MFT Report

If your RAID was NTFS-formatted, the MFT Report gives you another investigation tool. MFT records in NTFS are 1 KB (2 sectors) data blocks containing file metadata such as timestamps, allocation information, security attributes, etc. MFT records have a well-known layout and, best of all, they are numbered. We will show how to use that characteristic to find an unknown RAID's parameters.

We will use the 3 image files from RAID example 1. Open these files in the main window, then click Tools->MFT report to bring up this window:

Click on Search until and wait for the program to collect 100,000 MFT records. Once done, it will provide a side-by-side view of the MFT records found on the drives:

The drive names head the columns and the sector numbers head the rows. From the lines we see, there are big gaps between MFT records. We want to find a continuous area. Simply scroll down:

Here we see a continuous area of 64 MFT records with 2 sectors each = 128 sectors. So the RAID block size is 128 sectors. Put this value into the field "Coloring width", along with the start sector 0 for the field "Coloring start sector". Then click on Cycle down to position the window at a cycle start.

You see the empty space for drive 3. This empty space is 128 sectors long. When you scroll down, you will see the empty space for drive 2, 128 sectors long, and then for drive 1, also 128 sectors long. This is obviously a Backward RAID rotation. It is not dynamic because the MFT numbers for drive 1 are smaller than the ones for drive 3.

The drive order is drive1, drive2, drive3.

Thus, we have successfully found this RAID's parameters, simply by looking at its MFT records.
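The search for a continuous area of numbered MFT records can also be scripted. The Python sketch below is an added example, not part of the tool or of the original page. It assumes the NTFS 3.1+ record header, where the 32-bit record number sits at offset 0x2C, and the member image it scans is constructed in-line rather than taken from RAID example 1.

```python
import struct

SECTOR = 512
RECORD = 1024        # MFT record size from the text: 1 KB = 2 sectors
STEP = RECORD // SECTOR
RECNO_OFFSET = 0x2C  # assumption: NTFS 3.1+ header, 32-bit record number

def scan_mft(image):
    """Return [(sector, record_number)] for each sector that starts with 'FILE'."""
    hits = []
    for off in range(0, len(image) - RECORD + 1, SECTOR):
        if image[off:off + 4] == b"FILE":
            (recno,) = struct.unpack_from("<I", image, off + RECNO_OFFSET)
            hits.append((off // SECTOR, recno))
    return hits

def longest_run(hits):
    """Longest stretch of adjacent, consecutively numbered records,
    returned as (start_sector, length_in_sectors)."""
    best, start, prev = (0, 0), None, None
    for sector, recno in hits:
        if prev is None or (sector, recno) != (prev[0] + STEP, prev[1] + 1):
            start = sector  # gap on disk or jump in numbering: new run
        prev = (sector, recno)
        length = sector - start + STEP
        if length > best[1]:
            best = (start, length)
    return best

def make_record(recno):
    """Constructed minimal record: signature and record number only."""
    rec = bytearray(RECORD)
    rec[0:4] = b"FILE"
    struct.pack_into("<I", rec, RECNO_OFFSET, recno)
    return bytes(rec)

def make_member():
    """Constructed member image: a 10-record fragment, then two adjacent
    64-record blocks whose numbering jumps at the block boundary."""
    gap = lambda sectors: bytes(sectors * SECTOR)
    records = lambda first, n: b"".join(make_record(first + i) for i in range(n))
    return (gap(16) + records(500, 10) + gap(4)
            + records(0, 64) + records(128, 64))

if __name__ == "__main__":
    start, length = longest_run(scan_mft(make_member()))
    print(f"longest run: {length} sectors starting at sector {start}")
```

The jump in record numbers between the two 64-record blocks is what ends the run at 128 sectors, even though the blocks are physically adjacent on the member.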