Rebuilding Hardware Raid in EnCase 7/8

Recently I needed to rebuild a hardware RAID within EnCase from physical images of the component disks. Some years ago this was a common task which I did on a regular basis, and could achieve with my eyes closed.

Back then my principal analysis tool was EnCase 6 and the method of rebuilding a RAID was relatively straightforward, the required menus and options were in a logical enough location, but of course with the advent of EnCase 7 Guidance made every effort to hide functionality and generally make our lives more difficult.

More recently, I think I have probably only had to rebuild a hardware RAID probably four or five times in the last 3 years, each time I have spent significantly longer trying to remember where Guidance saw fit to hide the menu item than I did in assessing the RAID and rebuilding it. This time I have James Habben (@JamesHabben) to thank for reminding me where I needed to look within EnCase.

In any event, as one George W. Bush once said, "fool me once, shame on — shame on you. Fool me — you can't get fooled again", so I have committed to documenting the required process for future googlers, and indeed myself in probably 12 months' time.

A few points before I get into the process:

  • There are a number of ways to skin this cat; my intention in this post is just to cover the mechanics of rebuilding the RAID in EnCase 7/8. I will likely follow up with a post which covers one method to identify the RAID configuration if this is unknown, but it is out of scope for today.
  • Rebuilding a software RAID is much simpler, and much better documented. If you are dealing with a Windows software RAID then the following will get you on the right path to rebuilding it in EnCase:
  • The images I have to hand, and therefore the process as demonstrated in the examples in this post, are the simplest situation: a two-disk RAID-0 with a known stripe size. The process doesn't change dramatically for more complex RAID setups.
  • And finally, X-Ways Forensics is significantly better and easier for rebuilding RAIDs. That was true 8 years ago and it hasn't changed; in fact, to my knowledge X-Ways hasn't improved in this area, EnCase has simply become worse at it.

Recreating the RAID in EnCase 7/8

Launch EnCase (7 or 8), create a new case, and add your physical images as evidence items via either 'Add Evidence File' for E01, Ex01, vmdk, or vhd or via 'Add Raw Image' for RAW/DD images, per the below screenshots:

Technically you can perform this same set of actions on two or more physical devices connected to your analysis system with the 'Add Local Device' functionality too.

Once the images are added, you should be in the 'Evidence Tab' with the individual items visible, per the below screenshot.

Within EnCase 7, the Super Top Secret menu item you require is located by pressing the down arrow in the far right-hand corner of the Evidence Tab toolbar. This is the centre of the three down arrows on the right-hand side.

You know, the down arrow...

I for one don't understand why people find it so hard to find.

Selecting the down arrow presents you with the following menu, from which you need to select 'Create Disk Configuration...'

Unfortunately, word got back to Guidance that a small group of 5-10 users had actually managed to locate and use the 'Create Disk Configuration...' functionality, and as such they made changes to hide it again come the release of EnCase 8. The same menu item is now contained within the dropdown menu denoted with a cog.

The remainder of the steps are consistent between 7 and 8, so screenshots will be limited to those of 7 as it is the less offensive of the two interfaces. We need to configure the RAID within the newly opened 'Disk Configuration' window:

Name the RAID

Enter a name for your RAID in the top left text entry box.

Select the RAID Type if known

Select the type of RAID you are rebuilding from the Disk Configuration list on the left of the window; these translate as follows:

  • Stripe = RAID-0
  • Mirror = RAID-1
  • RAID-5 - see below
  • Span = JBOD
  • Simple = JBOD, maybe
  • RAID-5 Symmetric - see below
  • RAID-5 Solaris = pass; one assumes Solaris employed a funky RAID-5 implementation
  • RAID-5 Asymmetric - see below
  • RAID-1E (https://en.wikipedia.org/wiki/Non-standard_RAID_levels#RAID_1E)

The various RAID-5 options relate to different implementations of RAID-5; the key difference is where the parity stripe is located in each pass. A helpful reference can be found here. Once upon a time a DR engineer who specialised in damaged RAID recovery taught me how to use the 'RCDC' signature within an NTFS journal, an Excel spreadsheet and some basic deduction to determine exactly what RAID configuration and stripe size you are dealing with, but to be honest, once I have sussed out the stripe size I normally try RAID-5 first, then RAID-5 Symmetric and RAID-5 Asymmetric until it works.

In the event that I was unsure of the RAID configuration or disk order, my process used to be to determine the stripe size using this method, then use X-Ways to allow for expedient trial and error. These days RAID Reconstructor can do a lot of the hard work for you. I will likely cover RAID Reconstructor in a follow-up post.

Add Component Devices

Order matters here, so if you happen to know the order the drives came out of the RAID device, start there; otherwise RAID Reconstructor can help you figure it out.

Right-click inside the 'Component Devices' area and select the first disk. If you have a known offset on the drive before the RAID starts, you will need to change the Start Sector and Total Sectors to reflect this.

The Total Sectors will automagically be populated with the total number of sectors in your image; however, if you amend the Start Sector you will need to reduce the Total Sectors value by the same amount or you will receive an error. Again, if you do not know whether there is an offset, RAID Reconstructor will be able to assist. Press OK to add the disk.

Repeat this process for each of the disks (in order); you cannot reorder the disks once they have been added, so you will need to delete them and re-add.

Note that if you have a RAID-5 (or another RAID config with redundancy) and you are missing a disk, it is possible to add a Null Device. Simply right-click, select New, then check the 'Create Null Device' option. This will cause the image selection to grey out, and pressing OK will add a Null Device:

Stripe Size

Once you are happy with your added disks and their order you can set the stripe size. Make sure to note that the size requested here is in KB, not sectors or bytes. If your config information (as provided by the system owner, found in the RAID BIOS or via RAID Reconstructor) is not in KB, then you will need to do a calculation to determine the appropriate value.

Once you are happy with your configuration, select 'OK'. A new evidence item, named per your chosen name, will be added. In this case we have named our RAID 'Demo'.

Selecting that evidence item will cause EnCase to open it, and with any luck interpret the filesystem, parse the MFT etc.

In the event that you have made an error, you will likely find the device opens with no file system. It is time to go back to the evidence pane, select the checkbox for the RAID, use the same drop-down menu and select 'Edit Disk Configuration...':

You may need to repeat this process a few times if you are trying to guess a config. As previously mentioned, the process of brute-forcing the config in this way is somewhat easier in X-Ways, so if you have a licence available maybe use that for your testing. Furthermore, much of the guesswork can be removed with the use of RAID Reconstructor.
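To make the above concrete, here is an added Python model (my own illustration, not EnCase code and not part of the original post) of what the Disk Configuration dialog does for a 'Stripe' (RAID-0) set: the Start Sector / Total Sectors adjustment, the conversion of a stripe size quoted in sectors or bytes to KB, and why a wrong disk order or a missed offset produces a device with no recognisable file system. The disk images are constructed in memory and 512-byte sectors are assumed.

```python
SECTOR = 512  # assumption: 512-byte sectors, as the dialog's sector counts imply

def stripe_size_kb(value, unit):
    """Convert a stripe size quoted in sectors or bytes to the KB the dialog wants."""
    nbytes = {"sectors": value * SECTOR, "bytes": value, "kb": value * 1024}[unit]
    if nbytes % 1024:
        raise ValueError("stripe size is not a whole number of KB")
    return nbytes // 1024

def component(image, start_sector=0):
    """One 'Component Devices' entry: Total Sectors defaults to the image size
    and must shrink by Start Sector, which is the error the dialog raises."""
    total = len(image) // SECTOR
    if start_sector >= total:
        raise ValueError("Start Sector is beyond the end of the image")
    return {"image": image, "start": start_sector, "total": total - start_sector}

def rebuild_stripe(components, stripe_kb):
    """RAID-0 ('Stripe'): logical stripe i sits on disk i % n, in the order added."""
    n, chunk = len(components), stripe_kb * 1024
    per_disk = min(c["total"] * SECTOR // chunk for c in components)
    out = bytearray()
    for i in range(per_disk * n):
        c = components[i % n]
        off = c["start"] * SECTOR + (i // n) * chunk
        out += c["image"][off:off + chunk]
    return bytes(out)

def split_stripe(volume, ndisks, stripe_kb, preamble=b""):
    """Constructed test data: stripe a volume across ndisks, each prefixed with
    `preamble` to stand in for controller metadata ahead of the RAID proper."""
    chunk = stripe_kb * 1024
    disks = [bytearray(preamble) for _ in range(ndisks)]
    for i in range(0, len(volume), chunk):
        disks[(i // chunk) % ndisks] += volume[i:i + chunk]
    return [bytes(d) for d in disks]

def looks_like_ntfs(volume):
    """Rough stand-in for EnCase recognising the file system: NTFS OEM ID at byte 3."""
    return volume[3:11] == b"NTFS    "

def demo():
    """Two-disk RAID-0, 4 KB stripe, one sector of metadata before the RAID."""
    volume = bytearray(b"\xEB\x52\x90NTFS    ").ljust(4 * 4096, b"\x00")
    disks = split_stripe(bytes(volume), 2, 4, preamble=b"\xAA" * SECTOR)
    comps = [component(d, start_sector=1) for d in disks]
    good = rebuild_stripe(comps, 4)                                 # right order, right offset
    wrong_order = rebuild_stripe(comps[::-1], 4)                    # disks added backwards
    no_offset = rebuild_stripe([component(d) for d in disks], 4)    # Start Sector left at 0
    return (looks_like_ntfs(good), good == bytes(volume),
            looks_like_ntfs(wrong_order), looks_like_ntfs(no_offset))
```

Only the correctly ordered, correctly offset rebuild yields a volume EnCase would interpret; the other two are exactly the "no file system" outcome that sends you back to 'Edit Disk Configuration...'.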

Hopefully this post helps a few people find the right menu item when attempting to rebuild / de-RAID a hardware RAID within EnCase, or at the very least here's hoping I remember this post when I next forget how to do it!