| Author | Message | ||
     staffan Username: gasaren Registered: N/A |
Hi guys! My first post here and I am looking for some advice, as we all do I guess... Anyways, I work with data recovery and I just received two SAS drives from a HP Proliant ML350 G5. They are supposed to be a part of a three disk RAID 5 on a HP E200i controller. The third drive is long gone and there were some bad sectors on the two drives I have. I have imaged the drives perfectly and mounted the images. Here is my problem: In Forensics, I tried to assemble the raid. I have tried all methods that are predefined with 128 (and 256 and 64 for good measure) sectors stripe size, i all drive orders. I suspect that the header size is the problem unless the controller messed up the drives before we got them. I did a RAW recovery on the separate drives and the contents is similar, even though no files above ~60kB works (of course). I tried to mess around a bit with the delay but I read that it should be 4 or 16. Anyone happens to know the header size? I tried 1088/1087 for both drives as well as the placeholder but no go  Well, I hope someone out there has some input  Thanks in advance, people! | ||
| isaias@digitalrecovery.com.br Username: isaias Registered: 8-2003 |
Hello Gasaren, In our experience the SAS Drives in HP don't start in 1088 sectors. Try: - Level 5: HP Compaq b delayed - Stripe size in sector: 128 - HP/Compaq delay: 16 - You need put 3 drives in components. Mark the missing the hard drive that you don't have. I don't know if is possible to send my email here. If you want other thing my email is: isaias@digitalrecovery.com.br | ||
| Corrie Theron Username: corrie Registered: N/A |
The HP compaq ones provide interesting challenges Biggest of them being the Hp/Compaq partition in the beginning of all the drives. There are a number of ways to try it. Easiest being to clone to two similar working drives and add an empty one in the missing one's place, recreate the volume on the controller and directly after that, pull out the "missing" drive and scan the drive for NTFS partitions with your favorite utility or you can determine where the HP partition ends on the drive and data volume starts and clone from there into a new image files for both drives and try again to reconstruct the RAID. If your boot sector is still in place you should be able to mount the volume that way. I have only succeeded once though. Otherwise start with 128 on the Xways preset for Compaq(try other as you did if not working) and clone the reconstructed volume to a new file and scan again. Usually best option to use the controller though with HP | ||
| staffan Username: gasaren Registered: N/A |
First of all, a big thanks for your kindness! I tried all mentioned settings but still just scrambled crap Maybe getting hold of the original controller somehow is the only option left. I scanned one of the drives and found a NTFS start at about 50,000,000 sectors. I used that as offset for fun and the partition is found by Forensics instantly. Too bad it still won't work. I guess I have to talk to the owner of the drives because this is getting frustrating. I see fragments of the same files, pictures anyways on both drives so they should match somehow  Is it possible that the header size differs between drives? I have assembled a load of raids during my time as a recovery dude but this one won't play nicely ;P Thanks again! | ||
| John Ahearne Username: jahearne Registered: 1-1997 |
The E200 and P400 are LSI chipsets and don't follow the delayed parity rotation of the typical SmartArrays. RAID controller metadata is on the back. Search for keywords HPSA_RIS and the first hex character of that sector will spell out the order of each drive. First off it's a Forward parity rotation usually 128 sectors starting at sector zero and not 1088. Also, partity starts on the second component and not the first. So you came to the right place because WinHex is the only tool that can help you rebuild one of these! Good luck, John | ||
| John Ahearne Username: jahearne Registered: 1-1997 |
Anytime you are uncertain about how a RAID is constructed or rather how to reconstruct a failed RAID array ask questions at your favorite forum and research the manufactures' website. That's the quickest way but no guarantee. Guaranteed way is to purchase the controller if you are lucky enough to know the manufacture and model number. Research the manufactures website to find a compatible RAID controller that uses the same chipset in the case of an E200 that is built-in you have to buy the server, but a P400 is compatible add-in card but still cost a few hundred bucks. Make sure you have the required cables. Have a few compatible hard drives, four small ones at minumum, wether they be SAS, SATA which works on SAS controllers or SCSI. Then build a few different RAID arrays. Start with the default RAID-5, take note of the stripe size. Boot into the host's operating system. Create a script that writes the sector number at each stripe size block. For example on a 64kb stripe write every 128 sectors a number begining with 0, 128, 256, 512, 640... 4096, etc. or 1, 2, 3, 4... and so on. Then place the newly created array after running your script onto a card that supports JBODs. View each drive individually in WinHex until you start to see patterns. Write down a large sheet of paper where those numbers were written to. If you don't recognize a number that's parity! Soon a parity rotation will start to emerge. Build several arrays using different stripe sizes and different RAID configurations. Agian on JBOD card such as a Promise SATA card or an Adaptec SCSI card, in WinHex from the View menu select "Synchronize & Compare" and look for differences in the metadata/header that might give you clues as to member order, model number, serial numbers, stripe size, etc. and take notes, print out those sectors, hightlight and compare. Pretty soon you start to build a hex library and a greater understanding in RAID technology. The older RAID controllers such as PERC4 or Adaptec 2200 patterns in the metadata are easy to spot after a while. More modern cards such as a PERC6 or P400 those patterns are a lot more cryptic. I have been very successful using this method. This process is very expensive and extremely time consuming, but it works and you start to understand why data recovery is so very costly. Or you can take out a Dell or HP Engineer out to lunch... cheaper to buy the server! http://www.accs.com/p_and_p/RAID/LinuxRAID.html |