Recovering a RAID by Manual Calculation


    Revision as of 13:05, 14 Nov 2024


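    This article is translated from R-TT
    http://www.r-tt.com/Articles/Finding...rs/index.shtml
    Translated and adapted by: OSSLab thx and aweij

    The following explains how to recover a RAID 5 by hand.

    Case:

    1. 3 hard disks, order unknown
    2. File system: NTFS (created by Windows XP/2003) with a Master Boot Record (MBR start block)
    3. Type: Basic volume

    Parameters needed to recover the RAID array:
    1. Disk order
    2. Stripe size (also the parity block size)
    3. Stripe order
    4. Disk offset

    The disk images are in R-Studio's own disk image file format: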

    Disk1.arc
    Disk2.arc
    Disk3.arc

    Note how the program labels the objects here: even if R-Studio finds a Disk1 object in Disk2.arc, that is not necessarily the first disk in the RAID.

     
    Finding the MBR to determine the RAID offset

    1. Open all the image files in the Text/hexadecimal editor.
    2. Do not enable writing, so that nothing can be written to the images.
    3. Write down the Windows disk signature for each object to recognize later which Editor's window belongs to which object.
    4. Use the HEX search to look for the MBR pattern 33 C0 8E D0 BC (these bytes are the MBR start block; the code is not necessarily the same in every case). In the search options, select "From start position" and enter "0" in "Search at offset (hex)".

    5. Click OK to start searching.

    Data in Search dialog box to begin search for the Master Boot Record (MBR)

    Search results:
    Disk1.arc: pattern not found.

    Disk2.arc: MBR pattern found.

    Disk3.arc opened in the Text/hexadecimal editor. MBR pattern found.

    The result is that the Text/hexadecimal editor finds this pattern at address 00 on Disk2.arc and Disk3.arc; Disk1.arc shows only zeros. That means that the offset is 0, and Disk1.arc cannot be the first disk in the RAID.

    Disk2 and Disk3 hold the master bootstrap loader code at the same position; in this example the two disks carry identical MBR data at the same place. This is what RAID 5 parity produces when the other data block of the stripe (here on Disk1) is all zeros: the parity block is then a byte-for-byte copy of the MBR block.

    Second step: we need to find the NTFS boot sector.

    Look at the Sectors preceding partition field on the Template pane; the Windows disk signature is shown there as well.


    Template pane for Disk2 and Disk3

    In our case, Sectors preceding partition is 16,065.

    If this value is larger than 63, we should divide it by N - 1, where N is the number of disks (in our case, N = 3), which gives us 8,032. This is an approximate position to start searching for the NTFS boot sector. We will start the search from this position to avoid finding false NTFS boot sectors that may remain from previous NTFS partitions.


    Jump to that sector in the Editor and then search for the NTFS boot sector pattern.


    The Sectors search field in the Text/hexadecimal editor

    On the Search dialog box, enter EB 52 90 4E 54 46 53 20 20 20 20 (the NTFS boot sector always starts with these bytes) into the HEX field, select From current position and enter 0 in Search at offset.


    Data in Search dialog box to start search for NTFS boot sector

    The Editor finds this pattern at sector 8064 on Disk2 and Disk3.


    Now select the Boot sector NTFS pattern on the Template pane.
    Disk2.arc opened in the Text/hexadecimal editor. NTFS boot sector pattern found. The same pattern is found on Disk3.arc.

    The BIOS Parameter Block shown for the NTFS boot sector pattern gives us the information we need.

    Required parameters that we have found
    Bytes per sector: 512
    Sectors per cluster: 8
    Logical Cluster Number for the file $MFT: 786432


    Previously found parameters:
    RAID offset: 0

    Next we need to find the MFT (master file table) on the disk:

    1. We will try to find an approximate MFT offset from the RAID start:

    MFT offset from the partition start in sectors = Logical Cluster Number for the file $MFT * Sectors per cluster + RAID offset = 786,432 * 8 + 0 = 6,291,456 sectors

    If the RAID offset is not 0, we need to add the offset to the result of the equation above.
    MFT start on the first disk = MFT offset from the partition start in sectors / (N - 1) = 6,291,456 / 2 = 3,145,728

    2. We will begin to search for the exact MFT start at a position a couple thousand sectors less than this value. Say, sector 3,140,000.

    On the Search dialog box, enter "FILE" into the ANSI field, then select From current position and enter 0 in Search at offset.

    This pattern is found at sector 10,241,463 on Disk2 and at sector 3,153,792 on Disk3.



    First file record sector in Disk3. Start of a data block.

    What is important: The signature FILE ends with 0, which means that the file record number is not overwritten with a fixup. If it had ended with * (FILE*), we would not have been able to proceed further in our search and would have needed to use another technique.

    The pattern $.M.F.T. (HEX 24 00 4D 00 46 00 54) shows that this is a correct MFT beginning.

    Because sector 3,153,792 is closer to our expected value of sector 3,145,728 than sector 10,241,463 is, we may assume that Disk3 is the first disk in the RAID.


    To proceed further, we need to keep in mind that a file record in MFT occupies two sectors, and that data is written to a RAID 5 successively, one data block to one disk, then the next data block to the next disk, and a parity block to the third disk. We can represent an example of such a scheme in the following table ...

    First RAID disk   Second RAID disk   Third RAID disk
    PD                1                  2
    3                 PD                 4
    5                 6                  PD

    ... where the numbers represent the order in which the data blocks are written to their respective disks, and PD stands for the "parity of data" block.
    (This table represents only an example, and the block order may be arbitrary in a general case.)


    Here that means that the file record numbers in MFT will increase by one within one data block. Then the MFT will continue on another disk, where file record numbers will increase by one within its respective data block, the third disk containing the parity block. And so on.

    So, to find the block size, we will look at the file record numbers on this disk to discover the place where they no longer increase by one. This place would mean the end of that data block. Then we will look at other disks to find the disk and the place on it where file record numbers in the MFT resume increasing by one. Then we will look at another disk to find where the MFT continues, and so on.

    Such a search can be done by scrolling down the text in the Editor two sectors at a time.

    On Disk 3 the data block ends in sector 3,153,919 with file record number 3F 00.

    Last file record in Disk3. End of a data block is on the next sector (3,153,919).

    Looking at other disks, we find that this MFT continues on Disk 1 in sector 3,153,792 with file record number 40 00 and ends in sector 3,153,919 with file record number 7F 00. And so on.




    File record continues in Disk1. Start of a data block.


    Last file record in Disk1. End of the data block is on the next sector (3,153,919)

    The final results are represented in the table below:

    Disk1                           Disk2                           Disk3
    Sec: 3,153,792 Rec: 40 00       Sec: 3,153,792 No records       Sec: 3,153,792 Rec: 00 00
    Sec: 3,153,918 Rec: 7F 00       Sec: 3,153,918 No records       Sec: 3,153,918 Rec: 3F 00
    Sec: 3,153,919 End of stripe    Sec: 3,153,919 End of stripe    Sec: 3,153,919 End of stripe

    Sec: 3,153,920 No records       Sec: 3,153,920 Rec: C0 00       Sec: 3,153,920 Rec: 80 00
    Sec: 3,154,046 No records       Sec: 3,154,046 Rec: FF 00       Sec: 3,154,046 Rec: BF 00
    Sec: 3,154,047 End of stripe    Sec: 3,154,047 End of stripe    Sec: 3,154,047 End of stripe

    Sec: 3,154,048 Rec: 00 01       Sec: 3,154,048 Rec: 40 01       Sec: 3,154,048 No records
    Sec: 3,154,174 Rec: 3F 01       Sec: 3,154,174 Rec: 7F 01       Sec: 3,154,174 No records
    Sec: 3,154,175 End of stripe    Sec: 3,154,175 End of stripe    Sec: 3,154,175 End of stripe

    No records means this is a parity block.


    Example of a parity sector

    Calculated results

    Disk order
      RAID disk 1 is Disk3.arc
      RAID disk 2 is Disk1.arc
      RAID disk 3 is Disk2.arc

    Offset: 0
    Stripe size: 128 sectors, or 65,536 bytes (64KB)
    Stripe order: (PD stands for Parity of Data)

    First RAID disk   Second RAID disk   Third RAID disk
    1                 2                  PD
    3                 PD                 4
    PD                5                  6
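
The record-number walk used above to get the stripe size, disk order and parity rotation can be scripted. The following is an added example, not code from R-TT or R-Studio: the function names are hypothetical, the three images are constructed in memory (starting at sector 0 instead of sector 3,153,792), and the record number is read from offset 0x2C of a FILE0 record, which is the NTFS 3.1 record layout and is not stated on this page.

```python
import struct

SECTOR, REC_SECTORS = 512, 2   # one MFT file record occupies two sectors
REC_NO_OFF = 0x2C              # record-number field of a FILE0 record (assumed NTFS 3.1 layout)

def file_record(n):
    """Constructed MFT record: FILE0 signature plus little-endian record number."""
    rec = bytearray(SECTOR * REC_SECTORS)
    rec[0:5] = b"FILE0"
    struct.pack_into("<I", rec, REC_NO_OFF, n)
    return bytes(rec)

def build_sample(stripe=128):
    """Constructed 3-disk RAID 5 images holding only MFT records (not real data)."""
    layout = [("Disk3", "Disk1", "Disk2"),   # (data, data, parity) per stripe row
              ("Disk3", "Disk2", "Disk1"),
              ("Disk1", "Disk2", "Disk3")]
    per_block, n = stripe // REC_SECTORS, 0
    disks = {"Disk1": b"", "Disk2": b"", "Disk3": b""}
    for d1, d2, par in layout:
        a = b"".join(file_record(n + i) for i in range(per_block))
        b = b"".join(file_record(n + per_block + i) for i in range(per_block))
        n += 2 * per_block
        disks[d1] += a
        disks[d2] += b
        disks[par] += bytes(x ^ y for x, y in zip(a, b))   # XOR parity block
    return disks

def record_no(img, sector):
    """Record number of the file record at this sector, or None (parity or no record)."""
    off = sector * SECTOR
    if img[off:off + 4] != b"FILE":
        return None
    return struct.unpack_from("<I", img, off + REC_NO_OFF)[0]

def analyze(disks, start=0):
    """Return (stripe size in sectors, disk order, stripe table) from record numbers."""
    first = next(d for d, img in disks.items() if record_no(img, start) == 0)
    size = REC_SECTORS
    # Step two sectors at a time until the numbers stop increasing by one.
    while record_no(disks[first], start + size) == size // REC_SECTORS:
        size += REC_SECTORS
    per_block = size // REC_SECTORS
    n_rows = (len(disks[first]) // SECTOR - start) // size
    rows = [{d: record_no(img, start + r * size) for d, img in disks.items()}
            for r in range(n_rows)]
    # First row: data disks in record order, then the disk with no records (parity).
    data = sorted((d for d in rows[0] if rows[0][d] is not None), key=rows[0].get)
    order = data + [d for d in rows[0] if rows[0][d] is None]
    table = [["PD" if row[d] is None else row[d] // per_block + 1 for d in order]
             for row in rows]
    return size, order, table
```

Calling `analyze(build_sample())` reproduces the stripe size, disk order and stripe order listed above; the parity blocks show up as "no records" because XOR of two FILE0 signatures is zero.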


    Now we can create such a RAID in R-Studio.
