Our client in this WD MyBook Duo data recovery case came to us with a Western Digital external hard drive that was displaying an ominous blinking red LED light. Western Digital’s external devices use the coded flashing of an LED light to denote their status. For the WD My Book Duo, a slow, steadily blinking red light is not a good status. In fact, it’s just about the worst status the external drive could have.
Their computer corroborated the external drive’s assessment. When the client plugged the drive in, they got an unpleasant error message. “Your device has RAID configuration issues,” it said. The WD Drive Utilities software gave further details, saying that the RAID volume had errors and the data was inaccessible.
There were a few very strange things going on with this WD MyBook Duo external drive; in our quest to recover our client’s data our RAID data recovery engineers here at Gillware would make some interesting discoveries.
WD MyBook Duo Data Recovery Case Study: RAID Configuration Issues
RAID Level: RAID-1 Mirror
Drive Model: WD40EFRX-68WT0N0 (x2)
Total Capacity: 4 TB
Operating/File System: Windows NTFS
Data Loss Situation: Steadily flashing red diagnostic light—cannot access data
Type of Data Recovered: Photos and documents
Binary Read: 100%
Gillware Data Recovery Case Rating: 10
The error message our client saw in this WD MyBook Duo data recovery case should rightly bewilder anyone who is even vaguely familiar with how RAID-1 works.
MyBook Duo external hard drives support two levels of RAID. One is RAID-0, which combines two or more hard drives into a single logical volume by “striping” them together. In a RAID-0 setup, each individual drive only has fragments of the whole. All of the data you write to it gets chopped up and redistributed. If you look at each individual drive separately, all you see is garbled gibberish.
The RAID configuration keeps track of how all that data is distributed. If the configuration has issues with a RAID-0 array, it’s easy to see that this makes your data look like it’s been fed through a paper shredder.
But RAID-1 is different. A RAID-1 array takes two hard drives and “mirrors” them, making one an exact duplicate of the other. There’s no striping, no data redistribution. You should be able to pull one drive out of a RAID-1 storage device and look at it as an individual and see the exact same stuff you’d see if you kept the drive in its enclosure with its twin. Here, the RAID configuration shouldn’t matter all that much.
Had something gone wrong with the hard drives or the MyBook Duo enclosure to make the RAID configuration “forget” that the drives in this device enclosure were set up as a RAID-1 mirrored array?
Our engineers’ evaluation didn’t show any severe issues with either hard drive in the MyBook Duo enclosure. In fact, we could successfully create 100%-accurate forensic images of both drives.
Our engineers found one interesting thing right off the bat, although it wasn’t the cause of the RAID configuration issues. Both hard drives, when looked at outside of the MyBook enclosure, were fully encrypted. The encryption looked similar to Western Digital’s SmartWare encryption seen in its other MyBook and My Passport external hard drives.
In a normal RAID-1 data recovery case we image both hard drives in the array, see which one has the most recent version of the user’s data, and send the data back to the user. This encryption added an extra wrinkle to our case—we had to figure out how to decrypt the drives as well.
It’s worth noting that this encryption could stymie a home user of the WD MyBook Duo. If the enclosure broke down, the user might remove one of the drives, hoping to hook the drive up through a USB-SATA adapter cable and copy files over from it. This is a viable approach for many other brands of RAID-1 enclosure if the enclosure itself fails. But without the portion of the enclosure managing encryption, the drive would show up as RAW and inaccessible. This would lead the user to believe that the hard drives might be broken, when in fact the fault lay in the enclosure and not the drives themselves.
To solve this WD MyBook Duo data recovery case, our engineers had to take a close look at where the device stored its RAID configuration data. External RAID enclosures typically pick one of two places to keep this data. They use either a portion of the back end of each disk, or some type of memory chip in the enclosure itself.
Our engineers found the RAID configuration data resting in neither of those places. Rather, the data lived inside the firmware found in each hard drive, along with the encryption key.
Hard drive firmware behaves as the drive’s “operating system”. When you power a drive on, the first thing its read/write heads do is seek out the firmware. And if the heads can’t do this for whatever reason, you can’t access anything else on the drive. It’s a very secretive part of the drive. It lives on the hard disk platters, but it doesn’t show up if you look at the contents of a hard disk drive through a sector editor. Few people know it exists, and even fewer have the tools to fix it if it develops a glitch or bug.
The vast majority of IT and computer repair professionals, in fact, would be incapable of finding the RAID configuration in a MyBook Duo. The tools to explore and repair a hard drive’s firmware typically rest in the hands of two types of people: hard disk drive designers and data recovery experts.
Taken in combination with MyBook Duo’s hardware encryption, the result is a relatively closed system which few people outside of Western Digital itself (or a professional data recovery lab) would have the means to recover data from when things go belly-up.
This was a challenging data recovery case. In our data recovery lab, we had to find some way to get the hard drives to work in a real WD MyBook Duo enclosure, because it was the only way to decrypt the data. Even though the hard drive encryption looked somewhat like SmartWare, it was its own beast; our usual method for decrypting SmartWare wouldn’t apply here. Yet we also had to make sure that any replacement enclosure we used understood the RAID configuration data.
Something had gone wrong with the RAID-1 configuration data in the hard drives’ firmware. However, we couldn’t do anything to alter the RAID configuration data, as it was protected by a checksum. A checksum is a means of ensuring that data you’ve transmitted or copied hasn’t been altered in any way. If we changed the configuration data, the checksum would let the enclosure know that the configuration data had been changed, and the enclosure would have rejected the “new” configuration.
Our engineers solved the dilemma in this WD MyBook Duo data recovery case through some creative manipulation of the firmware modules and user data areas on the client’s hard drives. Our hard work paid off; when we reinserted the customer drives into the MyBook Duo enclosure, we could extract all of the customer’s data. When all was said and done, we had a completely successful WD MyBook Duo data recovery case on our hands.