Re: [sleuthkit-users] Examining RAID-5 with only 1 drive
From: Simson L. Garfinkel's T. 7. <si...@ac...> - 2006-11-10 21:24:24
...... Original Message .......
On Fri, 10 Nov 2006 09:39:28 -0800 "Colby Gutierrez-Kraybill" <co...@ge...> wrote:
>
>On Nov 10, 2006, at 8:50 AM, DePriest, Jason R. wrote:
>
>>
>> I am only assuming this is RAID-5 since "the other two drives" were
>> mentioned as being discarded.
>>
>
>It could be from a RAID-3, and if it's the parity drive from that set,
>then the chance of getting anything useful off of it is 0%. If it's
>one of the other disks from the RAID-3, then chances are about 50%
>in the best case (see data block size vs actionable data below).

Who uses RAID-3? Most controllers don't even support it...

>
>>
>> Is it possible for me to get anything useful out of this single drive?
>>
>
>Yes.
>
>> Brian's book claims that I might have luck with a simple keyword
>> search, but has anyone had any experience to back it up?
>>
>
>Not directly, no.
>
>If you're lucky, and it really is from a RAID-5 set, and the block
>size was set to something large, like say 64KB, and the information
>you're looking for was plain text, then the chances are better that
>you'll find enough data intact to pass along. If the blocks are
>smaller, then chances are slimmer. It depends on what size
>of data block is actionable for the court case. If it's under
>4KB (which is the usual default block size) then I'd say the
>33/67 breakdown is close enough. If larger, then the 33%
>chance must shrink.
>
>
>> I probably cannot discuss what I am looking for per the litigation,
>> but a simple keyword search would be useful and possibly even
>> adequate.
>>
>
>Huzzah!
>
>> Pulling numbers out of the air, I told the person sending me the drive
>> that there is only a 33% chance that useful information is on this
>> drive and a 67% chance that there is nothing on there.
>>
>> That was just based on RAID-5 taking 3 disks... in retrospect, I
>> realize that those numbers aren't right since RAID-5 can survive while
>> a disk is being replaced.
>>
>
>It can only survive if there are at least two remaining members (out
>of three)
>because the data on the missing disk can be recovered based on the data
>and parity information from the other two. Having just one disk doesn't
>help at all.
>
>> So, I don't know what I am really asking for except for other people's
>> experiences and advice on this type of investigation.
>>
>
>Not much help really. Mostly trying to set expectations.
>
>- Colby
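
The keyword-search question in this thread, as an added example that is not part of any poster's message: it stripes a constructed 48-byte volume across three RAID-5 members and searches each member on its own, showing that a keyword lying inside one chunk stays findable while one straddling a chunk boundary does not. The left-symmetric parity rotation, the 8- and 16-byte chunk sizes and the sample keyword are assumptions chosen to keep the layout readable.

```python
import re

def raid5_members(volume: bytes, chunk: int, disks: int = 3) -> list[bytes]:
    """Split a volume into RAID-5 member images (left-symmetric layout assumed)."""
    stripe = chunk * (disks - 1)                  # data bytes per stripe
    volume += b"\0" * (-len(volume) % stripe)     # pad the last stripe
    members = [bytearray() for _ in range(disks)]
    for s in range(len(volume) // stripe):
        base = s * stripe
        data = [volume[base + i * chunk: base + (i + 1) * chunk]
                for i in range(disks - 1)]
        parity = bytearray(chunk)
        for d in data:                            # parity = XOR of the data chunks
            parity = bytearray(a ^ b for a, b in zip(parity, d))
        pdisk = (disks - 1 - s) % disks           # parity moves one disk per stripe
        members[pdisk] += parity
        for i, d in enumerate(data):              # data follows the parity disk
            members[(pdisk + 1 + i) % disks] += d
    return [bytes(m) for m in members]

def keyword_offsets(image: bytes, keyword: bytes) -> list[int]:
    """Byte offsets of every keyword hit in a raw image."""
    return [m.start() for m in re.finditer(re.escape(keyword), image)]

def constructed_volume() -> bytes:
    """Constructed sample: filler bytes with the keyword at four known offsets."""
    vol = bytearray(b"." * 48)
    for off in (1, 10, 21, 41):                   # offset 21 straddles an 8-byte chunk boundary
        vol[off:off + 6] = b"SECRET"
    return bytes(vol)

if __name__ == "__main__":
    vol = constructed_volume()
    print("whole volume:", keyword_offsets(vol, b"SECRET"))
    for chunk in (8, 16):
        for n, image in enumerate(raid5_members(vol, chunk)):
            print(f"chunk={chunk} member {n}:", keyword_offsets(image, b"SECRET"))
```

Offsets reported for a member are physical offsets on that disk, not positions in the original volume.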