Hi everyone, company recently got ransomware'd and they sought out the NAS backups specifically before doing the actual ransomware.

I have been tasked with data recovery. I am pretty sure things are looking GOOD from what I see, nothing is wrong with the drives, however rebuilding the RAID with UFS Explorer and R-Studio is giving me problems (described below). Some other details: NAS was originally RAID5, but was formatted to RAID0. Does this make adifference in the recovery? I am just moving forward with the recovery and the RAID5 settings (64kb stripe).

UFS Explorer: I have tried building the RAID in multiple ways:
1. Build RAID with only the detected "data" partition (3.64TB). I select 64kb stripe, and the rest default settings for RAID5 in UFS Explorer. Pressing "Scan for Lost data" does indeed find a barely there XFS directory structure, ROOT-Folder$00000001-Folder$00000000[a,b]-File listing of only OLD partial backups. With the 64kb stripe size, and the RAID built with the data partitions only (I drag the partitions at sector offset 50008064) into the RAID, but going through in the provided hexviewer utility, I can see all of the backups I need. Unfortunately, because of thewhole RAID thing, a 150gb backup is intact up until it gets thrown somewhere else on a different hard drive, right in the middle of the backup, and starts what I believe to be filesystem based fragmentation.
2. Build RAID with the entire drives, rather than just dragging the storage partition. I get the same results as above, but the found files in the XFS directory structure do not display properly. The sector offset for the RAID for this is 0.

R-Studio:
1. I have tried building the RAID with just the storage partitions, and also the entire drives, and R-Studio doesn't seem to make any distinction between the two. The fast partition search in R-Studio is indeed very fast, and finds a nicely formatted XFS structure from when I look on the block list diagram of the scan (lots of XFS Superblocks, directory strucutres, etc.), but when I explore the newly found filesystem (R-Studio places the partition at sector offset ~23gb or so), I only have "Extra found files" in the XFS listing. Lots of these files are not well formatted, so I believe offsets are incorrect (whole drive versus just the data partition. One thing to note: there is a basic .txt file in the XFS directory structure that is NOT being previewed correctly by R-Studio, so I most definitely must have the offsets wrong.

Pretty much, I can see all of my nice, nice backup data, I just can't for the life of me get these tools to render the XFS filesystem properly! Please, any help would be appreciated. I am currently about to try doing an "Advanced RAID5 Layout" with R-Studio, and change up the block order and all of this nonsense that probably isn't necessary and won't work -- I've just ran out of ideas!

So I checked, and UFS Explorer actually has a different RAID5 grid layout. I had to make a custom RAID layout for R-Studio which I am trying now. Fingers crossed.

Just for anyone landing here from Google (obviously this stuff is not 100% accurate or I wouldnt be posting here):

UFS Explorer settings: RAID5, 64kb stripe size, everything else default for RAID5, the files will parse correcly if I create the RAID with only the data partitions from each drive
R-Studio settings: Custom RAID layout, 64kb stripe size, files are obviously not working because of offset issues, I have tried creating the RAID with both the entire RAID drives, or just the storage partitions (R-Studio seems to still use the entire disk, rather than like UFS Explorer having offset sector 0 be the storage partition start versus the start of th edisk)

RAID5 custom layout (taken from UFS Explorer):

A B C D
1/ 1 5 9 PD
2/ 2 6 PD 10
3/ 3 PD 7 11
4/ PD 4 8 12

would you give remote access to look?

Sure!

Telegram: @DUK3NUKEM
E-mail: pwnbugs@gmail.com

Name is Mike! Thanks so much man!!

Dude im a dumbass. I misspelled my Telegram username

@DUK3NUK3M

All of the "e" letters are a "3".