Recover your P0RN from your
RAID Array!
by Scott Moulton @MyHardDriveDied.com
WHAT IS THIS ABOUT?
• BRIEF Coverage ;)
• Unusual Arrays
• Intro to RAID
• About RAID 0
• Sight Samples
• Sound Samples
• About RAID 5
• Demo with Sights!
Data Recovery – MyHardDriveDied.com © 2009
Mission Briefing (1)
WHY RAID RECOVERY?
• RAID recovery is EXPENSIVE!
• It's more difficult than a single drive.
• It's very time consuming.
• Has more than one point of failure.
• Many people have problems with them and send me questions!
Mission Briefing (2)
Assumptions for this Talk
• We are assuming you have already done what I previously described in videos to repair the damaged drive.
• We are also assuming you know nothing about how the data is stored; not the slice size or order.
• You have PORN, or at least pictures!
Mission Briefing (3)
Goals for this Talk!
• DIY: Teach you how to rebuild RAID yourself from my experiences.
• Do it as cheaply as possible! – i.e. free or under $100!
• Do as much in software as quickly as possible by sight and sound using the PORN on the drive!
Mission Briefing (4)
What's it going to take?
• A bit of time...
• Lots of free disk space...
• You have to find the Pictures...
• Persistence and Experimentation...
• In some cases, Research
Some Slides are for Reference & can be downloaded from www.MyHardDriveDied.com
What is a RAID Array?
• Redundant Array of (Inexpensive or Independent) Disks.
• Regardless of marketing on the box some arrays are not “Redundant.”
• Different types of arrays need different quantities of drives & you need to know how many that is! – i.e. The Mystery Box
Covering Unusual Arrays
• JBODs such as in LaCie or generic external enclosures.
• XFS/ZFS Arrays such as NAS drives from Western Digital or Buffalo.
• Combinations with offsets & RAID 0 such as some LaCie NAS drives, etc.
JBOD
JBOD Drives (1)
• Means “Just a Bunch of Disks” and they are just linked logically together end to end.
• These drives usually have no fan, get very hot and contain several drives. Sometimes the cables are melted together.
• Sometimes they are custom and employ different variations for different drives.
• Generally they can be recovered individually by scanning for file headers.
• One drive will have a File System Table of some sort; the others will be just raw files with no file system structure without the first disk.
JBOD Drives (2)
Host Protected Area (HPA)
• ATA-4 Standard – Host Protected Area aka HPA, used to limit the capacity of a drive for storage of additional info usually stored at the end of the drive. Free tools like MHDD can set it.
NAS Boxes Fixed with HPA
Windows Dynamic Disks
• Dynamic disks do not use partition tables; they use LDM, which is at the end of the disk and needs to be done backwards.
• It uses one single partition occupying the entire disk minus one cylinder. When volumes are added or deleted the partition table is not updated.
• This will be noticed right away by some data recovery software like R-Studio.
Processing XFS/ZFS Arrays
• XFS / ZFS is very hard to recover from due to the lack of commercial software available. Some tools that can help:
– TESTDISK (free) supports repairing XFS partitions and writing them back out.
– UFS Explorer (ufsexplorer.com) has versions that support XFS and ZFS.
UFS Explorer for XFS
Let’s talk
about RAID
ZERO!
RAID 0 Arrays Overview
From Wikipedia.org
RAID 0: How it works
• RAID 0 has NO redundancy and does NOTHING to protect data! Losing one drive loses all your data.
• RAID 0 should be called AIDS: – Array of Inexpensive Drives that Suck
RAID 0 with more than TWO
• You can have a RAID 0 array with more than two drives.
• There are generally no sequence numbers for the order.
• If there are four drives in the array, there can be as many as 72 different combinations to test.
★ More than two drives? No backup? That's just CRAZY! Yes, Photographers I mean you! Your Mac is made of the same crap as a PC :O>
WHICH IS THE FIRST DRIVE?
• In most cases you can determine the first drive in the array, depending on the slice size. How?
• In the first sector you will find an MBR and at sector 63 you will see the active boot partition, in most cases…
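Added example, not from the talk: a Python sketch of the check described above. It looks for the MBR signature in each member image's first sector, then uses the partition's start LBA to see which of the deck's slice sizes put an NTFS boot sector where RAID 0 striping predicts. The image contents and helper names are assumptions made for the illustration.

```python
import struct

SECTOR = 512
SLICE_SIZES = [k * 1024 for k in (16, 32, 64, 128, 256, 512, 1024)]  # from the slide

def parse_mbr(sector0):
    """Return the used partition entries, or None if this is not an MBR."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return None
    parts = []
    for off in range(446, 510, 16):
        flag, ptype = sector0[off], sector0[off + 4]
        start_lba, = struct.unpack_from("<I", sector0, off + 8)
        if ptype and flag in (0x00, 0x80):
            parts.append({"active": flag == 0x80, "type": ptype, "start_lba": start_lba})
    return parts or None

def find_first_disk(images):
    """Index of the only member image whose first sector parses as an MBR."""
    hits = [i for i, img in enumerate(images) if parse_mbr(img[:SECTOR])]
    return hits[0] if len(hits) == 1 else None

def locate(lba, slice_size, n_disks):
    """RAID 0 mapping: array LBA -> (member position, byte offset in member)."""
    stripe, within = divmod(lba * SECTOR, slice_size)
    return stripe % n_disks, (stripe // n_disks) * slice_size + within

def plausible_slice_sizes(images, first, boot_lba):
    """Slice sizes for which an NTFS boot sector sits where the mapping predicts."""
    others = [img for i, img in enumerate(images) if i != first]
    keep = []
    for size in SLICE_SIZES:
        pos, off = locate(boot_lba, size, len(images))
        where = [images[first]] if pos == 0 else others  # order of the rest is unknown
        if any(img[off + 3:off + 11] == b"NTFS    " for img in where):
            keep.append(size)
    return keep

def build_sample(slice_size=16 * 1024, n_disks=2, total=256 * 1024):
    """Constructed array: MBR at LBA 0, NTFS boot sector at LBA 63, RAID 0."""
    array = bytearray(total)
    array[446:462] = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), 63, 400)
    array[510:512] = b"\x55\xaa"
    array[63 * SECTOR + 3:63 * SECTOR + 11] = b"NTFS    "
    disks = [bytearray() for _ in range(n_disks)]
    for n, i in enumerate(range(0, total, slice_size)):
        disks[n % n_disks] += array[i:i + slice_size]
    return [bytes(d) for d in reversed(disks)]  # member order deliberately scrambled
```

With a 16k slice, sector 63 lands on the second drive, so finding the boot sector on the first drive already rules that size out; the check narrows the list and does not pick a single answer.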
Partition Example
From http://www.ranish.com/part/primer.htm
NTFS Boot Sectors
From Microsoft.com
RAID 0
• Put the first drive in the first slot of whatever software you are using.
• Put the other drives in their slots.
• Set the size of your slice to your guess… Usually 64 is the default (unless some tech messed with it)
• Scan for Pictures (JPG, JPEG, GIF) or MP3s.
• Stop, extract, view, listen, try again…
Slice Sizes (2k to 2048k)
• Extract samples between the boundaries possible, i.e.:
» 16k
» 32k
» 64k
» 128k
» 256k
» 512k
» 1024k
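Added example, not part of the original slides: the stop, extract, view, try again loop automated in Python. It de-stripes the member images for every drive order and every slice size from the list above and keeps the combinations in which a carved picture is intact; a PNG chunk CRC stands in for looking at the picture, and the three-drive array is constructed test data.

```python
import itertools, random, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def destripe(images, order, slice_size):
    """Interleave slice_size pieces of the member images, taken in `order`."""
    out = bytearray()
    for off in range(0, len(images[0]), slice_size):
        for idx in order:
            out += images[idx][off:off + slice_size]
    return bytes(out)

def png_intact(data):
    """True if a PNG starts in `data` and every chunk CRC up to IEND matches."""
    pos = data.find(PNG_SIG)
    if pos < 0:
        return False
    pos += len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        end = pos + 8 + length
        crc = data[end:end + 4]
        if len(crc) < 4 or zlib.crc32(data[pos + 4:end]) != int.from_bytes(crc, "big"):
            return False
        if ctype == b"IEND":
            return True
        pos = end + 4
    return False

def search(images, slice_sizes):
    """Try every drive order and slice size; keep those that carve cleanly."""
    return [(order, size)
            for order in itertools.permutations(range(len(images)))
            for size in slice_sizes
            if png_intact(destripe(images, order, size))]

def build_sample(slice_size=64 * 1024):
    """Constructed 3-drive RAID 0 holding one PNG-framed blob of about 300 KB."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body)
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    body = bytes(random.Random(1).getrandbits(8) for _ in range(300 * 1024))
    png = PNG_SIG + chunk(b"IHDR", bytes(13)) + chunk(b"IDAT", body) + chunk(b"IEND", b"")
    array = bytes(4096) + png
    array += bytes(-len(array) % (3 * slice_size))       # pad to whole stripes
    disks = [b"".join(array[i:i + slice_size]
                      for i in range(d * slice_size, len(array), 3 * slice_size))
             for d in range(3)]
    return [disks[2], disks[0], disks[1]]                # drive labels "lost"
```

Only a file larger than one slice can tell arrangements apart, which is why the sample blob spans several slices.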
How do you know when you are wrong??
REVIEWING SAMPLES EXTRACTED
Large File Sample
Stick Porn under 32k Intact
Recognizable Sample File 140k
Small Files under 64k Intact
File over 128k
Files Just Over 64k
Files Over 2 Megs
Large RAW Files
Once you get it right you get
me!
Extracted MP3 Sound File
SOUND SAMPLE
How Large is your RAID 5 Array??
RAID 5: Controllers
• There are two kinds of controllers for RAID, Host Based and Discrete controllers.
• You are going to try to do this in software!
RAID 5: How it works
• RAID 5 Array protects the server from “down time.”
• RAID 5 does this by storing parity data on all the hard drives.
• Parity is a formula that calculates error correction data.
• By distributing parity across all drives it creates a safety net for the data when a drive fails.
RAID 5 Array Overview
From Wikipedia.org
RAID 5: How it works
RAID5 XOR
• Parity is calculated by using the math function XOR on the data slices in the row; the result is stored as the row's parity slice.
• For 3 drives it looks like this: SliceA xor SliceB = Parity
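Added example, not from the talk or from any RAID tool: the XOR rule in Python, extended from one row to whole member images. Because every row XORs to zero, a single missing member is the XOR of the survivors regardless of arrangement; the layout functions assume the left-asymmetric rotation (parity starts on the last drive and moves left), and the sample data is constructed.

```python
def xor_bytes(*blocks):
    """Byte-wise XOR of equally sized blocks (SliceA xor SliceB ... = Parity)."""
    acc = 0
    for block in blocks:
        acc ^= int.from_bytes(block, "big")
    return acc.to_bytes(len(blocks[0]), "big")

def build_left_async(data, n_disks, slice_size):
    """Stripe data over n_disks with rotating parity, left-asymmetric layout."""
    row_bytes = slice_size * (n_disks - 1)
    data += bytes(-len(data) % row_bytes)          # pad to whole rows
    disks = [bytearray() for _ in range(n_disks)]
    for row, start in enumerate(range(0, len(data), row_bytes)):
        slices = [data[start + i * slice_size:start + (i + 1) * slice_size]
                  for i in range(n_disks - 1)]
        parity_disk = n_disks - 1 - row % n_disks  # last drive first, then moves left
        pending = iter(slices)
        for d in range(n_disks):
            disks[d] += xor_bytes(*slices) if d == parity_disk else next(pending)
    return [bytes(d) for d in disks]

def parity_ok(disks):
    """In a healthy array the XOR of all members is zero at every offset."""
    return xor_bytes(*disks) == bytes(len(disks[0]))

def rebuild_missing(survivors):
    """Recreate the one failed member from all surviving members."""
    return xor_bytes(*survivors)

def read_left_async(disks, slice_size):
    """Skip each row's parity slice and concatenate the data slices."""
    out = bytearray()
    for row, off in enumerate(range(0, len(disks[0]), slice_size)):
        parity_disk = len(disks) - 1 - row % len(disks)
        for d, disk in enumerate(disks):
            if d != parity_disk:
                out += disk[off:off + slice_size]
    return bytes(out)

# Constructed sample: 3 drives, 16-byte slices so the rows are easy to inspect.
DATA = bytes(range(200))
DISKS = build_left_async(DATA, 3, 16)
REBUILT = rebuild_missing([DISKS[0], DISKS[2]])    # pretend drive 1 died
```

The rebuild works for exactly one missing member; with two members gone the XOR no longer determines either of them, which is why the damaged drive has to be repaired and imaged first.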
Why is it in for Recovery?
• There have also been times where RAID 5 arrays have failed a single drive, but no one noticed before a second one failed.
• If two drives fail and the array goes down, which drive do you need to repair???
RAID 5: How it works
• Usually reassembly of RAID is hard because there are at least two or more unknowns so it is hard to guess correctly:
– Disk Order is Unknown
– Slice Sizes can Vary
– Variations on Slice Arrangements
– Fragmentation and Boundaries
• Looking at the Pictures as Jigsaws has helped me figure out the arrangements.
Slice Sizes (2k to 2048k)
• You still have the slice boundaries:
» 16k
» 32k
» 64k
» 128k
» 256k
» 512k
» 1024k
» 2048k
(EXTRA) JPG Start and End
Wikipedia Reference for JPG
(EXTRA) EXIF: Manual Carving
(EXTRA) EXIF: Info Thumbnail
(EXTRA) EXIF: Calculation Size
Contiguous Slice Sizes
2 Megs
1 Meg
512k
256k
128k
64k
Jigsaw: Do they Belong?
Do Slices Belong to Same Picture?
Arrangements: Left Async
Arrangements: Left Sync
Arrangements: Right Async
Arrangements: Right Sync
Are they in the wrong order?
Do Slices Belong to Same Picture?
Arrangements: Left Async
Arrangements: Left Sync
Arranged Correctly
Steps to rebuild RAID 5 array
1. Repair all necessary BAD drives.
2. Image the damaged drive(s) and recover as many sectors as possible.
3. Image all the good drives.
4. Use software to analyze and re-weave the images back together virtually. Test data!
5. Write the newly weaved image back to a hard drive to start the logical recovery (follow the logical recovery section for the type of format).
Free Code to Assemble Array
#!/usr/bin/perl -w
#
# raid5 perl utility
# Copyright (C) 2005
# Mike Hardy <mike [at] mikehardy.net>
#
# This script understands the default linux raid5 disk layout,
# and can be used to check parity in an array stripe, or to calculate
# the data that should be present in a chunk with a read error.

my @array_components = ();   # member device list is not shown on the slide
my $chunk_size = 64 * 1024;  # chunk size is 64K
my $sectors_per_chunk = $chunk_size / 512;
http://www.freesoftwaremagazine.com/articles/recovery_raid
Software to Rebuild RAID 5
• Remember our goal is to cost less than $100 and be able to rebuild “AIDS” and RAID5.
• Give the most options and produce an image file.
• My Choices:
– Raid Reconstructor from Runtime.org
– R-Studio from r-tools technology.
Using R-Studio
RAID Live Demo
Model in Photos: Randi Lamey
The End
Bonus Pictures
Model in Photos: Randi Lamey