This script is designed to locate and rebuild Apple software RAIDs.
The presence of these RAIDs may not always be obvious, which can lead the examiner to misinterpret the contents of their component partitions.
This script works by searching selected GUID Partition Table (GPT) disks for partitions having the following type-GUID, which signifies an Apple RAID partition:
52414944-0000-11AA-AA11-00306543ECAC
A RAID's partitions are referred to as its members. In the case of Apple RAIDs, each one has a header that is usually located in the last 4,096 bytes. This header contains the following information:
AppleRAID-SetName
AppleRAID-LevelName
AppleRAID-ContentHint
AppleRAID-Members
AppleRAID-ChunkCount
AppleRAID-ChunkSize
Having found an Apple RAID partition, the script will attempt to validate the header by reading the aforementioned information. It will then endeavor to find the other RAID members.
At the conclusion of processing, the script will present a dialog box listing the complete RAIDs that have been found plus any that are invalid or incomplete. The user then has the option to rebuild one or more of the complete RAIDs.
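The search and header check described above can be reproduced outside EnCase to cross-check the script's findings. The following is an added Python example, not the EnScript itself; the function names are hypothetical, and it assumes a raw image with 512-byte sectors and that the header's key names appear as ASCII text.

```python
import struct
import uuid

APPLE_RAID_TYPE = uuid.UUID("52414944-0000-11AA-AA11-00306543ECAC")  # from the page
HEADER_KEYS = [b"AppleRAID-SetName", b"AppleRAID-LevelName", b"AppleRAID-ContentHint",
               b"AppleRAID-Members", b"AppleRAID-ChunkCount", b"AppleRAID-ChunkSize"]
TAIL = 4096  # the header is usually in the last 4,096 bytes of a member

def find_apple_raid_members(disk: bytes, sector: int = 512) -> list:
    """Return one dict per GPT partition entry typed as Apple RAID."""
    hdr = disk[sector:sector + 92]                   # GPT header sits at LBA 1
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    found = []
    for i in range(count):
        off = entries_lba * sector + i * size
        entry = bytes(disk[off:off + size])
        if len(entry) < 48:                          # truncated image
            break
        # On disk the first three GUID fields are little-endian; bytes_le decodes that.
        if uuid.UUID(bytes_le=entry[:16]) != APPLE_RAID_TYPE:
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        end = (last + 1) * sector                    # last LBA is inclusive
        start = max(first * sector, end - TAIL)
        tail = disk[start:end]
        # Assumption: the key names appear as ASCII text inside the header.
        missing = [k.decode() for k in HEADER_KEYS if k not in tail]
        found.append({"index": i, "first_lba": first, "last_lba": last,
                      "header_offset": start, "missing_keys": missing})
    return found

def build_sample_disk(sector: int = 512) -> bytes:
    """Constructed image: two Apple RAID entries (one with header keys), one empty."""
    disk = bytearray(96 * sector)
    disk[sector:sector + 8] = b"EFI PART"
    struct.pack_into("<QII", disk, sector + 72, 2, 3, 128)   # 3 entries at LBA 2
    for i, (first, last) in enumerate([(34, 49), (50, 65)]):
        entry = APPLE_RAID_TYPE.bytes_le + uuid.UUID(int=i + 1).bytes_le
        entry += struct.pack("<QQ", first, last)
        disk[2 * sector + i * 128:2 * sector + i * 128 + len(entry)] = entry
    stand_in = b"\n".join(HEADER_KEYS)               # not the real header layout
    start = 50 * sector - TAIL                       # tail of the first member
    disk[start:start + len(stand_in)] = stand_in
    return bytes(disk)

if __name__ == "__main__":
    print(find_apple_raid_members(build_sample_disk()))
```

A member whose `missing_keys` list is not empty corresponds to a header that would not validate; on a real image the header should still be examined by hand before relying on the result.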
It should be noted that:
AppleRAID-SetName
value.
This script was developed for use in EnCase training. For more details, please click the following link:
Tested under EnCase 24.03.00.109.