Wednesday, 20 January 2016 00:00

RAID 5 Failure and XOR Mathematics in NTFS 5 (Part 4)

Rate this item
(0 votes)

We have had three installments on RAID 5 failure and how the XOR operation gives us insight into discovering the stripe size and drive order for an array. Understanding the next installment is critical to the entire method of reverse engineering a RAID 5 configuration.

We understand that when we use an XOR operation on the same bits we always return FALSE. So, XORing a TRUE and a TRUE give you a FALSE, and XORing a FALSE and a FALSE give you a FALSE. Understanding this, we can hopefully understand the following.

The Master File Table (MFT) Magic number is ‘FILE’. Four ASCII letters represented in HEX format as 46h, 49h, 4Ch, 45h. These HEX values correspond to the letters ‘F’, ‘I’, ‘L’, ‘E’ respectively. Now, when you XOR 46h with 46h you get 00h. This is illustrated in the following diagram.

RAID 5 MFT Recovery

Figure 1

Next, let’s take a look at the actual data and what happens when the entire magic number is XORed. This next figure is of key importance in understanding what is referred to as a parity block. The parity block is the XORing of all the drives in the array and the result is stored in the parity block for that particular stripe; each stripe in a RAID 5 has its own parity block, and as the stripes progress the parity block switches from drive to drive in a very definable pattern. There are basically two RAID 5 stripe types, right to left, and left to right. Within each of these is there are two types, Asymmetrical, and Symmetrical, or Asynchronous, and Synchronous. These two terms and their meanings have nothing to do with how a RAID 5 actual works. The term ‘symmetrical’ means the same on both sides where ‘asymmetrical’ is the opposite. The term ‘synchronous’ and ‘asynchronous’ mean to either wait for something to finish, or execute then continue on with your task irregardless of what is currently going on. The actual functioning of the parity block in its rotation as well as the order of read precedence will be discussed in the next installment. As for now, below is what using the XORing operation on a RAID 5 looks like.

Bear in mind, this is only for odd numbered RAID 5 failure configurations.


RAID 5 Drive OrderFigure 2

In figure 2 we see Drive 0 as all zeroes, Drive 1, and Drive 2, with the HEX representation for the magic MFT number ‘FILE’. From Figure 2 we can see that the parity block is Drive 0, and the two data blocks are Drive 1, and Drive 2.

In the next installment we will discuss the RAID 5 block reading methods using two different ordering types.


Data Recovery Expert

Viktor S., Ph.D. (Electrical/Computer Engineering), was hired by DataRecoup, the international data recovery corporation, in 2012. Promoted to Engineering Senior Manager in 2010 and then to his current position, as C.I.O. of DataRecoup, in 2014. Responsible for the management of critical, high-priority RAID data recovery cases and the application of his expert, comprehensive knowledge in database data retrieval. He is also responsible for planning and implementing SEO/SEM and other internet-based marketing strategies. Currently, Viktor S., Ph.D., is focusing on the further development and expansion of DataRecoup’s major internet marketing campaign for their already successful proprietary software application “Data Recovery for Windows” (an application which he developed).


  • Comment Link Iesha Sunday, 14 January 2018 14:10 posted by Iesha

    What's up, I log on to your blog on a regular basis.
    Your humoristic style is witty, keep it up!

  • Comment Link Roseann Friday, 05 January 2018 13:13 posted by Roseann

    Hello, I enjoy reading through your post. I like to write a little comment to support you.

  • Comment Link Deana Friday, 17 November 2017 23:26 posted by Deana

    Thank you for the good writeup. It in fact used to be a
    entertainment account it. Look advanced to
    more introduced agreeable from you! However, how can we be in contact?

  • Comment Link Casie Monday, 13 November 2017 12:44 posted by Casie

    Having read this I believed it was extremely informative.
    I appreciate you finding the time and effort to put this
    article together. I once again find myself spending a significant amount of time both reading and leaving comments.
    But so what, it was still worth it!

  • Comment Link Jami Sunday, 12 November 2017 03:48 posted by Jami

    Aw, this was an exceptionally good post. Spending some time and actual effort to generate a great
    article… but what can I say… I put things off a whole lot and never seem to get nearly anything done.

  • Comment Link Mora Saturday, 11 November 2017 18:54 posted by Mora

    I'm not certain the place you are getting your info,
    however great topic. I needs to spend a while studying more or understanding more.
    Thank you for wonderful info I used to be in search of this information for my mission.

  • Comment Link Karolyn Monday, 06 November 2017 09:51 posted by Karolyn

    After going over a number of the blog articles on your
    web page, I honestly appreciate your way of blogging.
    I book-marked it to my bookmark site list and will be checking
    back soon. Please check out my web site too and tell me what you think.

  • Comment Link Jestine Wednesday, 01 November 2017 13:56 posted by Jestine

    It's not my first time to pay a visit this site, i am visiting this web site dailly and obtain fastidious data from here everyday.

  • Comment Link Karolyn Wednesday, 01 November 2017 07:25 posted by Karolyn

    Heya i am for the first time here. I found this board and I find It really useful & it helped me out a lot.
    I hope to give something back and aid others like you helped me.

  • Comment Link Frankie Friday, 27 October 2017 07:47 posted by Frankie

    Do you mind if I quote a couple of your posts as long as I provide credit and sources back to your weblog?

    My website is in the very same niche as yours and my users
    would genuinely benefit from some of the information you
    provide here. Please let me know if this okay with you. Thanks!

Leave a comment

Make sure you enter the (*) required information where indicated. HTML code is not allowed.