Problems reading EXT4 in RAID1

Autopsy Help
1

Hi all,

I’m new here but I wanted to see if I can find a solution for a problem one of our customers is facing.

Let’s assume we have a Synology image (SYNOLOGY.E01). While processing this image, an error occured:

1.) Cannot determine file system type (Sector offset: 4982528, Partition Type: )
2.) Cannot determine file system type (Sector offset: 9437184, Partition Type: )

Partitioning table according to Autopsy:
Name ID Starting Length Description Flags
Sector in Sectors
vol1 (Unallocated: 0-2047) 1 0 2048 Unallocated Unallocated
vol4 (Unknown: 2048-4982527) 4 2048 4980480 Unknown Allocated
vol5 (Unknown: 4982528-9176831) 5 4982528 4194304 Unknown Allocated
vol6 (Unallocated: 9176832-9437183) 6 9176832 260352 Unallocated Unallocated
vol7 (Unknown: 9437184-5860328351) 7 9437184 5850891168 Unknown Allocated
vol8 (Unallocated: 5860328352-5860533167) 8 5860328352 204816 Unallocated Unallocated

According to Sleuthkit (mmls):
C:>mmls SYNOLOGY.E01
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

  Slot      Start        End          Length       Description

000: Meta 0000000000 0000000000 0000000001 Safety Table
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: Meta 0000000001 0000000001 0000000001 GPT Header
003: Meta 0000000002 0000000033 0000000032 Partition Table
004: 000 0000002048 0004982527 0004980480
005: 001 0004982528 0009176831 0004194304
006: ------- 0009176832 0009437183 0000260352 Unallocated
007: 002 0009437184 5860328351 5850891168
008: ------- 5860328352 5860533167 0000204816 Unallocated

A test on Linux shows this:

xmount --in ewf SYNOLOGY.E01 --cache SYNO.ovl --out raw /ewf

ll /ewf

-rw-rw-rw 1 root root 3000592982016 Jan 1 1970 SYNOLOGY.dd
-rw-rw-rw 1 root root 745 Jan 1 1970 SYNOLOGY.info

fdisk -lu /ewf/SYNOLOGY.dd

Disk /ewf/SYNOLOGY.dd: 2,7 TiB, 3000592982016 bytes, 5860533168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 56E247B8-0EDC-4129-BB66-DCEFB58F2D35

Device Start End Sectors Size Type
/ewf/SYNOLOGY.dd1 2048 4982527 4980480 2,4G Linux RAID
/ewf/SYNOLOGY.dd2 4982528 9176831 4194304 2G Linux RAID
/ewf/SYNOLOGY.dd3 9437184 5860328351 5850891168 2,7T Linux RAID

losetup -a

losetup -o $((2048*512)) /dev/loop1 /ewf/SYNOLOGY.dd

losetup -o $((9437184*512)) /dev/loop3 /ewf/SYNOLOGY.dd

losetup -a

/dev/loop1: [0053]:2 (/ewf/SYNOLOGY.dd), offset 1048576
/dev/loop3: [0053]:6 (/ewf/SYNOLOGY.dd), offset 4831838208

mount -o ro /dev/loop1 /mnt/partition1

ll /mnt/partition1

total 96
drwxr-xr-x 22 root root 4096 Feb 22 2019 ./
drwxr-xr-x 5 root root 4096 Okt 22 16:32 …/
lrwxrwxrwx 1 root root 7 Sep 26 2018 bin -> usr/bin/
drwx------ 2 root root 4096 Sep 26 2018 config/
drwxr-xr-x 3 root root 4096 Sep 26 2018 dev/
drwxr-xr-x 48 root root 4096 Mär 21 2019 etc/
[…]

mount -o ro /dev/loop3 /mnt/partition3

mount: /mnt/partition3: unknown filesystem type ‘linux_raid_member’.

cat /proc/mdstat

Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md127 : inactive loop31
2925444560 blocks super 1.2
unused devices:

mdadm --stop /dev/md127

mdadm: stopped /dev/md127

mdadm --assemble -scan

mdadm: /dev/md/DiskStation:2 has been started with 1 drive (out of 2).

cat /proc/mdstat

Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md127 : active raid1 loop3[1]
2925444416 blocks super 1.2 [2/1] [_U]
unused devices:

mount -o ro /dev/md127 /mnt/partition3

ll /mnt/partition3/

total 297760
drwxr-xr-x 19 root root 4096 Feb 22 2019 ./
drwxr-xr-x 4 root root 4096 Okt 22 11:26 …/
drwxr-xr-x 12 root root 4096 Okt 31 2018 ‘@appstore’/
-rw------- 1 root root 16384 Mär 21 2019 aquota.group
-rw------- 1 root root 18432 Mär 21 2019 aquota.user
[…]

du -shx /mnt/partition3

1,9T /mnt/partition3

Our conclusion is that Sleuthkit cannot process the EXT4 filesystem in sector 9437184, because it is a RAID1 setup. Other tools like XWAYS seem to process this normally.

Has anyone ever encountered this and if yes, is there any solution available?

Thanks heaps in advance for a quick reply…!