Authors: Christian Zoubek, Sabine Seufert, Andreas Dewald

DFRWS EU 2016

Abstract

RAID (Redundant Array of Independent Disks) is widely used in storage systems to prevent data loss when a single hard disk suffers a hardware defect and to improve I/O performance. If the RAID controller fails, or in the context of a forensic investigation, the content of the RAID has to be reconstructed from the individual member disks, or rather from images of those disks. Because of the variety of RAID controllers and the many possible implementations and configurations, the parameters needed for reconstruction are often unknown. This may be because the original configuration was simply never documented or, in the forensic case, because the administrator is not cooperating and is unwilling to reveal the configuration. Using the original RAID system in such cases is not an option either, because the original evidence must not be altered. We present a novel approach that automatically detects all parameters needed to reassemble the logical RAID volume, based on block-level entropy measurement and generic heuristics. We also provide a performance-optimized open source implementation of our approach that can then reassemble the entire logical RAID volume and, using the redundancy information present in RAID-5, recover a single missing disk.
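The Python below is an added illustration of the two ideas the abstract names, block-level entropy as a signal for RAID parameters and RAID-5 parity as the means to recover a missing member; it is not the authors' implementation and does not reproduce their heuristics. It builds a three-member array from a constructed low-entropy ASCII volume using an assumed left-symmetric layout (the Linux md default), then "forgets" the parameters and re-derives the stripe size and parity rotation direction from the fact that a parity block, being the XOR of data blocks, has higher entropy than the data blocks beside it and moves to a different disk on every stripe. The scoring function (entropy gap between the top two disks times the share of block boundaries at which the parity disk moves), the function names and the 512-byte stripe are my own choices; data order within a stripe is not detected here. Rebuilding the missing member needs no layout knowledge at all, only the other members.

```python
import math
import random
from collections import Counter

def shannon_entropy(block: bytes) -> float:
    """Bits per byte; a parity block (XOR of data blocks) scores higher than plain data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) if n else 0.0

def xor_all(blocks) -> bytes:
    """Byte-wise XOR of equally sized blocks (the RAID-5 parity operation)."""
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(len(blocks[0]), "big")

def left_symmetric(stripe: int, n_disks: int):
    """[parity, data0, ...] disk order of one stripe, Linux md default (assumed layout)."""
    p = (n_disks - 1) - (stripe % n_disks)      # parity steps down one disk per stripe
    return [p] + [(p + 1 + k) % n_disks for k in range(n_disks - 1)]

def raid5_split(volume: bytes, n_disks: int, stripe_size: int, layout=left_symmetric):
    """Distribute `volume` over n_disks member images (builds the demo's evidence)."""
    per_stripe = (n_disks - 1) * stripe_size
    assert len(volume) % per_stripe == 0, "volume must be a whole number of stripes"
    disks = [bytearray() for _ in range(n_disks)]
    for s in range(len(volume) // per_stripe):
        chunk = volume[s * per_stripe:(s + 1) * per_stripe]
        units = [chunk[k * stripe_size:(k + 1) * stripe_size] for k in range(n_disks - 1)]
        order = layout(s, n_disks)
        placed = {order[0]: xor_all(units)}
        placed.update(zip(order[1:], units))
        for d in range(n_disks):
            disks[d] += placed[d]
    return [bytes(d) for d in disks]

def raid5_assemble(disks, stripe_size: int, layout=left_symmetric) -> bytes:
    """Inverse of raid5_split: concatenate the data units of each stripe in layout order."""
    out = bytearray()
    for s in range(len(disks[0]) // stripe_size):
        for d in layout(s, len(disks))[1:]:
            out += disks[d][s * stripe_size:(s + 1) * stripe_size]
    return bytes(out)

def rebuild_missing(disks):
    """Recompute the one member given as None as the XOR of all others. No layout
    knowledge is needed: parity is positional, so every byte column XORs to zero."""
    missing = [i for i, d in enumerate(disks) if d is None]
    assert len(missing) == 1, "RAID-5 tolerates exactly one missing member"
    rebuilt = xor_all([d for d in disks if d is not None])
    return disks[:missing[0]] + [rebuilt] + disks[missing[0] + 1:]

def parity_disk_per_block(disks, block_size: int):
    """Per block index: disk with the highest-entropy block (parity candidate) and the
    entropy gap to the runner-up (how clearly parity stands out)."""
    hits, gaps = [], []
    for b in range(len(disks[0]) // block_size):
        ents = [shannon_entropy(d[b * block_size:(b + 1) * block_size]) for d in disks]
        top = sorted(range(len(disks)), key=lambda i: ents[i], reverse=True)
        hits.append(top[0])
        gaps.append(ents[top[0]] - ents[top[1]])
    return hits, gaps

def detect_stripe_size(disks, candidates=(256, 512, 1024, 2048, 4096)):
    """Score = (share of block boundaries where the parity disk moves) x (mean gap).
    Too small a size keeps parity on one disk for consecutive blocks (few moves); too
    large a size mixes parity and data within a block (gap collapses)."""
    scores = {}
    for size in candidates:
        hits, gaps = parity_disk_per_block(disks, size)
        if len(hits) < 2:
            continue
        moves = sum(a != b for a, b in zip(hits, hits[1:])) / (len(hits) - 1)
        scores[size] = moves * sum(gaps) / len(gaps)
    return max(scores, key=scores.get), scores

def detect_rotation(disks, stripe_size: int) -> str:
    """'left' if parity steps down one disk per stripe, 'right' if it steps up."""
    hits, _ = parity_disk_per_block(disks, stripe_size)
    n, steps = len(disks), len(hits) - 1
    down = sum((b - a) % n == n - 1 for a, b in zip(hits, hits[1:]))
    up = sum((b - a) % n == 1 for a, b in zip(hits, hits[1:]))
    if down > 0.8 * steps:
        return "left"
    return "right" if up > 0.8 * steps else "unknown"

def constructed_volume(n_bytes: int, seed: int = 7) -> bytes:
    """Constructed low-entropy ASCII filler standing in for real file-system content."""
    rng = random.Random(seed)
    words = ["the", "quick", "brown", "fox", "jumps", "over", "lazy", "dog", "and", "runs"]
    out = bytearray()
    while len(out) < n_bytes:
        out += (rng.choice(words) + " ").encode()
    return bytes(out[:n_bytes])

def demo(n_disks: int = 3, stripe_size: int = 512, stripes: int = 24) -> dict:
    """Build a 3-member array, forget its parameters, re-detect them, rebuild member 1."""
    volume = constructed_volume(stripes * (n_disks - 1) * stripe_size)
    disks = raid5_split(volume, n_disks, stripe_size)
    size, _scores = detect_stripe_size(disks)
    damaged = disks[:1] + [None] + disks[2:]      # member 1 failed or was never imaged
    rebuilt = rebuild_missing(damaged)
    return {"stripe_size": size, "rotation": detect_rotation(disks, size),
            "rebuilt_ok": rebuilt[1] == disks[1],
            "volume_ok": raid5_assemble(rebuilt, size) == volume}
```

Running `demo()` reports the re-detected stripe size (512) and rotation ("left") and confirms that the rebuilt member and the reassembled volume match the originals. The heuristic depends on the data having lower entropy than its XOR, which holds for text, executables and most file-system metadata but not for already-encrypted or compressed volumes, where parity and data blocks are indistinguishable by entropy alone; the parity rebuild, by contrast, works on any content.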
