Acquiring Hardware RAID configuration data from disks Cybercrime and Forensics Project Universiteit van Amsterdam System and Network Engineering (MSc) Sebastian Carlier ([email protected]) January, 2014

Abstract

This report describes what kind of hardware RAID configuration data can be obtained from a single hard drive in a forensically sound manner. The research tests the LSI SAS 1068E controller, the PERC H200 Adapter with 6Gbps SAS Controller and the 3ware 9650SE-24M8 RAID controller. The purpose of this research is to speed up the process of obtaining data from a virtual drive by helping in its reassembly.

Due to the nature of hardware RAID the findings are vendor specific. The results show that we can obtain the hard drive serial numbers of all the disks that belong to an array and the controller's brand. This knowledge satisfies the requirements of rebuilding a RAID volume, by attaching the correct drives to a specific controller.

Contents

1 Introduction
2 The process of identifying data written to the disk by the RAID controller
  2.1 The process of locating data and data extraction
  2.2 The process of analysing the data
3 Data analysis
  3.1 SAS 6/iR adapter with LSI SAS 1068E controller
  3.2 PERC H200 Adapter with 6Gbps SAS Controller
  3.3 3ware 9650SE-24M8 RAID controller
4 Conclusions
5 Appendices

1 Introduction

Software and hardware RAID solutions are a popular way of storing data on servers. They provide storage and/or hardware failure redundancy, but can hinder forensic investigations if physically disassembled (i.e. pulled from the server). Usually [note 1] data cannot be retrieved until we find which disks belonged to the array as it is fragmented and spread over the disks that form the RAID volume [2].

With this knowledge the forensics investigator can take the following approaches:

- Manually study the blocks of each drive to determine how the data is fragmented. With this knowledge an algorithm can be applied to copy the fragments and reassemble them on a separate device creating a disk image [1].
  This however can be a time consuming process requiring experience in data analysis and a good understanding of RAID algorithms.
- Acquire the RAID configuration and reassemble the volume by using the same RAID algorithm that created the array.

The latter approach is used in this research. However hardware RAID algorithms are proprietary and vendor specific. Reverse engineering those algorithms can be time consuming and does not seem like a viable solution. Instead to reassemble the RAID volume we can use the same controller that created the volume, as the algorithm resides in the RAID controller. To perform this task the correct hard drives need to be obtained as well as the brand of the controller.

We work on the premise that a RAID controller recognizes a RAID volume that was configured on another RAID controller of the same model. Furthermore it can be assumed that hardware RAID configuration data is written to a disk.

This paper focuses on obtaining RAID configuration data from hard drives that belonged to a RAID set, but for some reason were pulled from the server. The main goal is to find configuration data that can help identify which controller was used and which disks were part of an array.

The first challenge when trying to obtain data from a RAID set stems from how RAID works. If one wants to obtain data from an array of disks, some configuration information needs to be known to either reassemble the array and copy the data or to copy the data blocks from the disks in a specified order (as presented to the OS by a RAID controller). This paper helps to achieve the former approach.

Hardware RAID solutions use proprietary algorithms to configure an array and do not conform to a unified standard. This poses the problem of knowing on what controller the RAID array should be reassembled. An array assembled on a different controller will usually not be recognized.

It is assumed that the reader has basic knowledge of RAID, hexadecimal numbers and Linux tools used for comparing data.

Note 1: This is not true for RAID 1.

Scope

The scope of this paper includes:

- The partly automated process of collecting the configuration that a RAID controller saves on a disk. For the purpose of mapping that configuration layout to a controller.
- The partly automated forensics process of identifying (and obtaining) the RAID configuration found on a disk.

The research is carried out by testing several RAID controller models. The SAS 6/iR adapter [3] with LSI SAS 1068E controller [4], the PERC H200 Adapter with 6Gbps SAS controller [5] and the 3ware 9650SE-24M8 RAID [6] controller were selected for this project. They were chosen for several reasons. Firstly they are usually used in different server models which vary in size and quality (from 1 unit to 4 rack units). Each has a different capacity for disks (from 2 to 24 disks). Moreover two of the controllers are from the same brand, although all of them use an LSI chip. For a detailed technical specification of the servers please refer to the following:

- Dell R200 [note 2]
- Dell R510 with 12 x 3.5" SAS/SATA ports [note 3]
- Supermicro Superchassis with 24 x 3.5" SAS/SATA ports [note 4]

Research Question

Can RAID configuration data be acquired from a block device?
Can the acquired data be useful for reassembling a RAID array?

It is crucial to note that any data that might be considered as RAID configuration data can be circumstantial, and does not provide certainty as to its meaning. However it can still be used to help reassemble a virtual drive. If a RAID volume is recognized and a working partitioning scheme can be observed on it [note 5], then the configuration is proven to be valid beyond reasonable doubt.

Note 2: http://www.dell.com/us/dfb/p/poweredge-r200/pd
Note 3: http://www.dell.com/us/business/p/poweredge-r510/pd
Note 4: http://www.supermicro.nl/products/chassis/4U/846/SC846BE16-R1K28.cfm
Note 5: with meaningful data on those partitions

2 The process of identifying data written to the disk by the RAID controller

The goal of the research is to identify what data the controller leaves on the disks. This can be broken down into two problems: locating the correct data and analysing the obtained data.

2.1 The process of locating data and data extraction

The first problem is to identify where the controller writes the configuration data. We can assume that it is written on the disk, because when the disks are connected to another controller (of the same model) the RAID array is recognized.
To establish where the data is written we apply the following steps:

1. Connect the disks to a SATA or SAS port and zero out all of the sectors. This is achieved by performing the command below, where sdX is the disk we are targeting.

       # dd if=/dev/zero of=/dev/sdX

2. Check for blocks that contain non-zero values to ensure the success of the previous step. This step is not feasible in a timely manner without automation.
3. Connect the drives to the RAID controller and boot into the RAID BIOS to set up the RAID array.
4. Boot a live OS on the server to ensure that the RAID disk has been created.
5. Connect the disks to a SATA/SAS port and copy all sectors that contain non-zero values (including their offset). This step also requires automation.

As mentioned the steps above are not feasible without a certain amount of automation. For this purpose we create a script (see section 5) that checks every block of the disk starting at sector zero. If any data is found in a 512 byte block, a dump of that block is copied to the host machine with the sector number [note 6]. If the next 512 byte block also contains non-zero values it is appended to that file. The dumps created in this process are later used for the next step of this research.

Note 6: counting from 0 from the beginning of the disk

2.2 The process of analysing the data

The problem that follows is identifying what the data represents. This is done by repeating the steps above and adjusting the state of an array or its configuration. The following changes are made in the tests to help interpret the data:

- using different disks in the array
- replacing a disk on a previously created array
- creating a different level of RAID
- configuring a hot spare to a RAID array

The goal is to identify which model of controller created the array, which is crucial to the RAID volume's reassembly. Another necessary objective is to identify the disks that the array consisted of and their position.
When this data is presented to a forensics investigator he can obtain a model of the controller and identify the correct disks by the serial numbers present on their casings.

3 Data analysis

This part of the paper presents the results of the tests that were previously described. It shows what data was collected and interprets the data where possible. The data is presented as hexadecimal dumps generated with hexdump. The commands used to generate the output are also present for completion. The directories are named after the setup and the files after the sector number of the disk where the data was found. A certain understanding of hexdump [note 7] is required from the reader to comprehend the output. Due to the volume of the collected data only the parts relevant to the findings are presented in this paper. All of the files generated by our script can be obtained from ftp.scarlier.nl/raid_research/.

3.1 SAS 6/iR adapter with LSI SAS 1068E controller

The following RAID setups were conducted on a SAS 6/iR adapter [3] equipped with the LSI SAS 1068E controller [4] in a Dell r200 server. The RAID controller supports RAID 0 and RAID 1 setups [note 8]. The LSI Corp Config Utility For Dell SAS6 v6.22.03.00 (2008.08.06) was used to configure the drives.

- RAID 0, 2 x 80GB SATA HDDs
- RAID 0, 2 x 160GB SATA HDDs
- RAID 1, 2 x 80GB SATA HDDs
- RAID 1, 2 x 160GB SATA HDDs

Data Structure

The script (section 5) for collecting the data from disks generated the files listed in the code block below.

    ls -l r200_raid0_80gb/port0/
    -rw-r--r-- 1 scarlier scarlier 7680 Feb  9 17:52 sector_156252335
    -rw-r--r-- 1 scarlier scarlier  512 Feb  9 17:52 sector_156301487

    ls -l r200_raid1_160gb/port0/
    -rw-r--r-- 1 scarlier scarlier 7680 Feb 10 04:18 sector_312532655
    -rw-r--r-- 1 scarlier scarlier  512 Feb 10 04:18 sector_312581807

The first two listed files were generated from an 80GB hard drive connected to port 0 and configured in RAID 0. The last 2 files were generated from a 160GB disk connected to port 0 and configured in RAID 1. In each setup the collected data is located at the same sector offset, counting from the end of the disk. This is apparent when we take into account the total amount of sectors on each disk.
The data also spans the same amount of sectors. The byte offset where the first chunk of data is found can be calculated in the following way:

    offset = (lastsectornumber - datasectornumber) × sectorsize

where:

    lastsectornumber = sectorcount - 1 [note 9]
    datasectornumber is generated by the script (section 5)
    sectorsize is 512 bytes

The above formula gives us the byte offset from the end of the disk. The offsets for our tests are calculated below. The disk information was collected with fdisk and is shown in the appendix (section 5).

For a 80GB disk:

    lastsectornumber = 312581808 - 1
    offset = (312581807 - 312532655) × 512
    offset = 25165824 bytes

For a 160GB disk:

    lastsectornumber = 156301488 - 1
    offset = (156301487 - 156252335) × 512
    offset = 25165824 bytes

Offset in megabytes:

    offset = 25165824 bytes / (1024 × 1024)
    offset = 24 megabytes

From the above we can assume that the offset is 24 Megabytes from the end of the disk and is consistent for varying disk sizes [note 10].

The second chunk of data is located in the last sector of each disk.

Note 7: http://manpages.debian.org/cgi-bin/man.cgi?query=hexdump
Note 8: http://www.dell.com/learn/us/en/04/campaigns/dell-raid-controllers

Data Analysis

The data is interpreted by comparing the files generated by the script. In this section only the interpreted differences are shown. The data blocks shown below are taken from disks that belong to the same array. The bytes at offset 0xA11 translate to the serial number of the disk from which the data was collected.
It is preceded by ATA and 5 spaces, this most likely refers to the ATA Standard [7].

Note 9: sectors are counted from 0
Note 10: This assumption is also enforced when testing the PERC H200 Adapter with the 6Gbps SAS Controller.

    hexdump -n 36 -s 0xA00 -C r200_raid0_80gb/port0/sector_156252335
    ----
    00000a00  33 33 33 33 50 2f b0 b6  41 54 41 20 20 20 20 20  |3333P/..ATA     |
    00000a10  20 57 44 2d 57 4d 41 56  33 43 30 38 39 37 35 38  | WD-WMAV3C089758|
    00000a20  06 50 b9 c2                                       |.P..|
    00000a24

    hexdump -n 36 -s 0xA00 -C r200_raid0_80gb/port1/sector_156252335
    ----
    00000a00  33 33 33 33 4a 6b 83 dc  41 54 41 20 20 20 20 20  |3333Jk..ATA     |
    00000a10  20 57 44 2d 57 4d 41 56  33 41 38 38 38 35 36 33  | WD-WMAV3A888563|
    00000a20  f4 0d 6f 22                                       |..o"|
    00000a24

    hexdump -n 36 -s 0xA00 -C r200_raid1_80gb/port0/sector_156252335
    ----
    00000a00  33 33 33 33 08 b1 df 3d  41 54 41 20 20 20 20 20  |3333...=ATA     |
    00000a10  20 57 44 2d 57 43 41 56  33 35 38 33 36 37 39 36  | WD-WCAV35836796|
    00000a20  c3 f3 fb 44                                       |...D|
    00000a24

    hexdump -n 36 -s 0xA00 -C r200_raid1_80gb/port1/sector_156252335
    ----
    00000a00  33 33 33 33 18 4d b7 65  41 54 41 20 20 20 20 20  |3333.M.eATA     |
    00000a10  20 57 44 2d 57 43 41 56  33 37 31 33 34 31 34 33  | WD-WCAV37134143|
    00000a20  f0 18 4d 68                                       |..Mh|
    00000a24

The extracts below show that the bytes at offset 0xA04 and 0xA20 remain the same for the same disk throughout different tests. It is unknown what this data represents however we can assume that it is related to the disk.
Moreover it seems to be uniquely related as it is different for the same disk models.

    hexdump -n 36 -C -s 0xA00 r200_raid0_160gb/port0/sector_312532655
    ----
    00000a00  33 33 33 33 32 27 62 a5  41 54 41 20 20 20 20 20  |33332'b.ATA     |
    00000a10  20 57 44 2d 57 4d 41 56  32 45 41 38 34 37 37 31  | WD-WMAV2EA84771|
    00000a20  4d ae 09 24                                       |M..$|
    00000a24

    hexdump -n 36 -C -s 0xA00 r200_raid1_160gb/port0/sector_312532655
    ----
    00000a00  33 33 33 33 32 27 62 a5  41 54 41 20 20 20 20 20  |33332'b.ATA     |
    00000a10  20 57 44 2d 57 4d 41 56  32 45 41 38 34 37 37 31  | WD-WMAV2EA84771|
    00000a20  4d ae 09 24                                       |M..$|
    00000a24

The data block below shows the serial numbers of the disks from the array, at offset 0x249 and 0x289. Those numbers match the serial numbers from the casings of the inserted disks. The disks are listed in a reversed order: the disk from port 1 is listed as the first and the disk from port 0 is listed as the second. The data at offset 0x268 and 0x2A8 is the SAS address [note 11] of the disk [8]. It is derived from the controller's SAS address which can be found in the RAID BIOS of the controller. It can be identified as such by comparing the BIOS information with the data shown below. Lastly it remains the same through every test on the same RAID controller.

    hexdump -n 112 -s 0x240 -C r200_raid0_80gb/port0/sector_156252335
    ----
    00000240  41 54 41 20 20 20 20 20  20 57 44 2d 57 4d 41 56  |ATA      WD-WMAV|
    00000250  33 41 38 38 38 35 36 33  f4 0d 6f 22 00 02 00 01  |3A888563..o"....|
    00000260  00 00 00 00 09 40 f8 af  50 02 6b 90 58 2e b6 01  |.....@..P.k.X...|
    00000270  ff ff ff ff ff ff ff ff  01 ff ff ff ff ff ff ff  |................|
    00000280  41 54 41 20 20 20 20 20  20 57 44 2d 57 4d 41 56  |ATA      WD-WMAV|
    00000290  33 43 30 38 39 37 35 38  06 50 b9 c2 00 02 00 01  |3C089758.P......|
    000002a0  00 00 00 00 09 40 f8 af  50 02 6b 90 58 2e b6 00  |.....@..P.k.X...|
    000002b0

Figure 1: A screenshot of the RAID adapter BIOS showing the SAS address.

The data block below shows the brand of the controller repeated multiple times throughout the configuration. The controller is originally produced by LSI, but re-branded to Dell.
It is unknown what the bytes marked in green mean, however they are always present after the company name. The bytes marked in red can be identified as the SAS address of the controller in reversed order.

    hexdump -C r200_raid0_80gb/port0/sector_156252335
    00000000  31 90 71 57 7b 63 53 dd  44 65 6c 6c 20 20 20 20  |1.qW{cS.Dell    |
    00000010  10 00 00 58 10 28 1f 0e  05 f1 f8 e3 19 c1 59 79  |...X.(........Yy|
    *
    00000640  44 65 6c 6c 20 20 20 20  10 00 00 58 10 28 1f 0e  |Dell    ...X.(..|
    00000650  05 f1 f8 e3 c8 78 e1 c1  00 00 ff ff 00 00 00 00  |.....x..........|
    *
    00000c00  ad 11 11 11 27 98 06 25  4c 53 49 4c 4f 47 49 43  |....'..%LSILOGIC|
    00000c10  20 20 20 20 20 20 20 20  00 b6 2e 58 90 6b 02 50  |        ...X.k.P|
    00000c20  10 00 00 58 10 28 1f 0e  ff ff ff ff ff ff ff ff  |...X.(..........|
    *
    00000e00  ee ee ee ee 90 2c 27 a7  44 65 6c 6c 20 20 20 20  |.....,'.Dell    |
    00000e10  10 00 00 58 10 28 1f 0e  05 f1 f8 e3 c8 78 e1 c1  |...X.(.......x..|
    *
    00001200  ff ff ff ff 00 00 00 00  44 65 6c 6c 20 20 20 20  |........Dell    |
    00001210  10 00 00 58 10 28 1f 0e  05 f1 f8 e3 c8 78 e1 c1  |...X.(.......x..|

Further differences were observed between different configurations however they do not seem relevant in achieving the ultimate goal of collecting data from the virtual drive.

Note 11: http://en.wikipedia.org/wiki/Serial_attached_SCSI#Identification_and_addressing

3.2 PERC H200 Adapter with 6Gbps SAS Controller

A RAID 10 comprising 4 x 80GB HDDs was set up on the PERC H200 adapter in a Dell r510 server. The RAID controller supports RAID 0, RAID 1 and RAID 10 setups. The LSI Corp Config Utility For Dell SAS Ctrl v7.11.10.00 (2011.06.02) was used to configure the array. To observe the changes in configuration one of the disks was removed from the array and replaced.

Data Structure

Preliminary tests showed that the collected data bears a high resemblance to the one from the LSI SAS 1068E controller. The size of the generated files is the same. The offset from the end of the disk is the same. In the following test the replacement disk is of a slightly different size to enforce this assumption.
The output of fdisk and smartctl found in the appendix (section 5) shows the technical details of the two different types of used disks. The relevant parts are the highlighted disk size difference, sector count and the sector numbers where the configuration data starts. The formula found in the previous section 3.1 gives the same offset of 24 Megabytes.

For the 80GB Maxtor disk:

    lastsectornumber = 156250000 - 1
    offset = (156249999 - 156200847) × 512
    offset = 25165824 bytes

For the 80GB Western Digital disk:

    lastsectornumber = 156301488 - 1
    offset = (156301487 - 156252335) × 512
    offset = 25165824 bytes

Offset in megabytes:

    offset = 25165824 bytes / (1024 × 1024)
    offset = 24 megabytes

The files holding the configuration data found on each disk can be obtained from the following location: ftp.scarlier.nl/raid_research/. All of the disks hold the data at the same offset, regardless of disk size or port number.

Data Analysis

The differences in the configuration data found on each disk are highlighted in the code block below. The parts highlighted in blue represent the serial number of the disk the data was found on. The meaning of the parts highlighted in red is unknown however it is likely they relate to the disk, as they remain the same for a specific disk.
The remainder of the configuration is identical on each disk.

    hexdump -C -s 0xA00 -n 36 r510test/port0/sector_156252335
    00000a00  33 33 33 33 67 8d ad e6  41 54 41 20 20 20 20 20  |3333g...ATA     |
    00000a10  20 57 44 2d 57 4d 41 56  33 43 30 38 39 37 35 38  | WD-WMAV3C089758|
    00000a20  06 50 b9 c2                                       |.P..|
    ----
    hexdump -C -s 0xA00 -n 36 r510test/port1/sector_156252335
    00000a00  33 33 33 33 3f 13 c2 6d  41 54 41 20 20 20 20 20  |3333?..mATA     |
    00000a10  20 57 44 2d 57 43 41 56  33 35 38 33 36 37 39 36  | WD-WCAV35836796|
    00000a20  c3 f3 fb 44                                       |...D|
    ----
    hexdump -C -s 0xA00 -n 36 r510test/port2/sector_156252335
    00000a00  33 33 33 33 7d c9 9e 8c  41 54 41 20 20 20 20 20  |3333}...ATA     |
    00000a10  20 57 44 2d 57 4d 41 56  33 41 38 38 38 35 36 33  | WD-WMAV3A888563|
    00000a20  f4 0d 6f 22                                       |..o"|
    ----
    hexdump -C -s 0xA00 -n 36 r510test/replacement_port3/sector_156200847
    00000a00  33 33 33 33 86 2c 1b 71  41 54 41 20 59 32 34 33  |3333.,.qATA Y243|
    00000a10  41 35 44 43 20 20 20 20  20 20 20 20 20 20 20 20  |A5DC            |
    00000a20  9f fe 1a f8                                       |....|

When a disk is replaced we can observe some changes in the configuration. Most of them are hard to identify, however the relevant part, the serial number of the new disk, is human readable. The serial number of the disk that was pulled is substituted by the new one padded with spaces. This means that the configuration will hold only the disks that were last used in the array. Most importantly the serial numbers of pulled disks are removed only upon substitution and rebuilding the array with the new disk. Therefore even if a RAID array was physically disassembled the data on the pulled disk proves that the configuration can still be found. Provided that the RAID array was not rebuilt with a different disk, this configuration data can yield a rebuild of the array when the other disks are obtained. The changes can be observed in the code block below. The full list of changes can be found in the appendix (section 5).
The changes are highlighted in red and the serial numbers in blue.

    hexdump -C r510test/replacement_port3/sector_156200847
    00000240  41 54 41 20 59 32 34 33  41 35 44 43 20 20 20 20  |ATA Y243A5DC    |
    00000250  20 20 20 20 20 20 20 20  9f fe 1a f8 00 02 00 04  |        ........|
    *
    00000a00  33 33 33 33 86 2c 1b 71  41 54 41 20 59 32 34 33  |3333.,.qATA Y243|
    00000a10  41 35 44 43 20 20 20 20  20 20 20 20 20 20 20 20  |A5DC            |
    00000a20  9f fe 1a f8 00 00 ff ff  ff ff ff ff ff ff ff ff  |................|
    ----
    hexdump -C r510test/pulled_port3/sector_156252335
    00000240  41 54 41 20 20 20 20 20  20 57 44 2d 57 43 41 56  |ATA      WD-WCAV|
    00000250  33 37 31 33 34 31 34 33  f0 18 4d 68 00 02 00 01  |37134143..Mh....|
    *
    00000a00  33 33 33 33 2f ef aa 35  41 54 41 20 20 20 20 20  |3333/..5ATA     |
    00000a10  20 57 44 2d 57 43 41 56  33 37 31 33 34 31 34 33  | WD-WCAV37134143|
    00000a20  f0 18 4d 68 00 00 ff ff  ff ff ff ff ff ff ff ff  |..Mh............|

The configuration found on the disks attached to this controller is similar to the one found on the SAS 6/iR adapter with the LSI SAS 1068E controller. The brand of the controller is found at the same offsets as well as the reversed SAS address of the controller. This can help in identifying the controller used for creating the array.

    hexdump -C r510test/port0/sector_156252335
    00000000  31 90 71 58 f3 92 02 a3  44 65 6c 6c 20 20 20 20  |1.qX....Dell    |
    00000010  10 00 00 72 10 28 1f 1e  02 ec 62 38 b8 74 7c 43  |...r.(....b8.t|C|
    *
    00000640  44 65 6c 6c 20 20 20 20  10 00 00 72 10 28 1f 1e  |Dell    ...r.(..|
    *
    00000c00  ad 11 11 11 76 bd 29 8f  4c 53 49 4c 4f 47 49 43  |....v.).LSILOGIC|
    00000c10  20 20 20 20 20 20 20 20  00 5b b7 55 b0 b2 42 58  |        .[.U..BX|
    *
    00000e00  ff ff ff ff 00 00 00 00  44 65 6c 6c 20 20 20 20  |........Dell    |
    00000e10  10 00 00 72 10 28 1f 1e  02 ec 62 38 55 0c 0d e9  |...r.(....b8U...|
    *
    00001200  ee ee ee ee 5c f5 a3 0d  44 65 6c 6c 20 20 20 20  |....\...Dell    |
    00001210  10 00 00 72 10 28 1f 1e  02 ec 62 38 55 0c 0d e9  |...r.(....b8U...|
    *

Figure 2: A screenshot of the RAID adapter BIOS showing the SAS address.

3.3 3ware 9650SE-24M8 RAID controller

The following tests were performed on a 3ware 9650SE-24M8 RAID controller:

- RAID 1, 2 x 80GB SATA HDDs
- RAID 5, 2 x 80GB SATA HDDs

The controller is capable of RAID 0, RAID 1, RAID 5, RAID 6, RAID 10 and RAID 50. Its technical specifications can be found on the manufacturer's website [note 12].

Figure 3: The controller's information from the BIOS.

Data Structure

The code block below shows the data structure of the configuration found on an 80GB HDD attached to port 0 in RAID 1 and an 80GB HDD attached to port 0 in RAID 5.

    supermicro_raid1_80gb/port0$ ls -l
    -rw-rw-r-- 1 scarlier scarlier  1536 Feb 12 04:53 sector_156291252
    -rw-rw-r-- 1 scarlier scarlier  1024 Feb 12 04:53 sector_156291256
    -rw-rw-r-- 1 scarlier scarlier   512 Feb 12 04:53 sector_156291268
    -rw-rw-r-- 1 scarlier scarlier 16896 Feb 12 04:53 sector_156291270
    -rw-rw-r-- 1 scarlier scarlier  1536 Feb 12 04:53 sector_156300468
    -rw-rw-r-- 1 scarlier scarlier  1024 Feb 12 04:53 sector_156300472
    -rw-rw-r-- 1 scarlier scarlier   512 Feb 12 04:53 sector_156300484
    -rw-rw-r-- 1 scarlier scarlier 16896 Feb 12 04:53 sector_156300486

    supermicro_raid5_80gb/port0$ ls -l
    -rw-rw-r-- 1 scarlier scarlier  1536 Feb 12 05:31 sector_156291252
    -rw-rw-r-- 1 scarlier scarlier  1024 Feb 12 05:31 sector_156291256
    -rw-rw-r-- 1 scarlier scarlier   512 Feb 12 05:31 sector_156291268
    -rw-rw-r-- 1 scarlier scarlier 17408 Feb 12 05:31 sector_156291270
    -rw-rw-r-- 1 scarlier scarlier  1536 Feb 12 05:31 sector_156300468
    -rw-rw-r-- 1 scarlier scarlier  1024 Feb 12 05:31 sector_156300472
    -rw-rw-r-- 1 scarlier scarlier   512 Feb 12 05:31 sector_156300484
    -rw-rw-r-- 1 scarlier scarlier 17408 Feb 12 05:31 sector_156300486

The files of the same size found on the same disk are identical. They are at a different offset. This is proven in the code block below. Since the data is repeated it is most likely done for redundancy or compatibility. Only two files are different when comparing data from different disks that belong to the same array. This is shown below.

Note 12: http://store.lsi.com/index.cfm/Clearance/SATA-II-PCI-Express-with-RAID-6/9650SE-24M8/

    supermicro_raid1_80gb$ diff port0/sector_156291252 port1/sector_156291252
    Binary files port0/sector_156291252 and port1/sector_156291252 differ
    supermicro_raid1_80gb$ diff port0/sector_156291256 port1/sector_156291256
    supermicro_raid1_80gb$ diff port0/sector_156291268 port1/sector_156291268
    supermicro_raid1_80gb$ diff port0/sector_156291270 port1/sector_156291270
    supermicro_raid1_80gb$ diff port0/sector_156300468 port1/sector_156300468
    Binary files port0/sector_156300468 and port1/sector_156300468 differ
    supermicro_raid1_80gb$ diff port0/sector_156300472 port1/sector_156300472
    supermicro_raid1_80gb$ diff port0/sector_156300484 port1/sector_156300484
    supermicro_raid1_80gb$ diff port0/sector_156300486 port1/sector_156300486

Those two files are however the same when compared with each other.

    supermicro_raid1_80gb$ diff port0/sector_156291252 port0/sector_156300468
    supermicro_raid1_80gb$ diff port1/sector_156291252 port1/sector_156300468

The configuration data is found at the same offset for both tests. More tests should be performed to ensure with a higher certainty that the offset remains the same for varying disk sizes and different configurations. For our tests the location of the data remains as shown below.

    offset = (lastsectornumber - datasectornumber) × sectorsize

For the first chunk of data:

    offset = (156301487 - 156291252) × 512 Bytes
    offset = 5240320 Bytes
    offset = 5117.5 KBytes

For the second, repeated chunk of data:

    offset = (156301487 - 156300468) × 512 Bytes
    offset = 521728 Bytes
    offset = 509.5 KBytes

Lastly for the remainder of this section we shall assume that there are two sets of data found on each disk, with the division shown below [note 13]. Those sets are identical to each other. Each of them starting 5240320 Bytes from the end of the disk and repeated 521728 Bytes from the end of the disk.
Each of them spans over 52 sectors or 26624 Bytes (or 26 Kbytes). It is probable that the information is repeated for redundancy.

    supermicro_raid5_80gb/port0$ ls -l
    -rw-rw-r-- 1 scarlier scarlier  1536 Feb 12 05:31 sector_156291252
    -rw-rw-r-- 1 scarlier scarlier  1024 Feb 12 05:31 sector_156291256
    -rw-rw-r-- 1 scarlier scarlier   512 Feb 12 05:31 sector_156291268
    -rw-rw-r-- 1 scarlier scarlier 17408 Feb 12 05:31 sector_156291270
    -rw-rw-r-- 1 scarlier scarlier  1536 Feb 12 05:31 sector_156300468
    -rw-rw-r-- 1 scarlier scarlier  1024 Feb 12 05:31 sector_156300472
    -rw-rw-r-- 1 scarlier scarlier   512 Feb 12 05:31 sector_156300484
    -rw-rw-r-- 1 scarlier scarlier 17408 Feb 12 05:31 sector_156300486

Note 13: 8 separate files are a result of the script used to collect the data. The source can be found in the appendix.

Data Analysis

Since the data resides twice on every drive the following analysis applies to the data starting at 5240320 Bytes and 521728 Bytes from the end of the disk. The only difference between the data collected from disks that belong to the same array is highlighted below in red. The byte at offset 0x1A correlates with the port number the disk is attached to. This is true for all the tests. Not much can be said for the byte at 0x2 apart from the fact that it increments by 0x1 as the port number increases.
The bytes marked in blue represent the brand of the controller (at 0x8) and the serial numbers of all the disks that belong to the array (at 0x23E and 0x253).

    hexdump -C supermicro_raid1_80gb/port0/sector_156300468
    00000000  44 69 e4 b5 00 00 00 00  33 57 61 72 65 44 43 42  |Di......3WareDCB|
    00000010  00 00 00 00 01 00 00 00  06 90 00 4e 28 0a 0f 00  |...........N(...|

    hexdump -C supermicro_raid1_80gb/port1/sector_156300468
    00000000  44 69 e5 b5 00 00 00 00  33 57 61 72 65 44 43 42  |Di......3WareDCB|
    00000010  00 00 00 00 01 00 00 00  06 90 01 4e 28 0a 0f 00  |...........N(...|

    hexdump -C supermicro_raid1_80gb/port0/sector_156300468
    00000230  2a 00 00 00 a6 ca 00 00  65 20 20 20 20 20 57 44  |*.......e     WD|
    00000240  2d 57 43 41 56 33 37 31  33 34 31 34 33 65 20 20  |-WCAV37134143e  |
    00000250  20 20 20 57 44 2d 57 4d  41 56 33 41 38 38 38 35  |   WD-WMAV3A8885|
    00000260  36 33 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |63..............|
    *
    00000510  00 00 00 00 00 00 00 00  2a 00 00 00 a6 ca 00 00  |........*.......|
    00000520  65 20 20 20 20 20 57 44  2d 57 43 41 56 33 37 31  |e     WD-WCAV371|
    00000530  33 34 31 34 33 65 20 20  20 20 20 57 44 2d 57 4d  |34143e     WD-WM|
    00000540  41 56 33 41 38 38 38 35  36 33 00 00 00 00 00 00  |AV3A888563......|
    00000550  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    00000600

The data below shows a part of the configuration from a RAID 5 array from the disk attached at port 0. It starts at sector 156291252. The structure appears to be similar to the one of RAID 1.
Here we can also find the serial numbers of each used disk, however the serial number of the configured hot spare disk is not present.

    hexdump -C supermicro_raid5_80gb/port0/sector_156291252
    00000000  44 69 e4 b5 00 00 00 00  33 57 61 72 65 44 43 42  |Di......3WareDCB|
    *
    00000230  3f 00 00 00 0b 7d 00 00  63 20 20 20 20 20 57 44  |?....}..c     WD|
    00000240  2d 57 43 41 56 33 35 38  33 36 37 39 36 65 20 20  |-WCAV35836796e  |
    00000250  20 20 20 57 44 2d 57 43  41 56 33 37 31 33 34 31  |   WD-WCAV371341|
    00000260  34 33 65 20 20 20 20 20  57 44 2d 57 4d 41 56 33  |43e     WD-WMAV3|
    00000270  41 38 38 38 35 36 33 00  00 00 00 00 00 00 00 00  |A888563.........|
    00000280  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    00000510  00 00 00 00 00 00 00 00  3f 00 00 00 0b 7d 00 00  |........?....}..|
    00000520  63 20 20 20 20 20 57 44  2d 57 43 41 56 33 35 38  |c     WD-WCAV358|
    00000530  33 36 37 39 36 65 20 20  20 20 20 57 44 2d 57 43  |36796e     WD-WC|
    00000540  41 56 33 37 31 33 34 31  34 33 65 20 20 20 20 20  |AV37134143e     |
    00000550  57 44 2d 57 4d 41 56 33  41 38 38 38 35 36 33 00  |WD-WMAV3A888563.|
    00000560  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    00000600

Figure 4: The controller's BIOS showing the SN of the disk attached to port 0.

Figure 5: The controller's BIOS showing the SN of the disk attached to port 1.

At offset 0x1F (starting at sector 156291256) we can find the array name, which is a value that can be set in the BIOS.

    hexdump -C supermicro_raid1_80gb/port0_afterreplacement/sector_156291256
    00000000  29 6e d0 85 02 00 00 00  03 40 00 00 22 22 a0 00  |)n.......@..""..|
    00000010  98 00 08 00 00 03 0e 01  00 01 00 03 11 15 00 46  |...............F|
    00000020  6f 72 65 6e 73 69 63 73  00 00 00 00 00 00 00 00  |orensics........|
    00000030  00 00 00 00 00 03 12 14  00 33 37 31 33 34 31 34  |.........3713414|
    00000040  33 30 30 30 32 30 33 30  30 31 46 45 43 00 03 15  |3000203001FEC...|

Figure 6: The array name of the RAID 1 configuration.

There are various small differences between the RAID 1 and RAID 5 configuration data, however due to the sample size of the tests, illegibility of the data and no apparent relation to the controller information presented they are omitted from the chapter. The data found in this section is relevant for both levels of RAID. For reference and completeness the data can be obtained from ftp.scarlier.nl/raid_research/.

Lastly there is one block of data that is shared between the RAID 5 configuration and a hot spare disk in slot 3. A hot spare was only configured for the RAID 5 and is not present in the RAID 1 configuration.

    cmp -s supermicro_raid5_80gb/port0/sector_156300486 supermicro_raid5_80gb/port3_hotspare/sector_156300486 0x4200 0x4200

    hexdump -s 0x4200 -C supermicro_raid5_80gb/port3_hotspare/sector_156300486
    00004200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    00004380  00 00 00 00 c5 27 26 0f  b6 4f 5a 83 f9 01 0f 85  |.....'&..OZ.....|
    00004390  fc 01 83 c3 58 bf 79 28  e8 f8 e5 b9 00 00 0f 84  |....X.y(........|
    000043a0  ec 01 26 8b 5f 06 2e 89  1e db 58 26 8b 7f 06 26  |..&._.....X&...&|
    000043b0  80 7f 0c 02 75 09 26 80  7d 02 0f 0f 84 eb 01 26  |....u.&.}......&|
    000043c0  8b 47 09 83 e0 02 d1 e8  26 a3 36 28 26 a3 34 28  |.G......&.6(&.4(|
    000043d0  26 a3 78 28 26 8b 47 09  83 e0 10 c1 e8 04 26 a3  |&.x(&.G.......&.|
    000043e0  06 28 26 a3 08 28 26 8b  47 09 25 00 08 c1 e8 0b  |.(&..(&.G.%.....|
    000043f0  26 a3 02 28 26 a3 04 28  26 8a 47 0b f6 d0 24 06  |&..(&..(&.G...$.|
    00004400

We believe that this is done to bind a hot spare with a RAID array for the following reasons:

- It is present both in RAID 5's configuration and in the hot spare's configuration.
- It is the biggest seemingly random chunk of data shared between them.
- It is entirely absent in the RAID 1 configuration which does not have a hot spare. Making this configuration 512 Bytes shorter.

However this is an assumption that requires further testing. It was not tested further due to the lack of value of the data found. The hot spare was tested to see if it includes the Serial Numbers of the RAID 5 array. Those were not found.
Those were not found.LastlyahotsparedoesnotactivelyparticipateinaRAIDuntil anotherdiskfails14.14http://en.wikipedia.org/wiki/Hot_spare#Computer_usage19HWRAIDforensics4 Conclusions4 ConclusionsThissectionsummarizesthendingsof theprojectandanswerstheresearchquestionsformulatedintheintroduction1.CanRAIDcongurationdatabeacquiredfromablockdevice?Yes,therawRAIDcongurationdatacanbeacquiredfromablockdeviceasitisstoredonthedisksonreadablesectors. Ourresearchshowsthatthisdataseemsbestoredataxedoset15. Thisisareasonableclaimconsideringthat a dierent controller of the same model is required to correctly identify theRAIDconguration. Theosetcanbedierentfordierentcontrollers: TheSAS6/iRadapterwithLSISAS1068Econtrollerholdsthedata24Megabytesfromtheendofthedisks, ThePERCH200Adapterwith6GbpsSASControllerholdsthedata24Megabytesfromtheendofthedisk, The 3ware 9650SE-24M8 RAID controller holds identical data 5117.5 Kilo-bytesand509.5Kilobytesfromtheendofthedisk.In the case of the rst two controllers the location of the data and its struc-ture is identical. Therefore it is safe to assume that they use the same algorithmtostoreandreadtheconguration, alsoconsideringthatbothcomefromthesamecompanyandhavesimilarcapabilities.Furthermorethecongurationdataisstoredonall of thedisks, andonlyonthosedisks, thatbelongtotheRAIDarray. Thecongurationremainsonthedisksafterthedisksarephysicallyremoved.The described process can help in data acquisition in a forensically sound man-nerasitdoesnotmanipulatetheacquiredevidence. Itiscrucial tonotethatthe above does not prove with certainty that the acquired information will resultinasuccessfulRAIDdiskreassembly. HoweveritgivestheinvestigatoraclueorguidelineastowhichdisksandwhatcontrollertousetoreassembleaRAIDdisk. 
If the virtual disk is reassembled successfully then the final goal is reached and in turn it proves the hypothesis that the collected configuration data was correct.

The prerequisite to obtaining the configuration data is that the forensics investigator needs to know at what offset the data is stored and the size of the data. As this paper shows the data structure of the configuration is vendor specific. In an ideal case a forensics investigator should document the configuration structure and location for as many controllers as possible following the guidelines of this paper. This adds initial overhead to a forensics investigation. However when configuration mappings for each controller are known then collected data can be compared to those mappings. This process can be automated.

Footnote 15: for the controllers that were tested

Can the acquired data be useful for reassembling a RAID array?

As mentioned before a RAID controller of the same model (and possibly other models that use the same firmware) will identify a previously constructed RAID volume. The volume can be reassembled if all of the originally used disks (footnote 16) are present. Therefore only two specific values need to be acquired, namely a unique identifier of each used disk and the RAID controller's type.

From each disk that was part of a RAID volume we can acquire the following data:

- Serial Numbers of each disk that belong to a RAID volume. This helps identify which disks to use for reassembly.
- Position of the disk in an array - provides information on which port the disk should be connected to.
- SAS address of the controller - can help identify the specific controller if the forensics investigator holds a database of SAS addresses.
- Brand of the controller - can help identify which model of controller should be used for reassembly.

Furthermore based on the data structure of the configuration, the investigator can guess what controller should be used for reassembly, as the structure differs greatly when a controller of a different brand is used. In other words it is possible to deduce the type of controller from the location and structure of the configuration.
This approach requires documenting the configuration of multiple different models of controllers, which can initially add overhead to data acquisition.

Lastly all of the acquired data can of course be manipulated or overwritten by the user before the seizure of the disks. This however destroys the RAID volume resulting in loss of data, therefore the user would need to anticipate the seizure. If this happens a forensics investigator would need to use the manual approach mentioned in the introduction (section 1).

Future research

Since some RAID controllers use internal memory we propose to research if that data is retained and if it can be acquired directly from the controller. A comparison of such data to the configuration data found on the disks might prove useful.

Footnote 16: Bearing in mind RAID redundancy

References

[1] RAID Reassembly - A forensic Challenge. Dr Michael Cohen. http://pyflag.sourceforge.net/Documentation/articles/raid/reconstruction.html Published on August 18, 2005
[2] Common RAID Disk Data Format Specification. Bill Dawkins. http://www.snia.org/sites/default/files/SNIA_DDF_Technical_Position_v2.0.pdf Version 2.0 Revision 19. Published on March 27, 2009
[3] SAS IR Product Brief. http://www.lsi.com/downloads/Public/SAS%20ICs/SAS%20ICs%20Common%20Files/SCG_LSI_SAS_3Gbps_IR_PB_011408.pdf Published on January 14, 2008
[4] LSISAS1068E Product Brief. http://www.lsi.com/downloads/Public/SAS%20ICs/LSISAS1068E/SCG_LSISAS1068E_PB_040407.pdf Published on February 21, 2006
[5] PERC H200 Adapter with 6Gbps SAS controller Product Brief. http://accessories.us.dell.com/sna/productdetail.aspx?c=us&l=en&s=gen&sku=342-1597
[6] 3ware 9650SE-24M8 RAID Controller Product Brief. http://store.lsi.com/index.cfm/Clearance/SATA-II-PCI-Express-with-RAID-6/9650SE-24M8/
[7] Information Technology - AT Attachment. Peter T. McLean. http://www.t10.org/t13/project/d1321r3-ATA-ATAPI-5.pdf Revision 3. Published on February 29, 2000
[8] Introduction to Serial Attached SCSI. http://docs.oracle.com/cd/E19494-01/820-1260-15/appendixg.html#50548798_66057 Published by Sun Microsystems, Inc.
5 Appendices

Python script for collecting data from disks

    #! /home/scarlier/bin/py
    import os.path, sys, subprocess, re, argparse

    #parsing input arguments
    parser = argparse.ArgumentParser(description='The script dumps all nonzero blocks from a device or file')
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument('-d', '--disk', help='specify block device to analyze')
    group.add_argument('-i', '--image', help='specify disk image to analyze')
    parser.add_argument('-s', '--sector', help='specify starting sector (size is set to 512 bytes), DEFAULT=0', type=int, default=0)
    parser.add_argument('-e', '--erase', action='count', help='erase data from device', default=0)
    parser.add_argument('-r', '--retrieve', action='count', help='retrieve data from device', default=0)
    args = parser.parse_args()

    #The function below saves the device name and checks its number of sectors
    if args.disk:
        dev_name = args.disk
        hd_info = subprocess.check_output(['hdparm', '-g', dev_name], universal_newlines=True)
        m = re.search('(? [...] = byte_cnt or 104857600 > byte_cnt:
                break
            else:
                device.write(empty104857600)
                start_byte += 104857600
                print(start_byte)
        device.close()

    if args.retrieve == 1:
        retrieve_raid(devname, args.sector)
    if args.erase == 1:
        zero_out(devname, args.sector, byte_cnt)

fdisk output for the disks attached to the SAS 6/iR adapter with LSI SAS1068E controller

    Disk /dev/sdb: 80.0 GB, 80026361856 bytes
    255 heads, 63 sectors/track, 9729 cylinders, total 156301488 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    ----
    Disk /dev/sdb: 160.0 GB, 160041885696 bytes
    255 heads, 63 sectors/track, 19457 cylinders, total 312581808 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes

fdisk and smartctl output for the disks attached to the PERC H200 Adapter with 6Gbps SAS Controller

    cat r510test/replacement_port3/smartctl.txt
    Model Family: Maxtor DiamondMax Plus 9
    Device Model: Maxtor 6Y080M0
    Serial Number: Y243A5DC
    Firmware Version: YAR51HW0
    User Capacity: 80,000,000,000 bytes [80.0 GB]
    Sector Size: 512 bytes logical/physical

    cat r510test/replacement_port3/fdisk.txt
    Disk /dev/sdb: 80.0 GB, 80000000000 bytes
    255 heads, 63 sectors/track, 9726 cylinders, total 156250000 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x00000000

    r510test/replacement_port3$ ls -l
    -rw-r--r-- 1 scarlier scarlier 7680 Feb 1 06:20 sector_156200847
    -rw-r--r-- 1 scarlier scarlier 512 Feb 1 06:20 sector_156249999
    ----
    cat r510test/pulled_port3/smartctl.txt
    Model Family: Western Digital Caviar Blue Serial ATA
    Device Model: WDC WD800AAJS-00L7A0
    Serial Number: WD-WCAV37134143
    LU WWN Device Id: 5 0014ee 10268cc90
    Firmware Version: 01.03E01
    User Capacity: 80,026,361,856 bytes [80.0 GB]
    Sector Size: 512 bytes logical/physical

    cat r510test/pulled_port3/fdisk.txt
    Disk /dev/sdc: 80.0 GB, 80026361856 bytes
    255 heads, 63 sectors/track, 9729 cylinders, total 156301488 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x00000000

    r510test/pulled_port3$ ls -l
    -rw-r--r-- 1 scarlier scarlier 7680 Feb 3 14:12 sector_156252335
    -rw-r--r-- 1 scarlier scarlier 512 Feb 3 14:12 sector_156301487

List of the files holding the configuration data found on each disk on the PERC H200 Adapter with 6Gbps SAS Controller

    r510test/port0$ ls -l
    -rw-r--r-- 1 scarlier scarlier 7680 Feb 3 15:08 sector_156252335
    -rw-r--r-- 1 scarlier scarlier 512 Feb 3 15:08 sector_156301487
    r510test/port1$ ls -l
    -rw-r--r-- 1 scarlier scarlier 7680 Feb 3 15:59 sector_156252335
    -rw-r--r-- 1 scarlier scarlier 512 Feb 3 15:59 sector_156301487
    r510test/port2$ ls -l
    -rw-r--r-- 1 scarlier scarlier 7680 Feb 3 16:48 sector_156252335
    -rw-r--r-- 1 scarlier scarlier 512 Feb 3 16:48 sector_156301487
    r510test/replacement_port3$ ls -l
    -rw-r--r-- 1 scarlier scarlier 7680 Feb 1 06:20 sector_156200847
    -rw-r--r-- 1 scarlier scarlier 512 Feb 1 06:20 sector_156249999

Changes in the configuration after disk replacement on the PERC H200 Adapter with 6Gbps SAS Controller

    hexdump -C r510test/replacement_port3/sector_156200847
    00000000 31 90 71 58 5d 5f 78 43 44 65 6c 6c 20 20 20 20 |1.qX]_xCDell    |
    00000010 10 00 00 72 10 28 1f 1e 02 ec 62 38 b8 74 7c 43 |...r.(....b8.t|C|
    00000020 30 31 2e 30 30 2e 30 30 00 00 00 11 02 ec 6c 94 |01.00.00......l.|
    *
    00000060 00 00 00 00 09 4f 6f 8f ff ff ff ff ff ff ff ff |.....Oo.........|
    00000070 01 ff ff ff 00 00 80 00 00 00 00 00 09 4f af 8f |.............O..|
    *
    00000200 22 22 22 22 ce cc 09 62 00 04 00 0e ff ff ff ff |""""...b........|
    00000210 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    *
    00000240 41 54 41 20 59 32 34 33 41 35 44 43 20 20 20 20 |ATA Y243A5DC    |
    00000250 20 20 20 20 20 20 20 20 9f fe 1a f8 00 02 00 04 |        ........|
    00000260 00 00 00 00 09 40 2f 8f 58 42 b2 b0 55 b7 5b 00 |.....@/.XB..U.[.|
    *
    00000600 dd dd dd dd 01 b3 12 db 00 01 00 02 ff ff ff ff |................|
    00000610 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    *
    00000640 44 65 6c 6c 20 20 20 20 10 00 00 72 10 28 1f 1e |Dell    ...r.(..|
    00000650 02 ec 62 38 55 0c 0d e9 ff ff ff ff 00 00 00 00 |..b8U...........|
    00000660 f1 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    *
    00000a00 33 33 33 33 86 2c 1b 71 41 54 41 20 59 32 34 33 |3333.,.qATA Y243|
    00000a10 41 35 44 43 20 20 20 20 20 20 20 20 20 20 20 20 |A5DC            |
    00000a20 9f fe 1a f8 00 00 ff ff ff ff ff ff ff ff ff ff |................|
    *
    00000e00 ee ee ee ee f9 37 cd c9 44 65 6c 6c 20 20 20 20 |.....7..Dell    |
    00000e10 10 00 00 72 10 28 1f 1e 02 ec 62 38 55 0c 0d e9 |...r.(....b8U...|
    00000e20 02 ec 6c 94 00 00 00 02 ff ff ff ff ff ff ff ff |..l.............|
    *
    00000fe0 09 00 01 ff 91 00 01 01 80 00 ff ff ff ff ff ff |................|
    00000ff0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    00001000 c3 f3 fb 44 06 50 b9 c2 f4 0d 6f 22 9f fe 1a f8 |...D.P....o"....|
    *
    00001220 02 ec 6c 93 00 00 00 01 ff ff ff ff ff ff ff ff |..l.............|
    *
    000013e0 09 00 01 ff 91 00 00 01 80 00 ff ff ff ff ff ff |................|
    000013f0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    00001400 c3 f3 fb 44 06 50 b9 c2 f4 0d 6f 22 9f fe 1a f8 |...D.P....o"....|
    ----
    hexdump -C r510test/pulled_port3/sector_156252335
    00000000 31 90 71 58 fa 0e ce bc 44 65 6c 6c 20 20 20 20 |1.qX....Dell    |
    00000010 10 00 00 72 10 28 1f 1e 02 ec 62 38 b8 74 7c 43 |...r.(....b8.t|C|
    00000020 30 31 2e 30 30 2e 30 30 00 00 00 07 02 ec 62 38 |01.00.00......b8|
    *
    00000060 00 00 00 00 09 50 38 af ff ff ff ff ff ff ff ff |.....P8.........|
    00000070 01 ff ff ff 00 00 80 00 00 00 00 00 09 50 78 af |.............Px.|
    *
    00000200 22 22 22 22 62 d4 ce c2 00 04 00 0e ff ff ff ff |""""b...........|
    00000210 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    *
    00000240 41 54 41 20 20 20 20 20 20 57 44 2d 57 43 41 56 |ATA      WD-WCAV|
    00000250 33 37 31 33 34 31 34 33 f0 18 4d 68 00 02 00 01 |37134143..Mh....|
    00000260 00 00 00 00 09 40 f8 af 58 42 b2 b0 55 b7 5b 00 |.....@..XB..U.[.|
    *
    00000600 dd dd dd dd b3 9e bf 13 00 01 00 02 ff ff ff ff |................|
    *
    00000660 f0 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    *
    00000a00 33 33 33 33 2f ef aa 35 41 54 41 20 20 20 20 20 |3333/..5ATA     |
    00000a10 20 57 44 2d 57 43 41 56 33 37 31 33 34 31 34 33 | WD-WCAV37134143|
    00000a20 f0 18 4d 68 00 00 ff ff ff ff ff ff ff ff ff ff |..Mh............|
    *
    00000e00 ee ee ee ee ac c5 2a 58 44 65 6c 6c 20 20 20 20 |......*XDell    |
    00000e10 10 00 00 72 10 28 1f 1e 02 ec 62 38 55 0c 0d e9 |...r.(....b8U...|
    00000e20 02 ec 62 38 00 00 00 02 ff ff ff ff ff ff ff ff |..b8............|
    *
    00000fe0 09 00 01 ff 91 00 00 01 80 00 ff ff ff ff ff ff |................|
    00000ff0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    00001000 c3 f3 fb 44 06 50 b9 c2 f4 0d 6f 22 f0 18 4d 68 |...D.P....o"..Mh|
    *
    00001220 02 ec 62 38 00 00 00 01 ff ff ff ff ff ff ff ff |..b8............|
    *
    000013e0 09 00 01 ff 94 00 00 00 80 00 ff ff ff ff ff ff |................|
    000013f0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    00001400 c3 f3 fb 44 06 50 b9 c2 f4 0d 6f 22 f0 18 4d 68 |...D.P....o"..Mh|
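The conclusions state that comparing collected data against known controller mappings can be automated; the following Python code is an added example of that step for the PERC H200 layout, not the author's script. It reads the last 49153 sectors of an image, groups non-zero sectors into runs (matching the sector_N files listed in the appendix), and extracts the vendor string and the "ATA " serial fields from each run. The function names and the constructed sample image are assumptions; the offsets (49153 sectors from the end, vendor at byte 8, "ATA " followed by a 20-byte padded serial) are read off the appendix listings.

```python
import io
import re

SECTOR = 512
# From the appendix listings: sector_156252335 on a 156301488-sector disk and
# sector_156200847 on a 156250000-sector disk both start 49153 sectors
# (24 MiB plus one sector) before the end of the disk.
TAIL_SECTORS = 49153

def nonzero_runs(img, total_sectors, tail=TAIL_SECTORS):
    """Read the disk tail (no writes); return [(start_lba, data)] per non-zero run."""
    runs, start, buf = [], None, bytearray()
    first = max(total_sectors - tail, 0)
    img.seek(first * SECTOR)
    for lba in range(first, total_sectors):
        sector = img.read(SECTOR)
        if sector.strip(b"\x00"):          # sector holds at least one non-zero byte
            if start is None:
                start = lba
            buf += sector
        elif start is not None:            # a zero sector closes the current run
            runs.append((start, bytes(buf)))
            start, buf = None, bytearray()
    if start is not None:
        runs.append((start, bytes(buf)))
    return runs

def describe(blob):
    """Vendor string at bytes 8..15 and each 'ATA ' + 20-byte padded serial field."""
    vendor = blob[8:16].decode("ascii", "replace").strip(" \x00")
    serials = {m.group(1).decode("ascii").strip()
               for m in re.finditer(rb"ATA ([\x20-\x7e]{20})", blob)}
    return vendor, sorted(serials)

def build_sample(total_sectors=50000):
    """Constructed test image: zeroed disk, one 7680-byte block, one last sector."""
    disk = bytearray(total_sectors * SECTOR)
    cfg = bytearray(b"\xff" * 7680)                      # 0xff filler, as in the dumps
    cfg[0:16] = bytes.fromhex("31907158fa0ecebc") + b"Dell    "
    field = b"ATA " + b"WD-WCAV37134143".rjust(20)       # serial from the pulled disk
    cfg[0x240:0x258] = field
    cfg[0xa08:0xa20] = field
    at = (total_sectors - TAIL_SECTORS) * SECTOR
    disk[at:at + len(cfg)] = cfg
    disk[-4:] = b"\x01\x02\x03\x04"                      # constructed last-sector content
    return io.BytesIO(disk)

if __name__ == "__main__":
    for lba, data in nonzero_runs(build_sample(), 50000):
        print(lba, len(data), describe(data))
```

On real evidence, pass a file object opened with mode "rb" on an image or a write-blocked device, with total_sectors taken from the fdisk output.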