Data recovery on an array of 4 drives in RAID – March 2019

Although most of our time is spent recovering individual hard drives, we also get requests for data recovery from failed server or NAS devices where the hard drives are put into a RAID array. For small units, RAID 0 or RAID 1 is usually used; for bigger units, RAID 5 is the most commonly used setup. For this particular recovery, the client had 4x 8TB Seagate hard drives in RAID 6. The actual hard drives themselves were in good working order, but the array had been lost due to malicious activity when the unit was apparently hacked.

The first step was to investigate the actual contents of each drive using a hex editor, which lets us read the raw ‘ones and zeroes’ of the drive. By doing this we can compare the data on each drive and establish the parameters that were used to configure the RAID array. Below is an example of what the data would look like when viewing it in a hex editor.

Once we have established how the hard drives were put together to form the RAID array, we can configure a virtual data recovery environment with the parameters that we found and mount the RAID virtually and start to access the storage array. Here you can see that the array consisted of a ZFS filesystem and, within that, the actual data was hosted using a 13TB ReFS3 partition.
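The drive comparison described above can be automated. The following is an added example, not code from our lab tooling: it assumes a conventional 4-drive RAID 6 with XOR parity (P) and a second parity (Q) computed in GF(2^8) with polynomial 0x11d, and it runs on a small constructed array rather than real drive images. The helper names, the 64-byte chunk size and the parity rotation are all assumptions made for the demonstration.

```python
import itertools, math, random

def gf_mul2(block):
    # Multiply every byte by 2 in GF(2^8), polynomial 0x11d (assumed Q-parity field).
    return bytes(((b << 1) ^ 0x1d) & 0xff if b & 0x80 else b << 1 for b in block)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def roles(blocks):
    # Find which disk holds D0, D1, P and Q for one set of same-offset blocks.
    if len(set(blocks)) < 4:  # zero-filled or repeated blocks prove nothing
        return None
    for d0, d1, p, q in itertools.permutations(range(4)):
        if (blocks[p] == xor(blocks[d0], blocks[d1])
                and blocks[q] == xor(blocks[d0], gf_mul2(blocks[d1]))):
            return d0, d1, p, q
    return None

def detect_layout(disks, probe=16):
    # Step through the images; record each offset where the role assignment changes.
    changes = []
    for off in range(0, len(disks[0]), probe):
        r = roles([bytes(d[off:off + probe]) for d in disks])
        if r is not None and (not changes or changes[-1][1] != r):
            changes.append((off, r))
    # Role changes fall on chunk boundaries, so their common divisor is the chunk size.
    chunk = math.gcd(*[off for off, _ in changes])
    return chunk, [r for _, r in changes]

def build_demo(chunk=64, stripes=8, seed=1):
    # Constructed test array: P rotates backwards one disk per stripe, Q follows P.
    rng = random.Random(seed)
    disks = [bytearray() for _ in range(4)]
    for s in range(stripes):
        d0 = bytes(rng.getrandbits(8) for _ in range(chunk))
        d1 = bytes(rng.getrandbits(8) for _ in range(chunk))
        p = (3 - s) % 4
        for disk, data in ((p, xor(d0, d1)), ((p + 1) % 4, xor(d0, gf_mul2(d1))),
                           ((p + 2) % 4, d0), ((p + 3) % 4, d1)):
            disks[disk] += data
    return disks

if __name__ == "__main__":
    chunk, layout = detect_layout(build_demo())
    print("chunk size:", chunk)
    for stripe, (d0, d1, p, q) in enumerate(layout):
        print(f"stripe {stripe}: D0=disk{d0} D1=disk{d1} P=disk{p} Q=disk{q}")
```

On real images the probe should only be trusted over regions holding high-entropy data, and a ZFS-managed array may use a different parity layout than the one assumed here.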

Now that we have uncovered the data structure we can start extracting the data. An issue with this particular recovery was the use of the ZFS filesystem. When mounted virtually, it is hugely resource-heavy. Even with an incredibly powerful machine sporting 128GB of DDR4 RAM, the memory usage was constantly maxed out and a pagefile was needed to work with this setup.

All in all, after a few days, the data was fully processed and recovered in our Cape Town data recovery lab. If you have any RAID data recoveries that you need assistance with, don’t hesitate to contact us.
