Thursday, 17 March 2011

Special RAID Type

Recently, I’ve seen two very special types of RAID. They are neither RAID5 nor RAID6, but they have the same tolerance of drive failure as RAID5/RAID6, in that the data is still recoverable when two drives have failed.



1. RAID from Adaptec 3805
It has a data stripe size of 512 sectors, and one data unit cycle consists of two rows (5 data stripes). The data structure is:



P1= D5 XOR D2
P2= D1 XOR D3
P3= D2 XOR D4
P4= D3 XOR D5
P5= D4 XOR D1

For example, if Drive 1 and Drive 3 have failed, the data on them can be regenerated by:
D1= D4 XOR P5;
D3= D5 XOR P4;




Because the parity is not on the same row as the data, no software available on the market supports regenerating the missing data stripes from crossed-row data and parity. R-Studio can only regenerate missing data when the parity is on the same row as the data. A special script has to be written to regenerate the content of the failed drives, so that conventional software can be used to retrieve the data in the final step.
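A sketch of such a regeneration step, as an added example and not the script used in the original case. It assumes that P1..P5 sit on Drives 1..5 in the second row of each cycle (the layout figure is not reproduced here) and uses short constructed stripes; it goes beyond the Drive 1 + Drive 3 case by checking every pair of failed drives.

```python
from itertools import combinations

N = 5  # drives in the array; one cycle = a data row plus a parity row

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def parity_row(data):
    # The page's equations with 0-based indices: P[i] = D[i-1] XOR D[i+1]
    return [xor(data[(i - 1) % N], data[(i + 1) % N]) for i in range(N)]

def regenerate(data, parity):
    """Fill in the data stripes that are None (failed drives).

    Returns the repaired data row and the steps used, each step being
    (rebuilt D, source D, source P) as 1-based drive numbers.
    Assumption: P[i] is stored on drive i, so it is lost with that drive.
    """
    data, steps = list(data), []
    for i in [k for k in range(N) if data[k] is None]:
        # D[i] is covered by P[i+1] (with D[i+2]) and by P[i-1] (with D[i-2])
        for p, other in (((i + 1) % N, (i + 2) % N), ((i - 1) % N, (i - 2) % N)):
            if parity[p] is not None and data[other] is not None:
                data[i] = xor(data[other], parity[p])
                steps.append((i + 1, other + 1, p + 1))
                break
        else:
            raise ValueError(f"D{i + 1} cannot be regenerated")
    return data, steps

def check_all_pairs(stripe_bytes=16):
    # Constructed sample stripes; a real stripe here is 512 sectors long.
    data = [bytes((37 * i + j) % 256 for j in range(stripe_bytes)) for i in range(N)]
    parity = parity_row(data)
    plans = {}
    for failed in combinations(range(N), 2):
        d = [None if i in failed else s for i, s in enumerate(data)]
        p = [None if i in failed else s for i, s in enumerate(parity)]
        rebuilt, steps = regenerate(d, p)
        assert rebuilt == data
        plans[tuple(f + 1 for f in failed)] = steps
    return plans

if __name__ == "__main__":
    for failed, steps in check_all_pairs().items():
        print(failed, ["D%d = D%d XOR P%d" % s for s in steps])
```

For failed drives 1 and 3 the plan it prints is the pair of equations given above.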
To regenerate D1 on the first row of each data unit cycle, as in the example above, the script calculates the XOR of D4 on the first row and P5 on the second row and stores the result on the first row of the missing drive. After running the script, the data structure will look like:



Now we can use R-Studio to retrieve the data. Build a virtual RAID using all the working drives and the regenerated drives. Set the RAID type to customized:




2. The second special type of RAID allows a maximum of two failed drives. It uses redundant copies of the original data, which play the same role as parity. The data structure is:



Within a data unit cycle it also has two rows, like the first type. There is no parity at all. The green-colored set of data is the redundancy. As can be seen from the data structure, even though it supports up to two failed drives, these two failed drives can NOT be 1+3, 1+4, 2+4, 2+5 or 3+5. Any other combination of failed drives is tolerated. For example, Drive 1 and Drive 2 have failed.




Using R-Studio, we can construct a customized virtual RAID to retrieve the data as:


Written by: Zijian Xie (R&D Manager, MSc,BEng)

Thursday, 24 February 2011

Script to attach MDF without LDF under SQL2000

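USE MASTER
GO
-- Allow direct updates to the system tables
SP_CONFIGURE 'ALLOW UPDATES',1 RECONFIGURE WITH OVERRIDE
GO
-- Put the database into emergency mode (status 32768)
UPDATE SYSDATABASES SET STATUS =32768 WHERE NAME='db_NAME'
Go
sp_dboption 'db_NAME', 'single user', 'true'
Go
-- Check the consistency of the database
DBCC CHECKDB('db_NAME')
Go
-- Set the database status to 28
update sysdatabases set status =28 where name='db_NAME'
Go
-- Disallow direct updates to the system tables again
sp_configure 'allow updates', 0 reconfigure with override
Go
sp_dboption 'db_NAME', 'single user', 'false'
Go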

Seagate 7200.12 ‘SIM ERROR’ Firmware Fault

The symptoms of the ‘SIM Error’ firmware fault on hard drives belonging to the Seagate 7200.12 family are:

1. The hard drive status stays BUSY forever after switching on;

2. On the serial command line, it outputs (when the PCB is attached to the hard drive):

SIM Error 3005
No HOST FIS-ReadyStatusFlags 2002A1A5
ASCII Diag mode

3. On the serial command line, it outputs (when the PCB is detached from the hard drive):

No HOST FIS-ReadyStatusFlags 2002A1A5

Using the conventional method of fixing a ‘BUSY and LBA=0’ 7200.11 hard drive, it outputs:

No HOST FIS-ReadyStatusFlags 2002A1A5
ASCII Diag mode
F3 T>/2
F3 2>Z
Spin Down Complete
Elapsed Time 6.015 secs
F3 2>
ASCII Diag mode
F3 T>/2
F3 2>U
HighPowerMode
ExecuteSpinRequest
Spin Up Complete
Elapsed Time 3.624 secs
F3 2>/1
F3 1>N1
Init SMART Fail

The initialization of the SMART module fails even though the hard drive passes the spin-up and spin-down operations. To solve this problem, instead of using N1 to clear the SMART data after command U, we use command m0 first.

(P) SATA Reset

SIM Error 3005
No HOST FIS-ReadyStatusFlags 2002A1A5
ASCII Diag mode

F3 T>/2

F3 2>Z

Spin Down Complete
Elapsed Time 6.035 secs
F3 2>U

HighPowerMode
ExecuteSpinRequest

Spin Up Complete
Elapsed Time 3.573 secs
F3 2>/

F3 T>m0,2,2,,,,,22
Max Wr Retries = 00, Max Rd Retries = 00, Max ECC T-Level = 16, Max Certify Rewrite Retries = not supported

User Partition Format Successful - Elapsed Time 0 mins 00 secs

F3 T>/1

F3 1>N1

Clear SMART is completed.
F3 1>
Rst 0x08M
(P) SATA Reset


Written by: Zijian Xie (R&D Manager, MSc,BEng)

Thursday, 13 January 2011

Types of RAID6

1. P+Q RAID6

Each data stripe of a P+Q double-parity RAID6 has a standard RAID5 parity and a ‘Q’ parity which is generated by a Reed-Solomon coding algorithm. It tolerates up to two drive failures. The minimum number of disks is 4.

The HP ADG RAID6 is a special type of P+Q RAID6. Within each standard data stripe, there is an integer number of smaller data stripes where the P and Q parities remain on the same disk. This is also called delay parity. Generally speaking, this type of RAID6 has a delay parity value of 16.


2. NetApp Double XOR RAID 6

It is also called RAID-DP and has a data structure similar to RAID4. P and Q parities are generated and stored on the same drives. It tolerates up to two drive failures. The minimum number of disks is 4.




3. X-Code RAID6

It is also called vertical XOR RAID6. The minimum number of disks is 4. It tolerates up to two drive failures. Each data stripe group has N data stripes, where N is the number of disks. For example, if it has 5 disks, each data stripe group has 5 rows of data stripes as shown in the figure below.




4. ZZS Code RAID6
The minimum physical number of disks for ZZS code RAID6 is 5, and it has to be a prime number (5, 7, 11, 13, 19...). But the ZZS coding algorithm also allows one of the drives to contain only zeros. In other words, the minimum logical number of disks is 4. The ZZS coding algorithm also defines the calculation unit (one cycle) as (n-1)/2 if there are n physical disks in the RAID6. In the example shown below, it has 7 disks, so each cycle has three data stripes.



5. Park Code RAID6
Park is an engineer at IBM. He designed a new coding algorithm to implement a type of RAID6 that supports 3 to 38 disks. Park code RAID6 always uses three data stripes as a calculation unit.




Currently, I have not found any software application that supports ZZS and Park RAID6. But, with all the disks intact, the data are still retrievable using a customised RAID in R-Studio. Leave your comments if you know of any other types of RAID6 or solutions.


Written by: Zijian Xie (R&D Manager, MSc,BEng)




Thursday, 11 November 2010

256-Bit Based Hardware Encryption on WD MyBook Essential

Western Digital’s refreshed My Book Essential external hard drive provides a simple, secure, and inexpensive home backup solution. With an enormous 2TB capacity, built-in WD SmartWare software and 256-bit built-in encryption with user password protection, there is very little not to like here. But imagine what would happen if the hardware of the device breaks, for example if the PCB of the hard drive is damaged by a power surge. Can a data recovery engineer retrieve any user data using conventional techniques? A test was carried out on two 320GB WD MyBook Essential external hard drives for research purposes.



The two drives are initialized with the factory default settings and no user password is set. A hex editor is used to view sector 0 and sector 1 of the two drives (as shown in the figure below respectively). Sector 0 is a Master Boot Record. Sector 1 contains patterned data where a conventional hard drive would contain zeros. The patterned data are unique and differ between the two drives (as shown in the table below).

Drive A 0x E6 89 D2 0F D3 62 4C F8 3A 2E 7B B7 6A 7A FC BF
Drive B 0x 3A 73 9F 10 1A 47 97 F2 9A 31 BB E5 CC 8F 97 50







Assume that both PCB boards are now damaged by users and the drives are not spinning up anymore.



A compatible PCB is borrowed from a donor drive (as shown in the figure below).


Direct replacement of the WD PCB is not going to work. The adaptive ROM content on the donor PCB needs to be recreated from the ROM overlay modules on the platter. This can be achieved with a firmware manipulation tool, which is not introduced here. A SATA-interface PCB is used on the donor drive instead of a USB-interface one because the firmware repair utilities don’t support the USB interface for firmware manipulation. Once the ROM is regenerated and the PCB is attached to the failed hard drives, both hard drives spin up again and are recognized by the computer correctly.

Viewing the same sectors in a hex editor again after replacing the PCB, sector 0 contains some data which look as if they have been encrypted, and sector 1 contains zeros. Obviously, the contents are totally different from what was seen before the PCB was swapped.





Based on the test above, the original PCB utilizes an encryption feature where the decryption key is unique to a hard drive. Even though the sectors become accessible through a donor PCB, the user files are still not recoverable unless the original PCB is fixed. The patterned data stored in sector 1 and some following sectors, where they should contain zeros, are the key parameter of the decryption process. But only WD knows the decryption algorithm until someone else is able to disclose it by reverse engineering. Bear in mind that the patterned data will be unknown unless the original PCB is working. So, to find the key parameter, the controller chip and/or the firmware modules have to be examined.

Written by: Zijian Xie (R&D Manager, MSc,BEng)

Thursday, 14 October 2010

Deleted Microsoft SQL Database Recovery Case Study

The video will show how we use the File Defragmentation Technique (FDT) to retrieve an accidentally deleted Microsoft SQL database (SQL2000, SQL2005, SQL2008). A comparison of the recovery performance between the conventional DR method and FDT will be given too.

(Keyword: Forensic MDF Recovery, SQL Recovery, SQL Deletion Recovery)

Monday, 20 September 2010

Windows Dynamic Disks (LDM)

VBLK is the most important parameter in the LDM database. The best way to examine it is to use 'dmdiag.exe', which can be downloaded from the Windows website. It helps us to recreate the logical disk structure. I created a group of dynamic disks under Windows, consisting of two physical drives. The volumes are:
1. Spanned (purple);
2. Striped (green);
3. Simple (yellow);



Running 'dmdiag.exe', we have:

#Record 48: type=0x0034 flags=0x0000 gen_flags=0x0004 size=156

#Blocks: 14 15

Disk: Disk2 rid=0.1030 updated=0.1094

assoc: diskid=a5820739-c02a-4ed9-9b13-009f5a4ff6a0 lastdevice=IDE\DISKWDC_WD800BB-00CAA1______________________17.07W17\4457572D414D4538363336303834_030_0_0_0_0

flags:

#Record 55: type=0x0034 flags=0x0000 gen_flags=0x0004 size=156

#Blocks: 6 9

Disk: Disk1 rid=0.1027 updated=0.1103

assoc: diskid=aab20507-ea67-4952-ac74-82d1a6abb42a lastdevice=IDE\DISKMAXTOR_6Y080L0__________________________YAR41BW0\3259513133444535202020202020202020202020

flags:

#Record 36: type=0x0033 flags=0x0000 gen_flags=0x0004 size=51

#Blocks: 13

Subdisk: Disk1-01 rid=0.1076 updated=0.1077

info: disk=0.1027 offset=0 len=20480000 hidden=0

assoc: plex=0.1074 (column=0 offset=0)

flags:

#Record 42: type=0x0033 flags=0x0000 gen_flags=0x0004 size=50

#Blocks: 16

Subdisk: Disk1-02 rid=0.1081 updated=0.1082

info: disk=0.1027 offset=20480000 len=10240000 hidden=0

assoc: plex=0.1074 (column=0 offset=20480000)

flags:

#Record 51: type=0x0033 flags=0x0000 gen_flags=0x0004 size=51

#Blocks: 20

Subdisk: Disk1-03 rid=0.1091 updated=0.1094

info: disk=0.1027 offset=30720000 len=30720000 hidden=0

assoc: plex=0.1089 (column=0 offset=0)

flags:

#Record 58: type=0x0033 flags=0x0000 gen_flags=0x0004 size=51

#Blocks: 22

Subdisk: Disk1-04 rid=0.1102 updated=0.1103

info: disk=0.1027 offset=61440000 len=98635377 hidden=0

assoc: plex=0.1100 (column=0 offset=0)

#Record 46: type=0x0033 flags=0x0000 gen_flags=0x0004 size=51

#Blocks: 17

Subdisk: Disk2-01 rid=0.1084 updated=0.1085

info: disk=0.1030 offset=0 len=20480000 hidden=0

assoc: plex=0.1074 (column=0 offset=30720000)

flags:

#Record 52: type=0x0833 flags=0x0000 gen_flags=0x0004 size=53

#Blocks: 21

Subdisk: Disk2-02 rid=0.1093 updated=0.1094

info: disk=0.1030 offset=20480000 len=30720000 hidden=0

assoc: plex=0.1089 (column=1 offset=0)

flags:

#Record 45: type=0x0032 flags=0x0000 gen_flags=0x0004 size=48

#Blocks: 12

Plex: Volume1-01 rid=0.1074 update=0.1085

type: layout=CONCAT

state: state=ACTIVE

assoc: vol=0.1072

flags:

#Record 50: type=0x1032 flags=0x0000 gen_flags=0x0004 size=52

#Blocks: 19

Plex: Stripe1-01 rid=0.1089 update=0.1094

type: layout=STRIPE columns=2 width=128

state: state=ACTIVE

assoc: vol=0.1087

flags:

#Record 57: type=0x0032 flags=0x0000 gen_flags=0x0004 size=48

#Blocks: 18

Plex: Volume2-01 rid=0.1100 update=0.1103

type: layout=CONCAT

state: state=ACTIVE

assoc: vol=0.1098

flags:

#Record 44: type=0x0251 flags=0x0000 gen_flags=0x0004 size=84

#Blocks: 10

Volume: Volume1 rid=0.1072 update=0.1085 mountname=E:

info: len=51200000 guid=9546148a-73bd-491a-8ba2-2e6e87c303a0

type: parttype=6 usetype=gen

state: state=ACTIVE

policies: read=SELECT

flags: writeback

#Record 60: type=0x0251 flags=0x0000 gen_flags=0x0004 size=84

#Blocks: 8

Volume: Volume2 rid=0.1098 update=0.1105 mountname=G:

info: len=98635377 guid=6f913350-77b3-4bed-99d6-96ef6da8cf2d

type: parttype=6 usetype=gen

state: state=ACTIVE

policies: read=SELECT

flags: writeback

#Record 54: type=0x0251 flags=0x0000 gen_flags=0x0004 size=84

#Blocks: 7

Volume: Stripe1 rid=0.1087 update=0.1096 mountname=F:

info: len=61440000 guid=9f16eb7d-1f88-4405-aede-3928d2859cb3

type: parttype=6 usetype=gen

state: state=ACTIVE

policies: read=SELECT

flags: writeback


According to the information displayed above, the four-layer Windows LDM structure can be recreated as:




Based on this four-layered LDM structure, volumes can be recreated virtually using data recovery software.
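The mapping those records imply, written out as an added example (not part of the original post and not the logic of any particular recovery tool). The tables are transcribed from the Subdisk, Plex and Volume records above; treating the stripe width of 128 as a count of sectors is an assumption, and the function and table names are made up for the illustration.

```python
# Records transcribed from the dmdiag output above; all values are in sectors.
# (name, disk, offset on disk, length, plex rid, column, offset in plex)
SUBDISKS = [
    ("Disk1-01", "Disk1", 0,        20480000, "0.1074", 0, 0),
    ("Disk1-02", "Disk1", 20480000, 10240000, "0.1074", 0, 20480000),
    ("Disk2-01", "Disk2", 0,        20480000, "0.1074", 0, 30720000),
    ("Disk1-03", "Disk1", 30720000, 30720000, "0.1089", 0, 0),
    ("Disk2-02", "Disk2", 20480000, 30720000, "0.1089", 1, 0),
    ("Disk1-04", "Disk1", 61440000, 98635377, "0.1100", 0, 0),
]
# mount name -> (plex rid, layout, columns, stripe width, volume length)
VOLUMES = {
    "E:": ("0.1074", "CONCAT", 1, 0,   51200000),
    "F:": ("0.1089", "STRIPE", 2, 128, 61440000),  # width unit assumed: sectors
    "G:": ("0.1100", "CONCAT", 1, 0,   98635377),
}

def subdisks_of(mount):
    return [s for s in SUBDISKS if s[4] == VOLUMES[mount][0]]

def lengths_consistent():
    """The subdisk lengths of each plex must add up to the volume length."""
    return all(sum(s[3] for s in subdisks_of(m)) == v[4] for m, v in VOLUMES.items())

def locate(mount, lba):
    """Map a volume sector to (disk, sector), the sector being counted from
    the same origin as the 'offset' field dmdiag reports for that disk."""
    _, layout, columns, width, vol_len = VOLUMES[mount]
    if not 0 <= lba < vol_len:
        raise ValueError("sector outside volume")
    subs = subdisks_of(mount)
    if layout == "CONCAT":
        # Subdisks follow one another at their plex offsets
        hits = [(disk, off + lba - poff)
                for _, disk, off, length, _, _, poff in subs
                if poff <= lba < poff + length]
    else:
        # STRIPE: chunks of `width` sectors rotate across the columns
        chunk, within = divmod(lba, width)
        row, column = divmod(chunk, columns)
        hits = [(disk, off + row * width + within)
                for _, disk, off, _, _, col, _ in subs if col == column]
    if not hits:
        raise ValueError("no subdisk covers this sector")
    return hits[0]

if __name__ == "__main__":
    print(lengths_consistent(), locate("E:", 30720000), locate("F:", 300))
```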