Identifying electronic evidence from a damaged RAID server


After our client’s mail server, stored on a RAID-5 array, was maliciously damaged by one of their employees, we were instructed by their solicitor to conduct a full forensic examination of the evidence. It was suspected that the server’s hard drives were concealing inappropriate correspondence. The hard drives had been removed and the circuit boards physically destroyed. To exacerbate the situation, backups had been securely erased and could not be retrieved.

Our technicians removed the RAID server from site to ensure preservation of the evidence. Before acquisition and analysis could begin, it was necessary to render the hard drives serviceable in order to take an exact sector-level duplicate. We are one of the few computer forensic experts that also specialise in data recovery. The hard drives were dismantled in our clean room and rebuilt using donor parts.

We were then asked to establish whether or not there was sufficient evidence to show that activity was performed during a seven-day window and whether the evidence of this activity had been forensically wiped (in addition to physical destruction of the hard disk drives in the RAID). Our data recovery engineers then imaged all the repaired hard drives in the RAID array, taking care to maintain the integrity of the evidence and adhering to Association of Police Chief Officers (ACPO) guidelines at all times.

Thankfully there was no media damage to the platters and we were able to image the drives without error. The acquired images were verified using hash functions and the data parameters calculated in order to rebuild the data on the server.
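The verification step described above can be sketched as follows. This is an added example, not the firm's own procedure or tooling: it checks each member image against the hash recorded at acquisition, confirms the RAID-5 invariant that the XOR of all members is zero at every offset, and reassembles the volume. The member count, chunk size, left-asymmetric parity rotation and the sample data are all assumptions constructed for the demonstration.

```python
import hashlib
from functools import reduce

CHUNK = 16    # assumed stripe-unit size in bytes (tiny, for the demo)
N_DISKS = 3   # assumed number of member disks

def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def build_members(data, n=N_DISKS, chunk=CHUNK):
    """Construct sample member images (assumed left-asymmetric parity rotation)."""
    row_bytes = chunk * (n - 1)
    data = data.ljust(-(-len(data) // row_bytes) * row_bytes, b"\0")
    members = [bytearray() for _ in range(n)]
    for row, off in enumerate(range(0, len(data), row_bytes)):
        chunks = [data[off + i * chunk: off + (i + 1) * chunk] for i in range(n - 1)]
        parity_disk = (n - 1) - (row % n)
        it = iter(chunks)
        for disk in range(n):
            members[disk] += xor_blocks(chunks) if disk == parity_disk else next(it)
    return [bytes(m) for m in members]

def image_hashes(members):
    """SHA-256 of each member image, compared against the acquisition record."""
    return [hashlib.sha256(m).hexdigest() for m in members]

def parity_consistent(members):
    """RAID-5 invariant: XOR of all members at every offset is zero."""
    return not any(xor_blocks(members))

def reassemble(members, chunk=CHUNK):
    """Rebuild the logical volume by skipping the parity chunk in each row."""
    n, out = len(members), bytearray()
    for row in range(len(members[0]) // chunk):
        parity_disk = (n - 1) - (row % n)
        for disk in range(n):
            if disk != parity_disk:
                out += members[disk][row * chunk:(row + 1) * chunk]
    return bytes(out)

# Constructed sample data standing in for the server's contents.
SAMPLE = b"Constructed mailbox text: meeting moved to Friday, see attached notes. " * 3
members = build_members(SAMPLE)
recorded = image_hashes(members)  # hashes as noted at acquisition time
```

A parity check that passes on every offset shows the set of images is complete and mutually consistent; it does not by itself reveal the chunk size or disk order, which still have to be determined from the content.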

The main tools used were AccessData Forensic Toolkit (FTK) and FTK Imager. The data recovered clearly identified signatures for forensic wiping programs, namely CCleaner and DiskWipe, which are used to clean hard drives and to destroy data permanently. Using powerful forensic data recovery tools, we were able to recover all the data and then search for specific activity by keyword and text string. Needless to say, there was a wealth of inappropriate activity that had been cloaked by the perpetrators. Our subsequent forensic report was presented to an employment tribunal, which resulted in a successful outcome for our client.

Reference: http://www.datarecoveryspecialists.co.uk/blog/identifying-electronic-evidence-from-a-damaged-raid-server
Data Recovery Expert

Viktor S., Ph.D. (Electrical/Computer Engineering), was hired by DataRecoup, the international data recovery corporation, in 2012. Promoted to Engineering Senior Manager in 2010 and then to his current position, as C.I.O. of DataRecoup, in 2014. Responsible for the management of critical, high-priority RAID data recovery cases and the application of his expert, comprehensive knowledge in database data retrieval. He is also responsible for planning and implementing SEO/SEM and other internet-based marketing strategies. Currently, Viktor S., Ph.D., is focusing on the further development and expansion of DataRecoup’s major internet marketing campaign for their already successful proprietary software application “Data Recovery for Windows” (an application which he developed).
