QueTek
  
  
Back to Cyrus's Blogs
Deleted VHD files on an iSCSI device

Hardware and RAID Configuration

There were 4x3 TB drives in a RAID 6 setup, taken from a Linux server. The storage was partitioned into several logical volumes and iSCSI files which appeared as individual physical disks on client computers. Each iSCSI file was partitioned into several virtual disks in VHD format.

Problem:

While creating a new VHD file, the customer accidentally deleted existing VHD files.

Diagnosis:

  • The analysis confirmed the RAID 6 configuration and the status of the component drives. No drives were stale. All four drives could be used in the recovery.
  • A typical RAID system has two layers of virtualization: the RAID and the file system. In this case, there were 5 layers: the RAID layer, two LVM layers, the VHD layer and finally the file system.
  • The LVM configuration data was still accessible but scrambled. The challenge was to distinguish the current logical volumes from many defunct definitions.

Solution:

  • The upper-layered LVM was used to locate the iSCSI files.
  • The remaining VHD configuration was used to locate many fragments of each VHD.
  • Advanced file carving techniques were used to locate the other VHD fragments whose configuration data was lost when the VHDs were deleted.
  • Advanced file carving techniques were used to assemble the fragments into the original VHD files.
  • Once the VHD files were restored, the user data contained inside was easily extracted using File Scavenger®. This program fully supports all popular virtual disk formats including Microsoft's VHD (fixed, dynamic and differencing) and VMware's VMDK (flat, sparse and delta link).

Result:

Files were completely restored with the original name and folder structure.


Back to Cyrus' Blogs