Monday, 20 September 2010

Windows Dynamic Disks (LDM)

VBLK is the most important parameter in the LDM database. The best way to examine it is to use 'dmdiag.ext' which can be downloaded from the Windows website. It helps us to recreate the logical disk structure. I created a group of dynamics disks under Windows, consists of two physical drives. Volumes are:
1. Spanned (purple);
2. Stripped (green);
3. Simple (yellow);



Run the 'dmdiag.exe', we have:

#Record 48: type=0x0034 flags=0x0000 gen_flags=0x0004 size=156

#Blocks: 14 15

Disk: Disk2 rid=0.1030 updated=0.1094

assoc: diskid=a5820739-c02a-4ed9-9b13-009f5a4ff6a0 lastdevice=IDE\DISKWDC_WD800BB-00CAA1______________________17.07W17\4457572D414D4538363336303834_030_0_0_0_0

flags:

#Record 55: type=0x0034 flags=0x0000 gen_flags=0x0004 size=156

#Blocks: 6 9

Disk: Disk1 rid=0.1027 updated=0.1103

assoc: diskid=aab20507-ea67-4952-ac74-82d1a6abb42a lastdevice=IDE\DISKMAXTOR_6Y080L0__________________________YAR41BW0\3259513133444535202020202020202020202020

flags:

#Record 36: type=0x0033 flags=0x0000 gen_flags=0x0004 size=51

#Blocks: 13

Subdisk: Disk1-01 rid=0.1076 updated=0.1077

info: disk=0.1027 offset=0 len=20480000 hidden=0

assoc: plex=0.1074 (column=0 offset=0)

flags:

#Record 42: type=0x0033 flags=0x0000 gen_flags=0x0004 size=50

#Blocks: 16

Subdisk: Disk1-02 rid=0.1081 updated=0.1082

info: disk=0.1027 offset=20480000 len=10240000 hidden=0

assoc: plex=0.1074 (column=0 offset=20480000)

flags:

#Record 51: type=0x0033 flags=0x0000 gen_flags=0x0004 size=51

#Blocks: 20

Subdisk: Disk1-03 rid=0.1091 updated=0.1094

info: disk=0.1027 offset=30720000 len=30720000 hidden=0

assoc: plex=0.1089 (column=0 offset=0)

flags:

#Record 58: type=0x0033 flags=0x0000 gen_flags=0x0004 size=51

#Blocks: 22

Subdisk: Disk1-04 rid=0.1102 updated=0.1103

info: disk=0.1027 offset=61440000 len=98635377 hidden=0

assoc: plex=0.1100 (column=0 offset=0)

#Record 46: type=0x0033 flags=0x0000 gen_flags=0x0004 size=51

#Blocks: 17

Subdisk: Disk2-01 rid=0.1084 updated=0.1085

info: disk=0.1030 offset=0 len=20480000 hidden=0

assoc: plex=0.1074 (column=0 offset=30720000)

flags:

#Record 52: type=0x0833 flags=0x0000 gen_flags=0x0004 size=53

#Blocks: 21

Subdisk: Disk2-02 rid=0.1093 updated=0.1094

info: disk=0.1030 offset=20480000 len=30720000 hidden=0

assoc: plex=0.1089 (column=1 offset=0)

flags:

#Record 45: type=0x0032 flags=0x0000 gen_flags=0x0004 size=48

#Blocks: 12

Plex: Volume1-01 rid=0.1074 update=0.1085

type: layout=CONCAT

state: state=ACTIVE

assoc: vol=0.1072

flags:

#Record 50: type=0x1032 flags=0x0000 gen_flags=0x0004 size=52

#Blocks: 19

Plex: Stripe1-01 rid=0.1089 update=0.1094

type: layout=STRIPE columns=2 width=128

state: state=ACTIVE

assoc: vol=0.1087

flags:

#Record 57: type=0x0032 flags=0x0000 gen_flags=0x0004 size=48

#Blocks: 18

Plex: Volume2-01 rid=0.1100 update=0.1103

type: layout=CONCAT

state: state=ACTIVE

assoc: vol=0.1098

flags:

#Record 44: type=0x0251 flags=0x0000 gen_flags=0x0004 size=84

#Blocks: 10

Volume: Volume1 rid=0.1072 update=0.1085 mountname=E:

info: len=51200000 guid=9546148a-73bd-491a-8ba2-2e6e87c303a0

type: parttype=6 usetype=gen

state: state=ACTIVE

policies: read=SELECT

flags: writeback

#Record 60: type=0x0251 flags=0x0000 gen_flags=0x0004 size=84

#Blocks: 8

Volume: Volume2 rid=0.1098 update=0.1105 mountname=G:

info: len=98635377 guid=6f913350-77b3-4bed-99d6-96ef6da8cf2d

type: parttype=6 usetype=gen

state: state=ACTIVE

policies: read=SELECT

flags: writeback

#Record 54: type=0x0251 flags=0x0000 gen_flags=0x0004 size=84

#Blocks: 7

Volume: Stripe1 rid=0.1087 update=0.1096 mountname=F:

info: len=61440000 guid=9f16eb7d-1f88-4405-aede-3928d2859cb3

type: parttype=6 usetype=gen

state: state=ACTIVE

policies: read=SELECT

flags: writeback


According to the information displayed above, the four layers Windows LDM structure can be recreated as:




Based on the this four-layered LDM structure, volumes can be recreated virtually using data recovery software.

6 comments:

  1. wow this is one of i think i can to learn it..
    but i like this your way to post this article.
    thanks for share

    ReplyDelete
  2. I'm very happy to see this informative post.
    The loss of data generally causes an end user to a feeling of dissatisfaction.
    However for the simplicity of individuals, scientific study has launched a solution for data corruption issues.
    If a data loss condition has taken place, end user need to know which software or computer software to use so that he can deal with this scenario of computer data loss.

    Regards,
    Best Partition Recovery Software

    ReplyDelete
  3. Who in his right mind whould create such a layout... but then it's not the job from the recovery technician or forensic analyst to judge that :)
    Thanks a lot for the tips, I am recovering my own data from a corrupt Windows stripe volume (really simple, 2 disks, 1 volume...) and am making progress, but need a way to find out what the size of the stripe was. I guess I have my answer.
    It took me one week... and it's such a simple setup! (yet one of the disk was badly damaged). In this article the ingenuity of the data recovery engineer shines for all to see.
    Regards.

    ReplyDelete
  4. Webintechs@seofrim
    nice blog....



    http://www.webintechs.com

    ReplyDelete
  5. Thank you for your whole labor on this web page. I love working on research and it’s really simple to grasp why. I notice all of the dynamic mode you present both useful and interesting tricks through this blog and therefore encourage contribution from other ones on the concept. Without a doubt i become educated in lot of things. You have been conducting a stunning job.
    external hard drive recovery

    ReplyDelete
  6. Thanks for providing recent updates regarding the concern, I look forward to read more.
    data recovery pakistan

    ReplyDelete