
ASSIGNMENT 2 - RAID File System Forensics

20067817 Danny O’Leary


Introduction

RAID (Redundant Array of Independent Disks) is a system used to create data redundancy and large drives. There are many different types of RAID, and some of the aims of RAID are to:

1. Be failure resistant: in the case of RAID this means that it will be able to protect data even when a drive fails, where other systems might potentially crash.
2. Be failure tolerant: as with being failure resistant, it is also important that no single component can cause issues like this, and RAID also protects against this.

When using RAID, usually more than one disk is used for data redundancy and to have backups of the file system, but the machine itself may still only see one volume for the RAID system. There are many different types of RAID, which operate in slightly different ways. RAID can also be hardware or software based. Some of the different types of RAID are:

RAID 0: In this there are 2 disks that are used to store information. These both store separate information, so if one of them has a fault, the other information is still stored.

RAID 1: In this there are also 2 disks, but instead of having separate data they have the same data on both. This is done so that if one disk fails, you still have all the information.

RAID 3: In this version of RAID there are 3 disks. The first two work the very same as RAID 0. The third disk is added to hold parity bits, computed with exclusive or, so that the information of a failed disk can be worked out by doing exclusive or on the other two disks.

For this assignment I will be attempting to set up a RAID array using Linux with the software mdadm and gparted, and forensically analysing them.
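To make the three RAID levels above concrete, here is an added Python simulation (not part of the assignment) that stripes data over two disks for RAID 0, mirrors it for RAID 1, and for RAID 3 builds the XOR parity disk and then rebuilds a failed disk from the two survivors. The 4-byte stripe unit and the sample data are constructed for the example.

```python
# Added simulation of the RAID levels described above (not part of the
# assignment). The 4-byte stripe unit and the sample data are constructed.
STRIPE = 4


def raid0_write(data: bytes) -> list:
    """RAID 0: alternate stripe units across two disks; no redundancy, so a
    failed disk takes its stripes with it."""
    units = [data[i:i + STRIPE] for i in range(0, len(data), STRIPE)]
    return [b"".join(units[0::2]), b"".join(units[1::2])]


def raid1_write(data: bytes) -> list:
    """RAID 1: the same data is written to both disks (mirroring)."""
    return [data, data]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def raid3_write(data: bytes) -> list:
    """RAID 3: stripe over two data disks as in RAID 0, and store the XOR of
    the two data disks on a third, dedicated parity disk."""
    d0, d1 = raid0_write(data)
    d1 = d1.ljust(len(d0), b"\0")      # pad so every stripe has a partner
    return [d0, d1, xor_bytes(d0, d1)]


def raid3_rebuild(disks: list, failed: int) -> bytes:
    """Recover any one failed disk (data or parity) by XORing the other two,
    since d0 ^ d1 ^ parity == 0 at every byte position."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return xor_bytes(survivors[0], survivors[1])


def raid3_read(disks: list, length: int) -> bytes:
    """Reassemble the original data by interleaving the two data disks."""
    d0, d1 = disks[0], disks[1]
    out = b"".join(d0[i:i + STRIPE] + d1[i:i + STRIPE]
                   for i in range(0, len(d0), STRIPE))
    return out[:length]


def demo() -> bytes:
    """Lose the second data disk, rebuild it from parity, and read back."""
    data = b"forensics on RAID!"
    disks = raid3_write(data)
    disks[1] = None                    # simulate the failed USB stick
    disks[1] = raid3_rebuild(disks, 1)
    return raid3_read(disks, len(data))
```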


Setup

Downloaded mdadm using sudo apt-get install mdadm. mdadm is Linux software used to create RAID arrays from 2 hard drives or other storage devices such as USB sticks. In my case I decided to use 2 USB sticks to create the RAID array (Raid.wiki.kernel.org, 2016). The type of RAID system that is created by mdadm is software RAID.

Downloaded gparted using sudo apt-get install gparted. GParted is software for Linux that allows partitions to be edited. It allows a user to move, resize or copy partitions (Gedak, 2016). With it I can create unformatted partitions that can then be used with mdadm to create a RAID array.


I used gparted to format the USB stick into two partitions to ensure the partitions were the same sizes. I did this with both USB sticks and made them match in size.


The next thing that I did was to combine these to create a RAID file system. To do this I again used the mdadm command, this time to create a RAID array.

This command is used to create the RAID array at the device /dev/md0 using two different devices. In this case they were sdc and sdd, which were my two USB sticks. I used RAID 1 because it includes mirroring, which isn’t included in RAID 0. This gives you backups of drives: if something goes wrong with one, you have another. It might be better to use RAID 3 in certain circumstances, because the parity bits allow either disk to be worked back from the other disk together with the third one. However, RAID 3 is not supported by Linux, and the other levels also require more than two drives, which I didn’t have, so I chose RAID 1.


When I completed the tasks above to create RAID 1, it showed as RAID 1, but to use it there also had to be another file system on it, and it was suggested to use one of the ext file systems. Since it wouldn’t work for me without this, I decided to use ext2. I wasn’t able to get the information from the partitions using the mmls command, so instead I went through the information that the fsstat command gave. I also tried to dd this file, but to no avail: all of the information just read as 0’s.

An example of how this file system is laid out:

Superblock

Group Descriptor Table

Data Bitmap

Inode Bitmap

Inode Table

Free Inodes

Free Blocks
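The layout above is what fsstat derives from the ext2 superblock, which always sits 1024 bytes into the volume. As an added example (not part of the assignment), the following Python reads those superblock fields from a constructed image, works out the block-group figures fsstat prints, and lays out the group 0 structures in the order listed; it also returns None for an all-zero dump like the one dd gave, since the 0xEF53 magic is missing. The sample volume name and counts are constructed; the field offsets are those of the public ext2 format.

```python
import struct
from math import ceil

# ext2 on-disk constants (public format); the sample image further down is
# constructed for this added example, not dumped from the USB sticks.
SB_OFFSET, SB_SIZE, EXT2_MAGIC, DESC_SIZE = 1024, 1024, 0xEF53, 32


def parse_superblock(image: bytes) -> "dict | None":
    """Values fsstat reports for an ext2 volume, or None if the bytes at
    offset 1024 are not an ext2 superblock (e.g. an all-zero dd dump)."""
    if len(image) < SB_OFFSET + SB_SIZE:
        return None
    sb = image[SB_OFFSET:SB_OFFSET + SB_SIZE]
    if struct.unpack_from("<H", sb, 56)[0] != EXT2_MAGIC:
        return None
    inodes, blocks, _, _, _, first_data, log_bs = struct.unpack_from("<7I", sb, 0)
    blocks_per_group, _, inodes_per_group = struct.unpack_from("<3I", sb, 32)
    inode_size = struct.unpack_from("<H", sb, 88)[0]
    block_size = 1024 << log_bs
    groups = ceil((blocks - first_data) / blocks_per_group)
    return {"volume_name": sb[120:136].split(b"\0", 1)[0].decode("ascii", "replace"),
            "block_size": block_size, "blocks": blocks, "inodes": inodes,
            "block_groups": groups, "blocks_per_group": blocks_per_group,
            "inodes_per_group": inodes_per_group, "first_data_block": first_data,
            "inode_table_blocks": inodes_per_group * inode_size // block_size,
            "gdt_blocks": ceil(groups * DESC_SIZE / block_size)}

def group0_layout(info: dict) -> dict:
    """Block ranges of group 0 in the order listed above, assuming the simple
    layout with no reserved GDT blocks (a real volume's ranges come from its
    group descriptors; fsstat prints them in this same start-end form)."""
    sb = info["first_data_block"]
    gdt_end = sb + info["gdt_blocks"]
    it_end = gdt_end + 2 + info["inode_table_blocks"]
    return {"superblock": (sb, sb), "group_descriptor_table": (sb + 1, gdt_end),
            "data_bitmap": (gdt_end + 1, gdt_end + 1),
            "inode_bitmap": (gdt_end + 2, gdt_end + 2),
            "inode_table": (gdt_end + 3, it_end),
            "data_blocks": (it_end + 1, sb + info["blocks_per_group"] - 1)}

def build_sample_image() -> bytes:
    """Constructed header of a 16 MiB ext2 volume: 1 KiB blocks, 16384 blocks."""
    sb = bytearray(SB_SIZE)
    struct.pack_into("<7I", sb, 0, 4096, 16384, 819, 15800, 4000, 1, 0)  # counts, first block, log size
    struct.pack_into("<3I", sb, 32, 8192, 8192, 2048)   # blocks, frags, inodes per group
    struct.pack_into("<H", sb, 56, EXT2_MAGIC)
    struct.pack_into("<H", sb, 88, 128)                 # inode size in bytes
    sb[120:127] = b"usbraid"
    return bytes(SB_OFFSET) + bytes(sb)                 # boot block of zeros, then superblock
```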


This is the information that I could find on one of the USB sticks. It’s hard to make any sense of it, but we can see that there’s a partition table from bytes 2 – 32. I used the dd command to try to pull out the partition table, but again it didn’t give back any valid information that could be used. It also says that it is a GUID partition table that uses EFI.

I also used the mmls command on the other USB stick, but this time it said that it couldn’t locate any partitions. So instead I ran the fsstat command to check whether there was any information that could be found from that. Using the fsstat command on this USB stick also didn’t work.


References

Gedak, C. (2016). GParted -- A free application for graphically managing disk device partitions. [online] Gparted.org. Available at: http://gparted.org/ [Accessed 26 Apr. 2016].

Raid.wiki.kernel.org. (2016). RAID setup - Linux Raid Wiki. [online] Available at: https://raid.wiki.kernel.org/index.php/RAID_setup [Accessed 26 Apr. 2016].

Anon. (2016). [online] Available at: http://www.mysolutions.it/tutorial-mdadm-software-raidubuntu-debian-systems/ [Accessed 26 Apr. 2016].

