Identifying electronic evidence from a damaged RAID server...

After our client’s mail server, stored on a RAID-5 array, was maliciously damaged by one of their employees, we were instructed by their solicitor to conduct a full forensic examination of the evidence. It was suspected that the server’s hard drives were concealing inappropriate correspondence. The hard drives had been removed and the circuit boards physically destroyed. To exacerbate the situation, backups had been securely erased and could not be retrieved.

Our technicians removed the RAID server from site to ensure preservation of the evidence. Before acquisition and analysis could begin, it was necessary to render the hard drives serviceable in order to take an exact sector-level duplicate. We are one of the few computer forensic experts that also specialise in data recovery. The hard drives were dismantled in our clean room and rebuilt using donor parts.

We were then asked to establish whether or not there was sufficient evidence to show that activity was performed during a seven-day window and whether the evidence of this activity had been forensically wiped (in addition to physical destruction of the hard disk drives in the RAID). Our data recovery engineers then imaged all the repaired hard drives in the RAID array, taking care to maintain the integrity of the evidence and adhering to Association of Police Chief Officers (ACPO) guidelines at all times.

Thankfully, there was no media damage to the platters and we were able to image the drives without error. The acquired images were verified using hash functions, and the data parameters were calculated in order to rebuild the data on the server.
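The verification step described above can be illustrated with an added example (not the procedure or code used in this case): each member image is hashed at acquisition and re-hashed before analysis, and the member set is checked for RAID-5 parity consistency. Because a RAID-5 parity block is the XOR of the data blocks in its stripe, the XOR across all members at the same offset is zero whatever the stripe size or parity rotation, so the check can run before those parameters are known. All function names are hypothetical and the three-member array is constructed sample data.

```python
import hashlib
import io

SECTOR = 512

def digest(stream, algo="sha256", chunk=1 << 20):
    """Hash an image in chunks so it never has to fit in memory."""
    stream.seek(0)
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def xor_bytes(blocks):
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(len(blocks[0]), "big")

def parity_mismatches(members, sector=SECTOR):
    """Sectors where XOR across all members (bytes or mmap) is non-zero."""
    length = min(len(m) for m in members)
    return [off // sector for off in range(0, length - sector + 1, sector)
            if any(xor_bytes([m[off:off + sector] for m in members]))]

def build_sample_array(disks=3, chunk=1024, rows=4):
    """Constructed test data: a tiny RAID-5 set with rotating parity."""
    members = [bytearray() for _ in range(disks)]
    for row in range(rows):
        data = [bytes((row * 7 + d * 13 + i) % 251 for i in range(chunk))
                for d in range(disks - 1)]
        blocks = iter(data)
        for d in range(disks):
            is_parity = d == (disks - 1 - row) % disks
            members[d] += xor_bytes(data) if is_parity else next(blocks)
    return [bytes(m) for m in members]

def demo():
    members = build_sample_array()
    baseline = [digest(io.BytesIO(m)) for m in members]  # hashes at acquisition
    damaged = bytearray(members[1])
    damaged[3 * SECTOR + 10] ^= 0xFF  # constructed one-byte alteration
    working = [members[0], bytes(damaged), members[2]]
    changed = [i for i, m in enumerate(working)
               if digest(io.BytesIO(m)) != baseline[i]]
    return parity_mismatches(members), changed, parity_mismatches(working)

if __name__ == "__main__":
    print(demo())
```

The hash comparison shows which working copy no longer matches its acquisition hash; the parity check narrows the difference to a sector and also exposes a missing or misaligned member image.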

The main tools used were AccessData Forensic Toolkit (FTK) and FTK Imager. The data recovered clearly identified signatures for forensic wiping programs, namely CCleaner and DiskWipe, which are used to clean hard drives and to destroy data permanently. Using powerful forensic data recovery tools, we were able to recover all the data and then search for specific activity by keyword and text string. Needless to say, there was a wealth of inappropriate activity that had been cloaked by the perpetrators. Our subsequent forensic report was presented to an employment tribunal, which resulted in a successful outcome for our client.