Windows Dynamic Disks (LDM)

VBLK is the most important parameter in the LDM database. The best way to examine it is to use 'dmdiag.ext' which can be downloaded from the Windows website. It helps us to recreate the logical disk structure. I created a group of dynamics disks under Windows, consists of two physical drives. Volumes are:

1. Spanned (purple);

2. Stripped (green);

3. Simple (yellow);

Run the 'dmdiag.exe', we have:

#Record 48: type=0x0034 flags=0x0000 gen_flags=0x0004 size=156 #Blocks: 14 15 Disk: Disk2 rid=0.1030 updated=0.1094 assoc: diskid=a5820739-c02a-4ed9-9b13-009f5a4ff6a0 lastdevice=IDE\DISKWDC_WD800BB-00CAA1______________________17.07W17\4457572D414D4538363336303834_030_0_0_0_0 flags:

#Record 55: type=0x0034 flags=0x0000 gen_flags=0x0004 size=156 #Blocks: 6 9 Disk: Disk1 rid=0.1027 updated=0.1103 assoc: diskid=aab20507-ea67-4952-ac74-82d1a6abb42a lastdevice=IDE\DISKMAXTOR_6Y080L0__________________________YAR41BW0\3259513133444535202020202020202020202020 flags:

#Record 36: type=0x0033 flags=0x0000 gen_flags=0x0004 size=51 #Blocks: 13 Subdisk: Disk1-01 rid=0.1076 updated=0.1077 info: disk=0.1027 offset=0 len=20480000 hidden=0 assoc: plex=0.1074 (column=0 offset=0) flags:

#Record 42: type=0x0033 flags=0x0000 gen_flags=0x0004 size=50 #Blocks: 16 Subdisk: Disk1-02 rid=0.1081 updated=0.1082 info: disk=0.1027 offset=20480000 len=10240000 hidden=0 assoc: plex=0.1074 (column=0 offset=20480000) flags:

#Record 51: type=0x0033 flags=0x0000 gen_flags=0x0004 size=51 #Blocks: 20 Subdisk: Disk1-03 rid=0.1091 updated=0.1094 info: disk=0.1027 offset=30720000 len=30720000 hidden=0 assoc: plex=0.1089 (column=0 offset=0) flags:

#Record 58: type=0x0033 flags=0x0000 gen_flags=0x0004 size=51 #Blocks: 22 Subdisk: Disk1-04 rid=0.1102 updated=0.1103 info: disk=0.1027 offset=61440000 len=98635377 hidden=0 assoc: plex=0.1100 (column=0 offset=0)

#Record 46: type=0x0033 flags=0x0000 gen_flags=0x0004 size=51 #Blocks: 17 Subdisk: Disk2-01 rid=0.1084 updated=0.1085 info: disk=0.1030 offset=0 len=20480000 hidden=0 assoc: plex=0.1074 (column=0 offset=30720000) flags:

#Record 52: type=0x0833 flags=0x0000 gen_flags=0x0004 size=53 #Blocks: 21 Subdisk: Disk2-02 rid=0.1093 updated=0.1094 info: disk=0.1030 offset=20480000 len=30720000 hidden=0 assoc: plex=0.1089 (column=1 offset=0) flags:

#Record 45: type=0x0032 flags=0x0000 gen_flags=0x0004 size=48 #Blocks: 12 Plex: Volume1-01 rid=0.1074 update=0.1085 type: layout=CONCAT state: state=ACTIVE assoc: vol=0.1072 flags:

#Record 50: type=0x1032 flags=0x0000 gen_flags=0x0004 size=52 #Blocks: 19 Plex: Stripe1-01 rid=0.1089 update=0.1094 type: layout=STRIPE columns=2 width=128 state: state=ACTIVE assoc: vol=0.1087 flags:

#Record 57: type=0x0032 flags=0x0000 gen_flags=0x0004 size=48 #Blocks: 18 Plex: Volume2-01 rid=0.1100 update=0.1103 type: layout=CONCAT state: state=ACTIVE assoc: vol=0.1098 flags:

#Record 44: type=0x0251 flags=0x0000 gen_flags=0x0004 size=84 #Blocks: 10 Volume: Volume1 rid=0.1072 update=0.1085 mountname=E: info: len=51200000 guid=9546148a-73bd-491a-8ba2-2e6e87c303a0 type: parttype=6 usetype=gen state: state=ACTIVE policies: read=SELECT flags: writeback

#Record 60: type=0x0251 flags=0x0000 gen_flags=0x0004 size=84 #Blocks: 8 Volume: Volume2 rid=0.1098 update=0.1105 mountname=G: info: len=98635377 guid=6f913350-77b3-4bed-99d6-96ef6da8cf2d type: parttype=6 usetype=gen state: state=ACTIVE policies: read=SELECT flags: writeback

#Record 54: type=0x0251 flags=0x0000 gen_flags=0x0004 size=84 #Blocks: 7 Volume: Stripe1 rid=0.1087 update=0.1096 mountname=F: info: len=61440000 guid=9f16eb7d-1f88-4405-aede-3928d2859cb3 type: parttype=6 usetype=gen state: state=ACTIVE policies: read=SELECT flags: writeback

According to the information displayed above, the four layers Windows LDM structure can be recreated as:

Based on the this four-layered LDM structure, volumes can be recreated virtually using data recovery software.