
Resolution process of data loss caused by unknown failure of hyper-v Virtualization

2025-03-29 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Brief introduction:

The data files of the virtual machines kept on the MD3200 storage were lost, which paralyzed the whole Hyper-V service and left the virtual machines unusable. The failed environment was a Windows Server 2012 server with a Hyper-V virtual machine environment deployed on it. The hard disk files and configuration files of the virtual machines were placed on a DELL MD3200 storage unit hosted by a hosting center in Chaoyang District. The MD3200 storage is an array of four 600G hard disks that are used to store the data files of the virtual machines. A single 4T hard disk is used as a backup of the virtual machine data files.

Fault:

Because the data files of the virtual machines on the MD3200 storage were lost, the whole Hyper-V service was paralyzed and the virtual machines could not be used. The data was examined with the following process:

Physical inspection of the MD3200 storage server: the storage has no physical fault, and the hard drives involved are working normally.

Check the operating system: no faulty process was found, so data loss caused by an operating system bug is ruled out.

Analyze the file system of the hard disk that lost data: it opens normally and does not show the characteristics of virus damage; antivirus software also detected no virus. A careful analysis of the file system shows that the creation time of its metafiles is November 28, which means the file system itself was created on November 28, and this coincides with the time of the data loss. Usually this indicates that the file system was rewritten by a person, that is, the partition was formatted.

Check the system log: the system log from before November 28 and from that day has been emptied, but the audit log and the service log have not. In general, this is the result of a person's action. Moreover, formatting a partition is recorded only in the system log, which is consistent with the human-caused destruction described above.

Try to recover the system log: a careful analysis of the underlying data on the hard disk shows that the system log records that would need to be recovered have been overwritten by new log records and cannot be recovered.

Analyze all partitions in the operating system: only two partitions on the MD3200 storage have had their file system rewritten. In general, formatting two partitions requires two separate operations, so this targeted action should have been carried out by a person.

Solution

Back up user data

Because all the data is on the Dell MD3200 storage, only the data on the Dell MD3200 storage needs to be recovered. Number all the hard drives in the Dell MD3200 storage, then remove them from the storage and hand them to the hardware department to check for physical failures. Once testing shows there is no problem, make a full image of each hard disk, using a special tool (WinHex) to mirror all the sectors of each hard disk to a backup hard disk.

[Figure: backing up all hard disk data with professional tools]

Reassemble disk array

After mirroring, analyze the relevant RAID 5 information, such as the stripe size and the stripe direction. With this information the hard disks can be reassembled into the array and the data on each hard disk can be analyzed. The analysis shows that the 4 600G hard drives form a RAID 5 and that another 4T hard disk is used as data backup. The RAID parameters can be obtained by carefully analyzing the data structures on the 4 600G hard drives.

[Figure: reassembling the RAID with professional tools]

[Figure: the hard disk array opened with professional tools]
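How stripe size and stripe direction determine the reassembly, as an added example (not the professional tool the article used). It assumes the common left/right and symmetric/asymmetric RAID 5 parity rotations; the function names, the member images and the sector-index check used for scoring are constructed for illustration.

```python
import struct
from functools import reduce
from itertools import product

def data_order(row, n, direction, symmetric):
    """Member indices holding a stripe row's data units, in logical order."""
    p = (n - 1 - row % n) if direction == "left" else row % n   # member holding parity
    if symmetric:                                 # data starts after parity and wraps
        return [(p + 1 + k) % n for k in range(n - 1)]
    return [d for d in range(n) if d != p]        # asymmetric: ascending, skip parity

def destripe(members, unit, direction="left", symmetric=True):
    """Rebuild the logical volume from equal-sized member images."""
    out = bytearray()
    for row in range(len(members[0]) // unit):
        for d in data_order(row, len(members), direction, symmetric):
            out += members[d][row * unit:(row + 1) * unit]
    return bytes(out)

def score(volume, sector=512):
    """Constructed check: count sectors whose first 4 bytes equal their own index."""
    return sum(struct.unpack_from("<I", volume, i * sector)[0] == i
               for i in range(len(volume) // sector))

def guess_layout(members, units=(1024, 2048, 4096)):
    """Try every unit size and layout; return the combination that scores best."""
    combos = product(units, ("left", "right"), (True, False))
    return max(combos, key=lambda c: score(destripe(members, *c)))

def stripe(data, n, unit, direction, symmetric):
    """Sample builder: lay data out as n RAID 5 members with XOR parity."""
    members, row_len = [bytearray() for _ in range(n)], unit * (n - 1)
    for row in range(len(data) // row_len):
        units = [data[row * row_len + k * unit:][:unit] for k in range(n - 1)]
        order = data_order(row, n, direction, symmetric)
        for d, u in zip(order, units):
            members[d] += u
        parity = bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*units))
        members[(set(range(n)) - set(order)).pop()] += parity
    return [bytes(m) for m in members]

# Constructed volume: 96 sectors, each stamped with its own index.
DATA = b"".join(struct.pack("<I", i).ljust(512, b"\0") for i in range(96))
MEMBERS = stripe(DATA, 4, 2048, "left", True)
```

On real images the scoring function would test a structure that is known to be contiguous on the volume, and the work is done on the mirrored copies, never on the original drives.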

Scan for old file index entries

A careful analysis of the underlying data on the hard disk shows that many directory entries and file index entries of the previous file system still exist on the disk. Careful checking confirms that the data these file index entries point to is the content of the files the user lost. However, because the whole disk is very large, searching for file index entries by hand would be very slow, so a small program was written to scan the whole disk for all existing file index entries and extract them.

Parse the scanned file index entries

A detailed analysis of all the scanned file index entries shows that they are discontinuous, and most of them are aligned to 16K or 8K. Under normal circumstances, file index entries are continuous, with a fixed size of 1K, and each file index entry corresponds to one file or directory. These discontiguous and incomplete file index entries cannot properly index the contents of the files, so the scanned file index entries have to be processed. Search the scanned file index entries for ".VHD" to find a ".VHD" file record, then extract the run of continuous file index entries around it. Next, check whether the extracted file index entry has a record or an H20 attribute that points to the next file index entry. If so, match the next file index entry according to the characteristics recorded in the entry; if not, skip the entry. Most of the file index entries can be found this way. The missing file index entry fragments may have been destroyed, but they can be found on the data backup disk, so most of the file index entries can be recovered.

[Figure: screenshot of a file index entry]
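The scan and ".VHD" search described above, as an added example that is not the author's program. It assumes the file index entries are NTFS file records (1K, signature `FILE`) and that the "H20 attribute" is the 0x20 attribute list; `parse_record`, `scan_image`, `make_record` and the sample image are constructed for illustration.

```python
import struct

RECORD_SIZE, SECTOR = 1024, 512   # 1K entry size is from the article; 512-byte sectors assumed

def parse_record(buf, off):
    """Parse one NTFS file record at off; return a dict, or None if it is not one."""
    rec = bytearray(buf[off:off + RECORD_SIZE])
    if len(rec) < RECORD_SIZE or rec[:4] != b"FILE":
        return None
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    if usa_cnt > 3 or usa_off + 2 * usa_cnt > SECTOR - 2:
        return None
    for i in range(1, usa_cnt):      # undo the update-sequence fixup at each sector tail
        rec[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    info = {"offset": off, "number": struct.unpack_from("<I", rec, 0x2C)[0],
            "name": None, "parent": None, "attr_list": False}
    pos = struct.unpack_from("<H", rec, 0x14)[0]
    while pos + 24 <= RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen < 24 or pos + alen > RECORD_SIZE:
            break
        body = pos + struct.unpack_from("<H", rec, pos + 0x14)[0]
        info["attr_list"] |= atype == 0x20   # attribute list: file continues in other records
        if atype == 0x30 and rec[pos + 8] == 0 and body + 0x42 <= pos + alen:
            end = body + 0x42 + 2 * rec[body + 0x40]      # name length is in UTF-16 units
            info["parent"] = struct.unpack_from("<Q", rec, body)[0] & 0xFFFFFFFFFFFF
            info["name"] = bytes(rec[body + 0x42:end]).decode("utf-16-le", "replace")
        pos += alen
    return info

def scan_image(buf, suffix=".vhd"):
    """Walk the image sector by sector; return {record number: info} for matching names."""
    found = (parse_record(buf, off) for off in range(0, len(buf), SECTOR))
    return {r["number"]: r for r in found if r and (r["name"] or "").lower().endswith(suffix)}

def make_record(number, parent, name, attr_list=False):
    """Build a constructed, minimal file record for the demo (not real disk data)."""
    raw = name.encode("utf-16-le")
    rec = struct.pack("<4sHH12xH22xI", b"FILE", 0x30, 3, 0x38, number).ljust(0x38, b"\0")
    if attr_list:
        rec += struct.pack("<II24x", 0x20, 0x20)          # empty 0x20 attribute
    alen = (0x5A + len(raw) + 7) & ~7                      # 8-byte aligned length
    head = struct.pack("<II12xH2xQ56xBB", 0x30, alen, 0x18, parent, len(name), 1)
    rec += (head + raw).ljust(alen, b"\0") + struct.pack("<I", 0xFFFFFFFF)
    return rec.ljust(RECORD_SIZE, b"\0")

# Constructed image: records at 8K/16K-aligned offsets with zero filler between them.
SAMPLE = (bytes(8192) + make_record(41, 5, "web01.vhd")
          + bytes(7168) + make_record(42, 5, "DB01.VHD", True)
          + bytes(15360) + make_record(43, 5, "notes.txt") + bytes(15360))
```

The record number and parent reference returned for each hit are what allow the entries to be ordered and joined into a directory tree; a multi-terabyte image would be read through `mmap` or in chunks rather than loaded whole.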

Compose file index entries into a complete directory structure

Find all the file index entries with the method above, then splice them into the complete directory entry structure according to the numbers of the file index entries. The following are some of the file index entries that were found. Because some file index entries are corrupted, only most of them can be found, but these are enough to splice together the entire directory structure.

[Figure: a fragment of the scanned file index entries]

Repair the file system

Replace the directory structure in the existing file system with the rebuilt directory structure, then use professional tools to modify some of the check values. After that, use professional tools to interpret the directory structure, and the originally lost data becomes visible.

[Figure: the directory structure as interpreted by professional tools]

To determine whether the data is correct, recover one of the latest VHD files, copy it to a server that supports attaching VHDs, and try to attach it. The attachment succeeds; then check whether the latest data in the VHD is complete. After everything has been checked, restore all the data to a hard disk.

[Figure: all the recovered virtual machine data files]

Validate all data

Set up a Hyper-V environment on a test server and connect the recovered virtual machine files to that server. Then migrate the restored data into the new Hyper-V environment by importing the virtual machines, and have the customer verify that all virtual machines are complete.

[Figure: the virtual machine import process]

Migrate all data

After the customer verifies that all virtual machines are in order, copy all the data to the customer's server. Then import the virtual machines into the customer's Hyper-V environment. The virtual machines need to be imported in the following way. After the import there are no errors. Try to start all the virtual machines; all of them start without problems.
