Recover data from single drive of a RAID 5? Myth???

pcbananas

There are documented cases where data has been retrieved from a single drive, even after it has been wiped. This is why in our company our PC drives are destroyed. I've not heard of an instance where someone was able to recover data from a single drive of a RAID5 array. If this is possible, please let me know and we can develop a procedure to protect our data.

Thanks.

Chris
 
It is still possible to recover the information that is written to that drive. That information will be 1/x (x being the number of drives in the raid 5 array) of the total data. Depending on how sensitive the data is on the drive, you may still want to destroy it or at least wipe it using something like "Boot and Nuke". It may be possible for someone to recover social security numbers, credit card numbers, or other small amounts of data saved to that single drive.
 
we throw ours in our nuclear reactor out behind the office... no biggie



depending on your cluster size, and what type of data is on there, i would still destroy raid5... it isn't possible to recover anything of use, except random packets of data.. but if you are using large cluster size, it will
 
Raid 5 doesn't work like that

Like what? It writes data across all of the drives in the array. It breaks up the data based on the cluster size and then writes a parity to one of the drives. There is more than enough information on any one single drive for it to be a security risk. Clearly they are working with some sensitive data if they have gone to the lengths of destroying all desktop drives.
 
> Like what? It writes data across all of the drives in the array. It breaks up the data based on the block size and then writes a parity to one of the drives. There is more than enough information on any one single drive for it to be a security risk. Clearly they are working with some sensitive data if they have gone to the lengths of destroying all desktop drives.

yeah it writes raw data not actual files.
 
In the right hands, depending on the size of the file and/or type of file, LIMITED restoration of files is theoretically POSSIBLE. But as ring.of.steel implies, highly unlikely. Ultimately, large scale restoration is impossible.
 
Any file under the stripe size is certainly recoverable. Beyond that you are only going to get chunks/pieces.
 
If you are really worried about data security get one of these:
http://www.datadev.com/hdtd8300v1.html
Worked for a company that used one of these things. They are sweet! We would put peoples credit cards in them.:eek:

$12k? :eek: It might just be cheaper to destroy the drives and buy new ones when they are needed.

Edit: Nvm, that machine totally destroys the drive, so they are just paying $12k to destroy drives which they are already doing.
 
I can't fathom how it would be possible without the other drives, above RAID 1...with the striping..there is a..hmm..forget the name, but the RAID controller pulls a file off of each drive that combines to be something called the "RIS" I think it's called..Raid Instruction Set. It tells the RAID controller about the drives and how they are configured..and how to deal with the striping. It's this file that allows you to take drives from one server..plug them into another server with a RAID controller of at least the generation/family of the controller of the first family (including newer and backwards compatible controllers)..and that server will boot up just fine. Without that RIS file from the other drives...and the data on those drives....I don't see how it's possible.
 
> In the right hands, depending on the size of the file and/or type of file, LIMITED restoration of files is theoretically POSSIBLE. But as ring.of.steel implies, highly unlikely. Ultimately, large scale restoration is impossible.

Okay, you work in a high security environment. So high that you have made the decision that wiping the drives using something that writes randomly with 4-7 passes isn't enough. You have decided at this point to destroy the drives instead. Would you say not destroying drives from a RAID5 set fits correctly into this security policy? How are they ensuring that someone doesn't just grab all the drives from the RAID5 set? How do you ensure that the RAID1 sets are destroyed while the RAID5 are not?

The only logical conclusion is that they should not break from their current process and should destroy these drives too. If an attacker has the equipment and knowledge to recover a randomly wiped drive as described earlier, they will have little trouble at least restoring parts of the data set which may contain important information. Plus, if they are capable of doing this attack, they aren't going to need the whole file to have a damn good idea what is contained in it.
 
Wrong, Raid 5 can be recovered

Clive: Thank you for contacting Seagate Recovery Services. This is Clive, how may I help you today?
You: Is it possible to recover data from a raid 5 array with one disk
Clive: We can recover the data from that drive


Seagate is one of the best in the business and I talked to their case mgr about this on the phone, not just in the chat window - it can be recovered but it's a huge cost because of the time it would take to recover.

Unless you have 10k plus and it's mission critical data then accept your loss.
 
> Okay, you work in a high security environment. So high that you have made the decision that wiping the drives using something that writes randomly with 4-7 passes isn't enough. You have decided at this point to destroy the drives instead. Would you say not destroying drives from a RAID5 set fits correctly into this security policy? How are they ensuring that someone doesn't just grab all the drives from the RAID5 set? How do you ensure that the RAID1 sets are destroyed while the RAID5 are not?
>
> The only logical conclusion is that they should not break from their current process and should destroy these drives too. If an attacker has the equipment and knowledge to recover a randomly wiped drive as described earlier, they will have little trouble at least restoring parts of the data set which may contain important information. Plus, if they are capable of doing this attack, they aren't going to need the whole file to have a damn good idea what is contained in it.

Agreed. Any operation that has the $$ to run a security protocol THAT tight, isn't going to be concerned with a few thousand $$ worth of hard drives. Physically destroy them, then incinerate them and be done with it...
 
> Wrong, Raid 5 can be recovered
>
> Clive: Thank you for contacting Seagate Recovery Services. This is Clive, how may I help you today?
> You: Is it possible to recover data from a raid 5 array with one disk
> Clive: We can recover the data from that drive
>
> Seagate is one of the best in the business and I talked to their case mgr about this on the phone, not just in the chat window - it can be recovered but it's a huge cost because of the time it would take to recover.
>
> Unless you have 10k plus and it's mission critical data then accept your loss.

Without knowing any methods, I'd call "uninformed/underinformed/gotta make the sale Sales-weasel bullshit" on the Seagate people... Now, mind you, I'm a seagate fanboy for the most part, I won't use any other drives. But, EVERY company has those unscrupulous salespersons.
 
you can't recover data that isn't there, period.
its like CSI where they zoom in 10,000 times on some janky security camera to read someone's Kanji Tattoo or something, bullshit
 
> Without knowing any methods, I'd call "uninformed/underinformed/gotta make the sale Sales-weasel bullshit" on the Seagate people... Now, mind you, I'm a seagate fanboy for the most part, I won't use any other drives. But, EVERY company has those unscrupulous salespersons.


Agreed, which is why I spent some time and called. I talked to a case mgr who is like the project mgr for the recovery. They are very straight with you if they tell you they can recover raid 5 data and don't you pay nothing and they just wasted their time trying to recover it. So I don't think they have an incentive to try and sell you when it couldn't be done in the first place.
Just relaying the info passed onto me from the people that handle that aspect.
 
I have been reading and sharing the responses with my boss. We had a general idea about RAID5 and the difficulties involving recovering data if ONLY one drive was available. It seems that anything is possible, but given these circumstances, the individuals looking to recover data must be highly trained and capable of spending a lot of time, effort, and money to obtain something specific.

We have concluded that we will allow HP to take the failed drive and we won't destroy based on the information known and provided here too. However, we did a risk assessment based on what information and personal data is actually stored on this particular scenario and we chose to take this minimal risk.

In the future, we will re-evaluate our standards of practice and consider alternative options which could include the complete disposal and destruction of any RAID5 drive based only on what information is stored in this hardware.

Thank you once again!
 
> Wrong, Raid 5 can be recovered
>
> Clive: Thank you for contacting Seagate Recovery Services. This is Clive, how may I help you today?
> You: Is it possible to recover data from a raid 5 array with one disk
> Clive: We can recover the data from that drive
>
> Seagate is one of the best in the business and I talked to their case mgr about this on the phone, not just in the chat window - it can be recovered but it's a huge cost because of the time it would take to recover.
>
> Unless you have 10k plus and it's mission critical data then accept your loss.

yea, you can recover the data FROM THAT DRIVE... but is that data usable is the question...

and the answer is, if you had a raid5 array of only 3 disks, your chances of getting useful data off of just 1 of them is a LOT higher...

the more disks you have, the harder it would be... but with 1 out of 3 disks, you'd have a third of the data, and another third of the parity....

it'd still be tough...

but filesize does have some to do with it, if you've got a lot of little files that each have sensitive data in it, it would be a lot easier to mine a third of that data...

but hey, why not just kill the last drive too?
 
> yea, you can recover the data FROM THAT DRIVE... but is that data usable is the question...
>
> and the answer is, if you had a raid5 array of only 3 disks, your chances of getting useful data off of just 1 of them is a LOT higher...
>
> the more disks you have, the harder it would be... but with 1 out of 3 disks, you'd have a third of the data, and another third of the parity....
>
> it'd still be tough...
>
> but filesize does have some to do with it, if you've got a lot of little files that each have sensitive data in it, it would be a lot easier to mine a third of that data...
>
> but hey, why not just kill the last drive too?


Agreed :)
 
> yea, you can recover the data FROM THAT DRIVE... but is that data usable is the question...
>
> and the answer is, if you had a raid5 array of only 3 disks, your chances of getting useful data off of just 1 of them is a LOT higher...
>
> the more disks you have, the harder it would be... but with 1 out of 3 disks, you'd have a third of the data, and another third of the parity....
>
> it'd still be tough...
>
> but filesize does have some to do with it, if you've got a lot of little files that each have sensitive data in it, it would be a lot easier to mine a third of that data...
>
> but hey, why not just kill the last drive too?

Sorry, but if you had 1 disk of a 3 disk RAID 5 array, you'd have 1/2 of the data or the parity of each file. In a 3 disk RAID 5, 2 disks hold data, and a 3rd disk holds the parity. But the data and parity are across all 3 disks, so you won't always have only the parity or only part of the data, you'll have a mix of it. What you say of having 1/3 the data or the parity is true of a 4 disk RAID 5 set.
 
> Sorry, but if you had 1 disk of a 3 disk RAID 5 array, you'd have 1/2 of the data or the parity of each file. In a 3 disk RAID 5, 2 disks hold data, and a 3rd disk holds the parity. But the data and parity are across all 3 disks, so you won't always have only the parity or only part of the data, you'll have a mix of it. What you say of having 1/3 the data or the parity is true of a 4 disk RAID 5 set.

hate to keep beating a dead horse, but the data and parity are shared equally across all disks, in a 3 disk array, the drives would be 2/3 data 1/3 parity each.

http://en.wikipedia.org/wiki/Image:RAID_5.svg
 
"Discussion Thread
Response (David Parker) 12/19/2007 05:28 PM
Dear Christian,

Thank you for contacting Seagate Recovery Services.

I have had the opportunity of reviewing your email. It is my understanding that the hard drive has gone faulty and you are looking to get the information recovered from it. Having assessed the issue, I have established that the issue described will need an in lab effort in order to recover the information. We do have the technology to be recovering data in such scenario. You will need to ship the drive to a Seagate facility near you in order for us to do an evaluation of the media.

However, since the case seems to be complex, I would request you to provide me with your contact number and geographical location, so that I could arrange for a call back from our case manager to assist you further.

Please write back to me with any further queries, you can also call our toll free number at 1-800-475-0143.


Regards,

David Parker,
Seagate Recovery Services "
 
And is that not what I said in a lot more words?

No, it is not, as parity is spread across all the disks, not placed on just one disk. It's a very different scheme. What you are talking about is RAID 4, which is not used and inferior for obvious reasons.
 
It would be very easy to recover some data, that being data that is in the stripe size of the raid set. So say you have a 128k stripe size on your raid 5, one drive will have tons of 128k stripes of contiguous data which could be just enough to get an account number, password, etc.

Best way I have found to truly destroy all data on a failed drive is an open space and thermite. It melts the hard drive into one solid iron chunk, and the heat is so intense that all the magnetization is destroyed (as well as burned away). heh, you should bring up that option in the next meeting :p
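
The layout argued over in this thread (data and parity rotated across every member, small items fitting inside one chunk) can be simulated to see what a single pulled member actually holds. This is an added example, not part of any post; the 64-byte chunk, the left-symmetric parity rotation and the `ACCT:` record format are constructed assumptions.

```python
# Added illustration, not from the thread. Chunk size, parity rotation and the
# "ACCT:<10 digits>;" record format are constructed assumptions.
import re
from functools import reduce

CHUNK = 64                               # bytes; tiny stand-in for a 64k/128k chunk
RECORD = re.compile(rb"ACCT:\d{10};")    # constructed 16-byte sample record


def xor_chunks(chunks):
    """Byte-wise XOR of equal-length chunks (the RAID 5 parity function)."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*chunks))


def build_raid5(volume, n_disks, chunk=CHUNK):
    """Stripe volume over n_disks; return a list of (is_parity, bytes) per disk."""
    stripe_len = (n_disks - 1) * chunk
    volume += b"\0" * (-len(volume) % stripe_len)    # pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(volume) // stripe_len):
        base = s * stripe_len
        data = [volume[base + i * chunk: base + (i + 1) * chunk]
                for i in range(n_disks - 1)]
        p = (n_disks - 1 - s) % n_disks              # parity moves every stripe
        disks[p].append((True, xor_chunks(data)))
        for k, d in enumerate(data):
            disks[(p + 1 + k) % n_disks].append((False, d))
    return disks


def single_disk_view(n_disks, n_records=240, member=0):
    """Data share of one member and the intact records found in its raw image."""
    volume = b"".join(b"ACCT:%010d;" % i for i in range(n_records))
    disk = build_raid5(volume, n_disks)[member]
    raw = b"".join(c for _, c in disk)               # scanned with no layout knowledge
    data_chunks = sum(1 for is_p, _ in disk if not is_p)
    return {
        "data_fraction": data_chunks / len(disk),
        "records_found": len(RECORD.findall(raw)),
        "records_total": n_records,
    }


if __name__ == "__main__":
    for n in (3, 5):
        print(n, "disks:", single_disk_view(n))
```

Records smaller than a chunk survive whole on whichever member holds them, so one drive out of x yields about 1/x of them in clear text, which is the exposure a disposal policy has to weigh.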
 
> It would be very easy to recover some data, that being data that is in the stripe size of the raid set. So say you have a 128k stripe size on your raid 5, one drive will have tons of 128k stripes of contiguous data which could be just enough to get an account number, password, etc.
>
> Best way I have found to truly destroy all data on a failed drive is an open space and thermite. It melts the hard drive into one solid iron chunk, and the heat is so intense that all the magnetization is destroyed (as well as burned away). heh, you should bring up that option in the next meeting :p

ahhhh, thermite.. who could have known that rust and aluminum would be so perfect together...
 
> No, it is not, as parity is spread across all the disks, not placed on just one disk. It's a very different scheme. What you are talking about is RAID 4, which is not used and inferior for obvious reasons.

I know what the difference is between RAID 5 and 4 so I'll quote myself


LittleMe said:
the data and parity are across all 3 disks, so you won't always have only the parity or only part of the data, you'll have a mix of it.

Now, I'll agree, it's not worded that great but I did say that a single disk of a RAID 5 array will have a mix of data and parity.
 
> "Discussion Thread
> Response (David Parker) 12/19/2007 05:28 PM
> Dear Christian,
>
> Thank you for contacting Seagate Recovery Services.
>
> I have had the opportunity of reviewing your email. It is my understanding that the hard drive has gone faulty and you are looking to get the information recovered from it. Having assessed the issue, I have established that the issue described will need an in lab effort in order to recover the information. We do have the technology to be recovering data in such scenario. You will need to ship the drive to a Seagate facility near you in order for us to do an evaluation of the media.
>
> However, since the case seems to be complex, I would request you to provide me with your contact number and geographical location, so that I could arrange for a call back from our case manager to assist you further.
>
> Please write back to me with any further queries, you can also call our toll free number at 1-800-475-0143.
>
> Regards,
>
> David Parker,
> Seagate Recovery Services "

I think it can be done, I have done some data recovery before, it takes a long time but it does work
 