[sleuthkit-users] Has anybody tried sleuth to recover a NTFS partition a broken raid?
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] Has anybody tried sleuth to recover a NTFS partition a broken raid?
|
From: Edmundo C. <ean...@gm...> - 2005-05-11 20:31:52
|
Hi, guys!
I've been working with this raid at the office. It's a 5-disk raid
that since a power outage, hasn't wanted to "come back to life"
anymore.
Before the IT guys decided to reset it (you know, the M$ way ;)), I
made images of four of the five disks by extracting them ffrom the
rack they were in (it's a HP netserver rack storage/12) and putting
them on a different computer.
I even made a program that "rebuilds" the whole logical information of
the raid in a single image. When I do fdisk on the result file:
# fdisk -lu discoa1
You must set cylinders.
You can do this from the extra functions menu.
Disk discoa1: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units =3D sectors of 1 * 512 =3D 512 bytes
Device Boot Start End Blocks Id System
discoa1p1 63 142175249 71087593+ 7 HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=3D(1023, 254, 63) logical=3D(8849, 254, 63)
It's complaining because that file I ised here is just the first chunk
(second, actually. I think the raid controller reserves the first
chunk of the disks) of the first image of the raid. But when I did it
on the whole
<i>rebuilt</i>image, It was OK.
The problem showed up when I mounted that partition. I got a ntfs
index problem. I know there are issues that I have to work on. If i'm
not using the same algorithm of the controller, I might get the data
back..... but the chunks won't be ordered the right way.
What algorithm was used by the controller? I think it's a left one.
But i'm not sure if it's simmetrich or not. :'( And so on.
I think I'm doing the right thing.... but I can't do much if I can't
study the resulting image in case the linux ntfs say it's wrong. I
guess I could use sleuth to analyse the result. Maybe you know of
other people who have tried.
I'd appreciate any help you could provide.
Bye!
PS The other thing I tried was bring up a software raid using
the four images plus a faulty one... but I wasn't able to do it either
( I even tried with a brand new one to see how the whole thing
worked.... but couldn't do that either). Maybe you know of someone who
has tried that before.
Here is a URL to a forum I started on linuxquestions.org about it:
http://www.linuxquestions.org/questions/showthread.php?s=3D&threadid=3D3193=
56
Another thing that I might try is study the first chunks of the images
to figure out the order in which they are logically placed one after
another. Then I could figure out the order of the images, and of
course, the algorithm used. What do you think? Could sleuth help me on that=
?
Well... thanks for reading anyway! :D
Take care
|
