04. April 2018 - Sebastian Evers
Storage media with data loss:
Data specified for recovery:
The RAID 5 of a customer failed. We were told that the RAID system „crashed“ and went offline. In order to correct the error, the allegedly defect RAID controller was exchanged by the manufacturer. After the replacement of the controller five HDDs of the ProLiant server were not recognized anymore. When the hard disks were finally forced to recognise again, only one of the two logical volumes was visible.
The german-based system was picked up by a courier and directly transported about 600 kilometres to the Attingo laboratory. The first damage evaluation showed no physical damages of the hard disks. 100% raw data of all five hard disks could be copied. The technicians had to ascertain a heavily damaged logical content of the RAID array. Spot checks of several large and fragmented file types were positive.
Attingo was able to determine the previous RAID-parameters of the array and reconstruct parts of the NTFS file system. Different approaches delivered outcomes of qualitative diversity: The recovery of existing files, the recovery of deleted files, anonymous files with folder structure and the recovery of files without any file system structure. With a mix of all these approaches, a usable result was generated which significantly reduced the data loss of the customer.
As diagnosed, the RAID 5 was originally on five hard disks. One of these hard disks was removed, formatted and partially with software-based recovery tries overwritten. Afterwards, a new RAID 5 array was created with the four remaining hard disks and the data was partially overwritten with a new parity. Additionally, new logical volumes were created and recovery software was installed. Because of all of this, several million sectors of users data was overwritten and important file system information was lost.