Notes - MCS
Computer Systems Forensic Analysis

Volumes’ Aggregation

Why?

  • improve performance.

  • prevent faults by adding redundancy.

  • gather free space from several drives.

Types:

  • RAID (Redundant Arrays of Inexpensive Disks).

    • common in high-performance systems; has many variants: RAID-1, RAID-5, ...

    • can be implemented either in hardware or in software (usually at OS level).

  • Spanning.

    • creates a logical volume by adding free space from several smaller volumes.

    • just sums up space, it doesn’t have any redundancy or performance gains.

RAID

Levels

  • RAID-0 – has no redundancy, but may increase performance.

  • RAID-1 – consists of an exact copy (or mirror) of a set of data on two or more disks.

  • RAID-2 – stripes data at the bit (rather than block) level and uses a Hamming code for error correction; rarely used.

  • RAID-3 – consists of byte-level striping with a dedicated parity disk; rarely used.

  • RAID-4 – consists of block-level striping with a dedicated parity disk, and provides good read performance.

  • RAID-5 – block-level striping with distributed parity among the drives.

  • RAID-6 – extends RAID 5 by adding another parity block and tolerates up to 2 drive failures.

  • RAID hybrid – a combination of more than one RAID level, e.g. RAID 10.

Schematics

By Hardware

Characteristics:

  • requires a specific controller.

  • guarantees the best performance.

  • but is more expensive.

  • may require the installation of drivers.

Data acquisition:

  • it’s easier to acquire at the logical level, as if it were a single disk.

  • acquisition OS must support RAID controllers.

  • individual acquisition of RAID disks:

    • only when the OS doesn’t support RAID controllers.

    • analysis is more complex – the RAID volume must be rebuilt.

By Software

Characteristics:

  • implemented in the OS (supported by most modern OS).

  • less efficient, since it depends on the CPU to calculate parity bits and data splits.

  • Windows – Logical Disk Management (LDM).

    • requires dynamic volumes.

    • RAID volume configuration is stored on each drive.

    • supports RAID 0, 1, and 5.

  • Linux

    • uses Logical Volume Manager.

    • saves metadata of the volume inside the drives.

    • uses volumes on DOS partitions.

    • supports RAID 0, 1, 5 and 6.

    • supports Windows LDM (use of Logical Disk Manager may require kernel recompilation).

    • allows the creation of snapshots – records only the changes and can be reverted to a previous state.

Acquisition:

  • it’s easier to acquire at the logical level, as if it were a single disk.

  • individual acquisition of RAID disks:

    • it’s easier than with hardware RAID systems.

    • there are some tools to automatically rebuild the RAID volume.

  • Windows – with this OS a write blocker must be used.

  • Linux – it’s possible to do a read-only mount and it also supports LDM from Windows OS.
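Rebuilding the logical volume from individually acquired member images, the "more complex" route described above, as an added Python example that is not part of these notes or of any forensic tool. The member images are constructed byte strings; the stripe unit, the member order and the left-symmetric parity rotation are assumptions the analyst would have to establish from the configuration metadata stored on each drive before running anything like this on real images.

```python
"""Reassemble RAID-0, RAID-1 and RAID-5 volumes from member images and
recover one missing RAID-5 member from parity.

Added illustration: member images are constructed in-memory byte strings,
not data from any acquisition. Stripe unit, member order and the
left-symmetric parity layout are assumptions, not read from metadata."""

import hashlib
from typing import List, Optional

STRIPE_UNIT = 4  # bytes per stripe unit; real arrays use e.g. 64 KiB (assumption)

# Constructed 48-byte "logical volume" used to build sample RAID-5 members.
SAMPLE = b"Constructed sample volume: 48 bytes of payload!!"


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks; RAID-5 parity is the XOR of the data units."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def raid0_assemble(members: List[bytes], unit: int = STRIPE_UNIT) -> bytes:
    """RAID-0: stripe units are dealt round-robin across members, so a wrong
    member order yields an unusable volume (no parity exists to detect it)."""
    out = bytearray()
    for s in range(len(members[0]) // unit):
        for m in members:
            out += m[s * unit:(s + 1) * unit]
    return bytes(out)


def raid1_assemble(members: List[bytes]) -> bytes:
    """RAID-1: every member is a full copy; disagreeing mirrors must be reported."""
    for m in members[1:]:
        if m != members[0]:
            raise ValueError("mirror members differ; record the differing sectors")
    return members[0]


def raid5_parity_index(stripe: int, n: int) -> int:
    """Left-symmetric rotation: parity sits on the last member for stripe 0
    and moves one member to the left on each following stripe."""
    return (n - 1 - stripe) % n


def raid5_split(data: bytes, n: int, unit: int = STRIPE_UNIT) -> List[bytes]:
    """Inverse of raid5_assemble; used here only to build sample member images."""
    per_stripe = (n - 1) * unit
    if len(data) % per_stripe:
        raise ValueError("sample data must fill whole stripes")
    members = [bytearray() for _ in range(n)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        d = [chunk[k * unit:(k + 1) * unit] for k in range(n - 1)]
        p = raid5_parity_index(s, n)
        units: List[Optional[bytes]] = [None] * n
        units[p] = xor_blocks(d)
        for k in range(1, n):            # data starts on the member after parity
            units[(p + k) % n] = d[k - 1]
        for i in range(n):
            members[i] += units[i]
    return [bytes(m) for m in members]


def raid5_assemble(members: List[Optional[bytes]], unit: int = STRIPE_UNIT) -> bytes:
    """RAID-5, left-symmetric layout. At most one member may be None
    (missing or unreadable image); its units are rebuilt by XOR of the rest."""
    n = len(members)
    present = [m for m in members if m is not None]
    if len(present) < n - 1:
        raise ValueError("RAID-5 can rebuild with at most one missing member")
    out = bytearray()
    for s in range(len(present[0]) // unit):
        units = [None if m is None else m[s * unit:(s + 1) * unit] for m in members]
        missing = next((i for i, u in enumerate(units) if u is None), None)
        if missing is not None:
            units[missing] = xor_blocks([u for u in units if u is not None])
        p = raid5_parity_index(s, n)
        for k in range(1, n):
            out += units[(p + k) % n]
    return bytes(out)


def demo_rebuild() -> bool:
    """Split the sample into 4 members, drop member 2, rebuild, verify by hash."""
    members = raid5_split(SAMPLE, 4)
    degraded = members[:2] + [None] + members[3:]
    rebuilt = raid5_assemble(degraded)
    # Hashing the rebuilt volume gives the value to record in the report.
    return hashlib.sha256(rebuilt).digest() == hashlib.sha256(SAMPLE).digest()


if __name__ == "__main__":
    print("rebuild from degraded set matches original:", demo_rebuild())
```

The two defender-relevant outcomes are visible in the functions: RAID-0 reassembled with members in the wrong order produces bytes that never match the original, so member order must be confirmed (from the configuration stored on each drive, or by checking for known file-system signatures in the result); RAID-5 with one member absent still reassembles exactly, while two absent members cannot be rebuilt, which is the RAID-6 case the notes describe.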

Schematic figures (not reproduced): RAID-1, RAID-3/4, RAID-5.