CENTRE FOR CYBERCRIME INVESTIGATION TRAINING & RESEARCH

SEIZURE, ACQUISITION AND RECONSTRUCTION OF DATA

AUTHOR

Shashidhar T K
Principal Consultant,
Data Security Council of India

DISCLAIMER

This report contains information that is Intellectual Property of CCITR. This

paper represents the opinions of the author. No part of this paper can be
reproduced in any form whatsoever. The information contained herein has
been obtained from sources, believed to be reliable. However, the author
expressly disclaims all warranties, express or implied, as to the accuracy,
completeness, or adequacy of the information. CCITR shall have no liability
for errors, omissions or inadequacies in the information contained herein, or
for interpretations thereof.

Published by Centre for Cybercrime Investigation Training & Research

(CCITR), CID, Bengaluru.

Copyright © 2024 CCITR

INTRODUCTION

The ubiquitous integration of Redundant Array

of Independent Disks (RAID) technology across a
spectrum of computing platforms, from
personal computers to high-performance
servers and network-attached storage devices,
has become an indispensable component of
modern digital infrastructure. This widespread
adoption significantly elevates the likelihood of
forensic investigators encountering RAID
configurations during digital investigations. Therefore, a comprehensive
understanding of RAID configurations, and associated forensic challenges is
imperative for the successful recovery and analysis of digital evidence.

What is RAID?

RAID is a storage technology that combines multiple physical disks into a single
logical unit. It offers data redundancy, improved performance and scalability.
RAID can be implemented using either hardware-based or software-based
approaches. Hardware RAID employs dedicated hardware controllers for efficient
RAID operations, while software RAID relies on the operating system to manage
RAID configurations.

Why RAID?
Data
RAID is one of the versatile technology that finds 1 Redundancy

application in various fields, including servers where

continuous uptime is critical, home computers for RAID Improved
Offers
2 Perfomance
data protection and backup, scientific research for
handling large datasets and video surveillance
systems for reliable recording and monitoring, etc. 3 Scalability

Due to the RAID-enabled system's design, configuration, and the large storage
capacities involved, acquiring and reconstructing data from RAID-enabled disks
presents significant challenges for forensic examiners. With systems now scaling
to multiple terabytes, the primary concern is the sheer storage capacity of RAID-
enabled disks. Addressing these challenges is essential for investigators to
effectively solve cases involving RAID-enabled systems.

01 CCITR|RAID Forensics
UNDERSTANDING RAID

RAID protects against data loss in case of a single drive failure. Imagine having
multiple copies of important files spread across different drives. If one drive fails,
you can still access the data from the remaining drives.

There are different RAID levels available to preserve the data on Hard Disk Drive
(HDD) or Solid-State Drive (SDD). RAID levels are categorized based on the
techniques used in RAID. The key techniques include:
Striping: Data is divided into blocks and distributed across multiple disks for
increased performance.
Mirroring: Data is duplicated on multiple disks for redundancy.
Parity: Error-correcting code is calculated and stored on one or more disks to
recover data in case of a disk failure.

The most popular RAID levels include RAID 0, RAID 1, RAID 5, RAID 6, RAID 10,
though there are many more. The RAID level employed by an organization
depends on what the company likes to achieve. Certain RAID configurations can
significantly improve reading and writing speeds. This is achieved by distributing
data across multiple drives, allowing the system to access data in parallel. RAID
systems can be scaled up by adding more disks. As mentioned earlier, different
levels use different techniques for storing data.
RAID 0
RAID 0: This level performs basic disk striping
by spreading data across all the drives in the D1 D2 Data

RAID group in chunks. This level offers the best D3 D4

Stripe
performance, as no single drive is tasked with D5 D6

the load of storing all the data. However, with D7 D8 Block

RAID 0, if a disk fails, the data on that disk is

lost. Disk 0 Disk 1

RAID 1

RAID 1: This level performs disk mirroring by D1 D1

storing data on two separate drives D2 D2

simultaneously. An advantage of RAID 1 is that D3 D3

there is always a full copy of data, in case one D4 D4

of the drives fails.

Primary Disk Mirror Disk
Disk 0 Disk 1

CCITR|RAID Forensics 02
 RAID 5: This level stripes data and parity information across at least three
drives. Parity information allows for the reconstruction of failed data in case of
a single drive failure.

RAID 5

A3 A Parity Parity Block

Block A1 A2

B1 B2 B Parity B3

Stripe
C1 C Parity C2 C3

D Parity D1 D2 D3

Disk 0 Disk 1 Disk 2 Disk 3

Parity Block of D Parity Block of C Parity Block of B Parity Block of A

RAID 10: This level combines striping and mirroring. It stripes data across
multiple mirrored sets of drives. RAID 10 offers good performance and
redundancy, but it requires more drives than other RAID levels.

RAID 10
RAID 0

Striping

RAID 1 RAID 1
Mirroring Mirroring

D1 D1 D2 D2

D3 D3 D4 D4

D5 D5 D6 D6

D7 D7 D8 D8

Disk 0 Disk 1 Disk 2 Disk 3

Primary Disk Mirror Disk Primary Disk Mirror Disk

03 CCITR|RAID Forensics
For example, consider a RAID-enabled system having 24TB storage capacity
(4 Hard Disk Drives x 6TB storage capacity) as shown below.

In Disk Management, it shows 12TB storage space under RAID 10 level

configuration as shown below.

Even though the total raw storage capacity is 24TB (4 HDDs x 6TB), it is showing
12TB storage space only. This difference makes sense because RAID 10 offers data
redundancy but sacrifices storage space.

CCITR|RAID Forensics 04
 RAID 10
RAID 0

Striping

RAID 1 RAID 1
Mirroring Mirroring

6 TB 6 TB 6 TB 6 TB

Disk 0 Disk 1 Disk 2 Disk 3

Storage space Storage space

available for user available for user
6 TB 6TB 12 TB

LET'S BREAK IT DOWN:

RAID 10 combines mirroring (RAID 1) with striping (RAID 0)

Mirroring duplicates data across half the drives for redundancy.

With four drives, half are used for mirroring, leaving the other half for usable
storage.
Therefore, in this case, only half the total capacity (24TB) is available, which is
12TB.

In this research 02 test devices were used. The specifications of devices are as
follows:
Workstation Tower Desktop

OS Microsoft windows 10 pro v22H2 OS Microsoft windows 10 pro v22H2

Processor i9-7 gen Processor i7-11 gen

RAM 64GB RAM 16GB

HDD 12TB HDD 1TB

M.2 NVMe SSD

SSD 1TB 128GB (2 Nos) and 250GB
and SATA SSD

05 CCITR|RAID Forensics
 INTRODUCTION TO RAID FORENSICS

Unlike a system attached with a single drive, RAID presents a unique challenge for
the investigators. To handle RAID-enabled systems, law enforcement officials
would require a deep understanding of different RAID levels (e.g., RAID 5, RAID 6),
its configurations and expertise in RAID forensics to handle them.

RAID forensics deals with the recovery and analysis of digital evidence from
storage systems that utilize RAID technology. RAID forensics requires specialized
knowledge, tools, and techniques to effectively analyze and interpret data stored
within RAID arrays.

The success of RAID forensics depends on the following:

RAID level involved. For example, recovering data from RAID 0 (striping) is
more challenging than RAID 1 (mirroring).
The condition of the RAID-enabled disks. For example, data recovery becomes
more difficult if multiple disks have failed.

WHAT INVESTIGATORS CAN EXPECT FROM RAID FORENSICS?

Identification of the RAID-enabled systems/devices.

Identification of RAID levels and understanding its
configurations.
Cloning/imaging the RAID-enabled disks.
Reconstruction/rebuilding of data and file systems.
Data Recovery from the disk.
Analysis of the reconstructed data for incriminating
evidence.

KEY STAGES OF RAID FORENSIC PROCESS

01 03 05
IDENTIFY RE-CONSRTUCT
Examine and Reassemble
determine the RAID ACQUIRE fragmented data ANALYSE & REPORT
SEIZE
level and its from multiple
Taking control or Extracting a complete Analyzing the re-
configurations. disks
possession of RAID- copy of the data constructed data and
enabled systems and using appropriate reporting the relevant
02 tools and techniques 04
its peripherals evidence

CCITR|RAID Forensics 06
SEARCH AND SEIZURE OF RAID-ENABLED SYSTEM IN “ON” CONDITION

Please ensure that you have the proper legal authority to conduct search and
seizure. Obtain a search warrant in case of a private place.
Secure and take control of the scene of crime both physically and
electronically.
Physically, by limiting access of all persons to the scene of the crime.
Electronically, by limiting additional new entries to the scene of crime by
disabling connectivity.
Document the current state (ON/OFF) of the system being seized.
If the target system is in ON condition, follow the steps below:
Capture the photograph of the system, including the peripherals
connected to it.
Take a photograph of the desktop screen containing files & folders,
shortcuts, along with date & time.
If possible, collect all the credentials related to the system.
Examine whether the system is connected to the network, if yes, isolate
the system from the network by disconnecting the connected ethernet
cable from the system or by disabling the Wi-Fi connection.

Examine whether the target system is RAID-enabled or not.

Open the "Disk Management" by searching in the Start Menu.
In the lower central pane, identify the column named “Type” for each
listed disk.
If the “Type” of all disks are set to “Basic” then, it confirms that is the
target system is not enabled with software RAID or it may be using
hardware RAID having RAID controller card (hardware).
If any disk “Type” is set to “Dynamic” or multiple disks share the same
drive letter or “Device Type” is marked as RAID, this confirms the usage of
software RAID.

Put efforts to collect all the credentials related to the RAID.

Identify and record the details of each disk including volume name, layout,
status, storage capacity, free space, etc. This helps in determining the RAID
level used for the configuration.
If the system is not RAID configured, follow the best practices for seizing the
Desktop.

07 CCITR|RAID Forensics
Connect the external USB drive (Preloaded with live data acquisition/ RAM
acquisition tools) to the target system.
Record the make, model, serial number of the USB drive and document it in
the mahazar, including the date and time of insertion.
Acquire RAM dump using the memory acquisition tools (e.g., Dumpit, CAINE,
etc).
After acquiring the RAM, generate hash value of the forensic image file using
the hashing tools (certutil command, HashMyFiles, HashCalc, etc).
Take the picture of the hash value along with the hashing algorithm used or
copy and paste in notepad and save in external USB drive.

Check whether the disks utilized for RAID are encrypted or not.
Open the "Disk Management" tool by searching in the “Start Menu”.
In the lower central pane, identify the column named “File System” for
each listed disk.
If the “File System” of any disk marked as “NTFS (BitLocker Encrypted),”
note down the BitLocker Drive Encryption recovery keys of those disks
using Control Panel\All Control Panel Items\Device Encryption.
The Magnet Encryption Disk Detector tool may also be used.

If encrypted, identify and capture the encryption recovery key of the target
system.
If you are, unable to identify the encryption keys, it is recommended to take
logical backup/image.

In case, the disks involved in RAID configuration contain large storage

capacity.
It would be difficult for an IO to seize all disks or take an image copy of all
disks because it demands more external HDDs.
In this situation, IO can copy a relevant data from the RAID-enabled disks
to the sterile external storage device in front of Panch witnesses.
The hash values of the collected data must be generated using hashing
algorithm and record the same in the mahazar.

Perform normal shutdown if the data on the device is stable. If it is suspected

that anti-forensic shutdown methods are employed, remove the power cable.
All the steps mentioned above must be documented in the Mahazar.
Follow the remaining process as detailed in the procedure for search and
seizure of RAID-enabled system in switched OFF condition

CCITR|RAID Forensics 08
SEARCH AND SEIZURE OF RAID-ENABLED SYSTEM IN “OFF” CONDITION

Confirm that the system is in OFF condition.

Examine whether the target system is RAID-enabled or not
If multiple HDDs/SSDs are connected to the
motherboard of the system, it might be an
indication of RAID configuration.
To confirm the utilization of RAID configurations,
open the system case and look for a separate RAID
controller card which is used for RAID
management. These cards have label/logo of the
manufacturer e.g. (Broadcom, Microchip, Intel, HP,
Advantech, Cineraid).
If multiple data cables are connected to each storage drive (more than one
SATA or SAS cable per drive), it might indicate a hardware RAID setup.
If possible, collect all the credentials related to the system and the RAID
Unplug the power cable and other devices from sockets.
Never switch ON the computer at this stage, under any circumstances.
Label and photograph (or video) all the components.
Carefully open the outer casing of RAID-enabled system.
Identify the drives (HDD/SSD) and slots in which it is installed and take photos
of the same.
Detach the drives from the motherboard by disconnecting the data transfer
and power cables.
Take out the storage device (hard disk) carefully and record unique identifiers
such as the make, model, serial number and the slot number. Even if the entire
CPU is seized, note down the unique identifiers.
Take the signature (wherever applicable) of the accused and witness(es) on
each hard disk by using a permanent marker pen.
Prepare detailed notes giving 'when, where, what, why, who, how' and overall
actions that are taken in relation to the computer equipment.
To avoid clock inaccuracy, please make it a best practice to note down the
actual date and time on the system without causing any changes to the
evidentiary value of the system. This can be achieved after removing the hard
disk from the target system, the IO may switch 'ON' the system and go to BIOS
(Basic Input Output System) / UEFI (Unified Extensible Firmware Interface)
settings. Note down the date and time shown in BIOS. Highlight any deviation
in the date & time.
All the steps mentioned above must be documented in the Mahazar
proceedings.
09 CCITR|RAID Forensics
FLOWCHART ON SEARCH AND SEIZURE OF RAID-ENABLED SYSTEM

CCITR|RAID Forensics 10
11 CCITR|RAID Forensics
IDENTIFICATION OF RAID CONFIGURATIONS

While dealing with RAID-enabled disks, the investigator must ensure proper
identification of RAID configurations because of the following reasons:

DATA RECOVERY
Knowing the RAID configuration can facilitate smooth data
recovery. Different RAID levels (e.g., RAID 0, RAID 1, RAID 5)
1
have different methods of data striping and redundancy, so
understanding the specific configuration is essential for
effective recovery of the data.

EVIDENCE PRES ERVATION

Few RAID configurations may spread data across multiple disks
in complex ways. Properly identifying the RAID setup ensures
2
that all relevant disks are seized as evidence. Failure to seize all
disks may result in incomplete evidence collection, potentially
impacting the investigation and legal proceedings.

DATA INTERPRETATION
RAID configurations affect how data is stored and accessed.
Understanding the RAID setup allows investigators to interpret
3
the data correctly. For instance, they need to know if data is
striped across disks or mirrored for redundancy, as this impacts
how they analyse and interpret the information.

ENCRYPTION
Certain RAID configurations may encrypt the disks. Identifying
4 the RAID setup helps investigators determine if encryption is in
use and what steps are necessary to access the encrypted data,
such as obtaining encryption keys or passwords.

DATA DUPLICATION
RAID configurations can involve data duplication for
redundancy and performance reasons. Using the identified
5
RAID configuration, investigators do not mistakenly treat
duplicated data as separate evidence, thereby avoiding errors
in analysis and interpretation.

CCITR|RAID Forensics 12
PROCEDURE TO IDENTIFY THE RAID CONFIGURATIONS

Step 01: Right-click on “This PC” and select “Manage” the “Computer
Management” window will open.

Figure 1: Computer Management Window.

Step 02: Click on “Disk Management” available under the “Storage” category. All
the disks and volumes will be displayed as shown below.

Figure 2: Disk Management window displaying all the storage drives attached to the system.

The color denotation in Windows operating system is as follows,

“UNALLOCA
“PRIMARY “SPANNED “STRIPED “MIRRORED
TED”
PARTITION” VOLUME” VOLUME” VOLUME”
STORAGE

BLACK BLUE VIOLET GREEN MAROON

On performing the above step, IO will be able to identify how many disks are
utilized to configure RAID and determine the levels of RAID employed. As a best
practice, it is recommended to record each disk details including volume name,
layout, type, file system, status, storage capacity, free space, etc.

13 CCITR|RAID Forensics
ACQUISITION OF RAID-ENABLED SYSTEM

Due to the utilization of RAID-enabled systems, data is distributed across multiple

disks using various techniques such as striping, mirroring or parity. Proper
acquisition ensures that all relevant disks are seized and cloned or imaged. This
helps in preserving the integrity of the data stored across the RAID array. Failure
to acquire any one disk could affect data recovery and may compromise the
integrity of the evidence.

Acquiring RAID-enabled systems allows investigators to identify the RAID

configuration, including the RAID level, stripe size, disk order and parity
information. Understanding the RAID configuration is essential for interpreting the
data correctly and recovering the same. In addition to the above, investigators
can employ specialized tools and techniques for data recovery and
reconstruction, maximizing the chances of retrieving valuable evidence.

PROCEDURE TO ACQUIRE THE RAID-ENABLED SYSTEM IN “ON” CONDITION

Step 01: Acquiring the RAM Dump

Identify the RAM capacity of the target system and accordingly use a
destination USB drive (pen drive or external HDD) having more storage
capacity.
Plugin the USB drive, pre-loaded with the necessary tools (eg., Dumpit, FTK
Imager.exe, etc) for acquiring the RAM dump of the target system.
Run the “FTK Imager.exe” application available in the USB drive. In the home
page, go to “File” tab & click on “Capture Memory” and store the RAM dump in
the USB drive.
Generate the hash value of captured RAM dump and record the same.

Step 02: Checking for Disk Encryption

Check whether the disks utilized for RAID are encrypted or not by using
Windows Disk management tool or Encrypted Disk Detector (EDD) tool.
If encrypted, identify and capture the encryption recovery key of the target
system.
If you are, unable to identify the encryption keys, it is recommended to take
logical backup/image.

CCITR|RAID Forensics 14
Step 03: Acquiring the Logical Backup/Image

Identify the storage capacity of the target system’s array of HDDs/SSDs and
accordingly use a destination external HDDs having more storage capacity
than the target system.
Connect the external HDD, pre-loaded with the necessary tools (in this
scenario, we have taken FTK imager tool as an example) for acquiring the array
of HDDs/SSDs.
Run the “FTK Imager.exe” application available in the external HDD. In the
home page, click on “File” and select “Create Disk Image”.
Select source evidence type as “Logical Drive”, click on “Next”, choose the
volume to be imaged from the drop-down list and click on “Finish”.
In the “Create Image” window, click on “Add” to include image destination and
in “Select Image Type” window, select “E01” or “Raw” format because most of
the forensic tools support these image formats.
Click on “Browse”, select the image destination folder to store the image file.
Please note, the destination folder should always be in external storage
device. Then, click on “Start” to initiate the imaging process. After the
completion of the imaging process the images will be available in the given
destination folder.

Scan the QR code for accessing the

step-by-step procedure to extract the
data from RAID-enabled system in
“ON” condition

15 CCITR|RAID Forensics
PROCEDURE TO ACQUIRE THE RAID-ENABLED SYSTEM IN “OFF” CONDITION

At scene of crime, if the situation permits perform the steps below:

Carefully open the outer casing of RAID-enabled system and identify the
drives (HDD/SSD) and slots in which it was installed.
Detach the array of HDDs/SSDs from the motherboard by disconnecting the
data transfer and power cables and seize it. Record all the steps in the
mahazar.

At the lab, draw mahazar proceedings of opening and follow the steps below:
Connect the HDDs/SSDs to the examiner’s system through a writeblocker
device to perform forensic imaging process.
Run the “FTK Imager.exe” application available in the external HDD. In the
home page, click on “File” and select “Create Disk Image”.
Select source evidence type as “Physical Drive”, click on “Next”, choose the
physical drive to be imaged from the drop-down list and click on “Finish”.
In the “Create Image” window, click on “Add” to include image destination and
in “Select Image Type” window, select “E01” or “Raw” format because most of
the forensic tools support these image formats.
Click on “Browse”, select the image destination folder to store the image file.
Please note, the destination folder should always be in external storage
device. Then, click on “Start” to initiate the imaging process. After the
completion of the imaging process the images will be available in the given
destination folder.
Repeat the steps for imaging the other remaining seized HDDs/SSDs

Scan the QR code for accessing the

step-by-step procedure to extract the
data from RAID-enabled system in
“OFF” condition

CCITR|RAID Forensics 16
RECONSTRUCTION OF THE DATA ACQUIRED FROM RAID ENABLED DISKS

Reconstruction or rebuilding of RAID data refers to the process of restoring a

functional RAID array after a disk failure. To carry out the reconstruction of data
from the extracted RAID-enabled drives, the tools such as RAID Recovery,
UFSexplorer, Rebuild RAID, EaseUS RAID Data Recovery, ReclaiME Free RAID
Recovery, etc., may be utilized.

To reconstruct the data, here we are using a free tool named UFS Explorer RAID
Recovery. This tool helps to address the complex RAID data recovery challenges
faced by forensic examiners. The tool can recover the lost files from a wide range
of storage media, including internal hard disk drives, portable devices, virtual
disks, etc. This tool may be downloaded using the link:
https://www.ufsexplorer.com/ufs-explorer-raid-recovery/.

PROCEDURE TO RECONSTRUCT THE RAID-ENABLED DISKS

Step 1: Install and open UFS Explorer RAID Recovery tool in the analysis system.

Step 2: Click on “Open” and select “Image file or virtual disk”.

Figure 3: UFS Explorer RAID Recovery tool displaying all the storage drives in the system.

17 CCITR|RAID Forensics
Step 3: In the “Choose disk image file” dialog box, select the target disk and open
the E01 image file of the RAID enabled disk. Subsequently, add all image of the
disks.

Figure 4: Choosing image file to rebuild RAID

Step 4: After adding all the disk images, the tool automatically detects the RAID
level and storage capacity of the disks.

Figure 5: UFS Explorer RAID Recovery tool displaying the image file along with RAID partitions.

CCITR|RAID Forensics 18
Step 5: Double click on the partition to view the reconstructed data.

Figure 6: Reconstructed data.

Once the data reconstruction is completed, the investigator can access the
contents across the array of disks and employ digital forensic techniques to
uncover incriminating evidence.

19 CCITR|RAID Forensics
CHALLENGES INVOLVED IN RAID FORENSICS

The RAID forensics involving identification, acquisition and analysis of data stored
on RAID-enabled systems poses several unique challenges compared to
traditional single-disk forensics. Some of the primary challenges include the
following:

Unknown RAID configuration: Recovering data heavily relies on understanding

the RAID levels. Without this knowledge, piecing together data fragments
spread across multiple disks becomes significantly harder.

Missing or damaged drives: RAID systems often offer redundancy, but if

multiple drives fail or damaged, reconstructing the data becomes near
impossible. Redundancy only protects against a certain number of drive
failures depending on the RAID level.

Fragmentation: In few RAID levels, data typically striped across multiple disks
to improve the performance. This fragmentation makes it more challenging to
rebuild the data during forensic analysis.

Increased acquisition time: Imaging a RAID system involves acquiring data

from every disk in the array, significantly extending the time it takes compared
to a single drive. This can be a critical factor in time-sensitive investigations.

Complex analysis: The process of analyzing data from a RAID system is often
intricate. Forensic tools need to account for RAID configurations and data
striping, which can be a lengthy process.

Expertise required: Successfully conducting RAID forensics necessitates a

deep understanding of RAID configurations and specialized forensic tools.
Investigators may need to consult with forensic experts to ensure a thorough
and accurate analysis.

Data encryption: If the RAID system utilizes encryption, investigators will need
to acquire the decryption key to access the data. Without the key, data
recovery becomes impossible.

CCITR|RAID Forensics 20
RESEARCH PUBLICATIONS

MONTHLY NEWSLETTER
 RAID FORENSICS
SEIZURE, ACQUISITION AND RECONSTRUCTION OF DATA

CENTRE FOR CYBERCRIME INVESTIGATION TRAINING & RESEARCH

Cybercrime Division, Carlton House, 2nd Floor,
Annexe Building -2, CID HQRS,
Palace Road, Bengaluru, Karnataka - 560001
[email protected] 080-22094436

@CybercrimeCID @DSCI_Connect