Recover your P0RN from your RAID Array! - My Hard … Recovery Slides...Recover your P0RN from your...

Post on 24-Mar-2018


Recover your P0RN from your RAID Array!

by Scott Moulton @MyHardDriveDied.com

WHAT IS THIS ABOUT?

• BRIEF Coverage ;)
• Unusual Arrays
• Intro to RAID
• About RAID 0
• Sight Samples
• Sound Samples
• About RAID 5
• Demo with Sights!

Data Recovery – MyHardDriveDied.com © 2009

Mission Briefing (1)

WHY RAID RECOVERY?

• RAID recovery is EXPENSIVE!
• It's more difficult than a single drive.
• It's very time consuming.
• It has more than one point of failure.
• Many people have problems with them and send me questions!


Mission Briefing (2)

Assumptions for this Talk

• We are assuming you have already done what I previously described in videos to repair the damaged drive.

• We are also assuming you know nothing about how the data is stored; not the slice size or order.

• You have PORN, or at least pictures!

Mission Briefing (3)

Goals for this Talk!

• DIY:* Teach you how to rebuild RAID yourself from my experiences.

• Do it as cheaply as possible! – i.e. free or under $100!

• Do as much in software as quickly as possible by sight and sound using the PORN on the drive!


Mission Briefing (4)

What's it going to take?

• A bit of time...
• Lots of free disk space...
• You have to find the Pictures...
• Persistence and Experimentation...
• In some cases, Research

Some Slides are for Reference & can be downloaded from www.MyHardDriveDied.com


What is a RAID Array?

• Redundant Array of (Inexpensive or Independent) Disks.

• Regardless of the marketing on the box, some arrays are not “Redundant.”

• Different types of arrays need different quantities of drives & you need to know how many that is!
– i.e. The Mystery Box

Covering Unusual Arrays

• JBODs such as in LaCie or generic external enclosures.

• XFS/ZFS Arrays such as NAS drives from Western Digital or Buffalo.

• Combinations with offsets & RAID 0 such as some LaCie NAS drives, etc.

JBOD


JBOD Drives (1)

• Means “Just a Bunch of Disks” and they are just linked logically together end to end.

• These drives usually have no fan, get very hot and contain several drives. Sometimes the cables are melted together.

• Sometimes they are custom and employ different variations for different drives.

• Generally they can be recovered individually by scanning for file headers.

• One drive will have a File System Table of some sort; the others will be just raw files, with no file system structure without the first disk.

JBOD Drives (2)


Host Protected Area (HPA)

• ATA-4 Standard – Host Protected Area, aka HPA, is used to limit the capacity of a drive so that additional info can be stored, usually at the end of the drive. Free tools like MHDD can set it.

NAS Boxes Fixed with HPA


Windows Dynamic Disks

• Dynamic disks do not use partition tables; they use LDM (Logical Disk Manager), which is at the end of the disk and needs to be done backwards.

• It uses one single partition occupying the entire disk minus one cylinder. When volumes are added or deleted the partition table is not updated.

• This will be noticed right away by some data recovery software like R-Studio.


Processing XFS/ZFS Arrays

• XFS / ZFS is very hard to recover from due to the lack of commercial software available. Some tools that can help:
– TESTDISK (free) supports repairing XFS partitions and writing them back out.
– UFS Explorer (ufsexplorer.com) has versions that support XFS and ZFS.

UFS Explorer for XFS

Let’s talk about RAID ZERO!

RAID 0 Arrays Overview

From Wikipedia.org


RAID 0: How it works

• RAID 0 has NO redundancy and does NOTHING to protect data! Losing one drive loses all your data.

• RAID 0 should be called AIDS:
– Array of Inexpensive Drives that Suck

RAID 0 with more than TWO

• You can have a RAID 0 array with more than two drives.

• There are generally no sequence numbers for the order.

• If there are four drives in the array, there can be as many as 72 different combinations to test.

★ More than two drives? No backup? That's just CRAZY! Yes, Photographers I mean you! Your Mac is made of the same crap as a PC :O>

WHICH IS THE FIRST DRIVE?

• In most cases you can determine the first drive in the array, depending on the slice size. How?

• In the first sector you will find an MBR and at sector 63 you will see the active boot partition, in most cases…


Partition Example

From http://www.ranish.com/part/primer.htm


NTFS Boot Sectors

From Microsoft.com


RAID 0

• Put the first drive in the first slot of whatever software you are using.

• Put the other drives in their slots.

• Set the size of your slice to your guess… Usually 64 is the default (unless some tech messed with it).

• Scan for Pictures (JPG, JPEG, GIF) or MP3s.

• Stop, extract, view, listen, try again…

Slice Sizes (2k to 2048k)

• Extract samples between the possible boundaries, i.e.:
» 16k
» 32k
» 64k
» 128k
» 256k
» 512k
» 1024k
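The guess, scan, extract, try-again loop from the RAID 0 slides can be automated. The following is an added example, not code from the talk: it finds the first drive by its MBR signature, then tries every slice size and drive order until a carved sample comes out intact. The sample format (`MAGIC`, length, body, CRC32) is a constructed stand-in for looking at a JPG, and all function names are hypothetical.

```python
import itertools, random, struct, zlib

SLICE_SIZES = [k * 1024 for k in (16, 32, 64, 128, 256, 512, 1024)]
MAGIC = b"\xff\xd8SAMPLE"  # constructed stand-in for a picture header

def stripe(volume, n, size):
    """Split a volume into n RAID 0 member images (builds the test input)."""
    members = [bytearray() for _ in range(n)]
    for i in range(0, len(volume), size):
        members[(i // size) % n] += volume[i:i + size]
    return [bytes(m) for m in members]

def destripe(members, size):
    """Re-weave member images: one slice from each drive per row."""
    rows = range(0, max(map(len, members)), size)
    return b"".join(m[off:off + size] for off in rows for m in members)

def sample_intact(volume):
    """Stand-in for viewing the picture: the carved sample's CRC32 must match."""
    pos = volume.find(MAGIC)
    start = pos + len(MAGIC) + 4
    if pos < 0 or start > len(volume):
        return False
    (length,) = struct.unpack_from("<I", volume, start - 4)
    body, tail = volume[start:start + length], volume[start + length:start + length + 4]
    return len(tail) == 4 and zlib.crc32(body) == struct.unpack("<I", tail)[0]

def find_layout(members):
    """Try every slice size and drive order; return the (order, size) hits."""
    # The first drive carries the MBR: 0x55AA at the end of sector 0.
    firsts = [i for i, m in enumerate(members) if m[510:512] == b"\x55\xaa"]
    hits = []
    for first in firsts or range(len(members)):
        rest = [i for i in range(len(members)) if i != first]
        for size, perm in itertools.product(SLICE_SIZES, itertools.permutations(rest)):
            order = (first, *perm)
            if sample_intact(destripe([members[i] for i in order], size)):
                hits.append((order, size))
    return hits

def build_constructed_array():
    """Constructed input: 3 drives, 64k slices, returned in scrambled order."""
    body = random.Random(1).getrandbits(8 * 300_000).to_bytes(300_000, "little")
    sample = MAGIC + struct.pack("<I", len(body)) + body + struct.pack("<I", zlib.crc32(body))
    volume = bytearray(3 * 512 * 1024)
    volume[510:512] = b"\x55\xaa"  # MBR signature in sector 0
    volume[100_000:100_000 + len(sample)] = sample
    d0, d1, d2 = stripe(bytes(volume), 3, 64 * 1024)
    return [d2, d0, d1]
```

The sample has to span several slices to be useful: a file that fits inside one slice comes out intact under any guess, which is why the small files on the sample slides look fine even when the layout is wrong.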


How do you know when you are wrong??

REVIEWING SAMPLES EXTRACTED


Large File Sample


Stick Porn under 32k Intact


Recognizable Sample File 140k


Small Files under 64k Intact


File over 128k


Files Just Over 64k


Files Over 2 Megs


Large RAW Files

Once you get it right you get me!

Extracted MP3 Sound File

SOUND SAMPLE


How Large is your RAID 5 Array??


RAID 5: Controllers

• There are two kinds of controllers for RAID: Host Based and Discrete controllers.

• You are going to try to do this in software!


RAID 5: How it works

• A RAID 5 Array protects the server from “down time.”

• RAID 5 does this by storing parity data on all the hard drives.

• Parity is a formula that calculates error correction data.

• By distributing parity across all drives it creates a safety net for the data when a drive fails.


RAID 5 Array Overview

From Wikipedia.org


RAID 5: How it works


RAID5 XOR

• Parity is calculated by using the math function XOR on the data slices in the row; the result is stored as that row's parity slice.

• For 3 drives it looks like this: SliceA xor SliceB = Parity
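The XOR relation carried through to a whole drive image, as an added example that is not code from the talk. Because XOR does not care about order, the missing member can be rebuilt from the survivors before the disk order or arrangement is known, and a row that does not XOR to zero points at stale or damaged data. The 16-byte slice size, the left-async test array and the function names are constructed for illustration, and members are assumed to be equal in length.

```python
SLICE = 16  # constructed, scaled-down slice size (real arrays use 16k..2048k)

def xor_blocks(blocks):
    """XOR equally sized byte blocks together (SliceA xor SliceB ...)."""
    acc = 0
    for block in blocks:
        acc ^= int.from_bytes(block, "big")
    return acc.to_bytes(len(blocks[0]), "big")

def build_left_async(data, n_drives, slice_size=SLICE):
    """Constructed input: data in order, parity rotating left from the last drive."""
    per_row = slice_size * (n_drives - 1)
    members = [bytearray() for _ in range(n_drives)]
    for row, off in enumerate(range(0, len(data), per_row)):
        chunk = data[off:off + per_row].ljust(per_row, b"\0")
        slices = [chunk[i:i + slice_size] for i in range(0, per_row, slice_size)]
        # Parity slice goes on the last drive in row 0, then one drive left per row.
        slices.insert((n_drives - 1 - row) % n_drives, xor_blocks(slices))
        for drive, piece in zip(members, slices):
            drive.extend(piece)
    return [bytes(m) for m in members]

def rebuild_member(members):
    """Recreate the single member passed as None by XORing the survivors."""
    survivors = [m for m in members if m is not None]
    if len(survivors) != len(members) - 1:
        raise ValueError("RAID 5 parity can rebuild exactly one missing member")
    return xor_blocks(survivors)

def first_bad_row(members, slice_size=SLICE):
    """Return the first row whose slices do not XOR to zero, or None."""
    for row, off in enumerate(range(0, len(members[0]), slice_size)):
        if any(xor_blocks([m[off:off + slice_size] for m in members])):
            return row
    return None
```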


Why is it in for Recovery?

• There have also been times where RAID 5 arrays have failed a single drive, but no one noticed before a second one failed.

• If two drives fail and the array goes down, which drive do you need to repair???


RAID 5: How it works

• Usually reassembly of RAID is hard because there are at least two or more unknowns so it is hard to guess correctly:
– Disk Order is Unknown
– Slice Sizes can Vary
– Variations on Slice Arrangements
– Fragmentation and Boundaries

• Looking at the Pictures as Jigsaws has helped me figure out the arrangements.


Slice Sizes (2k to 2048k)

• You still have the slice boundaries:
» 16k
» 32k
» 64k
» 128k
» 256k
» 512k
» 1024k
» 2048k

(EXTRA) JPG Start and End


Wikipedia Reference for JPG


(EXTRA) EXIF: Manual Carving


(EXTRA) EXIF: Info Thumbnail


(EXTRA) EXIF: Calculation Size


Contiguous Slice Sizes

2 Megs, 1 Meg, 512k, 256k, 128k, 64k

Jigsaw: Do they Belong?

Do Slices Belong to Same Picture?

Arrangements: Left Async


Arrangements: Left Sync


Arrangements: Right Async


Arrangements: Right Sync


Are they in the wrong order?

Do Slices Belong to Same Picture?

Arrangements: Left Async


Arrangements: Left Sync


Arranged Correctly


Steps to rebuild RAID 5 array

1. Repair all necessary BAD drives.
2. Image the damaged drive(s) and recover as many sectors as possible.
3. Image all the good drives.
4. Use software to analyze and re-weave the images back together virtually. Test data!
5. Write the newly weaved image back to a hard drive to start the logical recovery (follow the logical recovery section for the type of format).

Free Code to Assemble Array

    #!/usr/bin/perl -w
    #
    # raid5 perl utility
    # Copyright (C) 2005
    # Mike Hardy <mike [at] mikehardy.net>
    #
    # This script understands the default linux raid5 disk layout,
    # and can be used to check parity in an array stripe, or to calculate
    # the data that should be present in a chunk with a read error.

    my @array_components = ();  # component list is cut off on the slide
    my $chunk_size = 64 * 1024; # chunk size is 64K
    my $sectors_per_chunk = $chunk_size / 512;

http://www.freesoftwaremagazine.com/articles/recovery_raid


Software to Rebuild RAID 5

• Remember our goal is to cost less than $100 and be able to rebuild “AIDS” and RAID5.

• Give the most options and produce an image file.

• My Choices:
– Raid Reconstructor from Runtime.org
– R-Studio from r-tools technology.

Using R-Studio

RAID Live Demo

Model in Photos: Randi Lamey


The End

Model in Photos: Randi Lamey

Bonus Pictures