Useful Tips in Data Recovery

Case Study 1 – Why it is important to verify MD metadata

One of the main tasks in logical data recovery is to determine what is damaged – the RAID configuration, the filesystem metadata, or perhaps the data was simply overwritten. Cases with explicit metadata damage are easy to distinguish – the metadata is either missing or its records look incorrect. It is much more difficult to deal with cases where, at first glance, the metadata looks normal but the recovery doesn't bring back the files. Since you are at the stage of file recovery and the RAID metadata looks plausible, it seems reasonable to suspect the filesystem recovery, especially when it comes to something newfangled like btrfs.

Today we want to draw your attention to some quick and simple tests that should be done before embarking on a long analysis. The tests are intended to determine whether the md metadata is correct or not.

If you have an md-RAID, start by checking its segments using the content and entropy analyses built into ReclaiMe Pro. Because the segments are used to create the RAID, the content analysis should show, in the case of a RAID5, 100% parity on the full disk set and about the same number of zeros and entropy values over the member disks. Next, do the entropy analysis – peaks should correspond to the block size and the number of disks and should not overlap. Check several areas – at the beginning of the disks and 10%, 20%, 50%, and 70% into the disks.
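The parity part of this check can be reproduced outside the tool on read-only disk images. The Python sketch below is an added example, not part of the original article and not ReclaiMe Pro's code; it relies on the fact that the XOR of all RAID5 members at the same segment offset is zero wherever parity rotates. The function names, the 512-byte sector, the 64 KiB sample window and the constructed sample members are assumptions made for illustration.

```python
import io
import os

SAMPLE_POINTS = (0.0, 0.10, 0.20, 0.50, 0.70)  # areas the article says to check

def parity_fraction(members, starts, size, sector=512, window=64 * 1024):
    """Fraction of sampled sectors whose XOR across all members is zero.

    members: seekable binary file objects (disk images opened read-only)
    starts:  assumed byte offset of the RAID segment inside each member
    size:    assumed segment length in bytes, identical for every member
    """
    good = total = 0
    for point in SAMPLE_POINTS:
        base = int(size * point) // sector * sector
        length = min(window, size - base) // sector * sector
        acc = 0
        for f, start in zip(members, starts):
            f.seek(start + base)
            chunk = f.read(length)
            if len(chunk) < length:
                raise ValueError("member is shorter than the assumed segment")
            acc ^= int.from_bytes(chunk, "big")
        xored = acc.to_bytes(length, "big")
        for i in range(0, length, sector):
            total += 1
            # All-zero sectors on every member also pass; judge on filled areas.
            good += not any(xored[i:i + sector])
    return good / total if total else 0.0

def build_sample(n=3, chunk=4096, stripes=64, pad=8192):
    """Constructed members: `pad` bytes of filler, then RAID5 stripes."""
    disks = [bytearray(os.urandom(pad)) for _ in range(n)]
    for s in range(stripes):
        blocks = [os.urandom(chunk) for _ in range(n - 1)]
        parity = 0
        for b in blocks:
            parity ^= int.from_bytes(b, "big")
        blocks.insert(s % n, parity.to_bytes(chunk, "big"))  # rotating parity
        for disk, block in zip(disks, blocks):
            disk += block
    return [io.BytesIO(bytes(d)) for d in disks], chunk * stripes

if __name__ == "__main__":
    members, size = build_sample()
    print("correct starts:", parity_fraction(members, [8192] * 3, size))
    print("one wrong start:", parity_fraction(members, [8192, 8192, 4096], size))
```

A result close to 1.0 on filled areas means the assumed segment boundaries line up across the members; a result near 0.0 means the boundaries taken from the metadata should not be trusted.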

For example, in this case, at first glance, md metadata looks good:

However, the content and entropy analyses reveal that there is no parity and the peaks overlap.



With all this information, we need to move one level down, namely to start working with the Linux RAID partitions on which the md segments are created. Select the Linux RAID partitions and run the entropy and content analyses on them.

Look at the screenshot: we have a good picture in the entropy analysis. Then do the RAID5 recovery on the partitions to get a correct RAID configuration.

Filesystem recovery on the RAID5 reconstructed from the Linux partitions brought back healthy files and folders.


The conclusion – when you deal with md-raid metadata and filesystem recovery doesn't bring correct data from it, ignore the md metadata, rebuild the RAID, and launch filesystem recovery on the rebuilt storage.