RAID Array Recovery Case Study: When a Blessing Becomes a Curse

Our client in this RAID array recovery case came from a medical clinic. One of the computers in their lab responsible for storing DICOM standard images of patient X-rays used a RAID-1 mirrored array to store data. A RAID-1 array takes two hard drives and makes them both exact duplicates of each other. Each drive has the same content as its twin, and whatever you do to one, you do to the other. It’s an easy way to maintain a local backup of your data—no muss, no fuss.

But as our client soon found out, this form of local data backup isn’t without its faults. When somebody performed a system restore on the computer containing the RAID-1 mirror, they accidentally purged the DICOM image data from the array as well.

Fortunately for this clinic, Gillware’s world-class data recovery lab and technicians, along with the security measures in place for our data recovery facilities, make us the perfect data recovery company for hospitals and clinics dealing with ePHI (electronic protected health information) such as patient records and medical images.


RAID Array Recovery Case Study: When a Blessing Becomes a Curse
Drive Model: Seagate ST1000DM003 (x2)
RAID Level: RAID-1 Mirror
Total Capacity: 1 TB
Operating/File System: Windows NTFS
Data Loss Situation: Ran a system restore on the RAID-1 array that stored the clinic’s images of patient X-rays.
Type of Data Recovered: DICOM X-ray image files
Binary Read: 100%
Gillware Data Recovery Case Rating: 8


The Downside of RAID-1: When a Blessing Becomes a Curse

The purpose of a RAID-1 array is to provide complete data redundancy. By duplicating every write command the user makes and sending the command to both hard drives, the array ensures protection of all of the user’s data in case one of the two hard drives has an accident. (And we here at Gillware know from experience that hard drives can and do have accidents—and frequently at the worst possible moments). This protects your data if one hard drive ends up with crashed read/write heads, or a seized spindle motor, or corrupt firmware, or a burned-out PCB board. You can just replace the drive, and the array will immediately go to work copying everything over from the remaining drive to its new twin-to-be.

But there’s a downside to RAID-1. It’s not immune to data loss, especially data loss in logical situations such as deleting files, reformatting the array, or (like our client here) running a system restore.

When you use your hard drive, you’re constantly sending write commands to it every time you need to change even a tiny amount of the data on the drive. Deleting files or reformatting a disk is also a write command! You are actually writing data whenever you erase data. And RAID-1, eager to follow its instructions, duplicates those commands just as well as any other write command. It can’t tell the difference between a write command you meant to do and one you did by accident. Constructive and destructive commands look the same to it. So you say good-bye to your data… on both drives.

Whoops.

This is where our RAID array recovery experts here at Gillware come in.

The Perils of a System Restore

System restores and O/S reinstalls can have a very powerful negative effect on the integrity of the data on your hard drive. When you delete files, your computer sends them to a sort of limbo state on your hard drive. The files still exist, but they’ve been marked as usable space. And that means that when you go to write new data, it can stomp all over the old data and destroy it for good. System restores, system updates, installation or reinstallation of software—these all write new data to the disks that can destroy your data.

When these data loss situations come to Gillware, our logical hard drive failure recovery technicians work hard to salvage the data left behind.

RAID Array Recovery Results

After fully imaging both hard drives in the array, our technicians could confirm that both drives were healthy and were, as expected, mirror images of each other. Any data recovered from one hard drive would be the exact same data recovered from the other. Therefore, our engineers only needed to devote their further RAID array recovery efforts to any one of the two drives.

Hard drives both keep a record of used and unused space on their hard disk platters. To find missing data, often our engineers have to pay special attention to “holes” on the disks where the hard drive claims not to have any data. By carefully scanning the “blank” spots on the disks, we could search for the characteristic file headers pointing toward the client’s lost patient X-ray images.

After running a raw scan for file definitions, our engineers uncovered over 5,500 fully functional DICOM X-ray images in total. Only 900 of the X-ray image files we had salvaged were either partially functional or completely nonfunctional. We ranked this RAID array recovery case an 8 on our ten-point rating scale. Our client at the clinic was similarly pleased at our level of success.

Will Ascenzo
Will Ascenzo

Will is the lead blogger, copywriter, and copy editor for Gillware Data Recovery and Digital Forensics, and a staunch advocate against the abuse of innocent semicolons.

Articles: 213