Wednesday, 20 January 2016 00:00

RAID 5 Recovery and XOR Mathematics in NTFS 5 (Part 3)

In this installment we will explore the practical use of XORing within the context of a RAID 5 recovery. Although the use of this math function does not in and of itself constitute RAID recovery, there are attributes of the mathematics that lend themselves to data signatures, which can then be used to determine the RAID 5 configuration. In order to apply the XOR operation we must first understand the format of the Master File Table (MFT), the very crux of the Microsoft NTFS file system.

File systems, like most database handlers, use a simple flat-file-plus-index method to do lookups and quick displays. The flat file is the MFT, and the INDX record is used for fast lookups and displays. Each has its own use within the file system, and to a large extent they depend on each other.

Since the INDX record is not used in the context of RAID 5 recovery for this particular grouping of tutorials, we will set aside its role within the NTFS file system architecture.

Suffice it to say that in a more advanced context the INDX record does have its uses when assessing a RAID 5. The MFT, however, offers the clearest path to drive order and stripe size when using the XOR operation. The figure below (Figure 1) is a generic RAID 5 with three drives. The MFT is exposed using the utility WinHex in order to better illustrate how we use XOR to find the parity block within a RAID 5.

[Figure 1: mft-boot-record]

Figure 1 shows a partial MFT record from three different drives, marked from left to right as Drive 0, Drive 1, and Drive 2. Each panel shows the same sector on its drive. In a RAID 5 configuration this is considered the ‘stripe’, and although this is not the entire stripe, it is enough for the purposes of this figure. Three red rectangles enclose the upper left-hand corner of each MFT record. For Drive 0 and Drive 2 the word ‘FILE’ is highlighted; on Drive 1 only four dots are displayed. This part of the MFT record is called the header, and the header contains a ‘magic’ number that identifies the record type within the NTFS file system. The magic number is ‘FILE’ for an NTFS 5 MFT record. The question is: why do the records on Drive 0 and Drive 2 display the word ‘FILE’ while the record on Drive 1 does not? The next installment of this series will give a clearer explanation of why Drive 1 does not display the magic number ‘FILE’ and how we can use that to determine stripe size and drive order.
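As an added illustration (not code from the original article), the sketch below builds a constructed three-drive row laid out like Figure 1 and locates the parity member: the XOR of two sectors that both begin with ‘FILE’ begins with four zero bytes, which a hex editor's text column shows as dots. The 512-byte sector size, the helper names and the sample bytes are assumptions made for the example.

```python
MAGIC = b"FILE"   # MFT record magic named in the article
SECTOR = 512      # assumed sector size for the constructed sample

def xor_blocks(*blocks):
    """Byte-wise XOR of equal-length blocks."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        if len(blk) != len(out):
            raise ValueError("blocks must be the same length")
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)

def text_column(data):
    """Render bytes the way a hex editor's text pane does."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

def find_parity_member(row):
    """Return the index of the parity member in a three-drive row, or None.

    row holds the same sector as read from each member drive.
    """
    if len(row) != 3:
        return None  # an odd count of FILE data sectors leaves 'FILE' in parity too
    if any(xor_blocks(*row)):
        return None  # members do not XOR to zero: not one RAID 5 row
    without_magic = [i for i, s in enumerate(row) if not s.startswith(MAGIC)]
    return without_magic[0] if len(without_magic) == 1 else None

def make_record(seed):
    """Constructed stand-in for an MFT record sector (not real NTFS data)."""
    return MAGIC + bytes((seed * 37 + i) % 251 for i in range(SECTOR - 4))

# Constructed row laid out like Figure 1: data, parity, data.
DATA_A, DATA_B = make_record(1), make_record(2)
ROW = [DATA_A, xor_blocks(DATA_A, DATA_B), DATA_B]

if __name__ == "__main__":
    for n, sector in enumerate(ROW):
        print(f"Drive {n}: {sector[:4].hex(' ')}  {text_column(sector[:4])}")
    print("parity member:", find_parity_member(ROW))
```

The check returns None when the three sectors do not XOR to zero, so a row read at mismatched offsets or from the wrong member set is rejected rather than misclassified.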

Reference: http://dtidatarecovery.com/raid-5-recovery-xor-mathematics-ntfs-5-3/

Last modified on Wednesday, 20 January 2016 13:58
Data Recovery Expert

Viktor S., Ph.D. (Electrical/Computer Engineering), was hired by DataRecoup, the international data recovery corporation, in 2012. Promoted to Engineering Senior Manager in 2010 and then to his current position, as C.I.O. of DataRecoup, in 2014. Responsible for the management of critical, high-priority RAID data recovery cases and the application of his expert, comprehensive knowledge in database data retrieval. He is also responsible for planning and implementing SEO/SEM and other internet-based marketing strategies. Currently, Viktor S., Ph.D., is focusing on the further development and expansion of DataRecoup’s major internet marketing campaign for their already successful proprietary software application “Data Recovery for Windows” (an application which he developed).
