might have luck with a simple keyword
> > search, but has anyone had any experience to back it up?
>
> Not directly, no.
>
> If you're lucky, and it really is from a RAID-5 set, and the block
> size was set to something large, like say 64KB, and the information
> you're looking for was plain text, then the chances are better that
> you'll find enough data intact to pass along. If the blocks are
> smaller, then chances are slimmer. It depends on what size
> of data block is actionable for the court case. If it's under
> 4KB (which is the usual default block size) then I'd say the
> 33/67 break down is close enough. If larger, then the 33%
> chance must shrink.
>
> > I probably cannot discuss what I am looking for per the litigation,
> > but a simple keyword search would be useful and possibly even
> > adequate.
>
> Huzzah!
>
> > Pulling numbers out of the air, I told the person sending me the drive
> > that there is only a 33% chance that useful information is on this
> > drive and a 67% chance that there is nothing on there.
> >
> > That was just based on RAID-5 taking 3 disks... in retrospect, I
> > realize that those numbers aren't right since RAID-5 can survive while
> > a disk is being replaced.
>
> It can only survive if there are at least two remaining members (out
> of three) because the data on the missing disk can be recovered based
> on the data and parity information from the other two. Having just one
> disk doesn't help at all.
>
> > So, I don't know what I am really asking for except for other people's
> > experiences and advice on this type of investigation.
>
> Not much help really. Mostly trying to set expectations.
>
> - Colby
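
The constraints discussed in this thread (one third of a 3-disk RAID-5 member is parity, an intact run of original data is at most one stripe unit long, and any two members rebuild the third) can be simulated; the following Python is an added illustration, not part of the original messages. The left-symmetric parity rotation, the function names and the sample records are assumptions constructed for the example.

```python
from functools import reduce

def build_raid5(data: bytes, chunk: int, ndisks: int = 3):
    """Stripe data over ndisks members with rotating XOR parity.
    Returns (disks, kinds); kinds[d][k] is 'P' or 'D' for chunk k of member d.
    Left-symmetric rotation is assumed here; real controllers vary."""
    per_stripe = (ndisks - 1) * chunk
    data += b"\0" * (-len(data) % (per_stripe * ndisks))  # pad to a full rotation
    disks = [bytearray() for _ in range(ndisks)]
    kinds = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        base = s * per_stripe
        units = [data[base + j * chunk: base + (j + 1) * chunk]
                 for j in range(ndisks - 1)]
        parity = bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*units))
        pdisk = (ndisks - 1 - s) % ndisks          # parity moves one disk per stripe
        disks[pdisk] += parity
        kinds[pdisk].append("P")
        for j, unit in enumerate(units):
            d = (pdisk + 1 + j) % ndisks
            disks[d] += unit
            kinds[d].append("D")
    return disks, kinds

def survey_member(data: bytes, keyword: bytes, chunk: int, member: int = 0):
    """Count keyword hits that survive intact on a single member."""
    disks, kinds = build_raid5(data, chunk)
    hits = 0
    for k, kind in enumerate(kinds[member]):
        if kind == "D":                            # count only chunks holding original data
            hits += disks[member][k * chunk:(k + 1) * chunk].count(keyword)
    return {"parity_fraction": kinds[member].count("P") / len(kinds[member]),
            "hits": hits, "total": data.count(keyword)}

def rebuild_missing(a: bytes, b: bytes) -> bytes:
    """With two of three members present, XOR yields the third."""
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample data: 900 fixed-format records, each containing the keyword once.
SAMPLE = b"".join(b"rec%05d ACME-SECRET payload\n" % i for i in range(900))
KEYWORD = b"ACME-SECRET"

if __name__ == "__main__":
    for chunk in (8, 512, 4096):
        print(chunk, survey_member(SAMPLE, KEYWORD, chunk))
```

With a stripe unit shorter than the keyword no hit survives on a lone member, while a 4096-byte unit leaves a share of the hits intact.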