Rebuilding RAID (FOR 240) - Chromosom3/TechNotes GitHub Wiki
Rebuilding RAID
Add the Drives to Encase
First, you are going to want to open EnCase and create a case. Once the case is created, go to the Evidence tab, select "Add Evidence" on the top menu and then select "Add Raw Image". On the next screen, select the disk image you want to add, and repeat the process until you have added all of the disks that make up the array.
Reconstruct the RAID in Encase
In the top right of the Evidence screen select the gear icon, then select "Create Disk Configuration". On the next window you will select the configuration for your RAID. You will need to choose the proper Disk Configuration (RAID type), the right stripe size, and the correct disks to create the RAID in EnCase. You can drag the disks up and down the list to put them into the correct order. The RAID type, stripe size and disk order all have to match the original array; if any of them is wrong the virtual volume will still be created, but the file system on it will not parse. Now under Evidence you will see a new item with the name of the RAID you just reconstructed. Select it and check that the data is there and the file system is readable, which confirms the array was rebuilt properly.
Acquiring the Evidence in Encase
Once you have the array rebuilt in EnCase you are going to want to acquire the evidence. To do that, navigate to the Evidence screen, select "Process Evidence" and then click "Acquire". From there, fill out all the relevant information boxes. Make sure to note the output path, as this is where the E01 file will be stored. The default format is Ex01, but you will want to change it to E01 under the "Format" tab, since E01 is the format other tools such as FTK Imager can read. Select "OK" and let the data process. EnCase shows the progress in the bottom right, like Autopsy. You can also check the "Console" tab for more detailed logs of the operation.
Using FTK Imager to Convert E01 to DD
This is a relatively simple process. Open FTK Imager and add the E01 as an evidence source: select the add evidence icon, then "Image File", browse to the image location, and select "Finish". Now that the E01 is added to FTK Imager we can convert it. Right-click the E01 file and select "Export Disk Image...". This opens a new dialog to export the disk image. You can select multiple formats, but I will just cover DD. Select "Add..." under "Image Destination(s)" and choose "Raw (dd)". Fill in the relevant information on the next screen. Finally, select the image destination folder and file name, then finish. Leave the option to verify the image after it is created turned on, so the exported dd is checked against the source hashes and you have a hash to compare against after transferring the file.
Importing the RAID to Linux
Now we will cover importing the recently created DD file into Linux. First, you will need to move the file onto the Linux system. If it is a VM with VMware Tools installed you can simply copy it into the VM; otherwise you can use another method such as netcat to transfer the file. After the transfer, hash the file and compare it with the hash FTK Imager reported, so you know the copy you are about to examine is intact. Once the file is on the Linux system you will want to mount it. Before mounting, you need to know where the partitions are located inside the image. To find out, run `fdisk -l /path/to/file.dd`. This lists the partitions on the disk along with the sector size; note the start and end sectors of each partition. Now we can mount the dd image using the mount command.

Run `sudo mount -o ro,offset=65536,sizelimit=26214400 /path/to/image.dd /path/to/mount_point`.

This command mounts the partition at the mount point. The -o flag carries the mount options: ro for read-only, so nothing is written to the evidence; offset, the byte position where the partition starts; and sizelimit, the length of the partition in bytes (not its end position). To calculate the offset, multiply the start sector by the sector size: if the start sector is 128 and the sector size is 512 bytes, the offset is 128 x 512 = 65536. To calculate the sizelimit, take the number of sectors in the partition (end sector minus start sector plus one, because fdisk prints the end sector inclusively) and multiply it by the sector size: 51200 sectors x 512 = 26214400 in the example above. The sizelimit option is important because mount backs the image with a loop device; without it, the loop device runs from the offset to the end of the file, and trying to mount a second partition of the same image then fails because its range overlaps a loop device that is already in use.
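The following POSIX shell helpers are an added example and not part of the original wiki page. They turn the start and end sectors reported by `fdisk -l` into the offset and sizelimit values mount expects, wrap the read-only mount, and print one mount command per partition from a complete `fdisk -l` listing so the numbers can be reviewed before anything runs as root. The function and variable names are my own, the sector size defaults to 512 bytes unless fdisk reports otherwise, and the sample fdisk output embedded below is constructed for the demonstration rather than taken from a real image.

```shell
#!/bin/sh
# Added example (not code from the original wiki page). Helpers for mounting
# partitions out of a raw dd image read-only. All names are hypothetical.

# offset_bytes START [SECTOR_SIZE] -> byte offset of the partition start.
offset_bytes() {
    echo $(( $1 * ${2:-512} ))
}

# sizelimit_bytes START END [SECTOR_SIZE] -> partition length in bytes.
# fdisk prints the end sector inclusively, hence the +1.
sizelimit_bytes() {
    echo $(( ($2 - $1 + 1) * ${3:-512} ))
}

# mount_partition IMAGE START END MOUNTPOINT [SECTOR_SIZE]
# Mounts one partition read-only on its own bounded loop range, so a second
# partition of the same image can be mounted alongside it without the loop
# ranges overlapping. Needs root and a real image; not called below.
mount_partition() {
    img=$1; start=$2; end=$3; mnt=$4; ss=${5:-512}
    off=$(offset_bytes "$start" "$ss")
    len=$(sizelimit_bytes "$start" "$end" "$ss")
    sudo mount -o ro,offset="$off",sizelimit="$len" "$img" "$mnt"
}

# plan_from_fdisk_output IMAGE MOUNTBASE < fdisk_output
# Reads `fdisk -l IMAGE` output on stdin, picks up the logical sector size and
# every partition row (rows start with the image path followed by the partition
# number; the boot flag "*" column is optional), and prints one read-only mount
# command per partition with mount point MOUNTBASE/pN.
plan_from_fdisk_output() {
    awk -v img="$1" -v base="$2" '
        BEGIN { ss = 512 }
        /^Sector size/ { ss = $4 }          # "Sector size (logical/physical): 512 bytes / 512 bytes"
        index($0, img) == 1 {
            n = substr($1, length(img) + 1) # partition number after the image path
            if ($2 == "*") { s = $3; e = $4 } else { s = $2; e = $3 }
            printf "sudo mount -o ro,offset=%d,sizelimit=%d %s %s/p%s\n",
                   s * ss, (e - s + 1) * ss, img, base, n
        }'
}

# plan_mounts IMAGE MOUNTBASE -> runs fdisk on the real image and prints the plan.
plan_mounts() {
    fdisk -l "$1" | plan_from_fdisk_output "$1" "$2"
}

# Constructed sample of `fdisk -l image.dd` output (two 25 MiB partitions,
# the first one flagged bootable) used for the offline demonstration.
SAMPLE_FDISK_OUTPUT='Disk image.dd: 100 MiB, 104857600 bytes, 204800 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos

Device     Boot Start    End Sectors Size Id Type
image.dd1  *      128  51327   51200  25M 83 Linux
image.dd2       51328 102527   51200  25M 83 Linux'

# Demonstration on the constructed sample: prints the two mount commands,
# nothing is mounted and no root is needed.
printf '%s\n' "$SAMPLE_FDISK_OUTPUT" | plan_from_fdisk_output image.dd /mnt/raid
```

On a real image, `plan_mounts /evidence/raid.dd /mnt/raid` prints the commands to run; review them, create the mount points, and then run `mount_partition` (or the printed commands) one partition at a time. Because each mount carries its own sizelimit, all partitions of the same image can stay mounted together.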