RAID Reconstruction and the Search for the Aardvark. Dr Michael Cohen. This talk does not represent my employer. April 2005. 1

RAID 0: Striping. What is RAID? Improves performance due to parallel disk access. No redundancy: lose a single disk and you lose the data. Capacity of the array = n * capacity of each disk. 2
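
To make the striping arithmetic concrete, here is a minimal Python sketch (illustrative only, not PyFlag code) that maps a logical block number to a member disk and a physical block, assuming a fixed block size and round-robin striping:

# Illustrative sketch of RAID 0 striping (not PyFlag code): logical blocks
# are dealt round-robin across the members, so block i lives on disk
# i mod n at physical block i div n.

def raid0_locate(logical_block, n_disks):
    """Return (disk index, physical block) for a logical block number."""
    return logical_block % n_disks, logical_block // n_disks

def raid0_read_block(disks, logical_block, block_size=4096):
    """Read one logical block from a list of open disk-image file objects."""
    disk, physical = raid0_locate(logical_block, len(disks))
    disks[disk].seek(physical * block_size)
    return disks[disk].read(block_size)

With three members, logical blocks 0, 1 and 2 land on disks 1, 2 and 3 respectively, block 3 wraps back to disk 1, and so on.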

RAID 1: Mirroring. Improves read speed but not write speed. Full redundancy: the array survives the loss of all but one disk. Capacity of the array = capacity of one disk. 3

RAID 5: Striping with parity. Strikes a balance between redundancy, speed and capacity. Data is striped across all disks, and each stripe includes a parity block chosen so that A xor B xor C = 0. The array can lose one disk and the data can still be recovered. 4
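
The parity relation is what makes single-disk recovery possible: every block in a stripe is the XOR of the others. A minimal Python sketch of the idea (illustrative only, using in-memory 4 KB blocks for a three-disk stripe):

# Illustrative sketch of RAID 5 parity: the parity block is the XOR of the
# data blocks in its stripe, so any single missing block can be rebuilt.

def xor_blocks(blocks):
    """XOR a list of equal-length byte strings together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, b in enumerate(block):
            out[i] ^= b
    return bytes(out)

A, B = b"A" * 4096, b"B" * 4096    # the two data blocks in a three-disk stripe
P = xor_blocks([A, B])             # parity, chosen so A xor B xor P == 0

# Lose the disk holding A: XOR-ing the survivors recovers it.
assert xor_blocks([B, P]) == A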

Why would we care? Image acquisition: RAID arrays are common in server-class machines. Traditional techniques involve booting the original hardware and imaging over the network or USB; this is typically slow, and we can't use imaging hardware like Logicube etc. Data recovery: some controllers can mark a disk as bad when they detect a fault with it; often the fault is intermittent, and the drive may be repairable. 5

Sounds easy? Can we just reassemble the striping pattern as in the previous figure? Unfortunately there is no standard striping pattern: each controller has its own. Often the order of the disks in the array is nothing like the labelling on the disks. Sometimes we are missing one drive; we should be able to rebuild the array without it. 6

Definitions: Block, Logical Block, Physical Block, Array period, Physical array period, Logical array period, Slot, Striping Map. 7

How do we reassemble the array? We need to establish the block size. Look through the data for obviously disjoint discontinuities:
Disk1 Disk2 Disk3
0x1dfe0 ..S(...Ns...wh s.s(.hre(... s...hrefs...re
0x1dff0 ite(...(...s.....kes..(.pos. p places...posixp
0x1e000 ..self(...(....as.possible.so..a.E..[siblM.so.
0x1e010 s5.../home/mic/p it.may.be.instal.a.mavh..ef...n.
0x1e020 yflag_website/py led.with.as.few....a.6..b..t.j.y...
0x1efe0 pts.to.include.a ill.then.be.inde...e.n..u..d.
0x1eff0 s.many.libraries xed.during.scann.e.a..r...r...
0x1f000 ...Gedz...HI... ing...usage:.loa tation/tutorials
0x1f010 K6...G...[.$.T d_dictionary.py. /index.html">tut
0x1f020 46...SA.Ls.I..[ [Dictionary.file orials</a>.</td>
8
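
One way to automate this search (a rough sketch, assuming the data contains stretches of text and a candidate block size to test): score each candidate block by how printable it looks and report boundaries where that score jumps. The image d1.dd is one of the member images used later in the talk.

# Rough sketch (not PyFlag code): flag candidate block boundaries by watching
# how "printable" the data looks on either side of them.

def printable_ratio(data):
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / max(len(data), 1)

def find_discontinuities(path, block_size=4096, threshold=0.5):
    """Yield (offset, ratio before, ratio after) where adjacent blocks differ sharply."""
    with open(path, "rb") as f:
        prev = None
        offset = 0
        while True:
            block = f.read(block_size)
            if len(block) < block_size:
                break
            ratio = printable_ratio(block)
            if prev is not None and abs(ratio - prev) > threshold:
                yield offset, prev, ratio
            prev = ratio
            offset += block_size

for offset, before, after in find_discontinuities("d1.dd"):
    print("possible boundary at 0x%x: %.2f -> %.2f" % (offset, before, after))

Running it with a few candidate block sizes quickly shows where the content changes character and supports the 4 KB guess.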

Demo 9

Establish the RAID map. Common pitfalls to avoid: blocks that contain only zeros drop out of the XOR, so the parity block becomes a copy of the remaining data and is difficult to tell apart from it. Regions of the disk containing random data can be indistinguishable from parity and are best avoided. Bonus: finding a dictionary makes life really easy, because we are able to follow the block order alphabetically: search for Aardvark. For example, /usr/share/dict/american-english is 900 KB; with a 4 KB block size this will cover over 200 contiguous blocks. 10
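
A rough sketch of the dictionary trick (illustrative, assuming 4 KB blocks and the d?.dd member images used throughout this talk): pull the first complete word out of each block and sort; the blocks that carry the sorted word list then fall into their logical order.

# Rough sketch of the dictionary trick (not PyFlag code): if a sorted word
# list such as /usr/share/dict/american-english spans many contiguous 4 KB
# blocks, the first complete word in each block reveals the logical order.
import re

def first_word(block):
    """Return the first complete lower-case word bounded by newlines, if any."""
    text = block.decode("ascii", errors="replace")
    match = re.search(r"\n([a-z]{3,})\n", text)
    return match.group(1) if match else None

def order_blocks(disk_paths, block_size=4096):
    """Collect (word, disk, block number) tuples and sort them alphabetically."""
    hits = []
    for disk_no, path in enumerate(disk_paths):
        with open(path, "rb") as f:
            block_no = 0
            while True:
                block = f.read(block_size)
                if len(block) < block_size:
                    break
                word = first_word(block)
                if word:
                    hits.append((word, disk_no, block_no))
                block_no += 1
    return sorted(hits)

for word, disk, block in order_blocks(["d1.dd", "d2.dd", "d3.dd"])[:20]:
    print("%-20s disk %d, block %d" % (word, disk + 1, block))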

Block 30:
0x1e000 ..self(...(....as.possible.so..a.E..[siblM.so.
0x1e010 s5.../home/mic/p it.may.be.instal.a.mavh..ef...n.
0x1efe0 pts.to.include.a ill.then.be.inde...e.n..u..d.
0x1eff0 s.many.libraries xed.during.scann.e.a..r...r...
Block 31:
0x1f000 ...Gedz...HI... ing...usage:.loa tation/tutorials
0x1f010 K6...G...[.$.T d_dictionary.py. /index.html">tut
0x1ffe0 .L..Q.U;=-)gmBy$ olor="white">.<a k.rel="styleshee
0x1fff0 tjr..xd..j@....href="./documen T".href="./defau
Block 32:
0x20000 g.has.not.been.t.tf..slo.y..xlt. lt.css".type="te
0x20010 ested.on.windows..[..smp*kf...m xt/css">.</head>
0x20fe0 .wrong?</li>.</o N...L@.._hUC. nhance.portabili
0x20ff0 l>.<div.class="a.g$.k.h*_._#.{n. ty.</p>.<p>pyfla
Block 33:
0x21000 dmonition-answer <a.href="%(rootd X.O...RL.I...
0x21010 .admonition">.<p ir)sdocumentatio I.M.+...V_~U.
11

Build the RAID Map.
Block   Disk 1   Disk 2   Disk 3
30:     0        1        P
31:     P        2        3
32:     5        P        4
33:     6        7        P
34:     P        8        9
12

Determine the period. The period is the number of blocks before the pattern starts repeating. It is usually easy to determine the period by looking at the parity. In the previous case the period was 3, so the slot map was:
Block   Disk 1   Disk 2   Disk 3
30:     0        1        P
31:     P        2        3
32:     5        P        4
13
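
Putting the slot map to work, here is a minimal Python sketch (not PyFlag's implementation) that rebuilds the logical image from the member images, using the same map notation PyFlag uses later ("0.1.P.P.2.3.5.P.4", where each row of the period lists what each disk holds and "P" marks parity). Header and offset handling is omitted for brevity.

# Illustrative sketch (not PyFlag's code): rebuild a RAID 5 logical image
# from member images using a slot map in PyFlag's "0.1.P.P.2.3.5.P.4" style.

BLOCK_SIZE = 4096

def parse_map(map_string, n_disks):
    """Return {logical block within the period: (disk index, row within the period)}."""
    layout = {}
    for index, entry in enumerate(map_string.split(".")):
        row, disk = divmod(index, n_disks)
        if entry != "P":                      # "P" marks the parity block
            layout[int(entry)] = (disk, row)
    return layout

def reassemble(disk_paths, map_string, out_path, block_size=BLOCK_SIZE):
    layout = parse_map(map_string, len(disk_paths))
    data_blocks_per_period = len(layout)
    rows_per_period = len(map_string.split(".")) // len(disk_paths)
    disks = [open(p, "rb") for p in disk_paths]
    with open(out_path, "wb") as out:
        logical = 0
        while True:
            disk, row = layout[logical % data_blocks_per_period]
            physical = (logical // data_blocks_per_period) * rows_per_period + row
            disks[disk].seek(physical * block_size)
            block = disks[disk].read(block_size)
            if len(block) < block_size:       # ran off the end of a member
                break
            out.write(block)
            logical += 1
    for d in disks:
        d.close()

reassemble(["d1.dd", "d2.dd", "d3.dd"], "0.1.P.P.2.3.5.P.4", "recovered.dd")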

Recovering the partition table. Determine the start of the partition in the logical image. Usually there is a partition table at the start of the logical image:
~/pyflag$ ./bin/mmls -t dos d1.dd
DOS Partition Table
Units are in 512-byte sectors
Slot  Start       End         Length      Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000062 0000000062 Unallocated
02: 00:00 0000000063 0000009829 0000009767 Linux (0x83)
03: 00:01 0000009830 0000020479 0000010650 Win95 FAT32 (0x0C)
14

PyFlag hooking infrastructure. PyFlag is GPL forensic software. There are many types of forensic images, in lots of different formats: dd format (disk/partition), Encase format, RAID format. There are many different types of forensic tools: Sleuthkit, PyFlag, loopback mounting through the kernel, md5sum, file, hexedit, exgrep, foremost, strings. 15

Putting them together. We need to use forensic tools on forensic images. It would be best if we could use standard forensic tools on all kinds of images. We do not want to change the tools: although many tools are open source, it would be a nightmare to maintain patches against all of them. Can we enhance the functionality of arbitrary tools without touching their source code? Is this possible? 16

Hooking IO for fun and profit. We can do this by using a technique called library hooking. Consider a program:
main() {
    fd = open("somefile", O_RDONLY);
    read(fd, buffer, size);
    close(fd);
}
17

How does this work? [Diagram: under normal operation, the program's open() call goes through the C library, which issues the open syscall to the kernel. In a hooked program, the call is intercepted by the hooker, whose driver then calls open() through the C library and the kernel.] 18

How does this work? The hooker library intercepts standard library calls related to IO (open, read, write, etc.). When the application issues an IO call, the hooker uses an appropriate driver to access the raw image, depending on its format. The hooker returns the data to the program as if the image were a simple linear block of data. Parameters to the hooker driver are passed in through environment variables. An iowrapper is responsible for arranging the hooker and its environment variables. The hooker can use a number of drivers (we call them subsystems). 19
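
A toy Python sketch of the subsystem idea (the class and environment-variable names here are invented for illustration; the real hooker is written in C and configured by iowrapper): every driver exposes the same linear read() interface, and the choice of driver comes from the environment.

# Toy sketch of the "subsystem" idea. Names such as IO_SUBSYSTEM and
# RawSubsystem are invented for illustration; they are not PyFlag's.
import os

class RawSubsystem:
    """Plain dd-style image: reads pass straight through, plus a fixed offset."""
    def __init__(self, filename, offset=0):
        self.fd = open(filename, "rb")
        self.offset = offset

    def read(self, offset, length):
        self.fd.seek(self.offset + offset)
        return self.fd.read(length)

def get_subsystem():
    """Pick a driver based on environment variables, as the hooker does."""
    name = os.environ.get("IO_SUBSYSTEM", "raw")
    if name == "raw":
        return RawSubsystem(os.environ["IO_FILENAME"],
                            int(os.environ.get("IO_OFFSET", "0")))
    raise ValueError("unknown subsystem: %s" % name)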

Example: let us look at the hexdump of an Encase image:
~/pyflag$ hexdump -C test.e01 | head
00000000 45 56 46 09 0d 0a ff 00 01 01 00 00 00 68 65 61 EVF...ÿ...hea
00000010 64 65 72 00 00 00 00 00 00 00 00 00 00 b2 00 00 der...²..
00000020 00 00 00 00 00 a5 00 00 00 00 00 00 00 80 00 10 ......
~/pyflag$ ./bin/iowrapper -i ewf -filename=test.e01 -- hexdump -C foo | head
00000000 eb 3c 90 4d 53 44 4f 53 35 2e 30 00 02 01 01 00 ë<.MSDOS5.0...
00000010 02 e0 00 40 0b f0 09 00 12 00 02 00 00 00 00 00 .à.@.ð...
00000020 00 00 00 00 00 00 29 fc 02 29 08 4e 4f 20 4e 41 ...)ü.).NO NA
00000030 4d 45 20 20 20 20 46 41 54 31 32 20 20 20 33 c9 ME FAT12 3É
20

Example: let us convert an Encase image to a dd image. The -f option ensures we only hook files called foo; this allows dd to create the output file. The block size is 64k to ensure faster performance.
~/pyflag$ ./bin/iowrapper -i ewf -filename=test.e01 -f foo -- dd if=foo of=out.dd bs=64k
21

Remote subsystem. We can trick local programs into reading disk images directly off remote systems: the program being hooked receives data across the network from a remote servlet, and the servlet provides direct access to the raw disk on the remote machine. [Diagram: Program -> Hooker -> Network -> Remote Servlet -> Direct Raw Disk] 22

Remote subsystem. Advantages: we do not need to copy the entire image prior to analysis; we can analyse the remote image unintrusively, in place. Since the local program reads the filesystem structures directly, rather than relying on the remote system's kernel system calls, we are immune to kernel-level rootkits on the remote system hiding files. Disadvantages: slow operation due to network latency, and the possibility of race conditions since we are operating on a live system. 23
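
A bare-bones sketch of the idea (illustrative only; PyFlag's remote_server speaks its own protocol, and the device path and port below are placeholders): a tiny servlet on the remote machine serves (offset, length) reads from the raw device, and the examiner's side requests exactly the ranges it needs.

# Bare-bones sketch of a remote raw-disk servlet and its client (illustrative
# only; PyFlag's remote_server uses its own protocol). The device path and
# port number are placeholders.
import socket
import struct

DEVICE = "/dev/hdc"
PORT = 3333

def serve():
    """Run on the remote machine: answer (offset, length) requests from the raw disk."""
    with socket.socket() as srv, open(DEVICE, "rb") as dev:
        srv.bind(("0.0.0.0", PORT))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            while True:
                header = conn.recv(16)
                if len(header) < 16:
                    break
                offset, length = struct.unpack("!QQ", header)
                dev.seek(offset)
                conn.sendall(dev.read(length))

def remote_read(host, offset, length):
    """Run on the examiner's machine: fetch one range of bytes from the servlet."""
    with socket.socket() as s:
        s.connect((host, PORT))
        s.sendall(struct.pack("!QQ", offset, length))
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
        return data

Because only the requested ranges cross the network, the examiner never has to copy the whole disk.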

Example:
~/pyflag$ ./bin/iowrapper -i remote -host 127.0.0.1 -user root \
    -server_path /bin/remote_server -device /dev/hdc -- mmls foo
DOS Partition Table
Sector: 0
Units are in 512-byte sectors
Slot  Start       End         Length      Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000062 0000000062 Unallocated
02: 00:00 0000000063 0000096389 0000096327 Dell Utilities FAT (0xde)
03: 00:01 0000096390 0019647494 0019551105 NTFS (0x07)
24

Back to reassembling RAID. Through the use of hooking, we can use arbitrary programs with the RAID driver transparently: the IO hooker hooks system calls to enable other tools to work with the reassembled image. Example:
./bin/iowrapper -i raid -blocksize 4k -slots 3 -offset 63s -map 0.1.P.P.2.3.5.P.4 \
    -filenames d?.dd -- ./bin/fls -r -f linux-ext2 foo
25

Recover the logical image. Use PyFlag to hook dd to copy the logical image to a dd image:
./bin/iowrapper -i raid -blocksize 4k -slots 3 -offset 63s -map 0.1.P.P.2.3.5.P.4 \
    -filenames d?.dd -- dd if=foo > /tmp/recovered.dd
26

Is there a shortcut? Shortcuts make life easier, but sometimes they don't work. If you can save two hours by trying something that takes a few seconds, it might be worth it. PyFlag's hooker reassembles the array on the fly: the logical image is reassembled on an as-needed basis for the external program, so it takes no time to try. We can brute force the RAID parameters! 27

Brute forcing RAID parameters. Can we tell when the parameters are wrong? We need a program that gives an indication of success. We use it to guess the map from a library of possible maps. We need to assume a number of slots and a block size:
~/pyflag$ ./launch.sh utilities/raid_guess.py -o 63s -s 3 -b 4k d1.dd d2.dd d3.dd
28
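
One cheap indication of success, sketched here in Python under the assumption (true for the earlier example) that the logical image starts with a DOS partition table: for each candidate map and disk order, read the block that would hold logical block 0 and check for the 0x55AA boot signature. A real guesser such as raid_guess.py can then verify the survivors more thoroughly, for example by running mmls or fls over the reassembled image.

# Sketch of brute-forcing the RAID map (not PyFlag's raid_guess.py): for each
# candidate map and disk order, read the block the map assigns to logical
# block 0 and look for the DOS boot signature (0x55AA at byte 510). The
# candidate maps below are a small illustrative library, not an exhaustive one.
from itertools import permutations

BLOCK_SIZE = 4096
CANDIDATE_MAPS = [
    "0.1.P.P.2.3.5.P.4",
    "0.1.P.2.P.3.P.4.5",
    "P.0.1.2.P.3.4.5.P",
]

def first_block(disks, map_string, block_size=BLOCK_SIZE):
    """Read the physical block that a map assigns to logical block 0."""
    entries = map_string.split(".")
    row, disk = divmod(entries.index("0"), len(disks))
    with open(disks[disk], "rb") as f:
        f.seek(row * block_size)
        return f.read(block_size)

def guess(disk_files):
    for order in permutations(disk_files):
        for map_string in CANDIDATE_MAPS:
            block = first_block(list(order), map_string)
            if block[510:512] == b"\x55\xaa":
                print("plausible: map %s with disk order %s" % (map_string, order))

guess(["d1.dd", "d2.dd", "d3.dd"])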

What if one of the disks is dead? PyFlag can recover a RAID 5 array with a single missing disk. If PyFlag fails to open a file, it assumes it is missing:
./bin/iowrapper -i raid -blocksize 4k -slots 3 -offset 63s -map 0.1.P.P.2.3.5.P.4 \
    -filenames d1.dd d2.dd foo -- ./bin/fls -r -f linux-ext2 foo
Set number of slots to 3
Set file number 0 as d1.dd
Set file number 1 as d2.dd
Set file number 2 as foo
Could not open file foo, marking as missing
29
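
The missing member is synthesised from the parity relation shown earlier: whatever block is absent in a stripe row is the XOR of the blocks that survive. A sketch of just that step (illustrative, assuming 4 KB blocks and that the surviving images line up row for row):

# Illustrative sketch: rebuild the block a dead member held in a given stripe
# row by XOR-ing the same row on the surviving members (data plus parity).

BLOCK_SIZE = 4096

def read_row(path, row, block_size=BLOCK_SIZE):
    with open(path, "rb") as f:
        f.seek(row * block_size)
        return f.read(block_size)

def rebuild_missing(surviving_paths, row, block_size=BLOCK_SIZE):
    out = bytearray(block_size)
    for path in surviving_paths:
        for i, b in enumerate(read_row(path, row, block_size)):
            out[i] ^= b
    return bytes(out)

# e.g. the third member is dead: recover whatever it held in stripe row 5
lost_block = rebuild_missing(["d1.dd", "d2.dd"], row=5)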

What else can go wrong? Sometimes there is a header at the start of the disk. This is common with software RAID (e.g. Microsoft LDM, HP Smart Array). You can find those by searching for the partition table:
bash$ mmls -t dos header.dd
DOS Partition Table
Units are in 512-byte sectors
Slot  Start       End         Length      Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000062 0000000062 Unallocated
02: 00:02 0000000063 0000016064 0000016002 Hibernation (0x12)
30

How to find the header. We can guess the header size by trying to find the logical image's partition table:
bash$ for i in `seq 0 4 1000`; do \
    echo trying offset ${i}k; \
    ./bin/iowrapper -i advanced -offset ${i}k -filename d1.dd -- \
    ./bin/mmls -t dos foo; \
done 2>&1 | less
31

Can we hook the kernel? Sometimes it would be nice to mount the image over the loopback device: this uses the kernel's own filesystem drivers and supports many more types of filesystems than Sleuthkit. The kernel loopback driver does not use the C library to access the image, hence we need to hook in kernel space. FUSE (Filesystem in Userspace) allows us to hook system calls in the kernel directly, passing them to a user-space program that implements a virtual filesystem. 32

Filesystems in user space. [Diagram: the program's C library calls enter the kernel's VFS switch; instead of a kernel filesystem driver, the FUSE module hands the request back up to the hooker running in user space.] 33

PyFlag's FUSE hooker. The FUSE hooker hooks IO in the kernel: it works on all programs due to the very low-level hooking, and it creates a pseudo-file representing the raw image. This file can then be mounted using the standard loopback device.
~/pyflag# ./launch.sh ./utilities/fuse_loopback_subsystem.py /tmp/mnt/ \
    -i raid -header 0 -blocksize 4k -slots 3 -map 0.1.P.P.2.3.5.P.4 \
    -offset 63s -filename d?.dd
~/pyflag# mount -oloop /tmp/mnt/mountme /mnt/data/
34
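
For comparison, here is a minimal sketch of the same trick using the fusepy library (an assumption on my part; PyFlag ships its own fuse_loopback_subsystem.py): it exposes a single pseudo-file, mountme, backed by an already-reassembled flat image, which the kernel's loopback driver can then mount.

# Minimal fusepy sketch (fusepy is an assumption here; PyFlag ships its own
# FUSE hooker): expose a single pseudo-file, "mountme", backed by a flat
# image so that the kernel's loopback driver can mount it.
import errno
import os
import stat
import sys
from fuse import FUSE, FuseOSError, Operations

class ImageFS(Operations):
    def __init__(self, image_path):
        self.image = open(image_path, "rb")
        self.size = os.path.getsize(image_path)

    def getattr(self, path, fh=None):
        if path == "/":
            return dict(st_mode=stat.S_IFDIR | 0o755, st_nlink=2)
        if path == "/mountme":
            return dict(st_mode=stat.S_IFREG | 0o444, st_nlink=1,
                        st_size=self.size)
        raise FuseOSError(errno.ENOENT)

    def readdir(self, path, fh):
        return [".", "..", "mountme"]

    def read(self, path, size, offset, fh):
        self.image.seek(offset)
        return self.image.read(size)

if __name__ == "__main__":
    # usage: python fuse_image.py recovered.dd /tmp/mnt
    FUSE(ImageFS(sys.argv[1]), sys.argv[2], foreground=True, ro=True)

With the sketch running, mount -o loop,ro /tmp/mnt/mountme /mnt/data would then use the kernel's own filesystem driver on the reassembled image.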

How does this information affect me? Traditionally RAID acquisition was difficult and slow; now we can acquire the individual disks in parallel. For example, a 3 TB Apple X-Raid has 14 disks of 250 GB each. Assuming an acquisition rate of about 2 GB/min, it would take around 4 hours to acquire each disk. Acquiring linearly would take approximately 36 hours and would require a 3.5 TB server to place the image on. Traditional methods involve copying over USB/FireWire or Ethernet, both of which would typically achieve far less than 2 GB/min. 35

Conclusions. Acquiring large RAID arrays is now practical and possible. Automated techniques were presented for recovering RAID logical images. Data recovery of RAID arrays is possible. 36