In this issue, data recovery experts from the Key Laboratory of Sichuan Province explain their research on data recovery and extraction from crashed RAID 5 and RAID 6. This research provides new method with higher efficiency and easier operations to address the problem of extracting data from crashed server arrays.
Forensic experts often need to extract data from servers during investigation, and direct access to those data might play an important role in solving cases because servers store huge amount of important data, among which critical evidence might exist. Yet system crashes caused by factors such as hacker attacks, system anomalies, hardware aging render direct access to data stored in servers nearly impossible. There are several data reorganization and extraction methods available on the market, but related process could only be done by professionals and has low speed and accuracy, so to develop a method that can be mastered by all forensic staff bears importance in digital forensics.
I Introduction
1. Servers
Servers are devices that provide computing services. A server has the similar structure with general-purpose computers with processor, hard disk, memory, and system bus. Differences between these two devices lies in the fact that servers need to provide more reliable services and have higher requirements of processing capability, stability, reliability, security, scalability and manageability. According to different types of services they are providing in the internet environment, servers can be divided into the following categories: file server, database server, application server, web server, etc. Servers also have different shapes, as shown in this picture.
Servers use array structures to store data. Disk array is composed of many cheaper disks that compose into a huge disk group, divides data into numerous sectors, and stores them in different hard disks. The most commonly used array levels are RAID 5 and RAID 6.
2. RAID 5 is more cost efficient in respect of credibility
RAID 5 is a storage solution that takes storage performance, data security and carrying cost into consideration. Instead of backing up all data, RAID 5 stores data and corresponding parity information on different disks that comprise the server. When partial data stored in RAID5 are damaged, they can be recovered by using corresponding parity information.
3. RAID 6, better in data redundancy
RAID 6 contains two sets of parity codes that use different algorithms to distribute data storage, which lead to its high data reliability. This method is usually used in situations that requires perfect data accuracy, such as governmental institutions that stores numerous resources, audio and video creation companies, audio and video editing studios, companies in the financial securities and banking industry, DVR system, and NVR system.
RAID 6 was developed on the basis of RAID 5 through expanding and enhancing data protection. Besides having the same XOR inspection area on each disk as the RAID 5, RAID 6 also has another XOR inspection area for each data block. Having two layers protecting shields, one as tiered parity and the other as overall parity, RAID 6 has better data redundancy.
4. RAID array being hacked is disastrous
Array is a good method for servers to store mass data, but its breakdown, whether caused by hacking or aging of hardware, could be disastrous with all data lost. If the server arrays have crashed during case investigation, critical evidences might be inaccessible and lead the case to a deadlock. Thus, developing a method that targets data recovery through reorganization of RAID arrays bears importance in digital forensics. There are several methods concerning data reorganization and extraction from RAID arrays available on the market, but related process could only be done by professionals and has low speed and accuracy. Thus, researches on developing a method that can be mastered by all forensic staff bears importance in digital forensics. The next chapter of this issue explains this method in detail by taking RAID 5 and RAID 6 as examples.
II Technical Solution
Data recovery experts from the Key Laboratory of Sichuan Province developed a brand new technical solution that can parse the whole array structure and realize data reorganization in high speed and recover data with a higher success probability.
For RAID 5 and RAID 6 arrays, relevant parameters are disk order, sector (strip size) and combination method. The file system would be formatted after setting the arrays up and parameters of the array could be determined through those of the file system. This chapter explains by taking the NTFS file system as an example.
1. Analyzing array parameters
MFT entries of high-level NTFS systems are numbered sequentially, and entries are evenly distributed across each hard disk of the array. Thus, array parameters can be obtained based on the sequence and distributing sizes of MFT entries. The first step would be loading the array data disk through a hexadecimal viewer. Using the hexadecimal viewer in the DRS(Data Recovery System) under the ‘Array Reorganization’ function, the following image should be obtained. Devices such as Winhex and hexadecimal tools can also be used to complete this step.
Among all the parameters, A and B are important parameters indicating the size and sequence of strips, with A being the MFT mark and B the MFT serial number.
Analysis of array parameters could be realized using sequencing rules indicated in this image and MFT serial numbers.
A1, A2, A3 and Ap are three consecutive data blocks and their inspection values together with data blocks are stored on four hard disks of the array. Use mark A to find the position of MFT on the disk, identify the changing rule of serial numbers at B, and find the point where the continuity of serial numbers of B breaks, which is the beginning of a sector in the array. This breaking point is the beginning of the sector and the next breaking point the ending. Record all parameters indicating beginning of B and analyze at least one parameter cycle, as indicated in the picture.
Array can be reorganized and data extracted by using recorded parameters and sequencing rules of the array.
2. Reorganizing data from the array
Reorganization of extracted data is difficult because of low speed caused by complicated methods used in parameter analysis. Thus, DRS(Data Recovery System) is recommended here to achieve array reorganization automatically, as shown in the picture below.
2. Extracting data
After successfully array reorganization, data extraction could be done by using the scanning service provided by data recovery software. ‘Data Recovery’ service in DRS system can also achieve the same goal. Detailed information on relevant data is listed on the result interface, including file name, file type, file size, common dates, data of modification, offset position, etc., as shown in the yellow block in the picture. (Sensitive information has been obfuscated.)
III Conclusion
Compared with conventional array recovery method, technical solution introduced in this issue can realize the following: parse relevant parameters in high speed and accuracy; reorganize files recovered from arrays successfully, obtain the array structure through fast scanning using DBR features and MFT features; distinguish data from data area and inspection area; and realize data reorganization applying commonly used RIAD 5 and RIAD 6 array arrangements. This technical solution can recover data with fast speed and high recovery rate in conditions where one or two hard disks are lost. This solution has already been applied to SalvationDATA DRS(Data Recovery System) and all complicated process can be realized by simply clicking the ‘Easy Shuttle’ button in the system. Forefront forensic experts can master the utilization of the system and gain access to critical data within a short period of time.
XLY Salvationdata Technology INC. is China’s leading integrated solutions provider of digital forensics, data recovery, data security and E-discovery. As a pioneer of the industry, SalvationDATA is always committed to providing innovation platform with proprietary technologies for Law Enforcement Agencies, Government, Military Intelligence Agencies, Digital Forensics Laboratories and Corporations, etc. SalvationDATA’s professional engineers and forensic experts are dedicated to providing outstanding service to more than 9,000 customers from over 130 countries around the world.
Click HERE to learn more about DRS.
SalvationDATA Blog 