File Recovery Method in NTFS-Based Damaged RAID System

Due to the recent demand for mass storage devices, a redundant array of independent disks (RAID) is used in network-attached storage (NAS), direct-attached storage (DAS), servers, and workstations in addition to laptops and PCs. RAID makes multiple disks into volumes, and alternately stores stripe sizes on member disks. Due to these characteristics, RAID systems create several research issues in digital forensics. One of them, a damaged RAID system, is a case where the RAID configuration information is known, but some member disks are lost. The damaged RAID system has lost some member disks, so it stores a striped filesystem and files when reassembled into volumes. Striped file systems and files are distinctive forms in which data is fragmented within volumes so that meaningful data must be found in the fragmented data. This form is not supported by previous research or other digital forensics tools, and is unknown. In this paper, targeting the NTFS file system, which is the most used file system, we propose and verify a file recovery method from a damaged RAID system by combining RAID reconstruction, file system analysis, striped file system analysis, file carving, and striped file analysis.