
VHD chain broken in XenServer

June 27th, 2021, 15:27

Hello gurus,

I'm having a rather tricky problem here...

We have two Windows VMs in a XenServer hypervisor. Those VMs' disks are VHDs stored on an underlying NFS share (hosted on a NetApp cluster).
Each VM contains 3 virtual drives:
- System (no problem)
- Data1 (problem, see below) 2TB
- Data2 (no problem) 2TB
Data1 and Data2 are using a Microsoft "Dynamic" drive ("SDS") to form a virtual disk of 4TB.

Those two VMs were only one VM installed ~4 years ago (with thin provisioning enabled) and then link-cloned shortly after to have 2 VMs.
For each disk, there is a VHD tree:

--- Child
--- --- Few more children
--- --- --- Disk of VM 1
--- Child
--- --- Few more children
--- --- --- Disk of VM 2

Due to a full filesystem on the underlying storage, we tried to remove orphan VHD files, and the parent VHD of the "data1" chain got identified as orphan by mistake and deleted.
It was only discovered a few hours later, so it was too late to recover data from the storage. (written over)

One of the two VMs was restored from backups successfully, but the other one is missing this specific disk in our backup system :(
For information, our backup system is based on byte-exact snapshots of VMs disks, so we have the exact disks for one VM.

Since all bytes written on disk since 2018 would be in child VHD files, we think all useful data is still here somewhere on the other VM...
(I also forgot to tell that, due to thin provisioning, all VHD files are sparse files, so harder to work with!)

We already tried to:
- Create an empty VHD file and use it as parent => Missing partition table
- Create an empty VHD file and write the first GB from the VM restored from backup => Disk recognised but Windows says dynamic disk is not available
- Use some recovery tools on the specific disk => They all report that the found NTFS partition is bigger than disk (due to dynamic disk I think)

We haven't tried yet:
- Use the backup of the disk from the working VM as parent => Not enough space right now on the cluster, we are currently moving stuff away to be able to test
- Use a low-level file recovery tool on the disk => We keep that as a last resort because directory structure would not be recovered

Does anyone here have another idea to help us? Or maybe a tool that could help with Microsoft SDS partitions?
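
Added example, not part of the original post: in a differencing VHD, any block whose Block Allocation Table entry is 0xFFFFFFFF is read from the parent, and the dynamic header records the parent's unique ID. This Python sketch reads those fields from a child VHD and lists the byte ranges that depend on the parent; it assumes the files follow the standard VHD layout, and the sample image and its IDs are constructed.

```python
import struct, uuid

UNALLOCATED = 0xFFFFFFFF  # BAT entry meaning "block not stored in this file"

def read_vhd_layout(buf):
    """Parse footer copy, dynamic header and BAT of a dynamic/differencing VHD."""
    if buf[0:8] != b"conectix":
        raise ValueError("no footer copy at offset 0 (not a dynamic/differencing VHD)")
    header_off, = struct.unpack_from(">Q", buf, 16)   # offset of dynamic header
    disk_type, = struct.unpack_from(">I", buf, 60)    # 3 = dynamic, 4 = differencing
    hdr = buf[header_off:header_off + 1024]
    if hdr[0:8] != b"cxsparse":
        raise ValueError("dynamic disk header not found")
    bat_off, = struct.unpack_from(">Q", hdr, 16)
    entries, block_size = struct.unpack_from(">II", hdr, 28)
    return {"disk_type": disk_type,
            "own_id": uuid.UUID(bytes=bytes(buf[68:84])),     # this file's unique ID
            "parent_id": uuid.UUID(bytes=bytes(hdr[40:56])),  # ID the parent must carry
            "block_size": block_size,
            "bat": struct.unpack_from(">%dI" % entries, buf, bat_off)}

def parent_ranges(layout):
    """Merged byte ranges with no block in this file; reads there go to the parent."""
    ranges, bs = [], layout["block_size"]
    for i, entry in enumerate(layout["bat"]):
        if entry == UNALLOCATED:
            start = i * bs
            if ranges and ranges[-1][1] == start:
                ranges[-1] = (ranges[-1][0], start + bs)   # extend previous range
            else:
                ranges.append((start, start + bs))
    return ranges

def build_sample():
    """Constructed 16 MiB differencing VHD metadata (no data blocks), demo only."""
    footer, hdr = bytearray(512), bytearray(1024)
    footer[0:8] = b"conectix"
    struct.pack_into(">Q", footer, 16, 512)            # dynamic header follows footer copy
    struct.pack_into(">I", footer, 60, 4)              # disk type: differencing
    footer[68:84] = uuid.UUID(int=1).bytes             # constructed child ID
    hdr[0:8] = b"cxsparse"
    struct.pack_into(">Q", hdr, 16, 1536)              # BAT offset
    struct.pack_into(">II", hdr, 28, 8, 2 * 1024 * 1024)  # 8 entries, 2 MiB blocks
    hdr[40:56] = uuid.UUID(int=2).bytes                # constructed parent ID
    bat = [UNALLOCATED] * 8
    bat[2], bat[3], bat[5] = 5, 4106, 8207             # constructed sector offsets
    return bytes(footer + hdr) + struct.pack(">8I", *bat)
```

Allocated blocks also carry a per-sector bitmap, so the ranges returned are the minimum that depends on the parent. On a real image, pass an `mmap` of the file opened read-only rather than reading a multi-terabyte sparse file into memory.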