RAID Data Not On One Disk

As a computer repair technician for over 20 years, I’ve handled no shortage of data recovery cases.  Most were just logical cases where the file table was corrupt, or the drive had been formatted / overinstalled with Windows, etc.  It’s usually just a matter of running your favorite data recovery software like Recuva, R-Studio, GetDataBack, or another and sorting through what it finds.  Occasionally I ran into the tough cases where we had to try and image around the bad sectors using a tool like dd or ddrescue.

However this week for the first time I found myself in totally over my head.  The issue was logical in nature I suppose.  Was a perfectly healthy RAID array last week that suddenly had a motherboard failure.  After replacing the motherboard, the controller would no longer recognize the RAID array and allow it to be used.  It just prompted to create a new array.

The Challenge of RAID Data Recovery

While I’m no enterprise storage expert, I know that RAID isn’t your typical file storage system.  Data is striped across multiple disks and then some other parity data, which I’m not going to try and explain in detail, is written.  This parity data is then used in the event of a single drive failure to rebuild its data.

I must admit, I was a bit lost as to how to even attempt recovering the data.  Scanning a single member of the array, as expected, yielded little fruit.  Only a few very tiny files were recovered.  Anything larger than a few MB was clearly lost from typical single drive recovery.  So I knew I needed to find some software specifically geared toward RAID data recovery.

I found quite a number of offerings ranging greatly in price and functionality.  After asking around on some data recovery forums, I finally decided on one called R-Studio.  It’s a program that is used by a number of professional data recovery guys from what I could gather.

How I Recovered The RAID

The program does include a feature for automatically detecting the RAID layout, however it didn’t seem to be working.  Even after multiple attempts at different intensities the correct settings were never found.  The work would need to be done manually.

In my case there were four hard drives so only around 24 possible combinations of drive order.  However once you add in stripe size there’s thousands of possible layouts.  I was back to the drawing board, and back to the data recovery chat forums.

Fortunately I met up with someone who works at Data Medics data recovery and was willing to help me out remotely.  Using remote access software which he provided he was quickly at work playing around with the settings.  I won’t pretend I understood half of what he did.  There was a lot of checking for different things in HEX, which I assume was him looking for different file system structures in the code.

Within just a few minutes he seemed to have locked in the location of two of the drives, and was only playing around with the order of the other two, along with the stripe size and parity rotation settings.

Next, after a few minutes of that, he was actually able to open up the file structure.  He immediately browsed to a picture folder and began opening up pictures.  The first couple didn’t open at all, but finally one did.  The image was around 2MB in size, but appeared to be a thousand little stripes of many pictures.  He went back, changed a few settings, and then opened up the same picture.  This time, it was only about four big stripes.  We must be getting closer I said.

Finally, with one more change of the settings he was able to open the picture up successfully.  He verified a few more files to be sure that they opened, and then he logged off.  A second later I received a message: “you’re all set, just copy the files out”.  The entire process took less than one hour, far less than the time I’d wasted on it.

As a thank you for his remote help, I sent him $200 via PayPal and offered to mention it in my next blog post.  Thanks Jared from Data Medics!