Reassembling Linux-based Hybrid RAID

Authors
Choi, Jong-Hyun; Park, Jungheum; Lee, Sangjin
Issue Date
May-2020
Publisher
WILEY
Keywords
RAID reassembly; hybrid RAID; Linux RAID; NAS forensics; RAID superblock; LVM
Citation
JOURNAL OF FORENSIC SCIENCES, v.65, no.3, pp.966 - 973
Indexed
SCIE
SCOPUS
Journal Title
JOURNAL OF FORENSIC SCIENCES
Volume
65
Number
3
Start Page
966
End Page
973
URI
https://scholar.korea.ac.kr/handle/2021.sw.korea/56100
DOI
10.1111/1556-4029.14258
ISSN
0022-1198
Abstract
Network-attached storage (NAS) is a system that uses a redundant array of disks (RAID) to create virtual disks comprising multiple disks and provide network services such as FTP, SSH, and WebDAV. Using these services, the NAS's virtual disks store data about individuals or groups, making them a critical analysis target for digital forensics. Well-known storage manufacturers like Seagate, Synology, and NETGEAR use Linux-based software RAID, and they usually support Berkeley RAID (e.g., RAID 0, 1, 5, 6, and 10) as well as self-developed hybrid RAID. Those manufacturers have published data on the introduction and features of hybrid RAID, but there is not enough information to reassemble RAID from a digital forensic perspective. Besides, digital forensic tools (such as EnCase, FTK, X-Ways, and RAID Reconstructor) do not support automatic RAID reassembly for hybrid RAID, so research on hybrid RAID reassembly methods is necessary. This paper analyzes the disk array composed of hybrid RAID and explains the layout of the disk array, the partition layout in hybrid RAID, and the hybrid RAID configuration strategy. Furthermore, it suggests parameters that are required for RAID reassembly and then proposes a hybrid RAID reassembly procedure using them. Finally, we propose a proof-of-concept tool (Hybrid RAID Reconstructor) that identifies hybrid RAID from a disk array and parses RAID parameters.
Files in This Item
There are no files associated with this item.
Appears in
Collections
School of Cyber Security > Department of Information Security > 1. Journal Articles

Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.
