RAID With Parity: Reassembly and Image Acquisition
Hi there!
Welcome back to Plug, Image, Repeat, the monthly newsletter where we share practical tips and tricks to improve your experience in digital forensics. We’re glad you’re here.??
Our previous issues covered the primary RAID types. In this one, we will explore how to acquire data from RAIDs with redundancy. We will focus on the concept of parity, which is a crucial aspect of redundancy.
There are four classic types of RAIDs that use parity drives or blocks: RAID 3, RAID 4, RAID 5, and RAID 6.
1?? What is parity?
Parity is additional information that is calculated and stored along with the user's data before it is written to the disk. Parity is used to ensure the accuracy of the stored data and can also be used to reconstruct missing data if some of the data becomes unreadable, for example, due to a drive failure.??
??Here is a comparison:
2??Block order, symmetric, and asymmetric
Block order and parity placement are crucial parameters in RAID configurations like RAID 5 and RAID 6.
The Block order parameter defines the layout (or pattern), in which RAID logical blocks (“stripes”) are distributed among the devices in the array. It is the sequence of writing data and parity blocks across the RAID members and depends on:
For RAID 5, the Block order parameter can be:
Left and right arrays refer to how parity blocks are allocated among the disks in a RAID configuration. Whereas synchronicity and asynchronicity describe the order in which data blocks are processed within the RAID system.
Unlike RAID 5, RAID 6 uses not one, but two types of parity blocks. The Parity block order parameter defines, which parity block type comes first and which follows:
In addition to standard RAID types, you may encounter enhanced ones.
4??Enhanced RAID Types
RAID configurations, such as RAID 5E, RAID 5EE, and RAID 6E, include an 'E' to stand for Enhanced, indicating that they include spare blocks in the array. These types are uncommon and not supported by all RAID controllers. For this reason, we provide just a brief explanation of their configuration.
Since we've covered the basics of RAID configurations, let's try to retrieve our data. ?
5??Acquiring Data from RAID 3 and RAID 4
RAID 3 and RAID 4 are not widely used. To recover data from these two types we recommend using UFS Explorer software.?
Please note:?
It also enables the independent creation of various RAID configurations, including RAID 0, 1, 1E, 5, 6, 50, and 60, and the adjustment of their parameters such as parity distribution and stripe size.?
If you are dealing with RAID 4, you can also use DiskInternals RAID Recovery.
Here's how it appears in the interface. ??
6??Acquiring Data from RAID 5
RAID 5 is one of the most common RAID implementations. During our preparation for this issue, we came across several quotes from the Discord Digital Forensic server dedicated to problems with reassembling RAID 5.?
“Hello gang, is there a tool that could help me find the order of a RAID 5? Thank you”
“Hi guys! Searching for help here. I am working on a case when I'll have to retrieve data on 3 corrupted disks mounted in RAID 5.“
“Hello everyone, Has anyone already performed data recovery on a Simplivity RAID (pre-HPE acquisition) ? In our case, we have a RAID 5 (5x1,92To SAS SSD) + 1 SAS SSD for the OS where we found a corrupted Omnistack VM.”
Atola TaskForce's automatic RAID type detection module is its main advantage when working with RAID 5. This module uses heuristic algorithms to seamlessly identify the appropriate device order, block size, and block order from millions of possible configurations. There are no additional steps required by the user.
Currently Atola TaskForce 2 imagers reassemble and image RAID 5 with:?
When the Autodetection module parses the data on the drives to identify the RAID configuration and encounters errors, error tags are displayed next to the respective RAID member. Despite the errors on drives, TaskForce 2 is able to mount the partitions for preview.
Even if one drive is missing, Atola TaskForce can assemble RAID 5. Simply Add missing device button and the device will do the rest.?
7?? Acquiring Data From RAID 6
If you are dealing with RAID 6, Atola TaskForce also comes in handy. You can automatically detect all parameters of a RAID 6 array, preview its contents, and then create its full physical image or perform logical imaging of only selected partitions, folders, and files.
Currently, Atola TaskForce 2 reassembles and images RAID 6 with:?
RAID 6 uses two parity blocks, allowing Atola TaskForce to automatically reassemble and image an array even if two of its members are damaged or missing.
?See how it works:
That's all! Now that you understand how RAID with parity works in practice, it's time to practice what you've learned.
Happy investigating!??
Previous episodes:
Thank you for joining us for this edition of Plug, Image, Repeat! Make sure you never miss an issue by clicking the "Subscribe"?? button in the upper right corner of the page. For more articles and insights, visit our website. If you have any questions, please ask us or send them using the comments section below.