All times are UTC - 5 hours [ DST ]




 Post subject: Deleted .vhdx for Exchange 2010 Mail Server
PostPosted: March 3rd, 2018, 21:53 

Joined: February 14th, 2013, 21:57
Posts: 11
Location: USA CA
I've inadvertently deleted the virtual machine files, including the virtual disk storage (.vhdx) file for our entire mailserver using Shift-Delete. Shift-Delete of course skips the Windows recycle bin.
I immediately attempted recovery with GetDataBack. However the .vhdx file shows up as 0 bytes.

I've also created an image of the drive using GetDataBack.

GetDataBack email support indicates the files within the .vhdx cannot be recovered from the host system:
Quote:
Data residing in a virtual machine can not be recovered this way, you would possibly be able to recover the container, a recovery of the data inside is only possible while being inside the virtualization. I am sorry I could not be of more assistance.

However for some reason using the "level 3" scan setting I am nevertheless able to pick up the NTFS filesystem that was inside the .vhdx file.

However this recovery will be very painful as the file attributes (system, hidden etc.) and file permissions do not appear to be preserved by GetDataBack.

I would much rather recover the .vhdx file if that is possible, so I'm seeking the advice of those wiser than me regarding recovery options for recovering the actual .vhdx file.

Please advise - thanks in advance.


 Post subject: Re: Deleted .vhdx for Exchange 2010 Mail Server
PostPosted: March 4th, 2018, 9:41

Joined: October 16th, 2013, 13:21
Posts: 717
Location: Brazil
- try with Recuva or R-studio
- Have you looked at Shadow Copies to see if there is one?


 Post subject: Re: Deleted .vhdx for Exchange 2010 Mail Server
PostPosted: March 4th, 2018, 14:35

Joined: February 14th, 2013, 21:57
Posts: 11
Location: USA CA
I checked - there are no Shadow Copies available.

File info from Recuva:

Code:
Filename: Exchange (North Pennsylvan).vhdx
Path: S:\?

Size: 288 GB (309,074,067,456)

State: Unrecoverable

Creation time: 7/3/2013 05:52

Last modification time: 3/3/2018 00:11

Last access time: 7/3/2013 05:52

Comment: File's data could not be found on the disk.


 Post subject: Re: Deleted .vhdx for Exchange 2010 Mail Server
PostPosted: March 4th, 2018, 14:43

Joined: October 16th, 2013, 13:21
Posts: 717
Location: Brazil
Possibly you restarted the machine, or it was already low on space and reused the space.
Do you have any backups? Maybe it is easier to go back to them than lose time hunting for a file that may not be recoverable anymore.


 Post subject: Re: Deleted .vhdx for Exchange 2010 Mail Server
PostPosted: March 4th, 2018, 15:13

Joined: February 14th, 2013, 21:57
Posts: 11
Location: USA CA
The host system has not been restarted. This drive is used exclusively to store virtual machine files.

The deletion occurred when I accidentally included the mail server VM folder while intending to delete just the other virtual machines which are no longer needed.

All VMs on the drive were shut down at the time of deletion.

The most recent backup I have is from June 2015.

I appear unable to recover the container .vhdx file but seem to have recovered the internal files.

So I am attempting to attach the recovered Exchange Mailbox database (.edb) to a copy of this 2015 backup.


 Post subject: Re: Deleted .vhdx for Exchange 2010 Mail Server
PostPosted: March 4th, 2018, 18:57

Joined: October 16th, 2013, 13:21
Posts: 717
Location: Brazil
You made the clone of the whole drive with GdB, right ?

When trying the recovery, did you enable Deleted Files recovery ?

Also, have you looked to see if GdB didn't put your file in one of those [Folder$1234] entries?


 Post subject: Re: Deleted .vhdx for Exchange 2010 Mail Server
PostPosted: March 4th, 2018, 20:43

Joined: February 14th, 2013, 21:57
Posts: 11
Location: USA CA
rogfanther wrote:
You made the clone of the whole drive with GdB, right ?


Yep.

rogfanther wrote:
When trying the recovery, did you enable Deleted Files recovery ?


Yep - showing size 0.

rogfanther wrote:
Also, have you looked to see if GdB didn't put your file in one of those [Folder$1234] entries?


Yep - not there in any of the located file systems.

According to eseutil.exe which is Microsoft's tool to check the status of the Exchange Mailbox Database and transaction logs, the transaction logs are corrupt.

I am running repair on the database without the logs now, but at this point I have no confidence that it will succeed.

Latest from GetDataBack Support:

Quote:
The software will not recover the data showing up with 0.

We unfortunately do not offer any automated software solution for this incident.


 Post subject: Re: Deleted .vhdx for Exchange 2010 Mail Server
PostPosted: March 8th, 2018, 18:00

Joined: November 22nd, 2017, 21:47
Posts: 146
Location: France
Did you try R-Studio ? (Make sure you check the .vhdx file type in “Known File Types” options before you scan.)

You could manually scan the whole image (using WinHex or similar) with a constant and specific enough fragment from the .vhdx header, but if the lost file was fragmented it will be “virtually” impossible to recover it in its entirety – and it's unlikely for a 288GB file not to be fragmented, especially if it's a type of file that grows and shrinks while being used (I don't know if it's the case with these).

What's surprising here is that Recuva does give you a size, which is apparently correct (you'd have mentioned it otherwise, wouldn't you ?), but still doesn't let you extract the data, I haven't seen that yet.
But I just made a test with a recent version (1.53.1087), on a 100GB partition of my SSD: indeed I get the same result for some (large) files (MP4 video files downloaded on that partition which were transferred and deleted weeks ago), either in quick scan mode or in deep scan mode: the names, sizes and timestamps are all valid, but I get the same « File's data could not be found on the disk » comment; and there's no header whatsoever.
I don't know what it means. Normally, when MFT records are found by a data recovery software, even if the former data has been overwritten it's still possible to extract the corresponding clusters, although the resulting file will be garbage (either unreadable or readable but with a different content). And normally, with Recuva, if the file's actual data appears to have been overwritten, there's a comment saying that « This file is overwritten with "X:\Path_of_the_file\Name_of_the_file.ext" ».

I then scanned the same partition with R-Studio : surprisingly, it doesn't even display the names of those files which Recuva deems unrecoverable (I even tried the “Find/Mark” function to verify if they could be somewhere else in an “extra found folder”, to no avail).
Does anyone have a clue ? How could the free Recuva get at least those names and attributes, when the heavy-duty R-Studio couldn't find any remnant at all ?

{The following method won't work, I left it in as part of the thought process, it may contain hints to a possible working solution...}
You could run nfi.exe on the whole image :
Code:
nfi X: >Y:\Drive_X_nfi.txt

then open the report and search for the name of the file you're looking for, which might be in several places – but apparently in the MFT, and in nfi's report, a large file can be referred to either by its regular name, or by its short 8+3 name, I'm not sure how it works exactly.
Then, if no recovery software can detect the file, but if you're still lucky enough that all its fragments are intact, and if you manage to get a complete list of the clusters it formerly occupied, you may be able to use the painstaking method I detailed here. That's a long shot ! :)
=> I made the test : extracted the whole nfi report for the 100GB partition, opened it, searched for the names of several of the files which « could not be found », there's no trace of them... so you can probably forget about nfi, which only reports information about files currently allocated, and the aforementioned “rebuild” method – unless you have somehow saved any file which could contain the clusters location information before the deletion ! (In my case I had saved several reports because I knew those files had bad sectors. And I shouldn't have needed that tricky method if I had made sure that the whole MFT was extracted before attempting to recover those files.)
But there must be something left in the MFT, if Recuva gets the names and attributes...

I then scanned the MFT with WinHex for a part of the name of one of those files (in Unicode) : the name does appear, the timestamps appear, but I can't find the cluster location data (it must be coded somehow).
I then scanned the whole partition : it also appears in the $Logfile, and also in (what used to be) the parent folder. Nowhere else (and nothing is found if searching in ASCII).
I don't have a deep enough knowledge of the MFT / NTFS structure to analyze this further.

Oh, by the way : if this was stored on a SSD, with the Trim command enabled as it should be, you're almost certainly SOL, sorry...


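The header search suggested in the post above can be narrowed by checking structure as well as the signature. This is an added example, not code from the thread or from any tool named in it. It assumes the published VHDX layout (file type identifier `vhdxfile` at offset 0, headers at 64 KiB and 128 KiB, region tables at 192 KiB and 256 KiB); `find_vhdx_starts`, `cluster_size`, `min_hits` and the sample image are constructed for illustration.

```python
KIB = 1024
# Signatures in the first 1 MiB of a VHDX file, as (offset from file start, bytes):
# file type identifier, two headers, two region tables.
VHDX_LAYOUT = [(0, b"vhdxfile"), (64 * KIB, b"head"), (128 * KIB, b"head"),
               (192 * KIB, b"regi"), (256 * KIB, b"regi")]

def find_vhdx_starts(image, cluster_size=4096, min_hits=3):
    """Return (offset, hits) for cluster-aligned offsets that look like a VHDX start.

    hits counts how many of the five expected signatures sit at the right distance;
    fewer than five means the header region is fragmented or partly overwritten.
    """
    found = []
    for off in range(0, len(image) - 7, cluster_size):
        if image[off:off + 8] != b"vhdxfile":
            continue
        hits = sum(image[off + rel:off + rel + len(sig)] == sig
                   for rel, sig in VHDX_LAYOUT)
        if hits >= min_hits:
            found.append((off, hits))
    return found

def build_sample_image():
    """Constructed 512 KiB image: one complete VHDX start and one stray string."""
    img = bytearray(512 * KIB)
    for rel, sig in VHDX_LAYOUT:                 # complete header region at 64 KiB
        img[64 * KIB + rel:64 * KIB + rel + len(sig)] = sig
    img[8 * KIB:8 * KIB + 8] = b"vhdxfile"       # decoy: signature with nothing behind it
    return bytes(img)

IMAGE = build_sample_image()
print(find_vhdx_starts(IMAGE))               # strict: structure must be present
print(find_vhdx_starts(IMAGE, min_hits=1))   # loose: every signature hit
```

For a real image, open it read-only and pass an `mmap.mmap` object in place of the bytes. A hit only locates where the file began; it says nothing about where later fragments are.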
 
 Post subject: Re: Deleted .vhdx for Exchange 2010 Mail Server
PostPosted: March 9th, 2018, 4:18 

Joined: February 14th, 2013, 21:57
Posts: 11
Location: USA CA
Quote:
Did you try R-Studio ?


I had to set aside the idea of recovering the mail server for a while. Most mail servers will try to deliver mail for up to 48 hours before bouncing it back to sender. I didn't want to lose incoming emails, so I started up the June 2015 backup I had.

What was great is that it turns out most of Exchange Server's settings are stored in the Active Directory, so I did not have to recreate user mailboxes etc.

I also made backups of all the users' emails in Outlook on their systems - that represents a big chunk of the emails that I was able to rescue.

Now that I am up and running again I'm turning my focus back to recovery.

I'm running R-Undelete now. It sees the .vhdx file and size, so fingers crossed that whatever it copies is usable. If not I'll try R-Studio itself, though I'm not sure the result will be different.

Quote:
What's surprising here is that Recuva does give you a size, which is apparently correct (you'd have mentioned it otherwise, wouldn't you ?)

Yes correct - Recuva does show the right file size, but also indicates "File's data could not be found on the disk."

Quote:
If this was stored on a SSD, with the Trim command enabled as it should be, you're almost certainly SOL, sorry...


Oh yeah - this is why I forego the performance boost of SSD and still use HDDs. Actually this volume is on an old 3Ware 9650SE-16ML with the drives configured as RAID 1 arrays.

Thanks for the advice - I will let you guys know if R-Undelete succeeds.


 Post subject: Re: Deleted .vhdx for Exchange 2010 Mail Server
PostPosted: March 9th, 2018, 4:59

Joined: February 14th, 2013, 21:57
Posts: 11
Location: USA CA
rogfanther wrote:
try with Recuva or R-studio
abolibibelot wrote:
Did you try R-Studio ?
So far the .vhdx recovered with R-Undelete looks intact! I was able to attach it to a new Virtual Machine and boot it up.
Thanks so much for both your advice!


 Post subject: Re: Deleted .vhdx for Exchange 2010 Mail Server
PostPosted: March 9th, 2018, 9:05

Joined: November 22nd, 2017, 21:47
Posts: 146
Location: France
I made a search with the expression "file's data could not be found on the disk", I got some explanations :
https://forum.piriform.com/topic/36987- ... ecover-it/
Quote:
If it's more than 4 gb (or was, and I guess an image file could well be) then Windows erases the file cluster addresses on deletion. The data is still on disk but the entry in the MFT no longer points to it.

Quote:
I think that Recuva has, in the last release or two, changed the way large files are reported. Previously, deleted files over 4 gb in size would be reported as zero bytes, and unrecoverable. Now it appears that the file size is reported, but with the comment that 'File's data could not be found on the disk.'
Although NTFS zaps both the file size and the cluster run info in the $Data attribute in the MFT record, the original file size is still available in the $File_Name attribute (although not necessarily accurate). Perhaps this is where Recuva finds the info.
If the file is under 4gb but in many extents then it may have forced the $Data attribute to become non-resident, i.e. to be held in a second MFT record for the file. In this case NTFS will, on deletion, zap the cluster run info in the MFT extension record, so the file is unrecoverable. It appears that Recuva also reports these files as 'File's data could not be found on the disk.'

https://forum.piriform.com/topic/38062- ... -and-more/
Quote:
I have found, from experiment and from comments elsewhere, that NTFS manages deletion of files larger than 4 gb differently from those smaller than 4 gb. In the smaller files the entry in the MFT is (relatively) simply flagged as deleted, and the dataruns - the fields that hold the address and number of clusters for each extent - are untouched. This is how Recuva can find and recover the file data. In files larger than 4 gb the dataruns are overwritten by NTFS. Although the file size is still available, the addresses of the data are not, and Recuva will show the Data not Found on Disk message. In this case no recovery programme can recover data from information in the MFT.
This also happens in smaller files which are in many extents. If the list of extents is too long to fit into a single MFT record it is placed in a MFT extension record. These too are erased on file deletion, leaving the file data unrecoverable.


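The two record states described in the explanations quoted above, shown on constructed MFT records. This is an added example, not code from the thread or from Recuva. It assumes the standard NTFS FILE record and attribute layout and skips update-sequence fixups; the record builder, the file name `ex.vhdx` and the run list are made up, and only the file size comes from the thread.

```python
import struct

def decode_runs(buf):
    """Decode an NTFS run list into (start_lcn, cluster_count) extents."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:               # header byte 0x00 ends the list
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        end = pos + 1 + len_sz + off_sz
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        lcn += int.from_bytes(buf[pos + 1 + len_sz:end], "little", signed=True)
        runs.append((lcn, count))                    # offsets are signed and relative
        pos = end
    return runs

def summarize(rec):
    """Return what one MFT FILE record still says about size and location."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    pos, flags = struct.unpack_from("<HH", rec, 0x14)    # first attribute, flags
    out = {"in_use": bool(flags & 1), "fn_size": None, "data_size": None, "runs": []}
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:             # end marker or bad length
            break
        if atype == 0x30:                                # $FILE_NAME (resident)
            body = pos + struct.unpack_from("<H", rec, pos + 0x14)[0]
            out["fn_size"] = struct.unpack_from("<Q", rec, body + 0x30)[0]
        elif atype == 0x80 and rec[pos + 8]:             # non-resident $DATA
            out["data_size"] = struct.unpack_from("<Q", rec, pos + 0x30)[0]
            roff = struct.unpack_from("<H", rec, pos + 0x20)[0]
            out["runs"] = decode_runs(rec[pos + roff:pos + alen])
        pos += alen
    return out

def build_record(fn_size, data_size, runlist, in_use=False):
    """Constructed sample record with the standard NTFS layout (no fixups)."""
    name = "ex.vhdx".encode("utf-16-le")    # 7 chars keeps $FILE_NAME 8-byte aligned
    body = bytes(0x30) + struct.pack("<QIIBB", fn_size, 0, 0, len(name) // 2, 1) + name
    fn = struct.pack("<IIBBHHHIHBB", 0x30, 0x18 + len(body), 0, 0, 0, 0, 0,
                     len(body), 0x18, 0, 0) + body
    runs = runlist + bytes(-len(runlist) % 8 or 8)
    data = struct.pack("<IIBBHHHQQHHIQQQ", 0x80, 0x40 + len(runs), 1, 0, 0, 0, 1,
                       0, 0, 0x40, 0, 0, data_size, data_size, data_size) + runs
    head = b"FILE" + bytes(0x10) + struct.pack("<HH", 0x38, int(in_use)) + bytes(0x20)
    return (head + fn + data + b"\xff" * 4).ljust(1024, b"\x00")

SIZE = 309_074_067_456   # size Recuva reported in the thread
INTACT = summarize(build_record(SIZE, SIZE, bytes.fromhex("3140000010212000f000")))
ZAPPED = summarize(build_record(SIZE, 0, b""))
print(INTACT, ZAPPED, sep="\n")
```

In the second record the size survives only in `$FILE_NAME` and the extent list is empty, which matches a tool that can report the name and size but has no clusters to copy.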
 
 Post subject: Re: Deleted .vhdx for Exchange 2010 Mail Server
PostPosted: March 9th, 2018, 20:46 

Joined: February 14th, 2013, 21:57
Posts: 11
Location: USA CA
Nice - Wonder how r-studio was able to do it.

