In this installment we will explore the practical use of XORing within the context of a RAID 5 recovery. Although the use of this math function does not in and of itself constitute RAID recovery, there are attributes of the mathematics that lend themselves to data signatures, which can then be used to determine the RAID 5 configuration. In order to apply the XOR operation we must first understand the format of the Master File Table (MFT), the very crux of the Microsoft NTFS file system.

 

File systems, like most database handlers, use a simple flat file and index method for lookups and quick displays. The flat file is the MFT, and the INDX record is used for fast lookups and displays. Each has its own use within the file system, and to a large extent they depend upon each other.

Since the INDX record is not used in the context of RAID 5 recovery for this particular grouping of tutorials, we will not cover its role within the NTFS file system architecture.

Suffice it to say that in a more advanced context the INDX record does have its uses when assessing a RAID 5. The MFT, however, offers the clearest path to drive order and stripe size when using the XOR operation. The figure below (Figure 1) is a generic RAID 5 with three drives. The MFT is exposed using the utility WinHex in order to better illustrate how we use XOR to find the parity block within a RAID 5.

[Figure 1: mft-boot-record]
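The signature idea above can be tried on constructed data. The following Python is an added example, not code from the original article: it builds three synthetic RAID 5 members filled with fake MFT records, then recovers the stripe size and the parity drive order from the "FILE" signature and the XOR property. The 1024-byte record size, the filler contents, the parity rotation and all function names are assumptions made for the illustration.

```python
import struct
from functools import reduce

RECORD = 1024   # usual NTFS MFT record size in bytes
SIG = b"FILE"   # every MFT record starts with this signature

def xor(*blocks):
    """Byte-wise XOR of equal-length blocks."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def fake_record(n):
    """Constructed stand-in for an MFT record: signature plus filler."""
    return SIG + struct.pack("<I", n) * ((RECORD - 4) // 4)

def build_array(stripe, rows):
    """Constructed three-drive RAID 5 image set. The parity rotation used
    here (last drive first, moving left each row) is an assumption."""
    disks, n = [bytearray(), bytearray(), bytearray()], 0
    for row in range(rows):
        pdrive = (2 - row) % 3
        data = []
        for _ in range(2):
            data.append(b"".join(fake_record(n + i) for i in range(stripe // RECORD)))
            n += stripe // RECORD
        blocks = iter(data)
        for d in range(3):
            disks[d] += xor(*data) if d == pdrive else next(blocks)
    return [bytes(d) for d in disks]

def parity_map(disks):
    """Per record-sized offset: index of the drive holding parity, else None.
    With two data members FILE ^ FILE = 00 00 00 00, so the parity block is
    the one member that lacks the signature while all three XOR to zero."""
    out = []
    for off in range(0, len(disks[0]), RECORD):
        recs = [d[off:off + RECORD] for d in disks]
        odd = [i for i, r in enumerate(recs) if r[:4] != SIG]
        ok = len(odd) == 1 and xor(*recs) == bytes(RECORD)
        out.append(odd[0] if ok else None)
    return out

def analyse(disks):
    """Return (stripe size in bytes, parity drive for each stripe row)."""
    pmap = parity_map(disks)
    run = next((i for i, p in enumerate(pmap) if p != pmap[0]), len(pmap))
    return run * RECORD, pmap[::run]

if __name__ == "__main__":
    print(analyse(build_array(stripe=4096, rows=6)))
```

The signature test relies on the three-drive layout: with an odd number of data members the parity block would also begin with "FILE", so the XOR check alone would have to identify it.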

 

Do you simply disconnect USB flash drives without ejecting them first? Well, read on and find out why this is a bad idea!

Why should I eject my flash USB memory stick…

Don’t we all simply disconnect our USB flash drives without ejecting them first? That extra two seconds could be better spent doing something else, right? Wrong! Unplugging without warning can cause data corruption. Mac and Linux users be especially aware!

The reason this is a bad idea is all down to ‘write caching’. Essentially, your operating system will cache all the files to be written and perform the writes in one go. The functionality is designed to improve performance. When a user disconnects a USB flash drive without warning, the cache is cleared out. If a write process is in operation, this will inevitably result in data corruption.
