You are a forensic analyst in a corporate lab. A compromised server was taken offline and brought to the lab. The server runs Windows Server 2019 with a RAID 5 array of three 1TB SATA drives. The drives are hot-swappable. The server was shut down properly before removal. The lab has a forensic workstation with write-blockers, a hardware RAID controller, and imaging software. The analyst needs to acquire a forensic image of the RAID array. What is the correct course of action?
This preserves the logical structure and ensures integrity.
Why this answer
Option A is correct because the RAID 5 array must be reconstructed using the same controller model (or an identical one) to correctly interpret the parity and striping metadata. Imaging the logical volume via a write-blocker preserves the integrity of the file system and ensures a forensically sound acquisition of the live data, which is the standard practice when the controller is available and the array is intact.
Exam trap
The trap here is that candidates often assume that imaging the individual drives and reconstructing the array in software is acceptable, but the CHFI exam emphasizes that hardware RAID controllers require identical hardware to preserve the array’s logical structure and forensic integrity.
How to eliminate wrong answers
Option B is wrong because sending the drives to a vendor for specialized RAID recovery is unnecessary and costly when the array is intact and the same controller model is available in the lab; this approach is reserved for physically damaged or corrupted arrays.

Option C is wrong because imaging each drive individually and combining them in software is unreliable for RAID 5, as the software may not correctly reconstruct the parity and stripe order without the exact controller metadata, potentially leading to data corruption or incomplete acquisition.

Option D is wrong because connecting all drives directly to the forensic workstation and using a software RAID tool risks altering the array metadata or causing the OS to auto-assemble the array, which could modify data and violate forensic integrity; a hardware controller with a write-blocker is required to maintain a read-only acquisition.