Topic88

WinHex & X-Ways

Reconstruct RAID System

 

Menu command in the Specialist menu.

 

WinHex and X-Ways Forensics can internally destripe RAID level 0, 5, 5EE and 6 systems as well as JBOD consisting of up to 16 components. The components may be physical hard disks or images of physical disks for hardware RAIDs, or partitions for Linux software RAIDs. Components that are available as images need to be opened and interpreted before you use this function. Components that are partitions need to be opened first before the RAID reconstruction can take place.

 

You need to select the components in the correct order. WinHex lets you specify the strip size in sectors (often 128 or at least a power of 2 like 32, 64, 256) and different RAID header sizes per component (often simply 0). The strip size multiplied by the number of RAID component disks gives the so-called stripe size, i.e. a whole row.

 

The header is a reserved area at the start of a component disk that some RAID controllers set aside for their private data and thus must be excluded from the reconstruction. If there are a few reserved sectors at the end of a component disk, as is not uncommon for JBOD, prior to the reconstruction you would specify the number of actually used sectors plus header size for each component via Tools | Disk Tools | Set Disk Parameters as the "Sector count".

 

You can usually tell that either the component order, the strip size, the stripe pattern, or the RAID header size was selected incorrectly when no partitions are detected or partitions with unknown file systems or with file systems that cannot be interpreted properly.

 

When you add a reconstructed RAID system to a case (and optionally partitions opened from such a RAID system), the selected RAID configuration parameters are saved with the evidence object, which allows to access the RAID system instantly in later sessions (forensic licenses only).

 

In RAID level 5 and 6, data is not only striped across all component disks in a rotating pattern, but also interspersed with parity blocks for redundancy. RAID level 5 and 6 are implemented in different ways by different RAID controller manufacturers in that they employ different stripe/parity patterns. The supported patterns are the following:

 

Level 5: Backward Parity aka Left Asynchronous (Adaptec)

Component 1:  1  3  P

Component 2:  2  P  5

Component 3:  P  4  6

 

Level 5: Backward Dynamic Parity aka Left Synchronous (AMI and Linux standard)

Component 1:  1  5  9  P

Component 2:  2  6  P  10

Component 3:  3  P  7  11

Component 4:  P  4  8  12

 

Level 5: Backward Delayed Parity (HP/Compaq)

Component 1:  1  3  5  7   9   11  13  15

Component 2:  2  4  6  8   P   P   P   P

Component 3:  P  P  P  P   10  12  14  16

 

Level 5: Forward Parity (aka Right Asynchronous)

Component 1:  P  3  5

Component 2:  1  P  6

Component 3:  2  4  P

 

Level 5: Forward Dynamic Parity (aka Right Synchronous)

Component 1:  P  6  8  10

Component 2:  1  P  9  11

Component 3:  2  4  P  12

Component 4:  3  5  7  P

 

Level 5: Forward Delayed Parity

Level 5: Forward Dynamic Delayed Parity (CRU/Dataport)

 

Level 5EE: Backward Parity (Adaptec)

Component 1:  1  3  S  P

Component 2:  2  S  P  7

Component 3:  S  P  5  8

Component 4:  P  4  6  S    (S = spare)

 

Level 5EE: Forward Parity

Component 1:  1  P  S  7

Component 2:  2  3  P  S

Component 3:  S  4  5  P

Component 4:  P  S  6  8

 

Level 6: Backward Parity (Adaptec/JetStor)

Component 1:  1  3  P  Q

Component 2:  2  P  Q  7

Component 3:  P  Q  5  8

Component 4:  Q  4  6  P

 

Level 6: Backward Dynamic Parity

Component 1:  1  4  P  Q

Component 2:  2  P  Q  7

Component 3:  P  Q  5  8

Component 4:  Q  3  6  P

 

Level 6: Forward Delayed Parity

Level 6: Forward Parity

 

The parity start component can be defined differently if necessary, for many RAID variants. To stick with the select standard pattern, leave that value at 0. In order to define a non-standard parity start component, specify the number of the component where the parity is located first (1-based).

 

The delay with that the parity moves on HP/Compaq controllers is most often 4 or 16, but freely configurable.

 

If one of the RAID component disks is not available, you can reconstruct a RAID 5 system nonetheless because one component is redundant. Simply select a dummy substitute (one of the other, available components of the same RAID system) as the missing component and declare that component "missing"! RAID 5EE and RAID 6 can also be internally reconstructed if one component is missing.

 

Support for software RAIDs

 

Linux MD RAID container partitions are automatically recognized as such. They are represented as two distinct items: A static header area that contains metadata about the RAID in general and the following component in particular, usually at relative offset 4096, and an explorable partition that serves as the RAID component. In case of RAID level 1 that explorable partition contains a fully self-contained volume whose file system can be parsed normally (without any reconstruction effort) if supported. In case of other RAID levels, the reconstruction can be accomplished with the Specialist | Reconstruct RAID command, and some hints on the correct reconstruction parameters are shown as comments attached to the header area item. Note that you need to open all the relevant partitions first so that they are offered for selection as the components of the RAID. The result of the reconstruction will be a single volume, which is represented as encompassed in a virtual physical disk. The RAID components have to remain in the case as evidence objects for internal reasons, to allow to re-open the reconstructed RAID with a single mouse-click later.

 

Windows storage pool container partitions are also automatically recognized as such, and it is possible to properly open partitions whose sectors size is a multiple of the sector size of the underlying physical disk. This is important for example for Windows storage space partitions in Windows storage space pool disks. These partitions and disks have a simulated sector size of 4 KB even if they reside on physical disks with a sector size of 512 bytes. The search for lost partitions can find NTFS storage space partitions within storage space container partitions despite sector size discrepancies, which is a useful work-around for simple single-disk storage spaces.