Rebuilding Hardware Raid in EnCase 7/8

Recently I needed to rebuild a hardware RAID within EnCase from physical images of the component disks. Some years ago this was a common task which I did on a regular basis, and could achieve with my eyes closed.

Back then my principal analysis tool was EnCase 6 and the method of rebuilding a RAID was relatively straightforward, the required menus and options were in a logical enough location, but of course with the advent of EnCase 7 Guidance made every effort to hide functionality and generally make our lives more difficult.

More recently, I think I have probably only had to rebuild a hardware RAID probably four or five times in the last 3 years, each time I have spent significantly longer trying to remember where Guidance saw fit to hide the menu item than I did in assessing the RAID and rebuilding it. This time I have James Habben (@JamesHabben) to thank for reminding me where I needed to look within EnCase.

In any event, as one George W. Bush once said, "fool me once, shame on — shame on you. Fool me — you can't get fooled again”, so I have committed to documenting the required process for future googlers, and indeed myself in probably 12 months time.

A few points before I get into the process:
  • There are a number of ways to skin this cat, my intention in this post is just to cover the mechanics of rebuilding the RAID in EnCase 7/8. I will likely follow up with a post which covers one method to identify the RAID configuration if this is unknown, but it is out of scope for today.
  • Rebuilding a software RAID is much simpler, and much better documented. If you are dealing with a Windows software RAID then the following will get you on the right path to rebuilding it in EnCase:
  • The images I have to hand and therfor the process as demonstrated in the examples in this post are the simplest situation: a two disk RAID-0 with known stripe size. The process doesn't change dramatically for more complex RAID setups. 
  • And finally, X-Ways Forensics is significantly better/ easier for rebuilding RAIDs. It was 8 years ago, this hasn't changed, in fact X-Ways hasn't improved in this area to my knowledge just EnCase has somehow become worse at it.

Recreating the RAID in EnCase 7/8

Launch EnCase (7 or 8), create a new case, and add your physical images as evidence items via either 'Add Evidence File' for E01, Ex01, vmdk, or vhd or via 'Add Raw Image' for RAW/DD images, per the below screenshots:

EnCase 7 and EnCase 8 Adding Evidence Items

Technically you can perform this same set of actions on two or more physical devices connected to your analysis system with the 'Add Local Device' functionality too.

Once the images are added, you should be in the 'Evidence Tab' with the individual items visible, per the below screenshot. 

Component Disks added as Evidence items in EnCase

Within EnCase 7, the Super Top Secret menu item you require is located via pressing the down arrow in the far right hand corner of the Evidence Tab toolbar. This is the center of the three down arrows on the right hand side.

You know, the down arrow.

I for one don't understand why people find it so hard to find...

Selecting the down arrow presents you with the following menu, from which you need to select 'Create Disk Configuration...'

Create Disk Configuration... menu option

Unfortunately, word got back to guidance that a small group of 5-10 users had actually managed to locate and use the 'Create Disk Configuration...' functionality and as such they made changes to hide it again come the release of EnCase 8. The same menu item is now contained within the dropdown menu denoted with a cog.

EnCase 8

The remainder of the steps are consistent between 7 and 8, so screenshots will be limited to those of 7 as it is the less offensive of the two interfaces. We need to configure the RAID within the newly opened 'Disk Configuration' window:
Disk Configuration Window

Name the RAID
Enter a name for your RAID in the top left text entry box.

Select the RAID Type if known
Select the type of RAID you are rebuilding from the Disk Configuration list on the left of the window, these translate as follows:

Stripe = RAID0
Mirror = RAID1
RAID-5  - See below
Span = JBOD
Simple = JBOD, mab
RAID-5 Symmetric - See below
RAID-5 Solaris = Pass, one assumes Solaris employed a funky RAID-5 implementation
RAID-5 Asymmetric - See below
RAID-1E (https://en.wikipedia.org/wiki/Non-standard_RAID_levels#RAID_1E)

The various RAID-5 options relate to different implementations of RAID-5 the key difference is where the parity stripe is located in each pass. A helpful reference can be found here. Once upon a time a DR Engineer who specialised in damaged RAID Recovery taught me how to use the 'RCDC' signature within an NTFS journal, an excel spreadsheet and some basic deduction to determine exactly what RAID configuration and stripe size you are dealing with but to be honest once I have sussed out the stripe size I normally try RAID-5 first, then RAID-5 Symmetric and RAID-5 Asymmetric until it works.

In the event that I was unsure of the RAID configuration or disk order my process used to be to determine the stripe size using this method then use X-Ways to allow for expedient trial and error. These days RAID Reconstructor can do a lot of the hard work for you. I will likely cover RAID Reconstructor in a follow up post.

Add Component Devices

Order matters here, so if you happen to know the order the drives came out of the RAID device start there, otherwise RAID Reconstructor can help you figure it out.

Right click inside the 'Component Devices' area and select the first disk, if you have a known offset on the drive before the RAID starts you will need to change the Start Sector and Total Sectors to reflect this.

Adding Component Devices

The Total Sectors will automagically be populated with the total number of sectors in your image, however if you amend the Start sector you will need to reduce the Total Sectors value by the same amount or you will receive an error. Again, if you do not know whether there is an offset, RAID Reconstructor will be able to assist. Press OK to add the disk

Repeat this process for each of the disks (in order), you cannot reorder the disks once they have been added. You will need to delete them and re-add.

Note that if you have a RAID-5 (or another RAID config with redundancy) and you are missing a disk it is possible to add a Null Device. Simply Right Click, select New then check the 'Create Null Device' option. This will cause the image selection to grey out and pressing OK will add a Null Device:

Adding a Null Device

Stripe Size
Once you are happy with your added disks and order you can set the stripe size. Make sure to note that the size requested here is in KB, not sectors or bytes. If your config information (as provided by the system owner, found in RAID BIOS or via RAID Reconstructor) is not in KB then you will need to do a calculation to determine the appropriate value.

Once you are happy with your configuration, select 'OK'. A new evidence item, named per your chosen name will be added. In this case we have named our RAID 'Demo'.

Selecting that evidence item will cause EnCase to open it, and with any luck interpret the filesystem, parse the MFT etc.

In the event that you have made an error, you will likely find the device opens with nofile system It is time to go back to the evidence pane, select the checkbox for the RAID, use the same drop-down menu and select 'Edit Disk Configuration...':

Edit Disk Configuration Menu
You may need to repeat this process a few times if you are trying to guess a config. As previously mentioned, the process of brute forcing config in this way is somewhat easier in X-Ways so if you have a licence available maybe use that for your testing. Furthermore, much of the guesswork can be removed with the use of RAID Reconstructor.

Hopefully this post helps a few people find the right menu item when attempting to rebuild / de-RAID a hardware RAID within EnCase, or at the very least here's hoping I remember this post when I next forget how to do it!


Installing SIFT Workstation under Windows Subsystem for Linux


In a recent post I alluded to the fact that I had successfully installed SIFT Workstation under Windows Subsystem for Linux (WSL). A number of people have zeroed in on that and had queries about this setup (and its limitations) so I thought I would follow up with a brief how-to.

For the uninitiated, the SIFT Workstation is a fantastic tool for forensic investigators and incident responders, put together and maintained by a team at SANS and specifically Rob Lee (@RobLee). It is a collection of open source tools for forensic analysis and is available bundled as a virtual machine. In a lot of cases the most appropriate way to use it is exactly like that, as a VM.

There are three common ways in which SIFT is used, under various circumstances I have had reason to employ all three:
  1. On a Type 1 hypervisor. I have an instance running within ESXi which I SSH into for analysis.
  2. Installed as the base OS on physical hardware. On more than one occasion I have installed Ubuntu and then the SIFT Workstation onto an old laptop to use for analysis.
  3. Via a Type 2 hypervisor such as VMWare Workstation or VirtualBox. I assume this is the most common method that people use SIFT, and indeed SANS provide a preinstalled OVA which can be downloaded here.

All of the above solutions have their merits, but with the advent of WSL we have a new option for running the various Linux utilities bundled within SIFT. While researching this post I stumbled across the fact that the SIFT Manual Installation instructions in fact reference the use of SIFT under WSL but I hope to provide a little bit of additional detail and highlight a couple of gotchas.

If you haven't already installed WSL and Bash you will need to start there, however if not you have installed these you can jump to Installing SIFT .

Installing WSL

The SIFT installation process detailed later requires internet access and as such I will focus on the online method of installing WSL, with that said an offline method is detailed in my previous post 'Windows Subsystem for Linux and Forensic Analysis'.

First ensure you are running Windows 10 Anniversary Update or later (build 1607+) on a 64-bit system, if not you will need to upgrade to this version to have WSL available.

The quickest and easiest way to enable WSL is to use PowerShell. Open PowerShell as Administrator and run the command:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

Alternatively it can be enabled via the 'Windows Features' dialog. This can be accessed via Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off. Locate the check box for Windows Subsystem for Linux, per the below screenshot, and select it:

Next we need to install the distribution of choice, which for SIFT will want to be Ubuntu. This is available for download via the Microsoft store. Once installed, select launch and you will be prompted to create a UNIX user account. Once the account is created you are good to go.

Installing SIFT

The first point to note is that SIFT cannot be installed from the root account. Depending on how you have configured WSL this may be the default and only user account on your install. If that is the case then you will need to create a new user account, as below:

Create new user account
Launch Bash, either via launching the 'Ubuntu' app or alternatively you can launch it from the Windows Command Line using the 'bash'.

Create a new user account with:

useradd -m sansforensics

Create a password for the account:

passwd sansforensics

When prompted, enter and re-enter a new password for the account.

Add the user account to the sudo group

sudo usermod -aG sudo sansforensics

Switch user to the new account:

su - sansforensics

The following set of commands can then be executed to download, verify and install the sift-cli-linux installer:

Using sift-cli-linux to isntall SIFT

wget https://github.com/sans-dfir/sift-cli/releases/download/v1.5.1/sift-cli-linux

wget https://github.com/sans-dfir/sift-cli/releases/download/v1.5.1/sift-cli-linux.sha256.asc

gpg --keyserver pgp.mit.edu --recv-keys 22598A94

gpg --verify sift-cli-linux.sha256.asc

sha256sum -c sift-cli-linux.sha256.asc

Verify that the output contains 'sift-cli-linux: OK', you will receive an error regarding improperly formatted lines which can be ignored.

sudo mv sift-cli-linux /usr/local/bin/sift

chmod 755 /usr/local/bin/sift

Finally the sift installer can be executed to install the SIFT packages only, with the following command:

sudo sift install --mode=packages-only

This process will take a short while to complete but at the end it should indicate that is has completed with no errors.


Image Mounting
Image mounting can be problematic. Due to fuse driver issues, using ewfmount, mountwin or imageMounter.py will result in the following error: 
fuse: device not found, try 'modprobe fuse' first
Unable to create fuse channel.
An alternative solution is to mount the image in windows using a tool such as FTK imager, then to mount the corresponding volume using drvfs within WSL. In the below example FTK imager has been used to mount an E01 image both Physical and Logical:

The notable volume has been mounted as H, and this can be presented to WSL with the following commands:

sudo mkdir /mnt/h

sudo mount -t drvfs H: /mnt/h

I have not performed extensive testing to understand the full implications of the different mount methods however I have found that using the 'File System/ Read Only' option, per the below, can be more reliable albeit slower:

The above method will not be suitable to work with all tools or use cases. 

No GUI Support
The lack of an X Server prevents you from running graphical applications. This isn't a huge issue with SIFT as the overwhelming majority of the tools you will have installed SIFT for are command line. By default attempting to run an GUI application such as firefox will result in the following error:

But fortunately for us, installation of an X Server for Windows will allow you to run GUI applications from WSL. I have tested XMing and found it to be reasonably reliable. Once you download, install and run XMing within Windows configuring WSL to export the display to it is very easy, simply execute the following command:

export DISPLAY=:0

Now running Firefox will result in a new window being created within Windows. This functionality also has interesting implications as to evidence storage. Notably this allows for the installation of a browser where history and internet browsing artifacts will be within the WSL filesystem.