Redundant Array of Inexpensive Disks and Data Forensics
A RAID system integrates a series of inexpensive disk drives into an array and uses firmware-based algorithms and intelligence to make them compatible with one another, so that device reliability increases significantly. The acronym stands for redundant array of inexpensive disks, also called a redundant array of independent disks (Leventhal, 2010). RAID systems being designed today can have up to ten levels, while six levels are the most predominant configurations in use (Elerath, 2009). These six levels are level 0 for striped disk arrays without fault tolerance, level 1 for mirroring and duplexing, level 2 for error-correcting coding, level 3 for bit-interleaved parity, level 4 for a dedicated parity drive, and level 5 for block-interleaved distributed parity. Dissecting and reconstructing data in these systems is a challenging forensic task that requires a combination of techniques and technologies to capture the data needed for investigations.
State-Of-The-Art Forensics on RAID Systems
Interpreting complex patterns in data sets and then interpolating their structure, in effect using pattern matching to interpret and reconstruct the data, is considered state-of-the-art in computer forensics today (Teelink, Erbacher, 2006). Creating an entire array of disk drives through this technique requires pattern matching algorithms that combine visualization and data analysis, in addition to data recovery applications at the byte level (Teelink, Erbacher, 2006). Data visualization can also assist in developing pattern matching where iterative analysis of a RAID drive is necessary for reconstructing damaged or potentially lost data (Teelink, Erbacher, 2006).
A second approach is to rely on the RAID sequencing and recovery strategies to recover the data on the disks. On RAID systems, an entire volume can often be reconstructed if the Level 4 (dedicated parity drive) or Level 5 (block-interleaved distributed parity) areas of the entire logical volume are available (Miller, 2007). Forensic investigators will often begin with these inherent advantages of the RAID technology, yet revert to virtualization techniques if these do not work (Leventhal, 2010). RAID is by nature a technology that can replicate list partitions and drives (Elerath, 2009) (Leventhal, 2010) (Miller, 2007).
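The parity-based recovery described above can be shown with a small sketch, added here as an illustration and not taken from the cited sources: it rebuilds one missing RAID 5 member image by XOR and then destripes the members back into the logical volume. The left-symmetric parity rotation, the 4-byte stripe unit, the sample data and all function names are assumptions made for the example; on real evidence the stripe size and layout must first be determined from the controller metadata or by analysis.

```python
from functools import reduce

STRIPE = 4  # bytes per stripe unit (constructed; real arrays often use 64 KiB)
SAMPLE = b"constructed evidence volume: case 0000 test data"  # constructed input

def xor_blocks(blocks):
    """XOR equal-length byte strings together, column by column."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def parity_disk(row, n):
    """Disk index holding parity for a stripe row (left-symmetric layout assumed)."""
    return (n - 1 - row) % n

def build_raid5(data, n, stripe=STRIPE):
    """Lay data out over n member images with rotating parity (test fixture)."""
    per_row = (n - 1) * stripe
    data = data.ljust(-(-len(data) // per_row) * per_row, b"\0")  # pad last row
    disks = [bytearray() for _ in range(n)]
    for row in range(len(data) // per_row):
        units = [data[row * per_row + i * stripe:][:stripe] for i in range(n - 1)]
        p = parity_disk(row, n)
        disks[p] += xor_blocks(units)
        for i, unit in enumerate(units):
            disks[(p + 1 + i) % n] += unit  # data starts after parity and wraps
    return [bytes(d) for d in disks]

def rebuild_missing(disks):
    """Recover the single missing member (None) as the XOR of the survivors."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise ValueError("single parity recovers exactly one missing member")
    survivors = [d for d in disks if d is not None]
    if len({len(d) for d in survivors}) != 1:
        raise ValueError("member images differ in length; re-acquire or pad")
    out = list(disks)
    out[missing[0]] = xor_blocks(survivors)
    return out

def destripe(disks, stripe=STRIPE):
    """Reassemble the logical volume, skipping the parity unit in each row."""
    n, volume = len(disks), bytearray()
    for row in range(len(disks[0]) // stripe):
        p = parity_disk(row, n)
        for i in range(n - 1):
            volume += disks[(p + 1 + i) % n][row * stripe:(row + 1) * stripe]
    return bytes(volume)

if __name__ == "__main__":
    members = build_raid5(SAMPLE, 3)
    members[1] = None  # simulate a failed or unavailable member
    print(destripe(rebuild_missing(members))[:len(SAMPLE)])
```

If the destriped output is not recognisable data, the assumed stripe size, member order or parity rotation is wrong, which is the point at which the pattern-matching and visualization techniques discussed earlier come into play.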