Forensic Imaging of RAID Volumes and NAS Devices

Forensic Imaging of RAID Volumes and NAS Devices Forensic Imaging of RAID Volumes and NAS Devices

Forensic Imaging of NAS/RAID: Some Thoughts

The process is straightforward: We create a forensic imaging from each drive of the storage device. The problems will start later after the imaging process. First of all: how to reassemble the chunks to get a drive so that it is ready for a forensic analysis?

Commercial programs like OS Forensics offer features to reconstruct NAS drives or RAID volumes. But these capabilities usually cover only a few RAID vendors while most are unsupported.
This post shows you how to create a working forensic copy of a NAS Device or RAID Volume. Independent from the NAS Brand or RAID Technology used.

NAS Forensic: Creating Copies of Single Disks

The first step is the creation of a forensic imaging of each disk drive in the NAS/RAID. Tradionellly, I am using DEFT Linux for this task. As a tool, we use “Guymager.” The single steps to create a forensic image with Guymager are out of the scope of this article. DEFT includes tools for many different forensics techniques.

Advice: Use only High Speed USB 3.0 equipment while doing the forensic copies. This applies for the USB-Adapter as well for the Laptop. For my multiple imagings, i am using the following equipment:

Anker USB 3.0 to SATA Converter & Lenovo Ideapads 13.3 Inch:

The Lenovo’s fit easily into the luggage and have two USB 3.0 ports, so dual copies are possible.

A practical case: Synology DS-815 with 4 x 3 TByte Disks

Right now I am working on an investigation of data theft. The suspect stole internal company documents and it seems like he probably stored them on that NAS before law enforcement confiscated the device. The Task: Recover all information from the NAS to apply a word- and file-list based search. Aside from the existing file, each sector of the RAID 5 should carve for deleted information.
As output format a will use EnCase (.E01). All checksums are verified by Guymager using the SHA1 Checksum. In the next article of this series, we will show how the Forensic Imaging process of rebuilding the NAS will take place.

Forensic Imaging: A Time-consuming process per drive

The creation process takes about 16 hours of time for each drive. The good news. At the creation of the copy, the total size of each NAS drive is reduced from 3 TByte down to 500 GB. From originally 12 TByte the forensic imaging reduced the space requirement to about 2 TByte.

Next Part: How to Reconstruct the Single Disk Images Into a RAID Volume for Analysis