Large dataset analysis and recovery has been an interest of mine for some time. The server room is vastly important in today’s business environments and is increasingly part of any investigation involving business, including small businesses. Unfortunately, computer forensics is slow to catch up to this trend and has all but neglected designing tools to approach large datasets and has instead continued its trend to focus on the home user machines. While I understand this is where the bang for the buck is in the industry, it does leave a gaping hole that needs to be filled. Thus my interest ;-)
RAID is one such subset of my interest in this area. EnCase and X-Ways have RAID reconstruction functionality, but it is very limited. They seem to have designed their algorithms for this functionality as an afterthought or stub, again a bang for the buck issue. The problem with RAID is that it is not standardized. Sure, there is a loose definition of each type of RAID, RAID 0-6 and such; however, there is no implementation standard. For example, a RAID5 from Compaq looks nothing like a RAID5 from Adaptec. For example, configuration information is stored in different locations/sizes and parity rotation is implemented differently. It is not just the direction of rotation either but the iteration of rotation. In short, it is just a mess.
So I am working on a program to deal with this. Actually, I started it some time ago and I have now come back to it. I will release the program on SourceForge when I feel it is at least to alpha quality and properly documented. It should handle every structured RAID from 0 – 5, regardless of rotation direction, number of disks, rotation iteration, blocksize, or parity level. Next I will move on to a program that evaluates component disks and deduces likely configurations.
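To make the rotation parameters concrete, here is an added example (not the program described in this post) that reassembles a RAID5 volume from member images for a given block size, rotation direction and rotation iteration. The function names, the reading of "rotation iteration" as the number of stripe rows parity stays on one disk, and the ascending data-block order are assumptions of this sketch.

```python
from functools import reduce

def parity_disk(row, n, direction="backward", delay=1):
    """Member index holding parity for a stripe row (assumed model).
    delay: rows parity stays on one disk before it rotates.
    direction: "backward" starts on the last disk and moves toward disk 0,
    "forward" starts on disk 0 and moves up."""
    step = row // delay
    return (n - 1 - step) % n if direction == "backward" else step % n

def xor_blocks(blocks):
    """Byte-wise XOR of equally sized blocks."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def stripe(data, n, bs, direction="backward", delay=1):
    """Build constructed member images from data, to produce sample input."""
    row_bytes = bs * (n - 1)
    data += b"\0" * (-len(data) % row_bytes)  # pad to a whole stripe row
    disks = [bytearray() for _ in range(n)]
    for row in range(len(data) // row_bytes):
        chunk = data[row * row_bytes:(row + 1) * row_bytes]
        blocks = [chunk[i * bs:(i + 1) * bs] for i in range(n - 1)]
        # Data blocks go on the non-parity disks in ascending order (assumed).
        blocks.insert(parity_disk(row, n, direction, delay), xor_blocks(blocks))
        for d in range(n):
            disks[d] += blocks[d]
    return [bytes(d) for d in disks]

def destripe(disks, bs, direction="backward", delay=1):
    """Reassemble the logical volume; at most one member may be None (missing)."""
    n = len(disks)
    size = len(next(d for d in disks if d is not None))
    out = bytearray()
    for row in range(size // bs):
        blocks = [None if d is None else d[row * bs:(row + 1) * bs] for d in disks]
        if None in blocks:  # rebuild the missing block from the XOR of the rest
            m = blocks.index(None)
            blocks[m] = xor_blocks([b for b in blocks if b is not None])
        p = parity_disk(row, n, direction, delay)
        out += b"".join(b for i, b in enumerate(blocks) if i != p)
    return bytes(out)
```

Running `destripe` with the wrong direction or iteration still returns bytes, but parity blocks end up spliced into the data stream, which is why a reconstruction tool has to get every one of these parameters right.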