Deleted File Recovery Case Study: Western Digital RAID-1 Mirror

This client had two 500 gigabyte Western Digital WD5003ABYX-01WERA1 hard drives linked together in a RAID-1 array. Important database files had been erased from the array, and the client needed our deleted file recovery services.

A RAID is a “redundant array of independent disks”. Hard drives are put into RAID arrays to provide greater capacity, more efficient data read/write speeds, data redundancy in case of hard drive failure, or some combination of the three.

RAID-1 is the simplest type of RAID configuration, as it only uses two hard drives and simply takes the contents of one drive and mirrors it on the other drive. This doesn’t improve the speed at which data can be read or written to the array or increase the storage capacity of the array. It does provide its user with the peace of mind of knowing they are protected if one drive in the RAID-1 array fails.

RAID Level: 1
Total Capacity: 500 GB
Operating System: Windows
Situation: Backup files from between July and December 2015 were deleted
Recovery Data Needed: TRO Database Backup Files
Binary Read: 100%
Case Rating: 9

Data recovery from a RAID-1 mirrored array is often very similar to data recovery from a single hard drive. After all, the point of a RAID-1 array is to have two hard drives with exactly the same data on both of them.

There is one type of data loss RAID-1 cannot protect its users from: file deletion. All of the changes made to one drive in the array are reflected onto its mirror. Unfortunately, this also includes the removal of files.

In this data recovery case, the client found that a great many backup files with the TRO extension for their database had been deleted from the array. The missing backup files spanned from the end of July 2015 to the end of December of that same year.

Deleted File Recovery Process for a RAID-1 Mirror

Our in-house, proprietary data recovery software, HOMBRE, was designed with some very robust tools to help us recover data that has been lost as a result of logical damage to a hard drive, such as file deletion. Deleted file recovery cases make up one field where HOMBRE particularly shows its strengths.

In the process of imaging a hard drive, HOMBRE will be constantly picking up files that have been flagged as deleted. It also picks up file signatures that are no longer associated with any filesystem on the hard drive. That’s not to say HOMBRE does all the work: it’s a smart program, there’s no doubt about that, but like most software, it’s only as smart as the engineers using it.

Deleted file recovery results. Red files could not be recovered because their extents had been overwritten.

Our logical data recovery engineer Dan used HOMBRE to comb through a selection of various backup files on both of the Western Digital hard drives comprising the mirrored array. Comparing the deleted files’ file headers, he was met with promising, consistent-looking results. These results suggested that very little file corruption had occurred.

However, a few recovered files showed up in HOMBRE with red icons. This is HOMBRE’s way of saying “I know this file exists, but I haven’t read it yet.” But we had a 100 percent binary read on the data on both drives in the RAID array. One may wonder how such a thing is possible.

On Windows machines, the file definitions are contained in the master file table, or MFT. The MFT keeps a record of the names and directory locations of every file on the disk. Files small enough to fit into a single cluster of data can be found and read just from the MFT alone. If a file takes up multiple clusters, though, it has extents which point to the locations of the clusters taken up by that file.

Since none of the MFT had been overwritten, our engineers had the names and directory locations of all of the files on both disks. But because the extents for some of those files had been overwritten, the actual files themselves were gone. It’s the data recovery equivalent of looking up a business on Google, getting their address, and going there only to find a bulldozed lot.
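The distinction above between a surviving MFT entry and its overwritten extents can be seen by decoding a record by hand. The following is an added example, not Gillware's or HOMBRE's code: it reads the in-use flag of an MFT record, returns the content directly when the unnamed $DATA stream is stored in the record, and otherwise decodes the runlist into extents and reports which of them overlap clusters that are allocated again. The sample record, the cluster numbers and the `allocated` set (assumed to come from the volume's $Bitmap) are constructed, and update-sequence fixups are skipped because the constructed record is shorter than one sector.

```python
import struct

DATA_ATTR, END_MARK, IN_USE = 0x80, 0xFFFFFFFF, 0x0001

def decode_runs(buf):
    """Decode an NTFS runlist into (start_cluster, cluster_count) extents."""
    extents, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:          # 0x00 ends the runlist
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        count = int.from_bytes(buf[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz:  # offset is signed and relative to the previous run's start
            lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True)
            extents.append((lcn, count))
        pos += off_sz  # off_sz == 0 marks a sparse run with nothing on disk
    return extents

def parse_record(rec):
    """Return (deleted, resident_bytes, extents) for the unnamed $DATA stream."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT record")
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    deleted = not flags & IN_USE          # in-use bit clear: record is deleted
    while attr_off + 16 <= len(rec):
        a_type, a_len = struct.unpack_from("<II", rec, attr_off)
        if a_type == END_MARK or a_len == 0:
            break
        if a_type == DATA_ATTR and rec[attr_off + 9] == 0:   # unnamed stream
            if rec[attr_off + 8] == 0:    # resident: content is in the record
                size, c_off = struct.unpack_from("<IH", rec, attr_off + 0x10)
                start = attr_off + c_off
                return deleted, rec[start:start + size], []
            run_off, = struct.unpack_from("<H", rec, attr_off + 0x20)
            runs = rec[attr_off + run_off:attr_off + a_len]
            return deleted, None, decode_runs(runs)
        attr_off += a_len
    return deleted, None, []

def reallocated(extents, allocated):
    """Extents overlapping clusters the volume has since given to other data."""
    return [(s, n) for s, n in extents if not allocated.isdisjoint(range(s, s + n))]

def sample_record(flags=0):  # constructed input, not data from this case
    attr = struct.pack("<IIB", DATA_ATTR, 0x48, 1) + bytes(23)
    attr += struct.pack("<H", 0x40) + bytes(30) + bytes.fromhex("21183456 1108f0 00")
    return (b"FILE" + bytes(16) + struct.pack("<HH", 0x38, flags) + bytes(32)
            + attr + b"\xff" * 4)
```

An extent returned by `reallocated` is only a candidate for lost content: the file name and location still come back from the record, but the clusters it points to have to be read and checked before the file can be called recovered.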

When data has been deleted, every new bit and byte of data written to the affected drive can chip away at the “free” spaces on the disk where those deleted files still live. Our engineers did note that a handful of new files had been created in between the client contacting us and their hard drives arriving at Gillware, and that the user did have some deleted file recovery software installed. This is generally a bad omen for logical data recovery cases. Running software after any files have been deleted can compromise the deleted files.

A few of the user’s deleted files had been lost. But overall, the results of this deleted file recovery case looked very good. We had recovered a huge number of deleted backup files for the client. We rated this case a nine on our ten-point scale.

The temptation to Google a deleted file recovery program to install and get your files back right away can be overwhelming when you accidentally delete critical data. But even running a program, let alone installing new software, writes data to your hard drive that can put the integrity of your recently-deleted files in jeopardy. If your critical data has gone missing, trust the professionals to recover your deleted files.

Will Ascenzo

Will is the lead blogger, copywriter, and copy editor for Gillware Data Recovery and Digital Forensics, and a staunch advocate against the abuse of innocent semicolons.
