Qnap array

16 Posts
4 Users
0 Likes
1,732 Views
(@bombone)
Posts: 62
Trusted Member
Topic starter
 

My friend has a Qnap server with five disks. Last week his technician (not forensic) changed two disks.
But that did not solve the problem. It seems he did something remote, but with relevant result. My client has a lot of files, but not with the correct names.
I tried to acquire two disks using FTK Imager, but after 24 hours of work it was at 32%.
Now I have got the server with two new disks. I never switched it on… I want to be sure I am on the correct road.
What do you suggest?
Thanks

 
Posted : 27/07/2013 12:06 am
(@bithead)
Posts: 1206
Noble Member
 

How is the RAID setup? With 5 drives it could be RAID 5, 6, or 10.
RAID 5, RAID 6, RAID 5+hot spare - 4-drive models or above
RAID 6+hot spare - 5-drive models or above
RAID 10 - 4-drive models or above
RAID 10+hot spare - 5-drive models or above

If it is RAID 5 and you had two drives fail you are in for a very difficult time recovering any data.

Have you read these two QNAP articles?
Redundant Array of Independent Disks (RAID)
Hot-swapping the hard drives when the RAID crashes

 
Posted : 27/07/2013 5:25 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Last week his technician (not forensic) changed two disks.

Possibly not even "technician".

Without further details (exact model, type of RAID, size and type of disks involved, how the RAID was re-built - if it was rebuilt - etc.) there is no way you can have sensible advice.

The time you stated to image one (or two 😯 ) disks (and also it may depend on how exactly you did attempt to image them, like taking them outside the server and connecting to another machine - how - i.e. through which connection/bus, with or without a write blocker, etc., etc.) is simply "crazy" and is usually a sign of malfunctioning hardware.

It is also possible that the Qnap "OS" or "firmware" is *somehow* corrupted and this caused *somehow* the corruption of the data.

jaclaz

 
Posted : 27/07/2013 3:39 pm
(@bombone)
Posts: 62
Trusted Member
Topic starter
 

First, thanks all for the answers. The model is Qnap TS 509 Pro. Actually I prefer not to switch it on. I am thinking to put off all disks, then switch it on and verify all data.
The two disks were taken out by the "technician". They are 1 terabyte disks. I used a WiebeTech UltraDock v4 and FTK Imager to acquire them.
I said they did something remote, maybe reconstruction. But I don't have other data. I prefer to study a clear strategy and then act correctly.
Maybe extract the disks and acquire each?
Thanks

 
Posted : 27/07/2013 5:53 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Maybe extract the disks and acquire each?
Thanks

Well, whatever the "next" step will be, BEFORE *anything* else, yes, you need to extract one by one and clone/image (dd-like or "forensically sound") each and every disk.

You will need 5 x 1Tb disks (or equivalent storage space) for the images AND most probably (or at least advised by me) 5 x 1Tb disks to test the recovery on the actual server (or only to understand how it is setup or "behaves").

But you just reported that you had issues in imaging one of the disks; it seems like one (or more than one) disk(s) are defective (hardware defect).

But still your report is (at least to me) not at all clear.

The "technician" either was physically on site (and extracted disks physically) OR it was "remote" and did something "remotely".

You have to ascertain, in any case, and before ANY further attempt, how EXACTLY was the server set up (there are BIG differences in both probabilities and ways to recover data from differently set type of RAIDs, being it a 5, a 6 or a 10 with or without hot-spare DOES make a difference).

The actual model actually restricts (but enlarges 😯 ) the possibilities
http://www.qnap.com/en/index.php?sn=822&c=1655&sc=1656&t=1661&n=6707

Advanced RAID configurations, RAID 0/ 1/ 5/ 6/ 5+Spare and JBOD are all supported.

http://www.qnap.com/it/index.php?lang=it&sn=492&c=1789&sc=1790&t=1799&n=7022

Advanced RAID configurations, RAID 0/ 1/ 5/ 6/ 5+Spare and JBOD, are supported.

You have to ascertain, in any case, what EXACTLY the "technician" did and WHY exactly disk(s) were (supposedly) extracted (I understand without being replaced on-the-spot 😯 ).

You cannot study *any* strategy (or at least a hopefully successful one) without these info.

jaclaz

 
Posted : 27/07/2013 7:17 pm
(@bombone)
Posts: 62
Trusted Member
Topic starter
 

Thanks again Jaclaz. I am not sure what the other guy did. Now I tried to acquire two disks. They changed them. Then I am not sure whether they did something remote or in physical presence. Unluckily the owner of the server is not "easy to communicate" with, does not speak well, doesn't understand a lot about PCs, and obviously is nervous! I will try to ask his "technician" to know the exact configuration.
Thanks
PS: those "technicians", unluckily, in a school where I worked… tried to put Back Orifice on a server and many other stupid things…

 
Posted : 27/07/2013 8:17 pm
(@bombone)
Posts: 62
Trusted Member
Topic starter
 

ok the answer is RAID 6

 
Posted : 27/07/2013 8:55 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

ok the answer is RAID 6

Which is on one side a good thing (there is more parity data when compared to a RAID 5 and in theory the array can be recovered with two disks failed in most configurations) on the other side there are more configurations possible and the recovery process/algorithm is more complex (and needs to be adapted to the specific configuration).
Still if the "technician" already attempted a rebuilding on the array and failed, this may have caused "damages", but more than that, your failed attempt at imaging might mean that a third disk had issues (and possibly this generated errors in the rebuilding initiated when the first two were replaced), and AFAICU three failed disks is "too much" to be able to recover the array, possibly only some data can be recovered if parts of the first "third failed" disk are still readable.

jaclaz

 
Posted : 28/07/2013 4:18 pm
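
An added example, not part of the post above: why two lost members of a RAID 6 stripe can be rebuilt while three cannot. It assumes the common P+Q parity scheme over GF(2^8) (polynomial 0x11d) and one stripe of a five-disk array (3 data chunks + P + Q); the chunk size, member order and parity rotation of the array in this thread are not known, and `parity` / `recover_two` are hypothetical names.

```python
# GF(2^8) log/antilog tables, polynomial 0x11d, generator 2 (assumed RAID 6 field)
EXP, LOG = [0] * 510, [0] * 256
v = 1
for i in range(255):
    EXP[i] = EXP[i + 255] = v
    LOG[v] = i
    v <<= 1
    if v & 0x100:
        v ^= 0x11D

def gmul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gdiv(a, b):
    return 0 if a == 0 else EXP[(LOG[a] - LOG[b]) % 255]

def parity(chunks):
    """Return (P, Q) for one stripe: P = XOR of D_i, Q = XOR of g^i * D_i."""
    p, q = bytearray(len(chunks[0])), bytearray(len(chunks[0]))
    for i, chunk in enumerate(chunks):
        for k, byte in enumerate(chunk):
            p[k] ^= byte
            q[k] ^= gmul(EXP[i], byte)
    return bytes(p), bytes(q)

def recover_two(chunks, p, q):
    """Rebuild exactly two missing data chunks (passed as None) from P and Q."""
    missing = [i for i, c in enumerate(chunks) if c is None]
    if len(missing) != 2:
        # P and Q are two equations per byte: a third unknown cannot be solved
        raise ValueError("only two unknown chunks per stripe are solvable")
    x, y = missing
    known = [c if c is not None else bytes(len(p)) for c in chunks]
    p_known, q_known = parity(known)
    dx, dy = bytearray(len(p)), bytearray(len(p))
    denom = EXP[x] ^ EXP[y]                  # g^x + g^y, non-zero since x != y
    for k in range(len(p)):
        pxy = p[k] ^ p_known[k]              # = Dx ^ Dy
        qxy = q[k] ^ q_known[k]              # = g^x*Dx ^ g^y*Dy
        dx[k] = gdiv(qxy ^ gmul(EXP[y], pxy), denom)
        dy[k] = pxy ^ dx[k]
    out = list(known)
    out[x], out[y] = bytes(dx), bytes(dy)
    return out
```

Losing one data chunk plus P or Q, or P and Q together, is the easier case: the remaining parity (or the data itself) is enough to recompute what is missing.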
(@bombone)
Posts: 62
Trusted Member
Topic starter
 

Oh, thanks. Now FTK Imager on all disks. E01 or dd?
Bye, thanks

 
Posted : 28/07/2013 9:53 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Oh, thanks. Now FTK Imager on all disks. E01 or dd?
Bye, thanks

dd (and not E01) but why exactly FTK imager?

I mean, here you are dealing with data recovery, and not data forensics.

E01 makes no sense, the "dd" or "RAW" format is the "most compatible with any software" that you can have or that you will need, as it is a 1:1 as plain as possible copy.

Tools like ddrescue (or dd_rescue)
http://www.garloff.de/kurt/linux/ddrescue/
or equivalent for Windows, for example
http://www.datarescue.com/photorescue/v3/drdd.htm
i.e. tools designed for data recovery, are way more suitable to data recovery than "forensic" disk imagers because they have normally provisions for "weak" or "slow" sectors.

A tool may manage such issues differently from other ones, like making a "chunk copy" and skip an area or replace the unreadable sectors with blank ones, but in any case they are advised.

Such data recovery imaging tools have the capability of attempting reading areas "backwards" which often gives good results.

Specifically, you already tried FTK imager on one disk and it stalled, reaching 32% after 24 hours, don't you think that trying *something else* is the case?

jaclaz

 
Posted : 28/07/2013 10:15 pm
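
The behaviour described in the post above (chunk copy, skip the unreadable area, blank-fill it, then approach it backwards), as an added example that is not from the thread and is not the code of any tool named in it. `FlakyDisk` and `rescue` are hypothetical names, the failing drive is simulated with constructed data, and the device size is assumed to be a multiple of the sector size.

```python
SECTOR = 512

class FlakyDisk:
    """Constructed stand-in for a failing drive: any read touching a bad sector fails."""
    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)

    def read(self, offset, length):
        first = offset // SECTOR
        last = (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError("unrecoverable read error")
        return self.data[offset:offset + length]

def rescue(disk, size, chunk=8 * SECTOR):
    """Image `size` bytes of `disk`; return (image, list of unreadable sectors).

    Pass 1 copies forward in large chunks and skips any chunk that errors, so
    the healthy bulk of the disk is saved first. Pass 2 revisits each skipped
    chunk one sector at a time, from its end towards its start. Whatever is
    still unreadable stays zero-filled in the image and is reported.
    """
    image = bytearray(size)              # unread areas remain blank (zeros)
    skipped = []
    for off in range(0, size, chunk):
        n = min(chunk, size - off)
        try:
            image[off:off + n] = disk.read(off, n)
        except OSError:
            skipped.append((off, n))     # do not retry now, move on
    bad = []
    for off, n in skipped:
        for pos in range(off + n - SECTOR, off - 1, -SECTOR):   # backwards
            try:
                image[pos:pos + SECTOR] = disk.read(pos, SECTOR)
            except OSError:
                bad.append(pos // SECTOR)
    return bytes(image), sorted(bad)

if __name__ == "__main__":
    # Constructed 64-sector "disk" with three bad sectors
    data = bytes((i % 255) + 1 for i in range(64 * SECTOR))
    image, bad = rescue(FlakyDisk(data, {10, 11, 40}), len(data))
    print("unreadable sectors:", bad)
```

The returned list of unreadable sectors matters for the RAID case: it tells you which stripes of this member must be treated as missing when the array is reassembled from the images.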