Analyzing RAID parity
July 23, 2008
Last time I discussed how to find the RAID data offset for a SNAP OS 4.x RAID handler. To put it briefly, it was just a simple matter of finding Cylinder Group zero on the first drive in the array and backtracking 48 sectors. Once the RAID data offset is established we can plug those numbers into our RAID Diagnostic Toolkit and begin analyzing the parity.
The main objective of the parity check is to make sure that:
1. We do not have a stale drive in the array
2. We do not have a drive in the array that does not belong
3. All RAID data offsets are correct.
Let’s take each item from one to three and explore their impact. Item one basically means that there is a drive in the array that has not been functioning for a certain period of time. Normally an alarm goes off, an email may be sent, there is some sort of notification that a drive has dropped out of the array and now the RAID is running in a degraded state. When the technician who is administering the array does not get a warning, it is usually because there has been some type of hardware malfunction such that, although the drive is out of the array, the RAID BIOS does not sound the alarm. A second reason is that the alarm stops working. The little speaker on the RAID card that sends this terrible shrill through the server room is malfunctioning and nobody hears it. Another reason might be that the original RAID administrator may have shut off all alarm notification flags during configuration and never turned them back on. There are a lot of other reasons, but the fact of the matter is that a RAID administrator may have a RAID that has been degraded for a year and not even be aware of it.
Item two is rare; however, it happens often enough that you need to be concerned if you are trying to recover your RAID. This item is also not as common in the SNAP line of servers as it is in DELL. There are times when a RAID is configured as ‘X’ drives and one hot swap. The RAID admin, who is now working for the company you are trying to recover the data for, sends the RAID and tells you it has four drives when it is really three drives and one hot swap. He may not know the original configuration. He may not know how to get into the RAID BIOS to look to see how it was configured. There could be a hundred and one reasons as to why you get a hot swap drive sent to you along with the rest of the array. The point is, be aware that it can happen.
As a side note, DELL has configured many of their RAID models to have two mirrored drives for the OS, and 3 to X drives as a RAID 5. I have received all the drives from a client with them ‘swearing’ that all of these drives are in the array. Once I have analyzed the parity and looked at the drives through a hex editor, I come to the realization that I have two RAIDs on my hands, not one. Once again, be aware that the client may not know their exact configuration.
Finally item three. Sometimes, not often, actually this was the first time with a SNAP server, the RAID data offsets are staggered. In my next installment I will explain what happened with this particular job, and why it happened. Until next time.
Click here to Download the RAID Diagnostic Toolkit. Be sure to read the instructions on the page as well as follow the links to the instructions with screenshots. You may also visit our page: RAID Configuration and Parity Check for more information.
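The three checks listed above reduce to one operation on a single-parity (RAID 5) set: XOR the sectors that sit the same distance past each drive's RAID data offset, and a consistent row cancels to zero. The Python below is an added example, not code from the RAID Diagnostic Toolkit or from the original post; the in-memory arrays, the offset values (100 and 116 sectors) and every function name are constructed for illustration.

```python
import io
import random

SECTOR = 512
ZERO = bytes(SECTOR)

def xor_sectors(sectors):
    """XOR equal-sized sectors; a consistent RAID 5 row XORs to all zeros."""
    acc = 0
    for s in sectors:
        acc ^= int.from_bytes(s, "little")
    return acc.to_bytes(SECTOR, "little")

def parity_failure_rate(drives, offsets, rows=64):
    """Fraction of sampled rows whose sectors do not XOR to zero.

    drives are seekable image files, offsets the RAID data offset of each
    drive in sectors. Returns None when every sampled row was blank."""
    bad = checked = 0
    for n in range(rows):
        row = []
        for img, off in zip(drives, offsets):
            img.seek((off + n) * SECTOR)
            row.append(img.read(SECTOR))
        if any(len(s) < SECTOR for s in row):
            break                          # ran past the end of an image
        if all(s == ZERO for s in row):
            continue                       # blank rows prove nothing
        checked += 1
        bad += xor_sectors(row) != ZERO
    return bad / checked if checked else None

def find_non_members(drives, offsets, rows=64):
    """Drop each drive in turn; return the indexes whose removal gives clean parity."""
    hits = []
    for i in range(len(drives)):
        rest = [d for j, d in enumerate(drives) if j != i]
        offs = [o for j, o in enumerate(offsets) if j != i]
        if parity_failure_rate(rest, offs, rows) == 0:
            hits.append(i)
    return hits

def _rand(rng, n):
    return rng.getrandbits(8 * n).to_bytes(n, "little")

def build_array(offsets, rows=64, seed=1, stale_from=None):
    """Constructed RAID 5 images: junk up to each data offset, then parity rows.

    With stale_from set, the last member stops matching from that row on,
    which is what a drive that dropped out of the array looks like."""
    rng = random.Random(seed)
    cols = [bytearray(_rand(rng, off * SECTOR)) for off in offsets]
    n = len(offsets)
    for r in range(rows):
        stripe = [_rand(rng, SECTOR) for _ in range(n - 1)]
        stripe.insert(r % n, xor_sectors(stripe))   # rotating parity sector
        if stale_from is not None and r >= stale_from:
            stripe[-1] = _rand(rng, SECTOR)         # old contents left behind
        for col, sec in zip(cols, stripe):
            col += sec
    return [io.BytesIO(bytes(c)) for c in cols]

def demo():
    offs = [100, 100, 100]
    healthy = build_array(offs)
    staggered = build_array([100, 100, 116])        # one drive starts later
    spare = io.BytesIO(_rand(random.Random(9), (100 + 64) * SECTOR))
    return {
        "healthy": parity_failure_rate(healthy, offs),
        "staggered_wrong": parity_failure_rate(staggered, offs),
        "staggered_right": parity_failure_rate(staggered, [100, 100, 116]),
        "stale": parity_failure_rate(build_array(offs, stale_from=48), offs),
        "non_members": find_non_members(healthy + [spare], offs + [100]),
    }
```

In this constructed data a wrong offset or a drive that does not belong fails on every row, while the stale member fails only on the rows written after it dropped out.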
Finding SNAP OS 4.x RAID Data Offset
July 21, 2008
If you are in this business long enough you will see everything, or will you? Two weeks ago I received a SNAP RAID OS 4.x for recovery. I have done a lot of these and I am pretty familiar with the data offsets, how the drives are setup, and where to begin the virtual RAID for my software. Having said that, these are the steps I normally take, and the results from those steps.
First thing I do is to make images of all four drives. These were four identical Seagate Barracuda ST380011A hard drives, so I made sure I had at least 320GB of space on one of my partitions on my server and, using WinHex, dumped the images. Once I had done this I put the client’s original drives in their bin, hopefully not to use them again.
Next step is to use WinHex and eyeball the beginning of the RAID data. With SNAP OS this is a simple matter of looking for the first cylinder group on the first drive then subtracting forty eight sectors from that. The assumption is that the block size is 8192 bytes, or sixteen sectors. If we were to look sixteen sectors before the first cylinder group you would see the file system superblock. If we skip back another 16 sectors you see another super block. Finally, another sixteen sectors and there should be a null sector. Sometimes I see data in there but that is usually because the drive has somehow been corrupted.
So, once again, to find the beginning of the RAID data segment you find the first cylinder group and subtract forty eight sectors from that. The sector offset derived from that formula is the beginning of the RAID data segment of each drive. They will be the same on all four drives or at least I thought that until this particular recovery.
Next step will be to check the drive parity which, in this case, was unusual. This step will be in the next blog titled “Analyzing RAID parity”.
Slave A Laptop Hard Drive To USB
July 6, 2008
This article and video will show you how to use a USB enclosure to slave a laptop hard drive. Many times laptop - notebook hard disk drives come in here that we are able to recover with data recovery software. This video will help you use a USB enclosure to get data off of a failing laptop hard drive.
Hard Drive Recovery Video Series - How To Slave a Laptop Hard Drive
If you have a clicking hard disk drive chances are you need hard drive recovery and slaving your laptop will not help you get your files back. This method is for hard drives that are still recognized by the BIOS, they just don’t show you your data, or let you access it.
The software that you need to recover your data is dependent upon the Operating System that was on your laptop.
- For Windows XP or Microsoft Vista with NTFS File System use DART XP - this program will scan your laptop drive and show you the files that can be recovered before you actually buy the software. You can download the demo version for FREE without having to sign up for anything. DART XP Data Recovery Software. If the scan shows you the data you want, you can purchase it right through the software interface.
- For All other types of Windows or for external hard drives that are running NTFS, FAT, FAT 32 or FAT 16 you will need Recover It All. The Demo version also is FREE and will show you the data before you buy it. You can save the scan and purchase the software off of our website. Like all our products you don’t have to register it to get the demo and will receive the full version within seconds of purchasing it. Click here for the demo of Recover It All Data Recovery Software.
All of our data recovery software is guaranteed to work or you get your money back. Just like our data recovery services which are No Fix No Fee, we will show you your data before you buy!
DTI also has extended software support. Our software support people work right here in Florida. We don’t outsource anything ever! Our support phones are answered from 9 AM EST to 10 PM EST at 727-345-9665, if you are calling after normal business hours choose the software tech support option with your phone.
Remember if you need hard drive recovery DTI has the best support in the business, a class 100 clean room and a strict no data no charge policy on hard drive recovery. When it comes to laptop data recovery, DTI Data is second to none!
Samsung Spinpoint Being Mass Produced
June 21, 2008
Last week Samsung announced that it will be mass producing their high capacity laptop hard drives. Their Spinpoint series has either high capacity or high speed, whichever is more important to the individual consumer.
Some day soon they will have the best of both worlds by introducing a high capacity laptop hard drive that has the large capacity that most users require in their laptop hard drives as well as high speed for those of us into gaming and media.
DTI Data Recovery has been doing research and development on Samsung’s laptop hard drives in preparation for the data recovery and hard drive repair that will be required by these new hard disk drives.
If you happen to fall victim to a hard drive crash and have data that needs to be recovered, DTI has the skills and tools to perform hard drive recovery on even these new high capacity hard disks.
Spyware, Viruses, Malware (Part 2)
May 21, 2008
Spyware, Viruses, and Malware - What you may not know.
(Part 2 - How they work and how to locate them.)
Welcome back to my series of articles that pertain to Spyware, Malware, and Viruses and what you may not know about them. In my first article, I gave you an overview and some information on the history of these 3 nasty applications or bots that infect most computers at some time or another. There is a TON of information available on these subjects on the Internet, so if there is anything more specific that you are curious about or that you didn’t understand from this article you can usually go to http://www.google.com and you can reference it there. In this article, I am going to be discussing what Viruses and Spyware are, and how you locate them on your PC.
The first thing that you have to understand is how these malicious applications get onto your systems. Studies show that the number one way to catch a virus or to obtain Spyware on your system is through P2P (Peer to Peer) file sharing applications like Napster, Limewire, Bit Torrent, and any other program of that variety. You may think you are downloading a harmless MP3 file, or you may think you are getting the latest MPEG for free, but the fact is that over 40% of all files that are transferred through P2P programs are actually viruses or Spyware and key loggers that are camouflaged as the file you are looking for. Remember this ONE rule about the Internet, if you only remember ONE thing from this article, and that is there is NO SUCH THING as FREE on the P2P applications. No matter how perfect or scamless the situation may seem, if it is FREE and on the P2P programs then you can guarantee that there are strings attached. So try to stay as far away from P2P programs and applications as you can, because no matter how hard you try and no matter how much protection your system has, you are bound to override your protection to view a file that you shouldn’t because of infection, and you will sooner or later end up destroying your system.
I’m sure as you are reading this article you are thinking that you are probably secure, and that you have Antivirus and Antispyware software on your system, so none of this applies to you. But remember this, those programs are only good if you do updates to their data files at least once a day, and they can only stop what you tell them to stop. So if you try and access a website that you THINK is safe, and your Antivirus software tries to tell you it is not, and you bypass your antivirus software and access the site anyway, then you may have just let a Trojan or key logger onto your system and your Antivirus software can now do nothing about it. Understand that protection software is only as good as its owner. It also only takes ONE piece of Spyware or Malware to get onto your system to corrupt your Antivirus or Antispyware programs so that they cannot detect future attacks against your system. The first thing a virus or piece of spyware does is look for the services and applications that run your Antivirus software, and disable them, or even worse, cloak themselves so that your antivirus software thinks everything is running smoothly when in all reality, your system is being destroyed one piece at a time. A lot of viruses and Trojans will disguise themselves as system services and then they become nearly impossible, even for a trained professional, to remove from your PC without formatting the computer. There are so many different variations of spyware, Trojans, key loggers, malware, and backdoors that can attack your system, that you have to be on the lookout for strange occurrences at ALL times when surfing the Internet.
Your best bet for protection is to follow the steps in my next article and try to stick to the rule of Internet thumb, and that is if you don’t know the website or file you are downloading and cannot verify its integrity, then DON’T go to that site or download that file. It is a very simple rule, but end users seem to forget it a lot, I myself am included in that statement.
So check back later this week for my last installment of, “Spyware and Malware protection and removal and what you MAY not know!”, which will explain how to understand, locate, and eliminate spyware, malware, and viruses.
Until then, take care, and if you have any questions or comments about the articles please leave a comment or send an email to my address below.
Richard Correa, MCSA, MCPS, MCSE, MCNPS, MCDBA
Senior Network Engineer
Lead Web Programmer and Developer
DTI Data – DTI Networks
Office :: 727.345.9665 ext.206
rcorrea@dtidata.com
http://www.dtidata.com
http://www.dtinetworking.com
Spyware and Malware
April 29, 2008
Spyware and Malware protection and removal and what you MAY not know!
I have had the luxury of being in some sort of IT Industry in one way or another for the last 17 years of my life. I have worked in fields from standard PSTN Telecom, to basic PC building and repair, to Corporate Network Design and Infrastructure Integration, down to Web Design and Programming. I would say that over the years I have seen MANY drastic transitions in technology, some greater than others. I watched as I saw a standard telephone line connected to one personal computer at a time sending messages and files through a BBS (Bulletin Board System), develop into the large scale high speed data network we use now known as the Internet. One thing that has ALWAYS held true in the communications and data networking industry is that there is always someone out there trying to make a quick scamming buck or to take down systems of the masses by playing on the end users’ lack of knowledge on how to protect and secure their computers. Since the early days of BBSing, I remember even in the late 80’s and early 90’s, there were Trojan viruses and infections that were in place for NO other reason but to annoy and destroy file systems. Anyone who remembers Wildcat and Oblivion BBS’s and was ever struck by the Michelangelo or Jerusalem viruses knows exactly what I’m talking about.
Since the inception of communications, there has always been the need to secure and prevent hackers, warez freaks, and script kiddies from getting into your computers. The only thing I have seen change over the years, is that it is no longer just a 12 year old kid slurping down mellow yellow until 4 am that is hacking your system and corrupting your files, or even worse, stealing your personal information. Now it has become a multibillion dollar BIG BUSINESS for companies which I won’t mention in this article to install Spyware, Malware, and Scamware onto your system so they can collect information about your personal life, your personal preferences, your web surfing habits, and even your credit card and social security number so they can store your information into a database and sell your information off to the highest bidder.
Now please understand, I am not a conspiracy theory type of guy, and I don’t think that big brother is trying to get me, but I am a realist and I know for a FACT that EVERYONE that is reading this article has at some point in time in one way, shape, or form had a virus, a Trojan, some Spyware, or Malware on their system. So that is not a conspiracy, it is the plain and cold hard truth. We as a community of Internet surfers and knowledge seekers have to be able to protect ourselves and our families against the unwanted bots, programs, and software that is being installed onto our systems and is invading our privacy without knowledge. So my next few articles are going to explain a few ways on how to spot the malicious software and viruses on your system, and a few of the best tools to protect and guarantee your computers and family’s safety from these devious applications.
So check back later this week for my next installment of, “Spyware and Malware protection and removal and what you MAY not know!”, which will explain how to understand, locate, and eliminate spyware, malware, and viruses.
Until then, take care, and if you have any questions or comments about the articles please leave a comment or send an email to my address below.
Richard Correa, MCSA, MCPS, MCSE, MCNPS, MCDBA
Senior Network Engineer
Lead Web Programmer and Developer
DTI Data – DTI Networks
Office :: 727.345.9665 ext.206
rcorrea@dtidata.com
http://www.dtidata.com
http://www.dtinetworking.com
Starting Exchange Server with a blank Information Store
April 25, 2008
There are some situations where starting Microsoft Exchange with a blank database may be necessary. In my line of work, I run across a large number of businesses that have had their Exchange Private Information Store corrupted and the whole organization’s Email capabilities halted as well. Quite often, getting the users back up and running takes precedence over getting the data back. Don’t get me wrong; the data is still extremely important, however not having email capability can stop some businesses’ day to day operations dead in their tracks.
In a perfect world, there would and should be a backup Exchange server just waiting to take over in case of a catastrophic event. But in reality, that is rarely the case. Rather than wait a complete day or two, or even longer, for the systems administrator to get the Exchange database recovered, a viable alternative is to restart the information store with a blank database and import the data back in when it is recovered.
There may be other reasons for wanting to create a blank database as well. You may have an Exchange server that is years old, with tons of residual data from users no longer at the company. You may need to free up disk space on your server. You may have a database with minor corruption and decide to ExMerge your data out and import it back in to a clean corruption-free database. Whatever the reason, make sure you have a complete plan of action and be sure to backup your data in case you run into difficulties. The following article explains how to create a new database with Exchange Server.
To start Exchange Server with a blank Information Store:
1. Locate the Exchange database directory and transaction log directory
   a. Open Exchange System Manager
   b. Navigate to Administrative Groups->First Administrative Group->Servers->servername
   c. Underneath servername click First Storage Group and then Action->Properties
   d. Transaction Log location will be listed on the General tab. Note this location (Image 1d)
   e. Navigate under First Storage Group to your Mailbox Store and click Action->Properties
   f. Click the Database tab to note the Exchange Database and Exchange Streaming Database locations (Image 1f)
   g. Do the same for the Public Store
2. Stop the Exchange Information Store (IS) if it is currently running
   a. Click on Start->Programs->Administrative Tools and then on Services, or you can go to Computer Management by Right-Clicking on My Computer and choosing “Manage”
      i. If using Computer Management, drill down to Services and Applications, and then Services underneath that
   b. In the right window of the Services or Computer Management console, locate Microsoft Exchange Information Store
   c. If its status is listed as “Started”, Right-Click it and choose “Stop” (Image 2c)
   d. It may give you a message stating that dependency services such as Microsoft Exchange Event will need to stop as well. Choose “Yes” to continue stopping the IS
3. Rename database and transaction log directories and create new ones
   a. Rename the database location MDBDATA directory to MDBDATA-old (Image 3a)
   b. Create a new MDBDATA directory
   c. Rename the transaction log MDBDATA directory to MDBDATA-old (if location is different from the database location)
   d. Create a new MDBDATA directory for the transaction logs (Image 3d)
4. Start the Exchange Information Store service
5. Create new data files
   a. From Exchange System Manager navigate to Administrative Groups->First Administrative Group->Servers->servername->First Storage Group
   b. Click on the Mailbox Store and then on Action->Mount Store (Image 5b)
   c. You will receive a message stating that mounting this store will force the creation of an empty database, choose “Yes” to continue (Image 5c)
   d. The Store should mount, give you a message stating it successfully mounted and the data files should be created in the MDBDATA directory. (Images 5d1 & 5d2)
   e. Follow the same steps for the Public database
6. Test and Verify
   a. Verify the data files were created in the MDBDATA directory
   b. Check the Event Log for any errors
   c. Test connection to the Exchange server from Outlook
MFT Data Recovery
April 21, 2008
Over the years I have recovered many drives configured with NTFS. One of the leading reasons that data recovery is performed on these hard drives is an anomaly developed in the Master File Table. This area of the drive is the single most important set of data stored on your system. The Master File Table houses all attributes, as well as cluster placement for every file on your system. It contains security attributes, file name attributes, date and time signatures, and a mini FAT called a run list that points to every cluster where a particular file is stored.
In addition to the information stored in the Master File Table it has been my experience that if a previous copy of the Master File Table had been saved off into a file onto a remote site I could have easily imported that file and used it to recover the data. In other words, it is rarely the occasion that an entire file system gets totally wiped out. It is usually some small piece of information either corrupted or omitted from the Master File Table that causes the problem. Even a restore disk used on a hard drive that totally destroys all remnants of a file system cannot keep a backup copy of the Master File Table from recovering some data.
How, you may ask, can this be? Well grasshopper, read on and see. Imagine a book. A reference book preferably. Now, let us define the attributes of a reference book. Let’s see, there is a foreword where the author may offer a few remarks so we know how intelligent he is. There is a table of contents that gives you a general idea of what is in the book and where it is located. There is the body of the book, the actual information. Last but not least, an index. A detailed description, with page numbers that tell you exactly where the data is that you are looking for. For illustration purposes we can say that the index of the book is the Master File Table, and the body of the book is the data on your hard drive. If the index of the book is ripped out of the back, how would it be possible to find the information you are looking for? I suppose you could wade through the entire book and possibly, after several hours of searching, find the answers you are looking for. I have done that with some of my older books where the back, and the front of the book have disappeared. A book may have 200, 300, 400, maybe even 500 pages to look through, and if the information is important enough it is worth the look. However, wouldn’t it have been easier if I would have just photocopied the index and placed that in a nice safe place? Then, when the book gets old, and I lose the index, I have this nice copy that I have kept to help me find my information.
Leafing through a 500 page book may be time consuming but it is feasible, however, apply that same logic of the index and the book to a hard drive. Who wants to scan through 234,000,000 sectors looking for data? If the data is fragmented then the data is probably lost. Wouldn’t it have been nice to have a copy of the Master File Table to use and find all of your old tax returns, or doctoral thesis, or the only pictures of your grandson’s birth? I would say, “Yeah!! It would’ve been nice!”.
Please don’t get the wrong idea. This is not the same as an entire backup, on another set of media. There are holes to this system. First, if the drive actually goes bad, then it will be difficult if not impossible to get the data back. Secondly, anything that writes to the data portion of the drive will make the Master File Table useless. However, it takes a long time to destroy a 250 GB hard drive’s data area. Lastly, I have not been able to find a piece of software that just dumps the Master File Table to a remote site. Looks like someone should write one?
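Dumping the Master File Table, as wished for above, mostly means reading the table's own run list out of file record 0 and copying each fragment it points to. The Python below is an added example, not software from the original post or from DTI; it uses the standard NTFS boot sector and file record field offsets, and the small volume image built by `build_sample` is constructed for illustration.

```python
import io
import struct

def parse_boot(bs):
    """Return (cluster size, $MFT start cluster, file record size)."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)
    mft_lcn, = struct.unpack_from("<Q", bs, 0x30)
    cpr, = struct.unpack_from("<b", bs, 0x40)   # negative means 2**-cpr bytes
    return bps * spc, mft_lcn, (1 << -cpr) if cpr < 0 else cpr * bps * spc

def apply_fixups(rec):
    """Put back the sector-end bytes that the update sequence array replaced."""
    rec = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        if rec[i * 512 - 2:i * 512] != usn:
            raise ValueError("torn file record (fixup mismatch)")
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def decode_runlist(buf):
    """Decode a run list into (start cluster, cluster count) pairs."""
    runs, lcn, pos = [], 0, 0
    while pos < len(buf) and buf[pos]:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        if not off_sz:
            raise ValueError("sparse run not expected in $MFT")
        length = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        delta = buf[pos + 1 + len_sz:pos + 1 + len_sz + off_sz]
        lcn += int.from_bytes(delta, "little", signed=True)  # relative to last run
        runs.append((lcn, length))
        pos += 1 + len_sz + off_sz
    return runs

def mft_runs(rec):
    """Return (runs, byte size) of the unnamed $DATA attribute of record 0."""
    if rec[:4] != b"FILE":
        raise ValueError("record 0 has no FILE signature")
    rec = apply_fixups(rec)
    pos, = struct.unpack_from("<H", rec, 0x14)          # first attribute
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x80 and rec[pos + 8] and rec[pos + 9] == 0:
            rl_off, = struct.unpack_from("<H", rec, pos + 0x20)
            size, = struct.unpack_from("<Q", rec, pos + 0x30)
            return decode_runlist(rec[pos + rl_off:pos + alen]), size
        pos += alen
    raise ValueError("no non-resident $DATA in record 0")

def dump_mft(img, out):
    """Copy every $MFT fragment from a volume image to out; return bytes written."""
    img.seek(0)
    cluster, mft_lcn, rec_size = parse_boot(img.read(512))
    img.seek(mft_lcn * cluster)
    runs, size = mft_runs(img.read(rec_size))
    written = 0
    for lcn, length in runs:
        img.seek(lcn * cluster)
        written += out.write(img.read(min(length * cluster, size - written)))
    return written

def build_sample():
    """Constructed 24-cluster image whose three-record $MFT is split in two."""
    img, rec = bytearray(24 * 512), bytearray(1024)
    img[3:11] = b"NTFS    "
    struct.pack_into("<HB", img, 0x0B, 512, 1)      # 512-byte clusters
    struct.pack_into("<Q", img, 0x30, 20)           # $MFT starts at cluster 20
    struct.pack_into("<b", img, 0x40, -10)          # 1024-byte file records
    struct.pack_into("<4sHH12xH", rec, 0, b"FILE", 0x30, 3, 0x38)
    struct.pack_into("<IIBB", rec, 0x38, 0x80, 0x48, 1, 0)   # non-resident $DATA
    struct.pack_into("<H", rec, 0x58, 0x40)         # run list offset
    struct.pack_into("<Q", rec, 0x68, 3 * 1024)     # real size
    # runs: 4 clusters at 20, then 2 clusters at 20-12=8; end-of-attributes marker
    rec[0x78:0x84] = bytes.fromhex("110414 1102f4 0000 ffffffff")
    rec[0x30:0x32] = rec[510:512] = rec[1022:1024] = b"\x01\x00"  # fixups
    img[20 * 512:22 * 512] = rec
    img[22 * 512:22 * 512 + 4], img[8 * 512:8 * 512 + 4] = b"REC1", b"REC2"
    return io.BytesIO(bytes(img))
```

`dump_mft` accepts any seekable volume image opened in binary mode and writes the table exactly as it is stored, so the copy can be kept on other media.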
Windows Explorer: Un-Hide Files
March 18, 2008
Windows Explorer: How to change files from Hidden
In my last windows explorer tutorial I explained how to open Windows Explorer, now I will start showing some of the functions people need to know. A lot of time a file we are looking for just doesn’t seem to be where we think it should be. This may be attributed to the fact that the file is hidden. In order to unhide these files here are the steps.
1. Open windows explorer (please see my other tutorial)
2. Click on “My Computer” in the left hand window.
3. Select one of your hard drives. In this case I have selected the “C” drive.
4. Now go up top to “Tools” and select “Folder Options”
5. Now click on the “View” tab along the top and you should see “Folder Views” and “Advanced Settings”
6. Scroll through the advanced settings until you come across something that says “Hidden Files And Folders” and under it should be radio buttons to allow you to select “Show Hidden Files” (see picture below)

7. Now just click the OK button. You may get a warning from Windows that this could be dangerous, because now you will have access to system files. If you think this is a bad idea because you may delete them then I recommend that you don’t unhide these files.
That is all there is to it. In the next Windows Explorer tutorial I will go over how to see all of your USB mass storage devices this way.
Windows Explorer: How to Open It
February 26, 2008
A lot of times when I am speaking to customers I need them to make changes to their files or look at their files in a specific way. I will often tell someone to open Windows Explorer and tell me what they see. On many occasions I have had customers open Internet Explorer instead. Because Windows Explorer is a valuable tool that I think everyone should understand and know how to use, at least at a beginner level, I have decided to take a few weeks and write about it.

Click on Start then Accessories and then two from the bottom is Windows Explorer. Click on it and you will then be given the following program.

Windows Explorer defaults to the “My Documents” Directory. As you can see all the files and folders you have in your My Documents folder are now displayed.

Below that is “My Computer”; clicking the plus sign next to it will now display any mass storage devices Windows sees connected to the machine (i.e. your C drive and CD-Rom drive). From here you can also see your Control Panel, Mobile Devices, as well as Shared Documents and your My Documents folder again. We will go further into the Control Panel and Shared Documents in a later blog, for now we are just trying to see what we are able to look at in Windows Explorer. You will notice you also have access to your Recycle Bin and any folders that reside on your desktop. (Note: You now have full access to your files, if you delete from here it will be sent to the Recycle Bin.)
To Be Continued…













