All right, so I'm Scott Moulton. I've done quite a few talks here. I'm from a company, primarily MyHardDriveDied.com, which is a data recovery company, and I do forensics for a living as well, from Forensic Strategy Services. So we cross back and forth and do a number of different things.

So as you guys can see, this is supposed to be recover my porn from my RAID array, so if you guys aren't either interested in RAID arrays or porn, then you're in the wrong talk, so maybe you want to leave. And I got the idea for this talk from Karlo down here. Stand up, Karlo. Wave. Thank him. He's gonna do discreetly recover your porn, so if you don't want to post it on that night anyway.

All right, so what is this talk about? Basically, we're gonna kind of run through real quick just the ideas of what RAID is. How many people in here are dealing with RAID arrays on a daily basis? Yeah, pretty much. How many people have had to recover a failed RAID array? That's great for redundancy, right? Like, if that was the point of a RAID array, you still have to do recovery. Part of the problem is obviously this marketing problem. So I'm gonna cover a couple of different unusual types of RAID arrays, then we're gonna hit RAID 0, RAID 5, and then I'm gonna try to do a demo. So hopefully it all fits in there. So that's the idea of what we're gonna cover.

So I'm gonna go ahead and answer the questions now. These are the three questions that I'm gonna constantly get. So yes, you can download these pictures, slides. MyHardDriveDied.com's got a presentation page, and DEF CON 17, I just posted these up there so you guys can go download them. And her name is on the last slide, so if you can either download it or wait for the rest of this presentation, then you'll have her name. And yes, you can, whatever, hire, however you give them. And yes, she's single. But I know that, you know, for a lot of people here, because I know a lot of you guys, it wouldn't make a difference whether she was married or single, or, you know, you don't care.
I know. All right, so why are we gonna talk about RAID recovery? The first reason here is mainly because it's expensive. Anybody sent one in to a recovery company before? Yeah, how much? 3000? That's probably just your personal RAID. See, that sucks, dude. Yeah. Yeah, you guys got, but it's expensive, right? They usually either charge by the size, by the number of drives, and they usually even charge sometimes even if they don't get it back, because it's so complicated to rebuild, because you have multiple steps you've got to go through. You've got to go through the physical side of repairing the disk that you need to repair; I'll cover that stuff in a second. Then you've got to go through the reassembly mode, and then sometimes you've got to spit it out as a full array, as one solid image, so that you can parse through it in some package that doesn't crash when it runs into bad sectors or something.

It's a lot more difficult than doing single drives. If you've seen my previous talks here, you know already that I've covered a lot with single drives, how to do physical repair. All that stuff still applies to these, whether it's SCSI drives, it's IDE drives, whatever RAID array you're dealing with, all of that stuff. So there's like 50 hours out there I've done on do-it-yourself, repair your own drive, how to go through that process.

Time-consuming, it fails. But the biggest thing here is that when I leave here, like, I get hundreds of questions all the time about, I've, you know, it's not my one hard drive.
I have this RAID array. So I'm trying to answer these questions in a talk so you guys can get this.

So here's kind of my assumptions for the talk. The first one is that you've already done what you've got to do from my previous four or five years of doing this kind of talk about repairing that drive. So somehow you've repaired the drive, and you've either got a dd image of it or you've got a physical clone of the drive running, and there's some weird things with some clones sometimes, so I'll talk about that.

And then also, when we're talking about RAID, my assumption here is that you're getting a RAID array that you might not know anything about sometimes, because in the data recovery world, you may have the luxury of having a controller that you understand, that you know how the layout is of your own personal array, but how many of you got in the mystery box? You guys got that before, right? Like, so many hands. You piles, "I don't know what this is," but somehow we've got to do it. And if you're lucky, they wrote the number on the drives as they removed them from the RAID array. If not, then you've got, like, here's 52 cards, and figure out which ones were in the right order. So that happens a lot.

And I'm counting on you having, you know, maybe not porn, maybe just pictures. But I mean, who doesn't have porn? You've been even in company.
You don't have porn? Really? Your boss or somebody might. But anyway, so usually it's of himself, and that's all right.

All right, so it's kind of the do-it-yourself talk. I'm going to kind of just cover, I'm teaching you, the whole point is, in one hour, as much as I can. You're still gonna have to kind of do some of your own research and figure some stuff out, because if you can figure stuff out about the RAID array itself, the order of the disks, the way they came out, or whatever, great. If not, then we're gonna kind of guess, and I'm gonna show you how I guess as I go through this. After you've seen like 3,000 of these, it becomes kind of like Matrix stuff. You go, girl in red dress, or not in red dress, or whatever, but you start to see it.

And we're going to do it as cheap as possible. I'd like to say free all the time, but, you know, let's face it, in the commercial industry, that's where, you know, that reassembly of RAID is usually a commercial product. So you're gonna sometimes be stuck with buying something. So I try to stick under a hundred bucks, so at least it's affordable.

And then basically, you know, the whole point is we're gonna look at pictures and sound, and we're gonna try to figure it out from those things. It's gonna take you a lot of time. It's gonna take you a lot of disk space. There's no easy way around those things, and you've got to find pictures, and you're gonna constantly have to be persistent and experiment. If you've got the drives and you've repaired it and you've got images of it, you can probably figure this out. But it may take you 24 hours to actually go through rotations and things that you can actually figure out. So research helps. Slides are on MyHardDriveDied.com.

All right. So what is a RAID array?
So functionally we have an array of independent, and this is where, you know, the terminology kind of gets messed up. I think originally what happened was it was supposed to be a redundant array of inexpensive disks, and somebody took a bill to the boss and he goes, "How is this inexpensive? Explain that to me." So it's gone to "independent," and people make up a lot of other words to put in the "I" spot. So anyway, this is all about marketing and redundancy. Some arrays are not redundant.

So now what you have in the last eight or ten years that you didn't have before with RAID arrays is you've got a box that's on a shelf, and some photographer or something comes and sees a box and it says RAID on it and he buys it. And then what is that usually? What RAID is that usually? RAID 0, right? It's completely worthless for those people who thought it was redundant, right? So that's our biggest problem, is that you're gonna see a bunch of RAID 0. You will still see RAID 1; even though it's supposed to be a mirror, you're going to see it from time to time, because whatever crap got written to the first disk got written to the second disk bad too. And then you get RAID 5. Those are going to be the most common. When you get into like RAID 6, RAID 5EE and E and, you know, other variations of RAID, you're probably not seeing those, or there's a backup. But for the most part you're going to be dealing with RAID 0 and RAID 5, at least in a data recovery arena or something. So I get these mystery boxes and we've got to guess about it.

So I'm going to talk about just real quick the unusual stuff, because usually you still have this multiple-step process. It's kind of like you have an operating system, but you also have a file system. So you have to deal with these things differently.
So for instance, you may still have a functional side of RAID, which is, I've got slices and they're on the drives and they're all broken up in different orders, but then you may have some variations of what's actually happening to the data that's sitting on them, like XFS or ZFS or whatever else they've written. So you have some combinations.

One of the things that really kind of isn't really a RAID, but people keep throwing it into that thing, is the JBODs. So you have JBODs, which are typically on like the LaCie drives, or there's a bunch of different, like phantoms and just different variations of drives, so I'll hit that real quick.

XFS and ZFS: you're usually looking at like the Buffalo TeraStations, some variations of different ones that have Linux, with LaCie drives. LaCie's kind of promiscuous. They, like, one day of the week, or let's see, whatever they call it, but one day of the week there'll be one format, another day of the week there'll be a different one. So there's some variations you can start to look at and try to figure out what they are. But those are some of the hardest ones to deal with, because XFS and ZFS right now, very limited in the number of tools that you actually have and how you process them, because there's no real easy way to deal with XFS other than doing like file carving or something like that, but that doesn't give you back metadata like structure and directories and dates and times and file names. File names is the worst one to lose. So these are the kind of boxes that you're looking at when you're dealing with those kind of arrays.

So let's talk about JBOD real quick. And who noticed that there's actually a drive on the slide? That's what I thought. Yeah. All right, so drink every time there's porn.
I got a drink. So JBOD, basically, just a bunch of disks. So you basically have a bunch of disks, however that they've stuck them together. Usually you're still talking about a pair. So you've got something that will basically have usually not a fan or anything; that's usually why it's broken, overheated, something melted down. Now you'll have two disks, and typically what'll end up happening is you'll have a file system on one disk and the second disk will just be concatenated. There will be a board or something that helps concatenate it: when you get to the end of this disk, then go to the next disk. So they look a lot like this right here.

So physically you take these drives out, one of the drives. This is going to be similar to kind of RAID 0 in the fact that if you don't have one of the drives, it's damaged, you've lost data. There's nothing you can do about it. So you will have two drives. If they're JBOD, one drive will still continue to have files on it that you can just do like standard file carving stuff, like go find all the JPEGs and copy them off, and you'll get those. You'll lose names and you'll lose structure and stuff. And the other disk is going to have the file system and sometimes have what's called an HPA on there. So you'll have a host protected area, and it will be the size of the two drives together. So in other words, you'll plug in, let's say these are two 250s and together they make 500. The first drive will have an HPA on it that will say, "I am 500 gigs." So you plug in this 250 gig drive and it says, "I'm 500." Well, you know right away that that's what you're dealing with, that you've got one, and you know which one you have too, because that'll be the first one. That means the second disk is dead. So you have the file system, and you can probably actually at least fix the files that exist on this one disk. So that's the one thing.

So HPA. So this is common practice, that you actually have to use an HPA. So a host protected area is basically that extra space that was on a disk that says, "Hey, I've got some utilities, or I've got some DVDs, or I've got this other stuff that's sitting out there." Its primary purpose was to make the disk smaller than it originally is, so there's this extra space. And it will report to the system as it's booting and it will actually show up. So I could take a 500 gig hard drive and I could say, "You're 40 gigs," and when I boot it, it'll actually say 40 gigs. Everything will think it's 40 gigs. It'll actually respect that content. So you're gonna use that for some various things.

Most of the time when you're cloning a disk that's damaged, you can't find the exact same disk, so you don't have the exact same geometry. So this is a way that you can set it. You can use the host protected area to physically set the size of the disk so that it matches, and you can use it in combinations with other things.

So for instance, this is a NAS box. This is a little C NAS box and there's no USB port or whatever. Now what you can see here is I had two drives. There was originally a 1 terabyte array, whatever you want to call it, here with this particular one. So what ended up happening is I had the 500 gig that was good and I had a 500 gig that was bad. I took a 1 terabyte and I actually cloned the 1 terabyte. But now when I put it back in, I need the system with this custom board, with whatever they did, because my whole point is make my life as easy as possible. I could probably do this in software, but why not let the hardware, if it's still functioning, do the job? So I cloned this drive in reverse, using some special tools like ddrescue to actually clone a drive in reverse. Then you set the HPA to the same size of the original drive, which you can look on the label and actually just in the software. There's tools. There's several tools that will set HPAs.
So one of them is called MHDD. So MHDD is a free boot disk you can boot on, plug the drive into the ATA controller, and you can basically type in from the label what your size is and it will make it that size. So I put the one terabyte drive in here and now it's a 500 gig, and the two drives got bound back together again in the RAID array, and I was able to actually copy the stuff off physically without having to do any other work. So make sure that you're paying attention to things like that.

If you're dealing with ZFS and XFS, which will all come after the fact, like if you've repaired a RAID 0, RAID 5, you may still have XFS or something to deal with, there's really only two ways that I know of right now that you can actually deal with. There's one, it's called TestDisk, which is basically for repairing partitions, and they've added XFS support to it. They currently, I do not think, have ZFS, but he adds things all the time. So TestDisk is your one way to actually say read all the files, repair partition structure, write it back. So keep TestDisk in mind. The other one is a commercial product, which is slightly more than a hundred dollars. It's called UFS Explorer and it does XFS, and there's a current version that actually supports ZFS. So it's one of the only ones I know of doing ZFS. So as you start running into new RAID arrays that have ZFS, you may need something like this. And you can see right here, this was a Buffalo TeraStation that we actually mounted, and we were able to display and actually extract all the data after we corrected the physical problem with the disk.

So that's enough of those other types. So let's talk about RAID 0.
I know. All right, so RAID 0 just real quick. Basically what you're looking at with RAID 0 is you have two or more drives and they're basically broken up into slice sizes. Now there's some defaults that the controller will normally do, but you know, you tech guys, every time I go to deal with one, somebody goes, "Hey, wouldn't it be nice if it was 8k this week?" and they go into the controller and play with the sizes. So it's almost never the standard size or whatever you were thinking it was. But most of the motherboards and stuff that are locked down, you're gonna end up with standard sizes, where you'll have a slice size and it rotates between the two slice sizes with your data.

If one drive is dead and you cannot repair it, you cannot physically go through the process of my previous stuff, you will not get anything worthwhile out of it. You're gonna get basically like a bunch of thumbnails. You're not gonna get anything that's gonna be really valuable, except depending on the slice size. So if you have 32k slice sizes, well, 32k is gone from every file, every other 32k. So you end up with nothing. So RAID 0 does not have any redundancy at all. So I try not to call it RAID 0. I try to call it AIDS. So it is an array. It's gonna suck. And suck it does, man. I'm just telling you, it's terrible. And you try to explain this to people, they're like, "Oh, well, I had two drives and it was RAID. Why can't I get those back?" Well, you know, it's a mess.

Now here's the bad thing: you can have a RAID 0 array with more than two drives. Most people think that there's only two drives in the RAID 0, but that's not true. You could go up to, like, I've had arrays in that had 14 drives in them. Now you're talking just crazy talk, because, I mean, it's like, now you don't have an order to the drives.
You don't know the order of the drives. There's no signature written in most cases. You have to go through a process of guessing, or looking for data that you might be able to guess in order. And yeah, that is those, for some reason, photographers. They don't get this. They're like, "Oh look, I've got a Mac and I can do software RAID, so I've got six drives hanging off a USB over here." If you're not backing up, it's over. It's game over.

So you can usually figure out which drive is the first drive. So if you have two drives, yes, you can figure out pretty quickly, you know. It doesn't matter how many drives you have; in most cases you can figure out what the first drive is. It's the rest of the drives that you have a problem with. Because most of the time you're gonna end up, because the majority of drives, you're still looking at like NTFS or something. If you've got Linux or something, you've got other things to deal with, but you usually have an MBR. So the MBR at the beginning of the disk has kind of got to give you an idea, "Hey, I'm number one." Or, you know, if you're dealing with NT or something, you'll actually have like an NTFS signature at sector 63. So you can actually figure out almost right away, and most software, once you've actually figured out how to repair the physical side of the disk and get it running again, even if there's some damaged sectors, they will actually tell you that this is the first disk and they'll show you a disk signature. So we can figure that out as well.

So this is just kind of my quick steps. I have more stuff on the slides that are online, so you'll get more detail if you go and download those. But ultimately what we're gonna do is we're gonna mount the images. We're gonna review them.
We're gonna look at the sizes and basically play with each one, starting with a default. We're gonna scan for some pictures, then we're gonna extract them, listen, you know, look at them. Some MP3s, we're gonna listen to them.

Your goal is basically to look at something like this. If you know nothing else about the drive, you're gonna start with slice sizes. So you have a variation of slice sizes that can go from 2k all the way up to two megs. Most of the time I'm dealing with things that are between 512 and 32k in the majority of them. The standard for most of them is around 64k, but you can have drives, I've seen several of them, especially the manufacturer chose some special stripe size, if you bought it from somebody else, and it ends up being something like 512k. So you can go through the variations of looking at pictures and samples in between each of the sizes. So your goal is, while I'm processing the data, find a picture that looks like it's between 32k and 64k, look at it and see if it looks complete, and then move on through each of the steps until you actually rotate it through them. So as you're rotating through them you can see some things, and it starts to make sense when you've seen enough of them. So I've seen a thousand RAIDs at this point, so it's like every time I look at one I can just guess most of the time. But so here's some of the samples.

So now, as convenient as it is that her head, I mean, uh, well, anyway, it's not going to be very convenient for the photographer or somebody that needs to get it back. So in this particular case, you're actually missing a stripe. So you either have a disk that's actually gone or you're missing a big chunk of the data itself.

Then you've got stuff like this. That's a very small file. So typically these are going to be, you know, this is not, you know, I don't know why they had stick porn on their stuff, but either way it's less than 32k, and you extract it and it looks intact.
It looks okay. There's nothing special about that. But here's a file that most of you should recognize, or two files that most of you should recognize. So right off the bat, you know that there's Windows on the box and these are the sample files. They're next to each other, and there are slice sizes that are wrong. But if you look at it, this particular one came off the drive and said it was 140k. So as you divide this up, you could start to see, "Hey look, I'm looking at maybe a 64k stripe size." So you can almost tell right away if you actually have to. Now if you had crap, and it wasn't a JPEG or wasn't a BMP or something that was next to that, you would actually just get down to here, it would stop, and you'd just get crap from here on. So wherever it is, you're gonna get crap. So we can actually use the crap to analyze things.

So at the start of most of the pictures, you'll usually have a thumbnail that's stored in the picture. So you'll look at something, and you'll look, because they'll still look to your software, as it's extracting the data, it'll still look like a JPEG. It'll just be a small one. So in this particular case, this was a thumbnail. It was a small thumbnail at 64k. So that thumbnail came out, but the original picture that was larger than that actually looks like this. So again you start looking at it going, "Hey, I could start to tell what the stripe sizes are." Or you start looking at things like this. This is a thumbnail that came off the drive again. This one's like around 80k or so, and you can start to see it's intact down to the spot that actually starts to look like it's around 64k stripe sizes. You start getting big pictures, they start to look like this. You start getting like a little chopped-up thing.

So this is the kind of thing where, like, anybody seen Greg Conti talk before? So Greg Conti does all these, like, "I'm doing analysis of data and I do it visually," and he like takes packets and throws them up and you can tell what's going on.
Well, that's the same kind of thing you start to see here. You start getting, well, I know that now I've got these blocks of stripe sizes that are the same, and then I've got this rotation that's actually moving, and you can start to see as you're looking at pictures and images, like, okay, so right here, this is part of her face. Is it actually in the picture? Does it belong? It actually is part of the picture, and it's rotated through the slice. So in this case we're looking at things that might have an arrangement order, a problem with the arrangement, because the content actually belongs. Then you get to like really large files, like 10 meg files, and so you start seeing these chopped-up things as they come from different segments of different pictures. So it starts to make sense. So once you finally get that, you'll actually get something that looks like this. So your goal is obviously to get to a spot where you can actually see the picture.

So I'm going to start here on RAID 0. RAID 0 and RAID 5 are fundamentally the same from a standpoint of figuring this part out, other than the actual arrangement itself. So I'm going to start with an MP3 sample and then I'm going to do the demo actually on RAID 5 after we cover RAID 5.

So here's my MP3. So if you have files, and most of us have like iTunes directories and stuff that are on our box, if the files are next to each other when you extract them, they do a similar thing that the JPEGs do: they'll play a chunk and then they'll play another chunk, and the chunks won't be together and they won't make sense, but it'll come off as one file. So if you happen to have 70s porn on your hard drive or something like that and you were to play it, this is the kind of stuff you'll get. And it'll sound like a long sample, but trust me.
It's only like 40 seconds. It'll be enough.

A relaxed ass is a happy ass. But if it's a tight and un-relaxed ass, it's an unhappy ass.

All right, so that's pretty much the way that goes. You'll get a lot of, anybody know who that last one was? Come on. You guys know Ron Jeremy. Don't act like you don't look at porn. Whatever. You're all in this talk. We know what's going on. Try not to admit that. I told her she's gonna be really popular. And we'll put her phone number up now.

All right, so let's talk about RAID 5 for a minute. This one's a little drier, but let's get this out, because that's the important part.

So basically the first thing is controllers. It's really helpful if you know what your controller is, but fundamentally there's two different types of controllers that you have to pay attention to, and one is whether or not you actually have a host controller or a discrete controller. If you have a discrete controller, it basically means I have a processor on my RAID controller, because there's gonna be all this math, that the functions actually have to be done to actually make this array work. If you have a host-based controller, you know, people think, "Oh, host is great, I can take like eight of my IDE hard drives and I can add them all up." The more drives you add to a host-based controller, the more CPU power it's using from your CPU to actually do these calculations, whereas the discrete controller actually is able to do the calculations for you to produce that content, so that it's not actually impacting your system. And we're gonna try to do all this in software. So the whole point is, the more drives you have in your RAID array, the slower and the longer it's gonna take to do these mathematical calculations in RAID to produce it. So we're gonna talk about those in a minute.
So we're gonna talk about those in a minute So the whole point of raid 5 obviously is that you want to keep your server up You want to have some time where my data is redundant and that my system continues to run I have a drive this died and then I'm gonna replace it If one of the drives dies, but my system continues to run But now the reason that you're seeing the raid array in for some kind of recovery is usually one of these The guy had one drive go bad and the alarm goes off and the boss is walking by the door and he goes What the hell is that damn alarm turn that crap off? That is so annoyed and they turned it off Think and then what happens? Everybody knows what happens after that right six months later drive number two dies Then you have a problem and that's why it's in for recovery now Here's your big problem when you're dealing with this If you have two drives that have died in a radar a so radar rays typically you have to have a minimum of three drives So usually one drive can die and you'll be fine So however many drives you have in your radar a one drive can die You'll be fine. You can do this reassembly and do whatever two drives die Which drive do you have to have? The one that recently died The first the last the last one is the one that has to be there because that's the one that has all the data That sink to it the oldest one that died is completely worthless So if you don't know which drive died because where are the log files for where the drive died? 
On, this is a great reason to actually copy all these log files, made periodically, but I'm gonna backup tape somewhere or something anyway. But you need to know which drive died last or you're kind of screwed, because you're gonna rebuild two drives. You're gonna spend twice as long actually getting this job done. So the less you know, the worse off you are.

So basically it looks a little bit like this. You've got a stack of drives, and data parity is basically rotating through the drives. So there is no parity drive. I hear that all the time, like, RAID's got a parity drive. No, it's distributed across all the drives, so you could put an X on any one of these drives and it would be completely dead, and it would be fine. You have all the data that you need to do the calculation. So when you have a system and it's all plugged in, and basically let's take a simple one like these three drives here, you'll actually have the parity distributed.

So now, this talk doesn't lend itself very well to animation, but I have some. All right, I just have this one nice fancy one. All right, again, now this is the, if I can make it fit, all right, there we go. When you talk about porn you've got to always make it fit.

All right, so this is the executive summary version, okay? So again, take this with a grain of salt, and this is the one you want to show your boss and try to say, "I'd like you to buy a fancy RAID array." And in the old days we used to have to actually convince people. People remember, like 2000, 2001, you had to say, "We need a RAID array on our server," and the boss, like, "Why do we need one?" Well, this is the sample that you want to give him, because it makes it very easy for an executive to understand why you have to have one.
Okay, okay, so the deal is that this is not the exact formula. You guys should all know that by now. It's not the exact formula that it follows, but your boss can understand this. He can get that down. Maybe even photographers. But ultimately what you're looking at is that at any point in time, if you took this formula and you have one X, people can figure out what's supposed to be in that one X from the data that exists. So what you actually are doing is an exclusive-or arrangement on these so that you can actually produce that parity. But it's a much more complicated process and requires a very high-speed processor to do it. So this is why having a discrete controller is going to be a much better deal than a host-based controller. Host-based controllers, because they're cheap, they'll do just about anything. They're a mess to deal with. But if you're dealing with a discrete controller, you spent more than $300 on the controller, which means there's documentation somewhere, and it didn't come just maybe from China, I don't know, but, you know, at least you've got something that you can read, hopefully, and find out what your arrangement is, or if they did anything strange like an offset or something. So that's my executive summary version.

Okay, so this is the simple formula. If you're dealing with this, you actually have an exclusive or that's actually going to be between the drives to produce the parity. So the exclusive or is the function that we're trying to deal with from that standpoint. I just said this about the other.

So this is the hard part with dealing with RAID 5: you've got so many X's. Besides just the fact that you have an X, which drive died, you actually have these other X's, which will become unknown, and hopefully you can eliminate two of these so you can try to guess what the other ones are. Because you'll end up with a disk order that's unknown. That's the easiest one to solve in most cases, because all you have to do is make sure that the guy who knows that the array is dead wrote a number on the box before each drive is removed. That's the easiest one to deal with. So if you can convince people to do that before they ship them to you, you might be able to figure something out without having to spend a lot of extra time.

Then you've got your variations in your slice sizes. Now sometimes that configuration's stored on the disks themselves, and maybe you can't read that, or you can't get into the card, or you can't see the card, so you don't know what that is. So you're gonna have to guess. And then you've got the arrangement. The arrangement is usually not something you can specify or select. It's usually something that the manufacturer chose. There's basically five or six different types of arrangements, and so those arrangements, it's important, if you know which discrete controller it is, you can look them up.

And then you have fragmentation. Fragmentation is gonna impact you in this demo that I'm gonna do altogether. But fragmentation, as most of you know, you've just got to deal with fragmentation. So what you're gonna do is you're gonna check multiple pictures. You're gonna have some that are corrupt no matter what because of the way that the layout is, so when you click on them, you're not gonna get anything. But as you click through a dozen or, you know, 20 of them, you'll figure out which ones you can view and which ones make sense, and just ignore the others that are bad, that you can't do. So they start to look like jigsaw puzzles.

So we have something kind of similar to this from that standpoint. We actually have the same thing with RAID 0, same basic slice sizes that you've got to deal with. But there's some extra things that you can do to try to figure out the steps. So here's kind of my extra slide.
This is the bonus stuff. You don't have to do this to do it. Once you've actually done enough views of the drives, you can figure this out by sight. But here's one thing you can do. Anybody ever done a manual carve of JPEG files? How many people done that? Yeah, okay, so for the people that haven't, it sounds like some big mystery all these forensics guys are doing, or manual carving, whatever. All it means is I copied the hex crap out of the drive. That's all it means. So what ends up happening, let's just say I go and I look up the JPEG standard, and the JPEG standard, you got FFDA FF is basically what your file is going to start with. So you're going to end up with the JPEG header. It's always going to begin with FFDA FF and it's going to end with FFD D9, so you'll be able to go from beginning to end and cut something out. So if you go into a hex editor and you just look at the content, you do a search for FFDA FF. So when you actually get to that spot, the first thing you want to do to find out is whether or not you've got a false positive. Is this a false positive? No, because the easiest thing you can tell right off the bat is you've got some EXIF information. So there's data that's actually stored in the picture about the picture. So you'll get things like the camera, dates and times and stuff like that. That stuff, it's very valuable to help you figure out in the RAID array how to reassemble it, because this is probably the beginning of the picture, is probably going to be a JPEG. So if I extract this data, even if I can't view the actual file, the JPEG is typically going to be smaller than my slice size, so I can see the thumbnail itself. So if I extract it and I just save it to a directory, the picture itself won't open. The picture is complete and utter crap. You can't see anything. But I'm just going to use Explorer by highlighting over the picture and it'll tell me what size that the dimensions are supposed to be. But you can see it says it's 8k.
I mean, that's a pretty small thing. So that's not the real picture. But you take these numbers and you can go to a website and it'll calculate for you what the actual size is supposed to be. You plug them in and you come down here to what your JPEG process is going to be, and you can figure out, I mean, most photographers are going to save it somewhere in the hundred percent range most of the time. So you're going to end up with like a two meg file. So then you can actually take the files as you extract them and you go through the process. You can kind of break it down. You could say, look, it's supposed to be a two meg file, so what is my slice size? And so you just start dividing until you actually look like you're starting to get a slice size that's contiguous, and what that slice size is contiguous is most of the time the actual correct slice size. Even though in this particular case we may have a rotation in order, or we may have slices that are out of order, so I have drives out of order, but I can still tell that this is probably going to be a 64k slice size. So you have other things to look at, which are: do these other slices belong to the same picture? So this is where you're going to resolve two x's at one time. If the picture has slices that look weird and don't fit in the picture, then you've got an order problem also. So not only do you have the slice size problem?
You've got an order problem, and either the arrangement of the logical component of the drive is going to be wrong or the order of the physical drive that you have is wrong. So I'll kind of give you a picture of that. So if you look at this, there's basically four major ways that the data is arranged on RAID arrays. And this is typically Linux terminology. Windows has the same kind of thing, but they call it stupid stuff like forward and backwards and dynamic, and they just make other crap up. But it's pretty much the same thing. So you're looking at these orders. So I'm going to focus on the first two, because the first two are the most common. So you end up with what's called the left asynchronous, so you basically can tell where your slices are. So you'll have like a strip that's good, a strip that's bad, and so on and so on as it rotates through. And you'll have a second set that'll actually be different orders in the numbers. And so you'll actually have content, the picture will actually look fairly similar to this. You'll actually get a picture that, once you've got the order of the drives correct, the content that's in the picture rotates through in the same order and looks fairly similar. So as you look through these slices, then you start to go, hey, which order is this one? I can pick them. So this is the tool that I'm just going to use basically to show this, so I can actually load my three drives up. This is going to be the order of it, and so this is one of the arrangements. This is one of the other arrangements that I can deal with, so you can start to see and do a comparison. And then once you actually put them back together, you'll actually get the complete picture itself. So what are the steps that I would normally do to do this? I'm going to repair the bad drives.
I'm not going to waste a lot of time. That's like the first thing that I've seen so many people do, like, oh, we got seven drives in for recovery, they image the first six. Like, well, what about the bad drive? Because if you don't get the bad drive back, or the first five, if you don't get the bad drive back, you're not going to get the one that you actually need. It won't matter how much work you do before that, it's going to be all wasted time. So I work on the bad drive first, and sometimes you just have to start doing an image or something to test to figure out which one's the bad one, but most of the time you know pretty quickly. Then you can actually deal with imaging the good ones and stepping through the process. Test the data, and then once you finally actually have them assembled, you can go back. Now, on the thing that I was talking about, let's try to do something free. There is a Perl script out there that somebody wrote to try to help out with this, and it's been used several times, so it's functional and works. So if you just do a search for Mike Hardy, you'll actually find that there's a Perl script started, written to kind of step through them, and you modify it according to your array. So you would still have to kind of know something about it. All right. So let's go through the process of what we're going to deal with, with our goals. So our goal was, let's use something that's less than a hundred dollars and try to rebuild now.
There's some tools that will rebuild RAID 0 but won't rebuild RAID 5, so make sure that if you buy something that you know what you're doing, which one you're going to buy. So I have two primary choices that I would use. RAID Reconstructor from runtime.org is 99 bucks, and then there's R-Studio from R-Tools, and that's actually a great buy, because R-Studio is 79 bucks or something for their standard edition. And it does like all the file systems except for XFS and ZFS, but it does the rest of them, so you can typically do everything all at once, including Mac OS or whatever. RAID Reconstructor I'm not going to show at the moment, because RAID Reconstructor, it guesses, and if it's right it'll tell you. If it's wrong, what it will normally do is tell you what its entropy is, and the trick with RAID Reconstructor is if there's an OS equals four. If you see OS equals four, those are the ones to try. So there'll be a column that'll say OS equals four, and then you'll have four or five drives in the list out of 70-something drives. It'll tell you which ones are the ones with the highest entropy. Those are the ones to test. But I'm going to show R-Studio, so that's what my demo is going to be on. Question? Okay. All right, so hopefully this will be the right size for me to see. Okay, so I don't so much care about the actual product itself. My whole goal is to be able to see what's manually going on, to actually know what's going on. So hopefully this is a big enough window for me to see all the buttons. All right, so the first thing I'm going to do is I'm going to go to drives and I'm going to open image files. So I've made dd image files. I've made a pair of them.
So this is a RAID array that had three. Now, if this is unknown, basically you take your defaults and then you kind of work your way back from there. So ultimately what I'm going to try to do is I'm going to take these dd image files of two of the drives that I've repaired and I'm going to try to see what the content is from there. So since I have two out of a RAID array that's supposed to have three drives, I have to make a fake one so that the parity is calculated. So I'm going to highlight these and add it. Now the first thing: which drive is number one? So you see right away that the software actually identifies in these two image files that I actually have a sector that actually identifies itself as NTFS. Now, this was a hardware RAID and I broke it basically to do this demo and made these image files of that particular one, but I have two image files here. I'm missing the missing drive, but I know which one's number one. So what I'm going to do is I'm going to go and create me, they call it, a virtual block RAID. So this is going to be my RAID 5, so I make kind of a fake set here. Then I'm going to add each one of my drives to this, so I right click and you'll actually see your drives and your partitions. The drives are the ones that matter, because the partition is going to be at an offset, and you don't want to use the offset. So I'm going to add the two drives I have. Now, right now I cannot see my boxes. So I'm going to add my missing disk. Now, if you have to change the order, then you can actually drag the missing disk around and figure out what order it's supposed to be in, to actually put it where it belongs. And now I'm off the screen, way off the screen. They told me they were 1024. Okay, so I'm doing a RAID 5 array, and so now... Sorry about this kind of thing. I actually tested this in the back with the same projector.
They said this is what it's going to do. I can't see all my boxes. All right, so I'm going to go ahead and check this box that says apply changes immediately. Every time I actually change it, it's going to actually dynamically change them physically in the drives. So this is what my order looks like, and so I have a RAID 5. I'm going to leave it as default, which is almost always 64k, and then you'll actually see that you have all those alternatives that I actually talked about right here. Well, we're going to test this array and we're going to find out what it is that we actually have. So after I've added them to the array, I'm going to come back over here to my other box. It'd be helpful if they used the same exact projector. So now you'll see I actually have my virtual array, and then I've got my partition, my first partition. What I want to do is I want to scan for JPEGs, so I don't care about any of this other stuff. So I'm going to right click and I'm going to say scan for JPEGs. So I get a box that actually asks me. I know which OS it is because it already gave me identifying information, so I'm going to throw away all the other OSes to make it faster. I'm just going to do NTFS. There's all these other things that most of the tools, if you actually use a scanning tool that goes and scans for stuff, you need to deselect all this other crap. We don't need anything else except JPEGs. So I would actually just go down the graphics and I would actually just go down and select JPEGs, add them to the table. That's all I care about to find out, and we're only testing this.
We're not trying to waste 75 hours scanning a drive to figure out what I got. That's what most of the tools do, so we want to do it faster than that. I'm going to leave detailed view on, because there's a unique thing that R-Studio can do that most of the others can't do while they're scanning, and that's let you look at data. So right now, as it's going across in scanning, if you hover over the ones that are colored, they'll tell you three of the files that I've picked are coming up in this block, and as you keep going they'll tell you specific documents. You can click on them and it'll give you a little box. It says, well, what kind of files did I find? And even better than that, I can click on the file, and what I want to know is: is this a false positive? That's what I care about in this whole thing, except that now it's off the screen and I can't see it. So anybody think that this is a false positive? Right, so I've got data here that actually matters to me. Well, I did that and it doesn't... Thanks, buddy, appreciate that. So we added 55 minutes to the presentation in our process here. So it's all to do with resolution of the... They have this projector in the back and I tried all this and they said, this is the one you're going to be using. Oh really? That's the last time I listened to somebody in the... What's wrong with demos, we don't need to be adding to it. This is all these damn porn pictures I got on the thing. I... dang it. Yeah, demo fail. It wouldn't have been, it had been fine. All right, maybe. All right. Cool. All right, so, uh, this is not a... Now I still have the same problem I had before. Now it may be worse, because I can't get to the corner. At least before I had that. Yay. Okay. X, so it is not a... Now we're gonna, we're gonna stop it.
We don't need it to continue on scanning. So we're gonna go ahead and stop it, because I don't care about any of this other stuff. All I want to know is I actually got a JPEG and that I actually have something that's not a false positive. So I'm gonna go look at the file I actually have, so I can actually go down in here and I can say, well, I'm gonna click on one now. This one says it's about 50k. So now if you look at it, you'll actually see, hey, this must have been a really, really large picture, and so that 50k is like way wrong. But I've got a stripe there, and I can do the same thing I said before, where I can actually go and say, oh, I'm gonna go recover my actual picture and try to figure out what size it's supposed to be. So you can go and actually just save it out and save out your thumbnail or whatever else you're gonna look at. Go look at your thumbnails. So now this is the picture. This is actually what I'm gonna save. So I can actually do, and but you know from the size that we're looking at approximately a two meg picture. And so if I click on it, then this is what I'm gonna get. So if that's two megs, if that's two megs and you're actually looking at this, you're probably looking at, again, is not going to be a 64k slice size.
That's probably what the 64k is, because that's what we asked for. So we've got two stripes together. So half of that is 32k, right? So that'll tell you right off the bat that you can actually tell just from that content. So I'm gonna close this. I'm gonna delete the scan that I just did, because I don't care about it anymore. I'm gonna go back to my RAID array, and now I'm gonna make my changes to... Hey, I'm getting good at this. So I'm gonna make my changes. I'm gonna go ahead and set it at 32k, which is what it looked like visually to me that it might be. So then I come back and I do the same kind of thing. I can go to the partition, I can scan, and if I leave it the same it's going to be all the same details I already did. Give me a couple of JPEGs, blah blah blah, see if I have one that's not a false positive. Not a false positive. Same kind of thing I did before. Close that. And we're going to stop again. Go ahead and look at the same things. We're going to look at our file itself. Go into the files. Okay, so now if you look at the picture, it's a little dark on the screen, but if you look you start to have some contiguous stuff. Does this actually look like it probably belongs to the same picture? Yeah, like this piece move over, that piece move over. Okay, so we know we probably have that, but we have a wrong arrangement. They look like they belong to the same picture. So let's delete that. Let's go look at our arrangement. So we were using this arrangement, which is standard. So that's the first one. Most RAID arrays do not use, or at least most of the ones I'm dealing with are not using right and ace and right asynchronous and synchronous. So our second choice is going to be continuous, which is the rotation in the other side. So now you can actually go back and do the same exact thing again. Scan. Go ahead. For the sake of time I'm going to skip trying to do the "do I have a false positive?"
Then I'm going to go look at it. Look at my pictures. Look at the array. And it's the same thing, you just keep rotating through them. The other thing that you can do really quickly if you wanted to, to try to figure things out, especially in this tool, is that there's an option for like taking a partition. Let's say I went back and I like munged it up again. Let's say I go back and I say, oh look, it's a 64k and I got something out of order again. You can do a couple of quick things by sight if you just know directory structures anyway. So if you actually said, hey, I'm just going to look at the partition and see what files it says I have. Well, it's pretty not supposed to have, you've got things that are missing. You're missing your files or Windows, things like that. As you rotate through the others, you can actually start selecting just variations on directories. When you get the right one, it's going to be obvious. You're going to have a Documents and Settings that actually has folders in it that are going to work correctly. So you can step through all those. So demo fail work. How about that? All right, so... And that's it. There you go.
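The workflow described in the talk (XOR the dead member back, then guess disk order, slice size and arrangement until the carved picture is contiguous), as an added example that is not from the talk or from any tool it mentions. Everything here is constructed: a three-disk array with 1 KiB slices, Linux md layout names, the real JPEG start and end markers (FF D8 FF, FF D9), and a counter payload that stands in for judging contiguity by eye.

```python
import itertools
import struct

SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"          # JPEG start/end-of-image markers
LAYOUTS = ("left-asymmetric", "left-symmetric")  # Linux md names

def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks (the RAID 5 parity function)."""
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(len(blocks[0]), "big")

def data_disks(layout, n, row):
    """Return (parity disk, data disks in logical order) for one stripe row."""
    p = (n - 1) - (row % n)
    if layout == "left-asymmetric":
        return p, [d for d in range(n) if d != p]
    return p, [(p + 1 + k) % n for k in range(n - 1)]

def build_array(data, n, chunk, layout):
    """Stripe data over n disk images with rotating parity (test fixture)."""
    row_bytes = chunk * (n - 1)
    data += bytes(-len(data) % row_bytes)        # zero-pad to whole rows
    disks = [bytearray() for _ in range(n)]
    for row in range(len(data) // row_bytes):
        parts = [data[i * chunk:(i + 1) * chunk]
                 for i in range(row * (n - 1), (row + 1) * (n - 1))]
        p, order = data_disks(layout, n, row)
        for d, part in zip(order, parts):
            disks[d] += part
        disks[p] += xor_blocks(parts)
    return [bytes(d) for d in disks]

def assemble(disks, chunk, layout):
    """Rebuild the logical volume from ordered disk images, skipping parity."""
    out = bytearray()
    for row in range(len(disks[0]) // chunk):
        _, order = data_disks(layout, len(disks), row)
        for d in order:
            out += disks[d][row * chunk:(row + 1) * chunk]
    return bytes(out)

def contiguity(image):
    """Carve SOI..EOI and count 4-byte counters that follow their predecessor."""
    start = image.find(SOI)
    end = image.find(EOI, start + 4) if start >= 0 else -1
    body = image[start + 4:end] if end >= 0 else b""
    vals = struct.unpack(f">{len(body) // 4}I", body[:len(body) // 4 * 4])
    return sum(b == a + 1 for a, b in zip(vals, vals[1:]))

def solve(survivors, chunks=(512, 1024, 2048)):
    """XOR the missing member back, then try every order, chunk and layout."""
    images = list(survivors) + [xor_blocks(survivors)]
    candidates = itertools.product(
        itertools.permutations(range(len(images))), chunks, LAYOUTS)
    return max(candidates, key=lambda c: contiguity(
        assemble([images[i] for i in c[0]], c[1], c[2])))

def demo():
    # Constructed "picture": JPEG-style markers around a counter payload.
    picture = SOI + b"\xe0" + struct.pack(">3000I", *range(3000)) + EOI
    d0, d1, d2 = build_array(picture, 3, 1024, "left-asymmetric")
    return solve([d2, d0])      # d1 is the dead drive; survivors arrive shuffled
```

`demo()` returns the disk order, slice size and layout that score highest. The rebuilt member comes from a single XOR that does not depend on disk order, which is why the search over order can run afterwards.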