RAID Forensic Analysis

As shown in the figure, I encountered an E01 file packaged by RAID. I tried to perform forensic analysis on it through Autopsy, but it was useless and I couldn’t see any data. I have a question now: does Autopsy support forensic analysis of RAID?


Are you certain that is a RAID image? It appears that it’s a single HDD1 image that is split into multiple parts and not a RAID image. What does that NTFS/exFAT partition look like in hex?

Hello. Thank you for your reply. This is one of the disk images in this RAID group. The following is the hexadecimal format of the NTFS / exFAT partition parsed by Autopsy.
Thank you!


Ah, I didn’t realize there were other images for multiple discs.

Unfortunately Autopsy doesn’t have native RAID processing so you’ll have to rebuild those images outside of Autopsy using another tool and then feed a new single rebuilt image into Autopsy. If those images came from a Linux machine with a software RAID (MDRAID) then you could use a Linux machine with mdadm to rebuild them and reimage. However, it looks like that RAID set came from a Windows machine, likely one with hardware RAID. Were you the one who created those images and if so do you still have access to the original hardware?
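As an added example (not part of the original post and not Autopsy code): a Python check for whether a raw member image carries Linux md (mdadm) v1.x metadata, which is what decides whether the mdadm route mentioned above applies. It assumes the E01 has already been exposed as a raw image; the function names and the sample image are constructed for illustration, and the older 0.90 metadata format is not checked.

```python
import io
import struct
import uuid

MD_MAGIC = 0xA92B4EFC   # Linux md v1.x superblock magic (little-endian on disk)
SECTOR = 512

def candidate_offsets(size):
    """Byte offsets at which a v1.x md superblock can sit in a member image."""
    offsets = {"1.1": 0, "1.2": 4096}
    sectors = size // SECTOR
    if sectors >= 16:
        offsets["1.0"] = ((sectors - 16) & ~7) * SECTOR  # 8 KiB from end, 4 KiB aligned
    return offsets

def parse_md_superblock(buf):
    """Return array parameters from a v1.x superblock, or None if absent."""
    if len(buf) < 164 or struct.unpack_from("<II", buf, 0) != (MD_MAGIC, 1):
        return None
    level, _layout, _size, chunk, disks = struct.unpack_from("<iIQII", buf, 72)
    (dev_number,) = struct.unpack_from("<I", buf, 160)
    return {"array_uuid": str(uuid.UUID(bytes=bytes(buf[16:32]))),
            "name": bytes(buf[32:64]).split(b"\0")[0].decode("utf-8", "replace"),
            "level": level, "chunk_bytes": chunk * SECTOR,
            "raid_disks": disks, "dev_number": dev_number}

def scan_member(fh):
    """Check one raw member image (binary file object) for md metadata."""
    size = fh.seek(0, io.SEEK_END)
    for version, off in candidate_offsets(size).items():
        fh.seek(off)
        info = parse_md_superblock(fh.read(256))
        if info:
            return {"metadata": version, "offset": off, **info}
    return None  # no md v1.x superblock found in this image

def build_sample_member():
    """Constructed 1 MiB member image with a v1.2 superblock (sample data)."""
    sb = bytearray(256)
    struct.pack_into("<II", sb, 0, MD_MAGIC, 1)
    sb[16:32], sb[32:37] = bytes(range(16)), b"lab:0"
    struct.pack_into("<iIQII", sb, 72, 5, 2, 2048, 1024, 3)  # RAID5, 3 disks
    struct.pack_into("<I", sb, 160, 1)                       # device number 1
    img = bytearray(1024 * 1024)
    img[4096:4096 + 256] = sb
    return io.BytesIO(bytes(img))
```

Run `scan_member(open(path, "rb"))` on each member; a `None` result for every image means no md v1.x superblock is present, and matching `array_uuid` values across members show they belong to the same md array.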

Hello. Thanks for your reply. Unfortunately Autopsy does not have this feature, so I will try other tools for analysis. Unfortunately, this image was not created by me and I cannot access the original hardware.