Mounting a Windows software raid as a virtual disk
When an investigator attempts to bring a write-blocked Windows dynamic disk online, Windows will refuse to mount it. This forces investigators either to use one of the few tools that have built-in support for the RAID, or to image the partition and then mount the image. Imaging did not use to be an issue, but with the rising sizes of disks available at low cost, it is becoming prohibitively expensive to image every software RAID. The solution is to mount the RAID as a virtual disk through the use of a driver.

The research was conducted by first analysing the Windows Dynamic Disk Logical Disk Manager database for the information needed to mount the RAID. Once the important information was identified, a Storport miniport driver was modified to mount the RAID after receiving that information. Finally, the read function of the driver was designed to handle mirrored, simple, spanned, and striped dynamic disks.

Speed results show that the driver achieves speeds between 4–10% slower on average and up to 15% slower when write blocked. The driver has been proven to be compatible with 32-bit Windows Vista, Server 2008 and 7, as well as 64-bit Windows 7 while in test mode. The hashes of the volume show it to be a bit-perfect copy of the Windows implementation, and several different file types were tested and opened correctly without modifying the hash. Finally, the driver has been tested and functions correctly on spanned, striped, mirrored, and simple RAIDs, and it correctly handles corrupted, Linux, or GPT RAIDs when the RAID data is entered by hand.
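The address translation that a read path for the four layouts named above has to perform, as an added illustration that is not code from the thesis or its driver. The type names, the choice to read a mirror from its first member, and the sample extents and stripe size are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { VOL_SIMPLE, VOL_SPANNED, VOL_STRIPED, VOL_MIRRORED } vol_type;
typedef struct { int disk; uint64_t start, length; } extent;   /* units: sectors */
typedef struct { vol_type type; int count; uint64_t stripe; const extent *ext; } volume;
typedef struct { int disk; uint64_t sector; } location;        /* disk == -1: out of range */

/* Translate a volume-relative sector into (member disk, sector on that disk). */
location map_sector(const volume *v, uint64_t lba)
{
    location bad = { -1, 0 };
    if (v->count <= 0) return bad;
    switch (v->type) {
    case VOL_SIMPLE:
    case VOL_MIRRORED:              /* assumption: every member is a full copy, read member 0 */
        if (lba >= v->ext[0].length) return bad;
        return (location){ v->ext[0].disk, v->ext[0].start + lba };
    case VOL_SPANNED:               /* extents are concatenated in order */
        for (int i = 0; i < v->count; i++) {
            if (lba < v->ext[i].length)
                return (location){ v->ext[i].disk, v->ext[i].start + lba };
            lba -= v->ext[i].length;
        }
        return bad;
    case VOL_STRIPED: {             /* stripes rotate across the columns */
        if (v->stripe == 0) return bad;
        uint64_t n = lba / v->stripe;                         /* stripe number */
        const extent *c = &v->ext[n % (uint64_t)v->count];    /* column holding it */
        uint64_t off = (n / (uint64_t)v->count) * v->stripe + lba % v->stripe;
        if (off >= c->length) return bad;
        return (location){ c->disk, c->start + off };
    }
    }
    return bad;
}

/* Constructed sample layouts (not taken from the thesis). */
static const extent SPAN_EXT[]   = { {0, 2048, 100}, {1, 2048, 200} };
static const extent STRIPE_EXT[] = { {0, 2048, 256}, {1, 2048, 256} };
const volume SPANNED_DEMO = { VOL_SPANNED, 2, 0,   SPAN_EXT };
const volume STRIPED_DEMO = { VOL_STRIPED, 2, 128, STRIPE_EXT };

int main(void)
{
    location a = map_sector(&SPANNED_DEMO, 150), b = map_sector(&STRIPED_DEMO, 300);
    printf("spanned 150 -> disk %d sector %llu\n", a.disk, (unsigned long long)a.sector);
    printf("striped 300 -> disk %d sector %llu\n", b.disk, (unsigned long long)b.sector);
    return 0;
}
```

Because the mapping only ever computes a read location, it stays consistent with a write-blocked workflow: a request outside the volume is rejected rather than redirected.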
Daniel N Ducharme,
"Mounting a Windows software raid as a virtual disk"
Dissertations and Master's Theses (Campus Access).