Wednesday, 24 June 2015

Repeating questions

There is a set of questions which customers seem to be repeating perpetually:

We have a large fancy storage system which failed. Can we fix it in place, without copying data?

No, you cannot. You absolutely have to copy the data away. Yes, this means purchasing a disk set of the same size. Yes, we know full well that it is 50TB, meaning 13x 4TB drives. Yes, plus a RAID controller for it.

Can we have a RAID5 recovered when two disks failed?

No, that won't work.

OK, if we can get the RAID recovered, maybe we can just get 2/3rds of files, since we are only missing a little bit?

No, that won't work either, because any file larger than block size will be broken.

So we still can get some small files?

There are surprisingly few useful small files when the value of small is defined by the RAID controller.

OK maybe we can get our Word/Excel files and repair them using whatever DOC/XLS repair tool?

No, that won't work. The data is missing, and when the data is missing, no fancy repair tool can reconstruct it.
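The answers above can be checked by mapping file extents onto member disks. The following is an added example, not part of the original post; it assumes a left-symmetric RAID5 layout, unfragmented files, and a constructed 3-disk array with 64 KiB blocks, and all function names and sample files are illustrative.

```python
def disk_of_block(k, n_disks):
    """Member disk holding data block k (assumed left-symmetric RAID5)."""
    row, col = divmod(k, n_disks - 1)
    parity = (n_disks - 1 - row) % n_disks   # parity moves one disk left per row
    return (parity + 1 + col) % n_disks      # data continues right after parity

def lost_blocks(offset, size, block, n_disks, failed):
    """Data blocks of a contiguous file that can be neither read nor rebuilt."""
    if size == 0 or len(failed) < 2:
        return []                            # one failure: parity rebuilds the block
    first, last = offset // block, (offset + size - 1) // block
    # With two members gone, parity is useless: a block is readable
    # only if the disk it sits on survived.
    return [k for k in range(first, last + 1)
            if disk_of_block(k, n_disks) in failed]

def survey(files, block, n_disks, failed):
    """Map file name -> True if every byte of the file is still readable."""
    return {name: not lost_blocks(off, size, block, n_disks, failed)
            for name, (off, size) in files.items()}

# Constructed sample data: byte offset and size of each file on the array.
BLOCK = 64 * 1024
FILES = {
    "small.txt":  (3 * BLOCK + 100, 4000),      # fits inside block 3
    "report.doc": (3 * BLOCK + 60000, 20000),   # crosses from block 3 into 4
    "tiny.cfg":   (4 * BLOCK, 512),             # small, but sits on a failed disk
    "video.avi":  (6 * BLOCK, 10 * BLOCK),      # spans blocks 6..15
}
FAILED = {1, 2}                                 # only disk 0 survives

if __name__ == "__main__":
    for name, ok in survey(FILES, BLOCK, 3, FAILED).items():
        off, size = FILES[name]
        lost = lost_blocks(off, size, BLOCK, 3, FAILED)
        print(f"{name:11} {'intact' if ok else 'broken'}  lost blocks: {lost}")
```

In this layout consecutive data blocks land on consecutive disks, so with one survivor out of three no two adjacent blocks are ever both readable: only a file that fits entirely inside one surviving block comes back intact.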

Saturday, 6 June 2015

Things to avoid in data recovery

This is a short list compiled from tech support experience, without much explanation:

  • USB-to-SATA converters (for bad reliability);
  • Marvell chipsets (for bad handling of bad sectors);
  • Silicon Image controllers or any RAID cards based on these (after SIL_QUIRK_MOD15WRITE; even if SIL_QUIRK_MOD15WRITE does not apply to your controller, this is not an excuse to use Sil);
  • nVidia chipsets (for bad reliability of disk controllers under load).

Thursday, 28 May 2015

Timestamp and other metadata reliability

In forensics, it turns out, it is important to know timestamps reliably. In older filesystems, like NTFS and FAT, you either have a timestamp (if the record is intact) or you don't (if the record is overwritten). Now, CoW filesystems like ReFS and BTRFS produce a whole lot of different versions of metadata records - do you want a generation 3 timestamp or a generation 8 timestamp? Considering that metadata generation numbers (as used for timestamps) do not necessarily match file pointer generation data, there seems to be no way to get forensically reliable timestamps on modern filesystems. This is probably something worth looking into.

Wednesday, 15 April 2015


Been answering a support query recently, and mentioned to the client that USB is outright bad in all respects [for data recovery use].

Well, pretty much so:
  • if one of the drives has a bad block, quite likely the USB converter will lock up on hitting that block;
  • with USB 2.0, speed is 15 MB/sec maximum, for all drives combined,
    • even if you have what appear to be different ports, they will be routed through the same root port or hub anyway;
  • devices advertised as USB 3.0 often work at 2.0 speeds, with no warning whatsoever;
  • power supply issues and limitations are difficult to control,
    • especially so if hubs are involved;
  • any setup with daisy-chained hubs is unstable,
    • especially so with USB 3.0.

So, think twice before starting a recovery with a laptop-based all-USB setup.

Tuesday, 14 April 2015

RAID block size limiters

If you are doing a RAID recovery and the software can limit the block sizes allowed in the search (which is quite common, actually: ReclaiMe Pro has it, Runtime has it, ZAR has it, and perhaps R-Studio has it too), and if you happen to know the block size exactly, do not set the limiter to the exact block size.

If you know the block size is 128 whatever units, set limits to 64 low and 256 high (of the same units, repeat, the same units). Otherwise, if the automatic detection gets you the value at one of the edges of the range, you do not know if it is because the value is correct, or because it hit the limit and was not able to further change the block size. The final block size must be inside the allowed range, not on the edge.