We just presented our Paper “Generic RAID Reassembly using Block-Level Entropy” at the DFRWS EU 2016 digital forensics conference (http://www.dfrws.org/). The article is about a new approach that we developed for forensic RAID recovery. Our technique calculates block-wise entropy all over the disks and uses generic heuristics on those to detect all the relevant RAID parameters such as stripe size, stripe map, disk order, and RAID type, that are needed to reassemble the RAID and make the data accessible again for forensic investigations (or just for data recovery).
We developed an open source implementation of our approach that is freely available at https://www1.cs.fau.de/content/forensic-raid-recovery/. The tool is able to recover RAID 0, RAID 1 and RAID 5 volumes from the single disks or disk images.
It is also able to recover a missing or failed disk in case of RAID 5 systems from the RAID redundancy information.
RAIDs (Redundant Array of Independent Disks) are widely used in storage systems to prevent data loss in case of hardware defects on a hard disk and to improve I/O performance.
In case the RAID controller fails or in the context of a forensic investigation, the content of the RAID has to be reconstructed from the single disks or rather from disk images.
Due to the variety of RAID controllers and various implementation and configuration possibilities, different parameters that are necessary for reconstruction are often unknown.
This might be the case because the original configuration just has not been documented or in the forensic case, the administrator might not be cooperating and not willing to reveal the configuration.
Using the original RAID system in such cases is not an option, too, because the original evidence should not be altered.
We present a novel approach to automatically detect all parameters to reassemble the logical RAID volume based on block level entropy measurement and generic heuristics.
We also provide a performance-optimized open source implementation of our approach that is also able to afterwards reassemble the entire logical RAID volume and to further recover single missing disks using the redundancy information as present in RAID-5.
We put our presentation slides from the conference here:
The full paper is also publicly accessible here:
And again, the source code of our tool is available here: