RAID arrays often land on forensic examiners' desks completely anonymous, so finding the correct RAID configuration becomes a tedious manual job that can take hours or even days to complete.
To make this process efficient and effortless, Atola developers equipped the TaskForce forensic imager with a breakthrough configuration autodetection module.
This time-saving solution automates the configuration search and allows the operator to focus on the more urgent tasks that require human attention.
TaskForce Autodetection module
TaskForce’s RAID configuration autodetection process commences immediately upon selection of the RAID members, which can be any combination of devices and image files.
In Stage 1, the autodetection module reads data on the drives to determine the RAID type.
In Stage 2, the autodetection module uses heuristic algorithms to efficiently go through thousands of possible configurations to identify the suitable device order, block size and block order.
As soon as TaskForce detects a suitable configuration, click the Apply button.
The number of RAID parameter combinations to check is limited to 100,000,000. With 12 possible block (stripe) sizes – ranging from 512 bytes to 1 MB – the current limit allows TaskForce to check all possible RAID configurations for:
- 9 devices in a RAID 5 array (17,418,240 variants)
- 10 devices in a RAID 0 array (43,545,600 variants)
Any RAID configuration change the operator performs prompts the Partitions panel to refresh. If the configuration is correct, file systems are found and validated, and the operator can see the folders and files within the found partitions.
Depending on the RAID type, volume and metadata distribution, the TaskForce Autodetection module can take anywhere from 30 seconds to a few hours to produce configuration suggestions, with the longest times for large arrays of 9+ RAID members. This automatic combination search speeds up, as much as possible, what would otherwise be a tedious manual process.
There are also cases when the Autodetection module can come up with several configuration suggestions. The operator can apply these suggestions one by one to find the exact match.
mdadm-created RAID
Most RAID arrays are assembled using hardware controllers and NAS. Such RAID arrays require some time for TaskForce Autodetection to try out suitable configurations in search of the right one. As for software RAID arrays created with mdadm in Linux, Atola TaskForce can instantly identify such mdadm-created RAID arrays and their configuration by detecting controller metadata.
A partition displayed in the bottom part of the screen confirms that the applied configuration is correct.
This RAID’s Start LBA is different from 0. TaskForce’s Autodetection module can detect this parameter for different types of RAID arrays and mdadm versions.
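What that metadata looks like on disk, as an added example that is not Atola's code or part of the original article: a minimal parser for the Linux md v1.1/v1.2 superblock that reads the RAID level, chunk size, member count, member slot and the data offset (the non-zero Start LBA mentioned above). The function names are hypothetical, the sample member is constructed, and the superblock checksum is not verified.

```python
import struct

MD_MAGIC = 0xA92B4EFC                  # Linux md v1.x superblock magic
SB_OFFSETS = {"1.1": 0, "1.2": 4096}   # byte offset of the superblock on a member
                                       # (v1.0 sits near the device end; not handled here)

def parse_md_superblock(buf):
    """Return the geometry stored in an md v1.1/v1.2 superblock, or None."""
    for version, base in SB_OFFSETS.items():
        if len(buf) < base + 256:
            continue
        magic, major = struct.unpack_from("<II", buf, base)
        if magic != MD_MAGIC or major != 1:
            continue
        level, layout, _size, chunk, disks = struct.unpack_from("<iIQII", buf, base + 72)
        data_offset, = struct.unpack_from("<Q", buf, base + 128)  # 512-byte sectors
        dev_number, = struct.unpack_from("<I", buf, base + 160)
        max_dev, = struct.unpack_from("<I", buf, base + 220)
        role = None                    # slot of this member within the array
        end = base + 256 + 2 * (dev_number + 1)
        if dev_number < max_dev and len(buf) >= end:
            role, = struct.unpack_from("<H", buf, end - 2)
        if role is not None and role >= 0xFFFE:   # 0xFFFF spare, 0xFFFE faulty
            role = None
        return {
            "metadata": version,
            "name": buf[base + 32:base + 64].rstrip(b"\0").decode("utf-8", "replace"),
            "level": level,
            "layout": layout,
            "chunk_bytes": chunk * 512,           # chunk size is stored in sectors
            "raid_disks": disks,
            "start_lba": data_offset,
            "role": role,
        }
    return None

def build_sample_member(dev_number, role):
    """Constructed data: first 8 KiB of a hypothetical 3-disk RAID 5 member (v1.2)."""
    buf = bytearray(8192)
    base = SB_OFFSETS["1.2"]
    struct.pack_into("<II", buf, base, MD_MAGIC, 1)
    struct.pack_into("<32s", buf, base + 32, b"evidence:0")
    struct.pack_into("<iIQII", buf, base + 72, 5, 2, 0, 1024, 3)  # RAID 5, 512 KiB chunk
    struct.pack_into("<Q", buf, base + 128, 262144)               # data starts at this LBA
    struct.pack_into("<I", buf, base + 160, dev_number)
    struct.pack_into("<I", buf, base + 220, 128)                  # max_dev
    struct.pack_into("<H", buf, base + 256 + 2 * dev_number, role)
    return bytes(buf)

if __name__ == "__main__":
    for n in range(3):
        print(parse_md_superblock(build_sample_member(dev_number=n, role=n)))
```

Running it against the first few kilobytes of each member image gives the member order (`role`), block size and Start LBA directly, which is why no combination search is needed for such arrays.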
Imaging mdadm-created RAID array
TaskForce’s user-friendly interface enables you to intuitively perform all the operations, without having to check each step with the Manual.
To proceed with imaging of the reassembled RAID, simply click the Go to image button at the bottom of the screen and select the target for your session.
The imaging session will start right after you press the Start button, running as fast as the target speed allows.
The imaging report will be generated automatically and will provide all the details of the imaging session.
Atola engineers continue working to support more RAID types and file systems in the upcoming releases to help examiners tackle most of the RAID cases they encounter and make these tricky cases as effortless and fast as possible.