Investigating a NAS (Network Attached Storage) device after a ransomware attack can be challenging because of the device's complexity. One solution is to connect the NAS directly to a Linux host and run forensic tools from that host. This setup allows the software RAID to be detected and reassembled, which gives insight into how data on the device is managed. The method facilitates analysis and supports data recovery efforts.
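The RAID detection step described above can be done read-only before anything is assembled. The following is an added example, not code from the original page: it reads the RAID superblock from each member partition (or an image of it), groups members by array, and flags missing or out-of-date members. It assumes the NAS uses Linux md software RAID with v1.1 or v1.2 metadata, which the page does not state; the function names are hypothetical.

```python
import struct
import uuid
from collections import defaultdict

MD_MAGIC = 0xA92B4EFC      # Linux md superblock magic, stored little-endian
SB_OFFSETS = (4096, 0)     # v1.2 sits 4 KiB into the member, v1.1 at offset 0

def parse_md_superblock(sb):
    """Decode the v1.x md superblock fields needed to plan a reassembly."""
    if len(sb) < 256 or struct.unpack_from("<I", sb, 0)[0] != MD_MAGIC:
        return None
    level, _layout, _size, chunk, raid_disks = struct.unpack_from("<iIQII", sb, 72)
    dev_number = struct.unpack_from("<I", sb, 160)[0]
    role_off = 256 + 2 * dev_number            # dev_roles[] starts at byte 256
    role = struct.unpack_from("<H", sb, role_off)[0] if len(sb) >= role_off + 2 else None
    return {
        "array_uuid": str(uuid.UUID(bytes=bytes(sb[16:32]))),
        "name": bytes(sb[32:64]).split(b"\0")[0].decode("ascii", "replace"),
        "level": level, "chunk_sectors": chunk, "raid_disks": raid_disks,
        "events": struct.unpack_from("<Q", sb, 200)[0],   # array update counter
        "role": role,                                      # this member's slot
    }

def scan_bytes(head):
    """Look for a superblock at each known offset in the first 8 KiB of a member."""
    for off in SB_OFFSETS:
        info = parse_md_superblock(head[off:off + 4096])
        if info:
            return dict(info, sb_offset=off)
    return None

def scan_member(path):
    """Read-only scan of a member partition or of an image taken from it."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(8192))

def summarize(members):
    """members: {label: scan result}. Group by array, flag missing and stale members."""
    arrays = defaultdict(list)
    for label, sb in members.items():
        arrays[sb["array_uuid"]].append((label, sb))
    report = {}
    for uid, found in arrays.items():
        newest = max(sb["events"] for _, sb in found)
        # Role values from 0xFFFD upward mark journal, faulty and spare devices.
        roles = {sb["role"] for _, sb in found if sb["role"] is not None and sb["role"] < 0xFFFD}
        report[uid] = {
            "name": found[0][1]["name"], "level": found[0][1]["level"],
            "missing_roles": sorted(set(range(found[0][1]["raid_disks"])) - roles),
            "stale": sorted(l for l, sb in found if sb["events"] < newest),
        }
    return report
```

The parser does not verify the superblock checksum and does not look for v1.0 metadata at the end of a member, so confirm each hit with `mdadm --examine` before assembling the array read-only.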