I've got a 3 drive RAID 5 recovery with 2 partitions. Client seemed pretty sure it was RAID 5, but they also thought it was SATA instead of SAS that it actually is. Client said they were getting failure warnings on drive 2 and 3. The array was new and had only been in production a couple of weeks.

Anyway, he brought in the whole unit, an HP StorageWorks RAID. Only 3 drives in the RAID, in slots 1, 2, 3.
I was not able to get disk 2 to recognize in the computer, but drive 1 and 3 imaged fine.

I've been examining the hex and I don't see any obvious parity information. Drives 1 and 3 both have a normal looking MFT at sector 0, so there is no offset. I found the NTFS boot sector on drive 1 at sector 1024. The first record in the MFT was found at sector 1040 on drive 1. However, there were only 4 records.

Much further into the drive at hex offset 60080000 (not sector) there is the start of another MFT. This MFT does show FILE0 and $MFT just like the other, however this file table is far larger.

Drive 1 shows FILE0 records all alone from offset 60080000 to 60400000. These have a regular pattern of record numbers 00 00 through FF 00, then a break in sequence to 00 02 through FF 02, a break in sequence, then 00 04 through FF 04. It proceeds like that all the way to offset 60400000. In this same location, Drive 3 seems to show file names as though part of a file record, but there is no FILE0, just the windows and dos filenames "example1.jpg" and "EXAMPL~1.JPG" in the usual location.

At offset 60400000 the pattern changes slightly. Drive 1 continues its pattern: 00 1C to FF 1C, then 00 1E to FF 1E, etc. At this point though, drive 3 starts showing file records in this same pattern; 00 1D to FF 1D, break, then 00 1F to FF 1F. This pattern continues back and forth between drives 1 and 3 starting at offset 60400000 through 60680000 when I stopped looking. File records 00 1C through FF 30 all accounted for between just the 2 drives. At no point in this fairly large swath of information did I see what appeared to be parity data.

From this there are a few things I am sure of.
The offset is 0.
Disk1 is the first disk.
It is NTFS.
The stripe size seems to be 256 K.

Everything else, including what kind of RAID it is, and if it is a RAID 5, what order the stripes go in and how it could be so messed up is up in the air.

FYI: I have tried setting up a virtual RAID 0 in R-studio. I was actually able to read some large (over 1 MB) photos perfectly, but many other pictures I tried did not open up properly.

Any ideas would be helpful. Thanks!
Steve

Check partition size in Boot , find next boot (or its copy at the end) , summarize and you will know total size of array. AFter that you will understand what type of array it was.

Also, XOR blocks always easy to recogize if you have expirience with them.

_________________
Angel Data Recovery

There were a couple errors in the log when R-studio was listing the contents of partition 1 but partition 2 showed up fine. There were far fewer files in partition 2. Just backup files that I wouldn't be able to open. It's possible the whole file table fit on one drive for partition 2. I was able to copy 60 gb of files off partition 2 without errors. I don't have the ability to check those backup files to see their integrity. Might be meaningless.

I'm away right now but will be back by the drives in a couple hours. I can tell you that there were 2 partitions evenly split. The customer said it showed as a 2 tb drive and I remember r-studio showing that both of the working 2 tb drives each showed 2 500 gb partitions.

I think that it might have just been set up as RAID 0 and drive 2 was never actually used because I looked at several MB of the file table and there was a pretty regular pattern of every record with an even number it the last digit of the file record was on drive 1 and the odd ones were all on drive 3. I thibk it must be RAID 0 because of this.

I'll check into your suggestions in a couple hours.

Thanks for your help.

r-Studio cannot easily recover this RAID...

It looks like WinHex is the way to go. I just need to upgrade to the specialist license, not the whole Forensics, right?

specialist license is enough

Also, here is the sector 0 and sector 1024 info if someone cares to take a look. Raw binaries are saved with .txt extension...

Please?

Thanks for the reply cleanroom, ordering it now.

Looks like it might be an HP RAID 5 possessing 512 sector size with a delay of 16. 1-2-3 Rotation.

Data coming off under these settings looks good so far... About double the data of the R-studio attempt. Also, all of it is readable so far. I'll confirm these settings shortly in case anyone was looking for "standard" settings for an HP Smart Array P212 controller card.

Thanks for your help all. Fingers still crossed...

It should be correct configuration for your array

_________________
Angel Data Recovery

Those settings were indeed correct. All data was recovered. Thanks very much to hddguy and DR-Kiev and cleanroom for helping me out.

I learned something new today!