SYTECH – Digital Forensic Examination of Windows ‘Storage Spaces’

Windows ‘Storage Spaces’, introduced in consumer builds of Windows 8 and in Windows Server 2012, allows a user to combine several (sometimes differing) devices into a unified ‘span’ or ‘pool’ of storage space.

Devices used for ‘Storage Space’ volumes can be easily identified in forensic software as a drive with a ‘Windows Reserved’ partition, often 128MB in size, and a ‘Storage Pool Partition’ (which will vary in size depending on the user configuration) with the header ‘SPACEDB’.
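
A triage check for the layout described above, as an added example that is not SYTECH's code: it reads the GPT of a raw disk image, reports the reserved and Storage Spaces partitions by their well-known type GUIDs, and looks for ‘SPACEDB’ at the start of the pool partition. It assumes 512-byte sectors and that the header string sits within the first 4 KiB of the partition; the function names and the tiny sample image are constructed for illustration.

```python
import io
import struct
import uuid

SECTOR = 512  # assumption: 512-byte logical sectors
MSR_GUID = uuid.UUID("E3C9E316-0B5C-4DB8-817D-F92DF00215AE")   # Microsoft Reserved
POOL_GUID = uuid.UUID("E75CAF8F-F680-4CEE-AFA3-B001E56EFC2D")  # Storage Spaces
SIGNATURE = b"SPACEDB"  # page's header string; assumed within first 4 KiB of partition

def find_storage_spaces(img):
    """Report Storage Spaces indicators found in a raw disk image (file object)."""
    img.seek(SECTOR)                       # GPT header lives at LBA 1
    hdr = img.read(92)
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    (entries_lba,) = struct.unpack_from("<Q", hdr, 72)
    count, entry_size = struct.unpack_from("<II", hdr, 80)
    found = {"msr_bytes": None, "pool_bytes": None, "spacedb": False}
    for i in range(count):
        img.seek(entries_lba * SECTOR + i * entry_size)
        entry = img.read(entry_size)
        if len(entry) < 48:
            break                          # truncated image
        type_guid = uuid.UUID(bytes_le=entry[:16])   # GPT GUIDs are mixed-endian
        first, last = struct.unpack_from("<QQ", entry, 32)
        size = (last - first + 1) * SECTOR
        if type_guid == MSR_GUID:
            found["msr_bytes"] = size
        elif type_guid == POOL_GUID:
            found["pool_bytes"] = size
            img.seek(first * SECTOR)
            found["spacedb"] = SIGNATURE in img.read(4096)
    return found

def build_sample_image():
    """Constructed 32 KiB image: GPT with a tiny reserved and pool partition."""
    raw = bytearray(64 * SECTOR)
    raw[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<Q", raw, SECTOR + 72, 2)         # entry array at LBA 2
    struct.pack_into("<II", raw, SECTOR + 80, 2, 128)   # two 128-byte entries
    for i, (guid, first, last) in enumerate([(MSR_GUID, 34, 41), (POOL_GUID, 42, 63)]):
        off = 2 * SECTOR + i * 128
        raw[off:off + 16] = guid.bytes_le
        struct.pack_into("<QQ", raw, off + 32, first, last)
    raw[42 * SECTOR:42 * SECTOR + 8] = b"SPACEDB "
    return io.BytesIO(bytes(raw))

if __name__ == "__main__":
    print(find_storage_spaces(build_sample_image()))
```

Run against a working copy of an image opened read-only in binary mode; a drive that reports a pool partition but no header string is a candidate for the missing or damaged configuration cases discussed further down.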

Although displayed as unallocated, this device holds a plethora of investigative data. Storage Spaces can be configured in a very similar way to RAID storage: ‘Simple’ (no resiliency), ‘Two-way mirror’, ‘Three-way mirror’, and ‘Parity’ volumes, which use parity for redundancy.

Due to the way these volumes work (depending on the device configuration), a user can add disks at a later date. It should also be noted that users can start a span on a single device with the plan of adding disks later.

Taking all of the above into consideration, scenarios where a user loses, corrupts or destroys a device, causing the computer to no longer detect the configuration of a Windows ‘Storage Volume’, can seriously hinder an investigation.

Please call (01782 286 300) or email (enquiries@sytech-consultants.com) SYTECH in cases where the potential reconstruction of ‘Windows Storage’ file systems is needed. In cases where the ‘STORAGEDB’ header is found and evidential material has been found in what normal forensic tools are calling ‘Unallocated’, SYTECH can help.

All submissions in relation to Windows ‘Storage Spaces’ should include all drives with ‘STORAGEDB’ headers for the greatest chance of success.

Missing drives, broken configurations, or just in need of technical assistance? Please make use of our free consultancy service.

If a rebuild of the ‘Storage Space’ is possible, SYTECH can offer both reconstruction and production of just the volume data in an evidential format, and full forensic analysis of the ‘Storage Space’.