Singing in the RAID
Aug 18, 2009
We've been receiving a reasonable number of emails lately asking for a bit of clarification on F-Response and RAID. As such, I've decided to provide a brief overview of RAID, explain how F-Response works with RAID, and list a few resources you can use for additional information.
First, what is RAID? This is best left up to the wizards of Wikipedia, who define RAID as follows:
"RAID — which stands for Redundant Array of Inexpensive Disks (as named by the inventor[1]), or alternatively Redundant Array of Independent Disks (a less relative name, and thus now the generally accepted one[2]) — is a technology that employs the simultaneous use of two or more hard disk drives to achieve greater levels of performance, reliability, and/or larger data volume sizes.
The phrase "RAID" is an umbrella term for computer data storage schemes that can divide and replicate data among multiple hard disk drives. RAID's various designs all involve two key design goals: increased data reliability and increased input/output performance. When several physical disks are set up to use RAID technology, they are said to be in a RAID array. This array distributes data across several disks, but the array is seen by the computer user and operating system as one single disk." -- Source Wikipedia RAID
So, the key point to focus on here is that a RAID array is typically understood by the operating system as one single disk. This is very important, as F-Response relies on the operating system to determine which physical disks are available to be "accessed". As such, in the case of Hardware RAID, F-Response will see the array as a single physical disk. However, you don't need to take our word for it, just ask Lance Mueller, who used F-Response to image a 1 Terabyte Hardware RAID Array.
Now, I know what you are thinking: what about Software RAID? Well, that is a very different animal. Software RAID typically functions as part of the Operating System or in tandem with the Operating System, and can be presented as either a physical or a logical disk. In this case the Software RAID drive may be accessible by F-Response, however it may still require reassembly by a standard forensic application capable of Software RAID reassembly.
In this case you'll be best served using a tool such as X-Ways Forensics, EnCase Forensic, or Raid Reconstructor. All three of these applications provide excellent capabilities for RAID reassembly.
Now, as promised, there are numerous resources for getting a better handle on RAID imaging and reconstruction. I'd recommend the following:
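To show what "reassembly" of separately imaged Software RAID members involves, here is an added example (not part of the original post and not code from F-Response or the tools named above). It assumes a plain RAID 0 layout with no on-disk metadata or start offset, and every name in it is hypothetical: it destripes constructed member images and recovers the member order and chunk size by looking for known content that crosses chunk boundaries.

```python
import hashlib
from itertools import permutations

def stripe(volume, n_members, chunk):
    """Build constructed member images by striping a volume RAID 0 style."""
    members = [bytearray() for _ in range(n_members)]
    for i in range(0, len(volume), chunk):
        members[(i // chunk) % n_members] += volume[i:i + chunk]
    return [bytes(m) for m in members]

def reassemble(members, chunk):
    """Interleave chunk-sized blocks from the member images, in list order."""
    out, offset = bytearray(), 0
    while any(offset < len(m) for m in members):
        for m in members:
            out += m[offset:offset + chunk]
        offset += chunk
    return bytes(out)

def candidate_layouts(members, chunk_sizes, marker):
    """Return (order, chunk) pairs whose reassembly contains the marker intact."""
    hits = []
    for order in permutations(range(len(members))):
        for chunk in chunk_sizes:
            if marker in reassemble([members[i] for i in order], chunk):
                hits.append((order, chunk))
    return hits

# Constructed sample data: a 768-byte pseudo-random "volume" striped
# over 3 members with 16-byte chunks (real arrays use far larger chunks).
VOLUME = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(24))
MEMBERS = stripe(VOLUME, 3, 16)
# Known content that crosses two chunk boundaries (offsets 48 and 64), so it
# only appears intact when both the order and the chunk size are right.
MARKER = VOLUME[40:72]

if __name__ == "__main__":
    # Member images handed over in an arbitrary order.
    shuffled = [MEMBERS[2], MEMBERS[0], MEMBERS[1]]
    want = hashlib.sha256(VOLUME).hexdigest()
    for order, chunk in candidate_layouts(shuffled, [8, 16, 32], MARKER):
        rebuilt = reassemble([shuffled[i] for i in order], chunk)
        print(order, chunk, hashlib.sha256(rebuilt).hexdigest() == want)
```

Hashing each member image at acquisition and the reassembled volume afterwards keeps the reconstruction verifiable, since a wrong order or chunk size produces a different volume hash.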
RAID Rebuilding by S/A Dickerman (Techno Forensics Slide Presentation)
How to Image RAIDs by Dave Shaver
Bottom line, RAID imaging is often best done live, and, armed with F-Response (Any Version), you'll find RAID imaging and analysis to be a much more readily accessible and less painful experience.
Enjoy!
Warmest Regards,
M Shannon, Founder
F-Response.com
August 15, 2008