Useful Tips in Data Recovery

Case Study 5 – HP Smart Array controllers typically use delay parity

Recently we have worked on a recovery case that included 8 disks of 146 GB from the HP Smart Array P400 controller. We were informed that a client used a RAID6 configuration; however, automatic RAID6 recovery did not bring the configuration.

In such cases, we always start with the disk partitioning schemes analysis and then continue with the RAID analyses. Disks and partitioning schemes looked like that:

We can see that Disk 4 and Disk 10 differ from the others: one of them is the first disk in the set and the other stores P parity given that we deal with a RAID6.

Having analyzed the number of zero sectors and entropy, we see that the disks really belong to the same RAID array. Furthermore, parity analysis shows that this is an 8-disk RAID6 array where P parity is calculated for 6 disks and Q parity is terminal since this scheme is the only possible which gives 1/N parity for any disk excluded. In our case it is 1/8=12,5%, and we see exactly this in the analysis result. You can read more on how to interpet parity abalysis at this page.

Then we launched the entropy analysis.

We see that the block size should be decreased by 4 times, since we see 4 peaks. So, we set 256 KB block size:

Do not forget to analyze entropy not only at the beginning of the disks, but throughout the volume as well. We see there are no significant differences:

We see that the peaks look like RAID6: there are two plateaus and they rotate evenly. It proves again that we deal with an 8-disk RAID6 and the disk ring is 3-4-5-6-7-8-9-10.

With the available information about the disk set, we specify parameters for the automatic RAID recovery:

However, we did not manage to recover the configuration so we stepped back and analyzed disks and configuration again. We remember that HP Smart Array controllers use delay, although in this case it is difficult to notice because the block size based on the entropy analysis is rather small - 256 KB. Nevertheless, usually delay includes 16 blocks, so we should try 256/16=32 KB block size.

We set new parameters for the automatic analysis:

And we get a RAID recovery solution:

We scan the second partition (722 GB) and see the good folders tree and files:

The preview shows us the correct VHD file, which should start with "conectix" signature.

Now let's set the parameters manually for experiment, using only RAID analyses data. So, from the entropy analysis we use the disk ring order 3-4-5-6-7-8-9-10 and block size 16 KB. Then remember that the partition table was found on disk 4 and disk 10, so we conclude that one of them is the first disk in the set. In our case this is disk 10 since according to the parity blocks distribution from the entropy analysis this disk is the last one. This disk order assumes the left array but we should still try synchronous and asynchronous array types. The correct configuration is a left asynchronous:

We can see partitions on the manually reconstructed RAID:

We open each partition in the disk editor and see a correct NTFS boot sector:

Conclusion: we convinced once again that if we recover data from the RAID created by HP Smart Array controllers, we deal with 16-block delay, even if it seems that the block size is too small for delay. If RAID configuration cannot be detected in the automatic mode (sometimes there is not enough data to get a statistically correct solution), you can try the options with the delay parity in the manual recovery mode.