RAID 5 forensics: Automated assembly and imaging

TaskForce is equipped with configuration autodetection module that makes assembling and imaging a RAID 5 array with an unknown configuration fast and easy.

Autodetection of RAID 5 configuration

1. Connect the drives that make up the RAID array to the TaskForce unit to ports in Source mode.
2. Click the RAID icon in the left-side Task Menu.

3. In Select source device panel, tick the drives that make up the RAID array and click Continue.

To assemble a RAID from images instead of drives or to use a combination of drives and images, browse and select images in the FILE subsection of the Select source device menu.

Next, you are redirected to the RAID configuration screen. It consists of three parts:
- the selected devices (and/or image files) are shown in the top RAID configuration part.
- the RAID Partitions viewer below it, provides a preview of partitions and files within them, once RAID has been successfully assembled.
- the Autodetection module in the right-hand part of the screen immediately starts running and produces an output of RAID configuration suggestions.

Autodetection module reads data from all the selected devices and/or images to detect these RAID parameters:

• Order of drives/images
• RAID type
• Start LBA
• Block size
• Block order

Should the configuration be known, these parameters can also be set manually by the operator.

The time required for configuration detection can vary from a few seconds to a few hours depending on the numbers of drives involved, RAID volume and type, and how metadata is distributed on the drives in the RAID. In certain cases, Autodetection may produce several configuration suggestions, which can be applied one by one to find the exact match. TaskForce's Autodetection is based on heuristics algorithms that help speed up the variant check.

4. Click the Apply button to apply the configuration suggested by the Autodetection module.

If the suggested configuration matches the RAID native configuration, partitions of the RAID will be displayed and a preview of data within the partition will be enabled.

Imaging selected partitions of RAID 5

1. Click GO TO IMAGE button in the left bottom corner of the screen to adjust the imaging settings and define the target for the image.

2. Select the target for the imaging session. Both a local server and a target device in Storage mode can be used for imaging of a RAID array.

3. Click + CREATE FILE button and fill out the image details in the Create image file window and click Create.

4. In the Settings page, click the Change button and then click the settings of an imaging pass.

5. In Edit imaging pass window, you can select the individual partitions to be imaged if selective imaging is required and click Save.

6. Click the START button to launch the imaging session.

TaskForce will be imaging RAID 5 array or its partitions as configured in the imaging settings.

At the end of the imaging session, TaskForce will produce an Imaging completed report with all the details of the source drives, the RAID configuration, the target, the partition, the timestamps, etc.