Issues! Clone Raid array and Win7


brownwater

Hello all! I have been lurking for a while and am now posting.

I have a few issues.

1st: I wanted to know the best software to use for cloning a RAID 5 array with each drive at 256GB.

It needs to be a complete bit-by-bit clone. So far it seems like Acronis True Image 2015 is the go-to for now; opinions?

2nd: Is there a way of bypassing the Win7 local login without having to change the password? I have tools that will bypass it, but they would have to change the password.

I know this sounds bad, but I have an employee with local admin rights to the node who is encrypting company data.

Thoughts?

Thanks!

In regard to the imaging: is it a software RAID?

If not, you can boot just about any current Linux distro and get a bit FOR (not by) bit image of it. The Linux distribution should detect the RAID controller and present you one large volume. If you want to be in a read-only environment, check out a "forensic" distro like Paladin Linux: https://www.sumuri.com/product-category/paladin/ (you can modify the amount, or if you choose to donate, great).

If it only shows the disks individually, one of two things is in place: 1) it is a software RAID setup, or 2) the RAID controller driver is not installed on Paladin.

If it is a hardware RAID with a RAID controller on board or a card, you can image all disks individually and find a RAID reconstruction software to rebuild it. You may have to go into the RAID controller boot options in order to find all the information you need like block size, etc.

If it is a software RAID, it would be easiest to perform a live image with the system booted, imaging obviously to storage not within that RAID setup. You may be able to rebuild the software RAID if you image all disks individually, but it all depends on the software used and knowing some offsets to start at.

Windows local login passwords are trivial. You can boot the machine with Linux, extract the login files needed to break the local password, then crack it offline. I believe KonBoot does a live memory patch to allow any password to log in. I don't recall if it changes it, since I have not played with that tool in years.

If your goal is to recover the bad employee's files that he is encrypting, you may want to contact your system's administrator or have the proper management file charges for destruction of company information or things of that sort. If it is unknown what encryption the "bad employee" is using, it will be very difficult to determine.

Hope this helps.

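One way to do the bit-for-bit imaging and verification described in the reply above on a Linux boot, as an added example that is not from this thread (the function names and the `IMAGE.log` layout are my own; it assumes GNU coreutils and util-linux `blockdev`):

```shell
#!/bin/bash
# Added example, not from the thread: image a block device (or a regular file
# standing in for one) bit for bit and verify the copy before it is used.
# Assumes GNU coreutils (dd, tee, sha256sum, stat, sed) and util-linux blockdev.
set -u

# Size in bytes of a block device or a regular file.
byte_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# image_device SOURCE IMAGE
# Reads SOURCE exactly once, writes IMAGE, and hashes the byte stream on the
# way through. Records the expected size and hash in IMAGE.log. Returns
# non-zero on a short read (e.g. unreadable sectors; use ddrescue for those).
image_device() {
    src=$1; img=$2
    expected=$(byte_size "$src") || return 1
    stream_hash=$(dd if="$src" bs=4M status=none | tee "$img" | sha256sum | cut -d' ' -f1)
    written=$(stat -c %s "$img")
    printf 'source=%s\nbytes=%s\nsha256=%s\n' "$src" "$expected" "$stream_hash" > "$img.log"
    [ "$written" -eq "$expected" ]
}

# verify_image IMAGE
# Re-hashes IMAGE from disk and compares size and hash against IMAGE.log, so a
# truncated or modified image is caught before it is used to rebuild the RAID.
verify_image() {
    img=$1
    logged_bytes=$(sed -n 's/^bytes=//p' "$img.log")
    logged_hash=$(sed -n 's/^sha256=//p' "$img.log")
    [ "$(stat -c %s "$img")" -eq "$logged_bytes" ] || return 1
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$logged_hash" ]
}
```

Run `image_device /dev/sdX /mnt/evidence/sdX.img` for each member disk (or the controller's single volume), then `verify_image` on each image before handing it to the RAID reconstruction tool.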

Thanks, man. It is a hardware setup, and I thought about imaging each drive and rebuilding the RAID on an offsite PC.

There is no admin or IT support. It was a hasty LAN build by the owner to get a company up and running. Even the security is hosed, with each employee having admin rights to the local PC. So I will rebuild once this issue is resolved.

Anyone know the going rate for pentesters in CA?

Thanks again!
