
RAID Arrays

Content Leader: Jess Garcia - Last Updated: March 10, 2007


RAID Acquisitions & Working with RAID Images

RAID Arrays can be acquired in two different ways:

  • As individual disks
  • As a whole disk, using the RAID Interface

If the array is acquired as individual disks, the forensic tools used must be able to reconstruct the whole array from the individual images. Most commercial forensic suites can do this, and pyFlag's iowrapper can provide a wrapper for the tools that cannot (see References below).
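The following added example (not pyFlag's iowrapper and not code from this page) sketches what such a reconstruction does: it maps logical chunks onto member images for RAID-0 and RAID-5, and rebuilds a RAID-5 member that could not be imaged from the XOR of the others. The function names, the left-symmetric parity layout, the member order, the chunk size and the absence of on-disk metadata offsets are all assumptions that must be established for a real array.

```python
import io
from functools import reduce
from operator import xor

def locate(chunk_no, n_disks, level):
    """Map a logical chunk number to (member index, row on that member)."""
    if level == 0:
        return chunk_no % n_disks, chunk_no // n_disks
    # RAID-5 left-symmetric (assumed layout): parity starts on the last
    # member and moves back one member per row; data follows the parity.
    row, d = divmod(chunk_no, n_disks - 1)
    parity = (n_disks - 1) - (row % n_disks)
    return (parity + 1 + d) % n_disks, row

def read_chunk(members, idx, row, chunk):
    """Read one chunk; if that member is missing (None), rebuild it by XOR."""
    def raw(m):
        m.seek(row * chunk)
        return m.read(chunk)
    if members[idx] is not None:
        return raw(members[idx])
    others = [raw(m) for i, m in enumerate(members) if i != idx]
    return bytes(reduce(xor, col) for col in zip(*others))

def reconstruct(members, chunk, level, length):
    """Return the first `length` bytes of the logical volume."""
    missing = members.count(None)
    if missing > (1 if level == 5 else 0):
        raise ValueError("too many missing members for this RAID level")
    out = bytearray()
    chunk_no = 0
    while len(out) < length:
        idx, row = locate(chunk_no, len(members), level)
        data = read_chunk(members, idx, row, chunk)
        if not data:            # ran past the end of the member images
            break
        out += data
        chunk_no += 1
    return bytes(out[:length])

def sample_raid5():
    """Constructed 3-member RAID-5 set with 4-byte chunks (not real evidence)."""
    p = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
    d0 = b"AAAA" + b"DDDD" + p(b"EEEE", b"FFFF")
    d1 = b"BBBB" + p(b"CCCC", b"DDDD") + b"EEEE"
    d2 = p(b"AAAA", b"BBBB") + b"CCCC" + b"FFFF"
    return [io.BytesIO(d) for d in (d0, d1, d2)]

if __name__ == "__main__":
    degraded = sample_raid5()
    degraded[1] = None          # simulate a member that could not be imaged
    print(reconstruct(degraded, 4, 5, 24))
```

On real evidence the members would be the acquired image files opened read-only, and a wrong member order or chunk size shows up as a volume whose filesystem structures do not parse.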

References

  • RAID Reconstruction And the search for the Aardvark - Dr. Michael Cohen - LCA 2005 Security Miniconf
    This presentation explains how to access RAID arrays acquired as individual disk images as if they were standard dd images, using pyFlag's iowrapper utility and a technique known as library hooking. The advantage is that it is no longer necessary to acquire the RAID array as a whole: individual disk images can be acquired independently, which makes it possible to parallelize the acquisition of multiple disks or to use high-performance acquisition tools (such as LogiCube).

RAID Recovery

Tools

References


Copyright © 2000-2008 Jessland - Jess Garcia's Website - All rights reserved.