36 hours: a production accident, a deleted dynamic-disk volume, lost partitions, and a data recovery case


This is all practical, hands-on material; it deserves a spot on the home page.


1、 Source of accident

On September 3 we added 50 GB of disk capacity on our Alibaba Cloud server and then extended a volume onto the new 50 GB of space on disk 2. Drive E turned out to have grown to 141 GB. That was wrong: I had meant to extend drive F. Then I did something I regret. I selected the small block and deleted the volume, instinctively clicked OK in the confirmation box, and the result is what the following figure shows. Drive E was gone!!! Drive E originally occupied the framed areas in the figure below. It was a dynamic volume spanning disks. The partition table was missing. At first we thought this was just an ordinary accident: when a partition table is lost, the data is still there, and restoring the partition table restores the data.


Then the facts gave us a loud slap in the face. Let's talk about the difficulties first.

1. DiskGen cannot directly restore the partition table, because this is a dynamic disk. In the partition the tool recovers directly, everything after the 50 GB point is all zeros. In other words, only half of the data is usable, which matters most for our database files: the second half of each is all zeros.

2. Disk 3 had been shrunk and extended many times, so the data recovery technician asked outright whether the disk had been resized many times and said he could not recover it at all. Disk 3 was originally 100 GB, all allocated to drive F. Our operations engineer found that other drives were running out of space, so he shrank the F volume and then, using dynamic disks, allocated the space to drives D and E in four steps. That was a long time ago. He remembered giving 25 GB to E, 1 GB to E, 10 GB to D and 15 GB to E. He was also very firm that he always calculated whole gigabytes using 1024, so there would never be a fractional part. This wrong information misled our later recovery attempts again and again, and it misled the technicians too, so they could not restore the data. It was not what had actually happened.



Don’t write!!!! Don’t write!!!! Don’t write!!!!

Never confidently restore the partition table on a dynamic disk!!!! Never confidently restore the partition table on a dynamic disk!!!! Never confidently restore the partition table on a dynamic disk!!!!


2、 Repair ideas

Why describe the source of the accident in such detail? So that later readers can judge whether their accident resembles mine and whether there is anything here to learn from, rather than reading for a long time only to find that it does not apply to them at all.


The repair idea actually comes from reference 2: recover according to the LDM database of the dynamic disk.

The LDM database can be viewed with WinHex. However, copies of WinHex downloaded from the Internet generally do not include the LDM templates. The source of the templates is given in reference 1. Thanks to the author of reference 1 for providing the templates and the principle.


From the information in the LDM database we can learn how drive E is composed. Then we can use R-Studio to create virtual disk regions and combine them, recovering a complete logical partition for drive E, and then export the files from this virtual volume to another disk.


3、 Actual operation

3.1 Disk analysis

First load the disk in WinHex. If you cannot do this, I recommend finding a professional data recovery technician.

First go to the end of disk 2 and run a hex search in WinHex. The search term is the LDM database keyword TOCBLOCK, written as hexadecimal. An online string-to-hex tool will do the conversion.



It was found quickly, which shows that there is an LDM database at the end of the disk. "Disk" here means the physical disk; there is not one behind every partition. This TOC did not actually play a role.



Next comes the VMDB data. It did not play a substantial role in the process either.



You can find this place by scrolling down a little or by searching for 56424c4b (the hex of VBLK).


I'm sorry, I can't demonstrate this with my real data: when the technician backed up the disk image for me, they skipped all the 0000 at the end, so I have no real data to show here. I can only explain it using similar figures from the references.


Note that the numbers 04 and 05 in my box are VBLK serial numbers. Starting from 4, every VBLK has such a serial number. I counted 17 in total at the time. Reference 1 explains clearly that the design lets LDM describe layouts such as RAID0 and RAID5. See the references for details.


Then note the VBLK types, 34 and 35 in the boxes. Different VBLK types carry different data, so pick the WinHex template that matches the type.

VBLK of component: 0x32
VBLK of partition: 0x33
VBLK of disk: 0x34
VBLK of disk group: 0x35
VBLK of volume: 0x51


For example, the VBLK with serial number 04 in the figure above has type 34, so press Alt + F12 to open the template manager and choose the 0x34 template.

PS: one small detail. The cursor must be on the first character of the first byte, that is, on the 5 of 56. Otherwise the template will parse the data incorrectly.
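The signature search and type lookup described above can also be scripted against a disk image opened read-only. This is an added example, not part of the original post or of WinHex; it assumes the database sits in the last 1 MiB of the disk and that the VBLK serial number is a big-endian 32-bit value at offset 0x04 with the type byte at offset 0x13, and the sample buffer is constructed.

```python
import struct

# VBLK type byte -> meaning, as listed in the article
VBLK_TYPES = {0x32: "component", 0x33: "partition", 0x34: "disk",
              0x35: "disk group", 0x51: "volume"}
SIGNATURES = (b"PRIVHEAD", b"TOCBLOCK", b"VMDB", b"VBLK")

def find_all(buf, needle):
    """Yield every offset at which needle occurs in buf."""
    pos = buf.find(needle)
    while pos != -1:
        yield pos
        pos = buf.find(needle, pos + 1)

def scan_ldm(buf, base=0):
    """Return (signature hits, VBLK records) for a buffer that starts at base."""
    hits = {s.decode(): [base + p for p in find_all(buf, s)] for s in SIGNATURES}
    records = []
    for pos in find_all(buf, b"VBLK"):
        if pos + 0x14 > len(buf):
            continue  # record header is cut off by the end of the buffer
        seq = struct.unpack_from(">I", buf, pos + 0x04)[0]  # assumed offset
        vtype = buf[pos + 0x13]                             # assumed offset
        records.append((base + pos, seq, VBLK_TYPES.get(vtype, hex(vtype))))
    return hits, records

def scan_image_tail(path, tail=1024 * 1024):
    """Scan the last `tail` bytes of an image file; the file is never written."""
    with open(path, "rb") as f:
        f.seek(0, 2)
        start = max(0, f.tell() - tail)
        f.seek(start)
        return scan_ldm(f.read(), base=start)

def make_sample():
    """Constructed 1 KiB buffer: TOCBLOCK, VMDB and two VBLKs (serial 4 and 5)."""
    buf = bytearray(1024)
    buf[0:8] = b"TOCBLOCK"
    buf[512:516] = b"VMDB"
    for i, (seq, vtype) in enumerate([(4, 0x34), (5, 0x35)]):
        off = 768 + 128 * i
        buf[off:off + 4] = b"VBLK"
        struct.pack_into(">I", buf, off + 4, seq)
        buf[off + 0x13] = vtype
    return bytes(buf)

if __name__ == "__main__":
    print(b"TOCBLOCK".hex(), b"VBLK".hex())  # the hex strings to search for
    print(scan_ldm(make_sample()))
```

Run it on a copy of the image rather than the live disk, and widen `tail` if no signature is found.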




It looks like this:


Then I recorded all 17 VBLK records in Excel, including 3 disk-type records, as shown in the figure below. Every value was copied from the template.




Next come the volume records, which use the volume template, 0x51. This is what one looks like when opened with the template.


I recorded three volumes in total. The volume records are very important: one of them is our drive E. I found it, and its size is 91.0341.


A special note on the record above: the length is in hexadecimal. Open Calculator, click View, select Programmer, select hexadecimal, paste the value in and convert it to decimal, which gives 190912512. This is the number of sectors, and a sector is 512 bytes. So 190912512 * 512 / 1024 / 1024 / 1024 gives a size of 91.0341 GB, which is exactly the size of my old drive E. So this method looked promising.




Next are the type 0x33 partition records, which are very important. We use this information to define the partitions.


I found seven partition records in total. This count also appears in the LDM data at the beginning. A word about the start position: 7c1 is 1985 in decimal. However, from earlier experience looking at other disk repairs, we knew that the 55AA sector is at 2048, a difference of exactly 63. So I tried both 1985 and 2048 and found that 2048 is the value that splices the data together accurately. I do not really understand the principle here; it is an experimental result. At the time I compared the end of partition 2 with the beginning of partition 3. As long as 63 was added to the start position of partition 3, the data was continuous and regular; without the 63 it did not line up.


With this information, plus everything we had at the beginning, we can work out the layout. Our drive E should be:



We get the same order from the volume offsets. If you do not know the order, sorting the volume offsets from small to large gives the same conclusion.


I should add that at the beginning the operations engineer insisted that it was 25 GB + 1 GB, which misled us and sent us on a detour in the first attempt, until I made this table. He then even found a screenshot in an Alibaba Cloud work order, which confirmed this conclusion. That is the picture below. PA.
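The ordering by volume offset, the +63 start correction and the size check against the volume record can be combined into one consistency check before any region is typed into a recovery tool. This is an added example, not from the original post; the piece records are constructed, and only the 0x7c1 start, the 24/1/15 GB sizes, the +63 shift and the 190912512-sector volume length come from the article.

```python
from dataclasses import dataclass

SECTOR = 512
START_SHIFT = 63  # empirical offset from this article; not a general LDM rule

@dataclass(frozen=True)
class Piece:
    disk: int        # physical disk number
    ldm_start: int   # start sector as recorded in the 0x33 partition record
    vol_offset: int  # where this piece begins inside the volume (sectors)
    size: int        # length in sectors

def gib(sectors):
    return sectors * SECTOR / 1024 ** 3

def build_map(pieces, volume_sectors):
    """Sort pieces by volume offset and check they tile the volume exactly."""
    ordered = sorted(pieces, key=lambda p: p.vol_offset)
    cursor = 0
    for p in ordered:
        if p.vol_offset != cursor:
            raise ValueError(f"gap or overlap at volume sector {cursor}")
        cursor += p.size
    if cursor != volume_sectors:
        raise ValueError(f"pieces cover {gib(cursor):.4f} GiB, "
                         f"volume record says {gib(volume_sectors):.4f} GiB")
    return ordered

def regions(ordered):
    """(disk, first sector, sector count) rows to enter as recovery regions."""
    return [(p.disk, p.ldm_start + START_SHIFT, p.size) for p in ordered]

def locate(ordered, vsector):
    """Map a volume-relative sector to (disk, absolute sector on that disk)."""
    for p in ordered:
        if p.vol_offset <= vsector < p.vol_offset + p.size:
            return p.disk, p.ldm_start + START_SHIFT + vsector - p.vol_offset
    raise IndexError("sector is outside the volume")

G = 1024 ** 3 // SECTOR   # sectors per GiB
E_SECTORS = 190912512     # volume length from the article
# Constructed records: the disk-3 start sectors are made up, and the disk-2
# size is simply E_SECTORS minus the 24 + 1 + 15 GB pieces.
PIECES = [
    Piece(3, 160000000, 157358080, 1 * G),
    Piece(2, 0x7C1, 0, 107026432),
    Piece(3, 170000000, 159455232, 15 * G),
    Piece(3, 100000000, 107026432, 24 * G),
]

if __name__ == "__main__":
    for row in regions(build_map(PIECES, E_SECTORS)):
        print(row)
```

A remembered size that is off by 1 GB, such as 25 GB instead of 24 GB, makes `build_map` raise instead of silently producing a misaligned volume.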



3.2 Recovering the data with R-Studio

Next, with the start position and length of each partition, configuring R-Studio is easy.

Select disk 2 and choose Create Region.


Enter the start position and the size in turn, choosing sectors as the unit for each. The start position equals the value found in the LDM database + 63. This comes from experiment and the principle is not clear to me, as discussed earlier.



Repeat the steps above, then select disk 3 and create its regions: three regions of 24 GB, 1 GB and 15 GB.


Then create the virtual volume set.


Then, on the right side, add region 0 and region 1 that you just created, making sure the order is correct.




Then go back to the left. There should now be a volume directly under virtual volume set 1. Double-click it, and after a short load you can see our directory.



The directory tree is there.



Open a DB file and have a look.


Scroll to the end: the data is all there. It all felt like a dream. I got my data back through my own ability.



Then I simply opened a TXT file and found that the lines were not misaligned, which shows that the partitions were spliced correctly. Before that we had tried R-Studio many times, and every time we opened this conf file it contained pieces of log output. The reason is that we had been misled by the whole-number 25 GB figure: the file system records that the file is at the 15W (150,000) position of the disk offset, but what we actually found there was the content of a log file. As long as the start and size of each partition are restored accurately, the data can be reassembled. This is why you must not perform write operations: writes damage data at its original location, so the recovered data will differ from the original. And do not rebuild the partition table, because the original LDM database may be overwritten, making it impossible to recover the sector locations of each partition.




4、 Thank you

Finally, I would like to thank the colleagues who stayed with me over these two days. They worked overtime with me until 12 o'clock, helped me analyze possible causes, found articles for me, listened to my endless questions and worked through the principles with me. At the start, reference 2 read like a book from heaven; today we operate WinHex with skill.


I also want to thank the DiskGen technician. I contacted him after seeing the advertisement in the tool. At the beginning his terms were that he would recover the data first and I would pay only after success, whereas others wanted payment before doing any work. When the first attempt failed, I kept going back to him. Later I paid a deposit of 1000, and he worked on it for me for a whole afternoon and continued the next morning. Although it was still unsuccessful, he kept his promise and gave me back 700 yuan. He also made the disk image, which I downloaded, ready to move on to the last resort of fragment analysis.


I would also like to thank references 1 and 2 for their great help. In particular, the VBLK template provided in reference 1 really cannot be found anywhere else on the web. Otherwise it exists only in a forum that can be entered only after paying for registration.


The main purpose of this article is to show that data recovery is not mysterious and that you can succeed by studying the principles carefully, and to give a little help to those who come after.


Finally, please don't ask me to recover your data. I'm not sure I can.


5、 The routine

Over the weekend at home I thought of some additional information about the routines in this business. When the data could not be recovered, we also approached a third-party data recovery company. Afterwards I felt they had clearly been playing me, exploiting our anxiety and our ignorance about data recovery.

1. You find a data recovery company with "a certain army" in its name. On the phone, without knowing even the basic facts, the company answers that the data can definitely be recovered: you should trust the strength of our army.

2. Pay first, then remote access, with a refund if recovery fails. This step costs only a small amount, 2000-3000 yuan, and payment through Taobao is supported. Pay, then the remote session.

3. After connecting remotely, he copied two programs onto the server. Unlike the earlier DiskGen technician, he made no effort to understand the structure of the disk or the history of our previous operations. After one scan, a phone call came.

4. "This is hard to recover. You installed R-Studio and destroyed the disk data." I replied that we had not installed it on the disk with the missing partition. We installed it on drive C, so it has no effect. The other side said: "I won't argue about this with you, OK? Anyway, you have only one way now: take a disk image and recover it offline. You can ask around the market about prices and come back to me for a quotation. The strength of our army is here. The earlier 3000 will be refunded now. Apply for a refund and I will refund it in seconds."

5. Then the 3000 yuan is refunded. The new trap is 9500-10000 yuan.


Why do I call it a routine? Even though I had never done disk recovery, I had read some articles about it. First, the claim that my writes to other disks affected the recovery of the lost partitions violates common sense. Second, how can a technician who really wants to recover data show no interest in the state of the customer's disk and the record of operations, and how can data be recovered without this information? Third, during the remote session he only copied two programs and ran a scan. I could understand the scan results; he simply did not do anything. There was no technical content at all.

Even if you cannot carry out a whole series of technical operations, you should not fool customers when you do not know how to use the technology in front of you.



First published here; please keep the link when reprinting.




Detailed explanation of LDM (important: everything depends on the VBLK template provided in that article, which cannot be downloaded anywhere else on the web)



Recovery example of dynamic disk expansion volume loss