Description

This script is designed to locate and rebuild Apple software RAIDs.

The presence of these RAIDs may not always be obvious, which can lead the examiner to misinterpret the contents of their component partitions.

This script works by searching selected GUID Partition Table (GPT) disks for partitions having the following type-GUID, which signifies an Apple RAID partition:

  • 52414944-0000-11AA-AA11-00306543ECAC.

A RAID’s partitions are referred to as its members. In the case of Apple RAIDs, each member has a header that is usually located in its last 4,096 bytes. This header contains the following information:

  • A signature
  • The GUID/UUID of the associated RAID
  • The GUID/UUID of this member
  • A bare-bones XML property-list stream containing the RAID’s configuration including:
    • User-provided name (aka AppleRAID-SetName)
    • RAID-type (aka AppleRAID-LevelName)
    • Content-hint (aka AppleRAID-ContentHint)
    • An array (aka list) of each member’s GUID/UUID (aka AppleRAID-Members)
    • This member’s chunk-count (aka AppleRAID-ChunkCount)
    • This member’s chunk-size (aka AppleRAID-ChunkSize)

Having found an Apple RAID partition, the script will attempt to validate the header by reading the aforementioned information. It will then endeavor to find the other RAID members.
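The partition search described above can be sketched as follows. This is an added example in Python, not the script's own EnScript code; it assumes a raw disk image held in memory with 512-byte sectors, and the function names and the constructed sample image are hypothetical.

```python
import struct
import uuid

SECTOR = 512  # assumption: 512-byte logical sectors
APPLE_RAID_TYPE = uuid.UUID("52414944-0000-11AA-AA11-00306543ECAC")
HEADER_REGION = 4096  # header is usually in the member's last 4,096 bytes


def find_apple_raid_members(image: bytes, sector: int = SECTOR):
    """Return one dict per GPT partition carrying the Apple RAID type-GUID."""
    hdr = image[sector:sector * 2]  # primary GPT header lives at LBA 1
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    # Offset 72: entry-array LBA, entry count, size of each entry.
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    members = []
    for i in range(count):
        off = entries_lba * sector + i * entry_size
        entry = image[off:off + entry_size]
        if len(entry) < 128:
            break  # truncated image or malformed entry size
        # GPT stores GUIDs in mixed-endian form, which bytes_le decodes.
        if uuid.UUID(bytes_le=entry[0:16]) != APPLE_RAID_TYPE:
            continue
        first_lba, last_lba = struct.unpack_from("<QQ", entry, 32)
        end = (last_lba + 1) * sector  # last_lba is inclusive
        members.append({
            "index": i,
            "partition_guid": uuid.UUID(bytes_le=entry[16:32]),
            "first_lba": first_lba,
            "last_lba": last_lba,
            "header_offset": end - HEADER_REGION,  # where to look for the header
        })
    return members


def build_sample_image() -> bytes:
    """Constructed 1 MiB image: one HFS+ partition and one Apple RAID member."""
    img = bytearray(2048 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 4, 128)  # entries at LBA 2

    def entry(slot, type_guid, first, last):
        struct.pack_into("<16s16sQQ", img, 2 * SECTOR + slot * 128,
                         type_guid.bytes_le, uuid.UUID(int=slot + 1).bytes_le,
                         first, last)

    entry(0, uuid.UUID("48465300-0000-11AA-AA11-00306543ECAC"), 40, 1023)
    entry(1, APPLE_RAID_TYPE, 1024, 2014)
    return bytes(img)
```

The returned header_offset is only a starting point: the header still has to be validated and its member list matched against the other partitions found.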

At the conclusion of processing, the script will present a dialog box listing the complete RAIDs that have been found plus any that are invalid or incomplete. The user then has the option to rebuild one or more of the complete RAIDs.

It should be noted that:

  • The script supports Stripe, Mirror and JBOD RAIDs.
  • JBOD RAIDs are rebuilt using EnCase’s Span disk-configuration option.
  • The script does not support nested RAIDs nor RAIDs implemented on non-GPT disks.
  • The configuration of each rebuilt RAID can be inspected using EnCase’s Edit Disk Configuration option, which is to be found under the Evidence tab. The same option can be used to change the name of a rebuilt RAID, which will otherwise inherit the AppleRAID-SetName value.
  • Rebuilt RAIDs that are unwanted can be removed using the Evidence tab’s Remove option.
  • Detailed feedback is provided via the console including the physical location of each member’s RAID header.
  • The examiner also has the option of bookmarking all of the discovered RAID headers.

This script was developed for use in EnCase training. For more details, please click the following link:

Releases

Release: MacOS Software RAID Utility 1.1
Size: 162.2 KB
Date: Dec 10, 2024
Product compatibility: EnCase App Central, Version 1.0.0
Release notes: Tested under EnCase 24.03.00.109.
Languages: English
