RAID5 TrueCrypted Partition

joeshook

I have a RAID 5 made up of (5) 1TB drives. I got a Blue Screen after doing a Windows update and all the drives showed as failed. There must have been an error with the controller; there is no way all 5 drives failed simultaneously. I changed the drives to "non-member" disks and recreated the array the same way it was before. I then ran TestDisk to recreate the partitions. This worked fine, no data loss.

However, since then I have TrueCrypted the entire partition. The same issue happened to me again with all the drives showing failed. I figured I could just do the same procedure. I was wrong. TestDisk does find a system partition but not the TrueCrypted partition.
TestCrypt (automatic settings) does not find any TrueCrypt volumes. I find it strange that TestCrypt only runs for about 20 minutes on such a large drive.

I am currently running GetDataBack to see what it tells me. Any ideas/help would be GREATLY appreciated.
 
Just as a reminder, this is a German forum.

Which RAID controller do you use, or is it a software RAID?
 
Did you use pre-boot authentication with an encrypted operating system and a password entered before starting Windows? A screenshot of the system partition found in TestDisk could help to find the parameters needed for TestCrypt.
 
Biggunkief: I do not know German. I will use a translator if you like, but it does not usually work very well.

Simpson474, thank you for getting back to me so quickly. I am using an ASRock motherboard with an Intel Z68 chipset and RAID on motherboard (Intel RST). Yes, I was using pre-boot authentication on the system drive (not RAID) and I would automount the RAID array. Here is the TestDisk config:

TestDisk 6.14-WIP, Data Recovery Utility, May 2012
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sdb - 4000 GB / 3726 GiB - CHS 486404 255 63
Current partition structure:
Partition Start End Size in sectors

1 P MS Data 2048 206847 204800 [System Reserved]
No FAT, NTFS, ext2, JFS, Reiser, cramfs or XFS marker
2 P MS Data 468992 7813566463 7813097472
2 P MS Data 468992 7813566463 7813097472
3 P MS Data 7813566464 7814078463 512000


P=Primary D=Deleted
>[Quick Search] [ Backup ]
Try to locate partition


Again thank you for your help on this topic.
 
In this case only the non-RAID disk is encrypted with the special TrueCrypt header for pre-boot authentication. The TrueCrypt volume on the RAID should start after the 100 MB partition although I do not understand why the 100 MB partition is on the RAID and not on the system disk. Try to enter the following range in the custom analyzer of TestCrypt:
206800 - 226800
 
The 100MB Partition is from a previous install where the RAID disk was a system Drive at the time (not encrypted). So it went like this:

- RAID Array was System drive (GPT), non-encrypted
- I added a new system drive and made a new partition on the RAID array for Data (non-encrypted). I guess the 100MB GPT partition remained
- I Encrypted the new System Drive (pre boot Authentication)
- Then I Encrypted the RAID Array Data partition and set it up to Automount

I am running TestCrypt with the range you gave me. It says it will take 5 hours to run. I will let you know what happens. Let me know if you have any further ideas or questions.

Thank You!!!
Addendum:

I entered the options you advised. After running for 5 hours I got the message "No TrueCrypt headers could be found".

Any ideas?
Addendum:

These are the settings I used. After running for 5 hours I got "No Truecrypt Headers could be found"


Volume 1
================================================================================
Type: FixedMedia
Size: 4000809222144 Bytes
Bytes per Sector: 512
Geometry: 486404/255/63

Begin of Partition Analyzer
================================================================================

End of Partition Analyzer
================================================================================

Begin of Volume Analyzer
================================================================================
206800 Sectors

End of Volume Analyzer
================================================================================
226800 Sectors

Custom Analyzer
================================================================================

Scan Ranges (optimized)
================================================================================
0/0/1 (0 LBA) - 12/222/34 (206799 LBA)
486389/229/1 (7813853712 LBA) - 486404/3/63 (7814080511 LBA)
Addendum:

I just realized I ran the Analyse volume instead of the custom. This is what I ran; it still did not find any TrueCrypt volumes:

Volume 1
================================================================================
Type: FixedMedia
Size: 4000809222144 Bytes
Bytes per Sector: 512
Geometry: 486404/255/63

Begin of Partition Analyzer
================================================================================

End of Partition Analyzer
================================================================================

Begin of Volume Analyzer
================================================================================
None

End of Volume Analyzer
================================================================================
None

Custom Analyzer
================================================================================
12/222/35 (206800 LBA) - 14/30/1 (226800 LBA)

Scan Ranges (optimized)
================================================================================
12/222/35 (206800 LBA) - 14/30/1 (226800 LBA)
 

I ran TestDisk again and chose "Intel" as the partition type instead of GPT. It gave me a different structure, which makes sense. Now I remember I had 2 system partitions on the drive. One was a GPT left over from when it was a system drive. The second was when I created the partition for TrueCrypt and formatted it NTFS. I do not know how to convert these values to put into TestCrypt.

TestDisk 6.14-WIP, Data Recovery Utility, May 2012
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sdb - 4000 GB / 3726 GiB - CHS 486404 255 63
Partition Start End Size in sectors
>* HPFS - NTFS 0 32 33 12 223 19 204800 [System Reserved]
P FAT12 57692 38 42 118434 53 38 975821172
P FAT16 >32M 288085 43 31 438934 190 47 2423398463
L HPFS - NTFS 486372 4 33 486403 226 31 512000


Structure: Ok. Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
Enter: to continue
NTFS, blocksize=4096, 104 MB / 100 MiB
 
The Intel and GPT results are very similar and your last scan should already have been the correct one. Do you use a US keyboard or another keyboard layout? If you used the favorite volume feature of TrueCrypt to automount a volume, the password has to be entered using the US keyboard layout. You could also try to extend the scan range to the following range, which should again take at least some hours and scans about 250 MB after the system partition:
206800 - 706800
 
Welcome and good evening/morning, joeshook!

Maybe I'm able to assist in recovery at physical layer. Let's try another tack: (lasts only a few minutes)

When re-creating the RAID array, the first sector of the RAID volume containing the protective MBR gets cleaned.
So we have to rebuild this one. Before doing so, let's check the RAID volume geometry.
The following GPT information at sectors 1-32 should be unchanged unless you boot up the Windows system while the RAID members are presented as single drives by the controller to the OS - then Windows "adapts" the GPT header at sector 1 from the size of the RAID volume to the size of a single member. In case the resulting parity of the disk 1 to 4 data results in a valid MBR, the same wrong thing happens to the parity strip on the member 5 disk.
Thus maybe the GPT header also needs adjustment.

Sometimes the connection order gets changed (this doesn't matter as long as the RAID status is "normal" or "degraded", but it is essential at time of creation), so the volumes can now be in incorrect order, or the newly defined strip size does not match the previous one.
This may cause a disarrangement of the RAID volume data sector sequence, potentially resulting in a "not-found" condition of the TrueCrypt header.
Fortunately the MSR partition was created and formatted non-encrypted, and this will help us to determine correct member disk order and correct strip size.

To figure out your problem
- install HxD from > this download link <. Don't play around with the option settings to preserve the defaults.

- Start HxD under userid with admin rights or rightclick/run as administrator.
- Menu: Extras/Open disk/ Physical disks/Hard Disk x - where x means Disk# plus one shown at "Disk Management" panel for the RAID volume. Don't remove the checkbox sign for "Open as Readonly"!
- please tell the displayed maxLBA (menu line, right side of the "Sector:" input field, showing "of ...")

==== now we'll extract content of RAID volume sector 0-3
- Menu: Edit/Select Block/start offset: 0 ,end offset: 7FF ,OK
- Ctrl+C (puts the marked content to the clipboard)
- Menu: File / New (a tab "Untitled1" appears)
- Ctrl+V (puts the clipboard to file) Popup "filesize change" OK
- Menu: File /save as... / select a folder and name the file "MBRGPT.bin" /OK
- Menu: File / Close (Tab MBRGPT.bin disappears)

==== extract NTFS Header of MSR partition
- Menu: Edit/Select Block/start offset: 100000 ,end offset: 1001FF ,OK (to avoid mistyping use ctrl+c/ctrl+v to transfer values)
- Ctrl+C (puts the marked content to the clipboard)
- Menu: File / New (a tab "Untitled1" appears)
- Ctrl+V (puts the clipboard to file) Popup "filesize change" OK
- Menu: File /save as... / select a folder and name the file "MSRHdr.bin" /OK
- Menu: File / exit (terminates HxD)

Compress these two .bin files into a .zip and append it to your answer.
 
Thank you for keeping up with me on this issue Simpson and Ernst@at. Simpson: I am using a US Keyboard and the option is checked in TestCrypt. And I know the password is correct and even select to view it to make sure.

Ernst@at: I think you are on to something here. I did as you asked (files attached). Also, after rebuilding the array disk 5 keeps showing as errored so the RAID is currently degraded. At this point, I don't know if there is really a problem with the drive as the controller is really giving me problems. So I have not focused on the RAID Array and just figured I would try to get the data off and then deal with the drives, etc.

Please take a look and let me know what you find. I really appreciate your help!!!


I also forgot you asked about the sectors: It is Sector 0 of 7814080512
 

7814080512 *512= 4.000.809.222.144 bytes is the size of the newly created RAID5 volume. So the mirror of the GPT Header should be located at the last sector 7814080511.
Mirror of PE entries (32 sectors) should start at sector 7814080479.

A closer look at the sent excerpts shows
Code:
Analyzing: \\Pc10\shareddocs\joeshook RAID5\MBRGPT.txt

===== MBR INFORMATION ===== at LBA=0
000001FE 0000                Boot signature='0000'... INVALID !!!
.                            ... Partition Table entry 1 ...
000001C2 00                  Partition Type: unused partition entry
.                            ... Partition Table entry 2 ...
000001D2 00                  Partition Type: unused partition entry
.                            ... Partition Table entry 3 ...
000001E2 00                  Partition Type: unused partition entry
.                            ... Partition Table entry 4 ...
000001F2 00                  Partition Type: unused partition entry

===== GPT INFORMATION =====   (at LBA= 1) 512
. Header info
00000200 4546492050415254    Signature: 'EFI PART'
00000208 00000100            Version: 1.0
0000020C 5C000000            Hdrlength: 92
00000210 E01AB754            Header CRC32: crc verification not yet coded
00000214 00000000            (reserved)
00000218 0100000000000000    current LBA: 1
00000220 FF67C1D101000000    backup  LBA: 7814080511
00000228 2200000000000000    firstuse LBA: 34
00000230 DE67C1D101000000    lastuse  LBA: 7814080478
00000238 C798DDF20AE14FBC    . Disk
00000240 9B1C3D91FF919E00    .. GUID: F2DD98C7-E10A-BC4F-9B1C-3D91FF919E00
00000248 0200000000000000    PE start LBA: 2
00000250 80000000            Number of PEs: 128
00000254 80000000            Size of PE: 128
00000258 1A0272D3            PE CRC32: crc verification not yet coded
0000025C 00..                start of reserved area ..
000003FF     ..00            .. end of reserved area

===== PE INFORMATION =====   (start LBA= 2) 512
. Partition entry 1
00000400 A2A0D0EBE5B93344    . partition type
00000408 87C068B6B72699C7    .. GUID: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
00000410 F62DC6CA430D4D79    . unique partition
00000418 968E2CD1CAFF68E9    .. GUID: CAC62DF6-0D43-794D-968E-2CD1CAFF68E9
00000420 0008000000000000    Part first LBA: 2048
00000428 FF27030000000000    Part last  LBA: 206847    0.10GiB
00000430 0000000000000080    Attribute flags:
00000438 0000000000000000    . Partition Name:
00000440 0000000000000000    ..
00000448 0000000000000000    ...
00000450 0000000000000000    ....
00000458 0000000000000000    .....
00000460 0000000000000000    ......
00000468 0000000000000000    .......
00000470 0000000000000000    ........
00000478 0000000000000000    .........'....................................'
. Partition entry 2
00000480 A2A0D0EBE5B93344    . partition type
00000488 87C068B6B72699C7    .. GUID: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
00000490 B40DFB0F769F4441    . unique partition
00000498 B76CE8CA86B3E31F    .. GUID: 0FFB0DB4-9F76-4144-B76C-E8CA86B3E31F
000004A0 0028070000000000    Part first LBA: 468992
000004A8 FF8FB9D101000000    Part last  LBA: 7813566463 3725.58GiB
000004B0 0000000000000000    Attribute flags:
000004B8 0000000000000000    . Partition Name:
000004C0 0000000000000000    ..
000004C8 0000000000000000    ...
000004D0 0000000000000000    ....
000004D8 0000000000000000    .....
000004E0 0000000000000000    ......
000004E8 0000000000000000    .......
000004F0 0000000000000000    ........
000004F8 0000000000000000    .........'....................................'
. Partition entry 3
00000500 A2A0D0EBE5B93344    . partition type
00000508 87C068B6B72699C7    .. GUID: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
00000510 5A96CF94A57F4C07    . unique partition
00000518 B271FA02F1B92CF0    .. GUID: 94CF965A-7FA5-074C-B271-FA02F1B92CF0
00000520 0090B9D101000000    Part first LBA: 7813566464
00000528 FF5FC1D101000000    Part last  LBA: 7814078463    0.24GiB
00000530 0000000000000080    Attribute flags:
00000538 0000000000000000    . Partition Name:
00000540 0000000000000000    ..
00000548 0000000000000000    ...
00000550 0000000000000000    ....
00000558 0000000000000000    .....
00000560 0000000000000000    ......
00000568 0000000000000000    .......
00000570 0000000000000000    ........
00000578 0000000000000000    .........'....................................'
. Partition entry 4-128  *** unused ***
Code:
Analyzing: \\Pc10\shareddocs\joeshook RAID5\MSRHDR.txt

===== NTFS INFORMATION ===== at LBA=2048
001001FE 55AA                Boot signature='55AA'... valid
00100000 EB5290              jump around... OK
00100003 4E54465320202020    NTFS ID... OK
0010000B 0002                Bytes per sector: 512
0010000D 08                  Sectors per cluster: 8 ==> Clustersize=4K
0010000E 0000                reserved sectors: 0
00100010 000000              always zero...OK
00100013 0000                not used...OK
00100015 F8                  <Media descriptor>
00100016 0000                always zero...OK
00100018 3F00                Sectors per track: 63
0010001A FF00                # heads: 255
0010001C 00080000            # hidden sectors: 2048
00100020 00000000            <not used by NTFS>
00100024 80008000            <not used by NTFS>
00100028 FF1F030000000000    Total Sectors: 204799
.                            ==> Size:    100MB 0.10GB
.                            ==> NTFS Mirror at sector: 206847 ==> Sector placement: OK
00100030 5521000000000000    Cluster# of $MFT: 8533
.                            ==> $MFT at sector: 70312
00100038 0200000000000000    Cluster# of $MFTmirr: 2
.                            ==> $MFTmirr at sector: 2064
00100040 F6000000            Clusters/File Record Segment: 246
00100044 01000000            Clusters/Index Block: 1
00100048 43A09112DA9112B6    Volume Serial #
00100050 00000000            checksum

The layout of this metadata seems to be valid, but with odd contents.
GPT Partitioning done by Windows tools shows other content of the GUID for the first 100MB MSR partition, yours is flagged as simple data partition.
The usual partition naming of "Microsoft Reserved Partition" for the first and "Basic Data Partition" for all other entries is omitted.
Between the first and second partition entries we can find an unused gap of 128MiB, the result of an earlier defined and later on removed UEFI boot partition. So you searched at the wrong place for the TrueCrypt header; this starts at sector 468992.

NTFS Header of the first 100MB partition is intact and NTFS formatted, so we can check the correct member order and stripe size by inspecting the $MFT.

After
- inspecting the untouched old GPT Mirror (because protective MBR was removed at re-creation and therefore no GPT mount took place) at the end of the RAID volume
- verifying correct member order/stripe size
we can bring back full access to the RAID volume with a simple operation.

- Start HxD under userid with admin rights or rightclick/run as administrator.
- Menu: Extras/Open disk/ Physical disks/Hard Disk x - where x means Disk# plus one shown at "Disk Management" panel for the RAID volume. Don't remove the checkbox sign for "Open as Readonly"!

==== extract GPT/PE Mirror
- Menu: Edit/Select Block/start offset: 3A382CFBE00 ,end offset: 3A382CFFFFF , hex, OK (to avoid mistyping use ctrl+c/ctrl+v)
- Ctrl+C (puts the marked content to the clipboard)
- Menu: File / New (a tab "Untitled1" appears)
- Ctrl+V (puts the clipboard to file) Popup "filesize change" OK
- Menu: File /save as... / select a folder and name the file "GPTMIRR.bin" /OK
- Menu: File / Close (Tab GPTMIRR.bin disappears)

==== extract NTFS Header of MSR partition
- Menu: Edit/Select Block/start offset: 2255000 ,end offset: 2394FFF , hex, OK (to avoid mistyping use ctrl+c/ctrl+v)
- Ctrl+C (puts the marked content to the clipboard)
- Menu: File / New (a tab "Untitled2" appears)
- Ctrl+V (puts the clipboard to file) Popup "filesize change" OK
- Menu: File /save as... / select a folder and name the file "MSRMFT.bin" /OK
- Menu: File / exit (terminates HxD)

Compress these two .bin files into a .zip and append it to your answer.

If your RAID controller is supported, > HD Sentinel < can show the health status of each member disk. Install it and produce a report (Menu: Report/create HTML report) and append it to the answer.

What type of RAID controller is used? Intel or AMD onboard or a slot card?
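
Added example, not part of the original posts: the arithmetic in the analysis above (backup header on the last sector, PE mirror 32 sectors before it, the 128 MiB hole in front of sector 468992) done in Python on a dump that starts at LBA 0. The names `analyze` and `build_sample` are assumptions of this example, and the sample bytes are constructed from the LBAs quoted in the dump, with placeholder GUIDs and a recomputed CRC.

```python
import struct
import uuid
import zlib

SECTOR = 512
HDR_FMT = "<8sIIIIQQQQ16sQIII"   # the 92-byte GPT header, little-endian
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # type GUID in the dump


def header_crc(hdr92):
    """CRC32 of the header with its own CRC field (bytes 16-19) zeroed."""
    return zlib.crc32(hdr92[:16] + bytes(4) + hdr92[20:]) & 0xFFFFFFFF


def analyze(dump, total_sectors):
    """Parse a dump that starts at LBA 0 and derive where the mirror must be."""
    hdr = dump[SECTOR:SECTOR + 92]
    (sig, _rev, hdr_len, crc, _rsv, _cur, backup, _first, _last, _guid,
     pe_lba, pe_count, pe_size, _pe_crc) = struct.unpack(HDR_FMT, hdr)
    if sig != b"EFI PART" or hdr_len != 92:
        raise ValueError("no GPT header at LBA 1")
    parts = []
    for i in range(pe_count):
        off = pe_lba * SECTOR + i * pe_size
        entry = dump[off:off + pe_size]
        if len(entry) < pe_size:
            break                      # dump ends before the table does
        if entry[:16] != bytes(16):    # all-zero type GUID = unused entry
            parts.append(struct.unpack_from("<QQ", entry, 32))
    parts.sort()
    # Unallocated runs between neighbouring partitions: (first LBA, sectors)
    gaps = [(a_last + 1, b_first - a_last - 1)
            for (_, a_last), (b_first, _) in zip(parts, parts[1:])
            if b_first > a_last + 1]
    mirror_pe = total_sectors - 1 - pe_count * pe_size // SECTOR
    return {
        "crc_ok": header_crc(hdr) == crc,
        "protective_mbr": dump[510:512] == b"\x55\xaa" and dump[450] == 0xEE,
        "backup_at_last_sector": backup == total_sectors - 1,
        "partitions": parts,
        "gaps": gaps,
        "mirror_pe_lba": mirror_pe,
        "mirror_bytes": (mirror_pe * SECTOR, total_sectors * SECTOR - 1),
    }


def build_sample(total_sectors):
    """Constructed stand-in for MBRGPT.bin: sectors 0-3, LBAs as quoted above."""
    layout = [(2048, 206847), (468992, 7813566463), (7813566464, 7814078463)]
    table = b"".join(
        BASIC_DATA.bytes_le + uuid.UUID(int=n).bytes_le   # placeholder unique GUID
        + struct.pack("<QQQ", first, last, 0) + bytes(72)
        for n, (first, last) in enumerate(layout, 1)).ljust(128 * 128, b"\0")
    hdr = struct.pack(HDR_FMT, b"EFI PART", 0x10000, 92, 0, 0, 1,
                      total_sectors - 1, 34, total_sectors - 34, bytes(16),
                      2, 128, 128, zlib.crc32(table) & 0xFFFFFFFF)
    hdr = hdr[:16] + struct.pack("<I", header_crc(hdr)) + hdr[20:]
    mbr = bytes(SECTOR)                # wiped sector 0, as after re-creating the array
    return (mbr + hdr.ljust(SECTOR, b"\0") + table)[:4 * SECTOR]


if __name__ == "__main__":
    for key, value in analyze(build_sample(7814080512), 7814080512).items():
        print(f"{key}: {value}")
```

The `gaps` entry is the range a header scan should start from, and `crc_ok` turns false when a header field such as the backup LBA has been rewritten without a matching CRC update.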
 
Thank you for your analysis, it is EXTREMELY helpful.

The RAID controller is built into an ASRock Extreme 3 Gen 3 motherboard with an Intel Z68 chipset. I attached the files. Currently, the 5th drive is not even seen though it is plugged in and powered on. I do not want to reboot the machine/troubleshoot that if I don't have to right now as I don't know if this controller will fail the array again. At this point, it is very unstable so I am trying to leave it alone as much as possible.

Let me know what you find. Thank you so much for your help!!
 

Ok, here are the results:

- Stripsize is guaranteed same as before.
- if actual stripsize=64K or below then the volumes A,B,C,D,E are in correct order (even if one is offline)
- if actual stripsize=128K then only correct order for volumes A,D,E can be guaranteed, B and C couldn't be verified.

So, if your actual stripsize is 64K or below, we can go to the final step and reawaken the RAID.
 
It is 64K, I was very careful when creating/recreating to make sure to use the same size. What are the next steps?
 
It's simple - we only have to put a protective MBR on sector 0 of the RAID volume.
Please be patient, I need appx 30min to write the instructions.

Download and unzip the appended file MBRnew.bin.

- Start HxD under userid with admin rights or rightclick/run as administrator.
- Menu: Extras/Open disk/ Physical disks/Hard Disk x - where x means Disk# plus one shown at "Disk Management" panel for the RAID volume. This time remove the checkbox sign for "Open as Readonly"!

The content of sector 0 must be completely filled with 00 - otherwise you are on a wrong disk - CANCEL this task.

==== restore MBR
- Menu: File/Open... and select the MBRnew.bin File
- Ctrl+A (marks all)
- Ctrl+C (puts the marked content to the clipboard)
- Menu: File / Close (Tab MBRnew.bin disappears)
- Menu: Edit/Select Block/start offset: 0 ,end offset: 1FF , hex, OK
- Ctrl+V (puts the clipboard to file) if popup "filesize change" appears - CANCEL
- Menu: File /Save (writes the change to the RAID volume)
- Menu: File / Exit (terminates HxD)

Then, in Disk Management, select Menu: Action/rescan disks.
The partitions of the RAID volume will be shown.
(sometimes a restart is necessary, if this doesn't work)

Now the partition should be mountable by Truecrypt...
 

Simpson/Ernst@at,

It worked!! Actually, both tools/methods work. Now that I know the correct sector, TestCrypt was able to find/load the volume. In addition, rebuilding the MBR brought the partitions back and I was able to load it in TrueCrypt properly as well. You were correct about the deleted UEFI partition.

Great work gentlemen! Thank you so much for your help. It was invaluable for me to finally get this resolved!!

Now I have to figure out how to deal with this RAID. I have no faith in the controller anymore and not sure about Drive 5. But with your help I have 0 data loss. Very impressive!! Thank you again!!
 

The remaining 4 listed member drives in the HD Sentinel report are in excellent condition.
So, to bring the RAID back to full functionality, you only have to follow these instructions of the "Intel RST Guide" to replace one failing/missing member drive.

Such rare cases of error situations may occur, even a RAID5 doesn't protect against some types of malfunction. Therefore it's recommended to do periodic backups of the data and sync'ing daily changes to external drives/cases.
 
It worked!

Simpson and Ernst@at, your help was invaluable in resolving this. With the proper range, TestCrypt worked as well as rebuilding the MBR to get full access restored.

Thank you so much for your help!
 