Digital forensic approaches to Intel and AMD firmware RAID systems

Woosung Yun, Jeuk Kang, Sangjin Lee, Jungheum Park

Forensic Science International-Digital Investigation, volume 54, Article 301971. Published 2025-07-07. DOI: 10.1016/j.fsidi.2025.301971
https://www.sciencedirect.com/science/article/pii/S2666281725001106

Journal metrics: impact factor 2.0; Zone 4 (Medicine); JCR Q3 (Computer Science, Information Systems).

Abstract

In recent years, as the amount of data that individuals deal with has increased, CPU manufacturers (Intel and AMD) have developed RAID systems that are readily available on desktop PCs. This is referred to as firmware RAID. In contrast to RAID systems on servers and network-attached storage (NAS) devices, which require a relatively complex configuration process, firmware RAID is straightforward to set up via the basic input/output system (BIOS). Intel supports this technology on the majority of its motherboards, with the exception of a few minor models released since 2020, under the name of Intel Rapid Storage Technology (IRST). Similarly, AMD has provided this technology on all motherboard chipsets released since 2017 under the name of RAIDXpert. From the perspective of digital forensics, a disk with a firmware RAID is recognized by the operating system as a single physical disk and is typically connected to the motherboard without any additional devices. Consequently, during a digital forensics investigation, investigators rarely recognize that firmware RAID is in use, and, as a result, a significant amount of data could be unintentionally omitted, or could be lost through simple anti-forensic behavior by a malicious user. At present, there are no publicly available techniques for identifying or reconstructing disks in a firmware RAID system, despite the fact that this system is available on nearly every desktop PC. In this paper, we present an analysis of the operational patterns and structures of firmware RAID supported by Intel and AMD. Our approach has led to the development of X-raid, a digital forensic tool capable of identifying firmware-based volumes within a system and reconstructing normal or deleted virtual disks. Furthermore, we propose a methodological digital forensic framework for investigating computer systems that takes firmware RAID into account.