Forensic RAID Support
To help with creating a forensic RAID image of an array with an unknown configuration, Atola TaskForce 2 is now equipped with RAID assembly, configuration autodetection and imaging capabilities.
What is currently supported:
- RAID 0, 1, 5, 6, 10, JBOD
- Hardware RAID controllers: Adaptec, Areca, HP, Dell, LSI, Intel RST, IBM ServeRAID, other generic controllers
- Software RAID: mdadm
- Synology NAS RAID
- File systems: NTFS, ext4/3/2, XFS, Btrfs, exFAT, APFS, HFS/HFS+, FAT32/16
How it works
- Select sources that make up a RAID array (SATA/SAS/USB drives, raw, E01 or AFF4 image files).
- Wait a few minutes for a Possible configuration hint to pop up.
- Click Apply.
- Click Go to Image and acquire the whole array or partitions within.
Watch all RAID screencasts
- Autodetecting and imaging RAID 0
- RAID 5 imaging with a missing device
- Imaging RAID 5 array with errors
- Imaging RAID 10 with Atola TaskForce
- Imaging selected partitions of a RAID array
- Instant autodetection of an mdadm-created RAID
- RAID 6 Autodetection
- Imaging RAID 6 with errors
- Imaging RAID 6 with two missing members
Automated assembly of RAID with an unknown configuration
The autodetection module starts running as soon as the RAID devices (or images) are selected.
- In Stage 1, it reads data on the drives to identify the RAID type, which narrows down the number of combinations for Stage 2.
- In Stage 2, it goes through thousands or even millions of possible configurations to identify suitable ones.
If you know the configuration, you can enter it manually.
Autodetection uses heuristic algorithms to help avoid tedious manual work while searching for:
- RAID type
- device order
- block size
- block order
The maximum allowed number of RAID parameter combinations to check is 200,000,000. With 12 possible block (stripe) sizes ranging from 512 bytes to 1 MB, the current limit enables TaskForce 2 to check all possible RAID configurations for:
- 9 devices in RAID 5 array (17,418,240 variants)
- 10 devices in RAID 0 array (43,545,600 variants)
After you apply the suggested configuration with a single click, the drives are arranged in the correct order, the RAID type and other parameters are applied automatically, and the array is searched for file systems.
Moreover, when dealing with mdadm and Synology NAS RAIDs, TaskForce instantly identifies and reassembles such arrays.
Synology NAS RAID autodetection and imaging
Synology NAS (Network Attached Storage) is a widespread type of hardware for storing data on a network location.
TaskForce 2 supports it, including SHR/SHR2 RAID types.
The RAID module instantly detects the configuration of a Synology NAS RAID array and shows its partitions, folders, and files.
Reassembling and imaging RAID 5 with a missing device
If you are reassembling a RAID 5 array and one of its drives is missing or heavily damaged, TaskForce 2 allows you to select all available drives (or images thereof) and click the Add missing device button underneath the list of drives and/or images.
TaskForce 2 uses the redundancy inherent to RAID 5 to identify the configuration and create a full image of the RAID even in the absence of one of the RAID's parts.
Imaging RAID 5 and RAID 6 with errors
When the Autodetection module parses the data on the drives to identify the RAID configuration and encounters errors, error tags are displayed next to the respective RAID member. Despite the errors on drives, TaskForce 2 is able to mount the partitions of the RAID for preview using data redundancy of RAID 5 or RAID 6.
During imaging, when an error is encountered, TaskForce 2 automatically reconstructs the missing data on the fly. It uses the data in the parity blocks on the remaining members of the RAID. This process is seamless, needs no involvement of the operator and allows recovering the full image.
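The XOR reconstruction described in the two sections above, as an added example (not Atola's code): it stripes constructed data over a RAID 5 set and re-images the volume with one member absent. The left-symmetric parity rotation (the mdadm default) and all function names are assumptions of the example.

```python
from functools import reduce

def xor_blocks(blocks):
    """Byte-wise XOR of equally sized blocks."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def layout(stripe, n):
    """Assumed left-symmetric layout: (parity member, data members in logical order)."""
    pd = (n - 1) - (stripe % n)
    return pd, [(pd + 1 + d) % n for d in range(n - 1)]

def build_members(data, n, chunk):
    """Stripe `data` over n members with rotating XOR parity (constructed test array)."""
    members = [bytearray() for _ in range(n)]
    stripe_bytes = chunk * (n - 1)
    data = data + bytes(-len(data) % stripe_bytes)      # zero-pad the last stripe
    for s in range(len(data) // stripe_bytes):
        row = data[s * stripe_bytes:(s + 1) * stripe_bytes]
        chunks = [row[i * chunk:(i + 1) * chunk] for i in range(n - 1)]
        pd, dd = layout(s, n)
        for member, c in zip(dd, chunks):
            members[member] += c
        members[pd] += xor_blocks(chunks)               # parity chunk of this stripe
    return [bytes(m) for m in members]

def image_array(members, chunk):
    """Reassemble the logical volume; a member passed as None is rebuilt by XOR."""
    n = len(members)
    present = [m for m in members if m is not None]
    if len(present) < n - 1:
        raise ValueError("RAID 5 tolerates only one missing member")
    out = bytearray()
    for s in range(len(present[0]) // chunk):
        row = [None if m is None else m[s * chunk:(s + 1) * chunk] for m in members]
        if None in row:
            # XOR of all surviving chunks (data and parity) equals the lost chunk
            row[row.index(None)] = xor_blocks([c for c in row if c is not None])
        _, dd = layout(s, n)
        out += b"".join(row[member] for member in dd)   # parity chunk is skipped
    return bytes(out)

if __name__ == "__main__":
    data = bytes(range(256)) * 3                        # constructed sample volume
    disks = build_members(data, n=4, chunk=16)
    disks[2] = None                                     # simulate the missing device
    print(image_array(disks, chunk=16) == data)
```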
Rebuilding and imaging RAID 6 with two missing devices
RAID 6 has extra redundancy due to the usage of two types of parity blocks (XOR parity and Reed-Solomon parity). Thanks to this feature, TaskForce 2 is able to automatically reassemble and image a RAID 6 array even if two of its members are damaged or missing.
Select RAID 6 as the RAID type and then click the Add missing device button twice to tell TaskForce that two devices in the array are missing. The system restarts the autodetection process from the beginning and takes the absence of two devices into account when checking variants of possible RAID configuration.
Once a possible configuration is detected, click Apply and preview the volumes, folders, and files of the reassembled array. Then proceed to physical or logical imaging.
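How the two parity types together recover two lost blocks, as an added example (not TaskForce code). It assumes the GF(2^8) field with polynomial 0x11d and generator 2 used by Linux md RAID 6, covers the case where both lost blocks are data blocks, and uses function names chosen for the example.

```python
# Log/antilog tables for GF(2^8), polynomial 0x11d, generator g = 2 (assumed field)
EXP, LOG = [0] * 510, [0] * 256
_v = 1
for _i in range(255):
    EXP[_i] = EXP[_i + 255] = _v
    LOG[_v] = _i
    _v <<= 1
    if _v & 0x100:
        _v ^= 0x11D

def gmul(a, b):
    """Multiply in GF(2^8)."""
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gdiv(a, b):
    """Divide in GF(2^8); b must be non-zero."""
    return 0 if a == 0 else EXP[LOG[a] - LOG[b] + 255]

def syndromes(data_blocks):
    """P = XOR of all data blocks; Q = XOR of g^i * D_i (Reed-Solomon parity)."""
    size = len(data_blocks[0])
    p, q = bytearray(size), bytearray(size)
    for i, blk in enumerate(data_blocks):
        for k, byte in enumerate(blk):
            p[k] ^= byte
            q[k] ^= gmul(EXP[i], byte)
    return bytes(p), bytes(q)

def recover_two(blocks, p, q):
    """blocks: data blocks of one stripe with exactly two entries set to None."""
    x, y = [i for i, b in enumerate(blocks) if b is None]
    zero = bytes(len(p))
    pxy, qxy = syndromes([zero if b is None else b for b in blocks])
    denom = EXP[x] ^ EXP[y]                  # g^x + g^y, non-zero because x != y
    dx, dy = bytearray(len(p)), bytearray(len(p))
    for k in range(len(p)):
        dp = p[k] ^ pxy[k]                   # Dx + Dy
        dq = q[k] ^ qxy[k]                   # g^x*Dx + g^y*Dy
        dx[k] = gdiv(dq ^ gmul(EXP[y], dp), denom)
        dy[k] = dp ^ dx[k]
    return bytes(dx), bytes(dy)

if __name__ == "__main__":
    stripe = [bytes([i * 17 + k for k in range(8)]) for i in range(5)]  # constructed
    p, q = syndromes(stripe)
    damaged = [b if i not in (1, 3) else None for i, b in enumerate(stripe)]
    print(recover_two(damaged, p, q) == (stripe[1], stripe[3]))
```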
RAID 10 autodetection and imaging
RAID 10 arrays combine mirroring and striping techniques. That is why these arrays have higher performance and better resiliency against data loss or corruption.
TaskForce 2 uses both of these advantages: it images data faster from a RAID 10 compared to other RAID types and rebuilds the image using the data redundancy in case of disk failure. TaskForce 2 can achieve 900 MB/s on a RAID 10 consisting of SSD drives and 400 MB/s on one made up of HDD drives.
After you have selected the drives that make up the RAID 10 array, the RAID configuration autodetection module identifies the RAID type. The final configuration is suggested after the variants of the other parameters have been checked.
When you apply the suggested configuration, TaskForce 2 shows the members of the RAID 10 in groups according to the pair of mirrors found in this array.
The found partitions and their contents are displayed in the Partition preview part of the screen. Browse through the folders to see if the contents of the RAID are potentially helpful in your investigation. Then proceed to imaging.
RAID partition preview
Any change to the RAID configuration, whether made manually or by applying the suggestion produced by autodetection, prompts the Partitions panel at the bottom to refresh. If the configuration is correct and file systems are found and validated, you see the partitions and their contents.
Instant configuration detection using RAID metadata
TaskForce 2 instantly identifies mdadm-created RAID arrays with great precision by detecting controller metadata. These types of arrays are mounted in a matter of seconds and do not require a manual selection or application.
TaskForce’s autodetection module is able to detect the Start LBA parameter for different types of mdadm RAID arrays.
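Why metadata makes detection instant, as an added example (not TaskForce code): the Linux md v1.2 superblock stored on each member already records the RAID level, chunk size, member slot and data start sector. Treating md's `data_offset` field as the Start LBA mentioned above is an assumption, as are the function names and the constructed sample members.

```python
import struct

MD_MAGIC = 0xA92B4EFC  # md superblock magic (little-endian on disk)
SB_OFFSET = 4096       # metadata v1.2 places the superblock 4 KiB into the member

def parse_md_sb(member):
    """Array parameters from one member image, or None if no v1.x superblock."""
    sb = member[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 256 or struct.unpack_from("<II", sb, 0) != (MD_MAGIC, 1):
        return None
    level, layout = struct.unpack_from("<iI", sb, 72)
    chunk_sectors, raid_disks = struct.unpack_from("<II", sb, 88)
    (start_lba,) = struct.unpack_from("<Q", sb, 128)    # data_offset, in sectors
    (dev_number,) = struct.unpack_from("<I", sb, 160)
    (max_dev,) = struct.unpack_from("<I", sb, 220)
    if dev_number >= max_dev or 256 + 2 * max_dev > len(sb):
        return None
    (role,) = struct.unpack_from("<H", sb, 256 + 2 * dev_number)
    return {"uuid": sb[16:32].hex(), "level": level, "layout": layout,
            "chunk_bytes": chunk_sectors * 512, "raid_disks": raid_disks,
            "start_lba": start_lba, "slot": role}

def device_order(members):
    """Map {name: image bytes} to member names in slot order (None = missing)."""
    parsed = {n: parse_md_sb(m) for n, m in members.items()}
    # roles 0xFFFF (spare) and 0xFFFE (faulty) hold no slot in the array
    parsed = {n: p for n, p in parsed.items() if p and p["slot"] < 0xFFFE}
    if not parsed:
        return []
    first = next(iter(parsed.values()))
    order = [None] * first["raid_disks"]
    for name, p in parsed.items():
        if p["uuid"] == first["uuid"] and p["slot"] < len(order):
            order[p["slot"]] = name
    return order

def sample_member(dev_number, roles, level=5, chunk_sectors=1024, start_lba=2048):
    """Constructed member image holding only a minimal v1.2 superblock."""
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0, MD_MAGIC, 1)
    sb[16:32] = bytes(range(16))                        # constructed array UUID
    struct.pack_into("<iI", sb, 72, level, 2)           # layout 2 = left-symmetric
    struct.pack_into("<II", sb, 88, chunk_sectors, len(roles))
    struct.pack_into("<Q", sb, 128, start_lba)
    struct.pack_into("<I", sb, 160, dev_number)
    struct.pack_into("<I", sb, 220, len(roles))
    struct.pack_into(f"<{len(roles)}H", sb, 256, *roles)
    return bytes(SB_OFFSET) + bytes(sb)
```

Calling `device_order` on images supplied in arbitrary order returns them in slot order, with `None` where a member is absent.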