How do I mount a multi-disk Windows NTFS RAID/logical drive on Linux?

7

0

I have two 500GB hard drives from an old Windows laptop at my workplace. My boss has asked me to copy the contents to the file server if possible, with the caveat that absolutely no data may be lost.

Normally, backups would suffice for this, but this was from the earlier days of the operation when stuff like backups weren't kept more strictly, and this guy was notoriously poorly organized, so I'm not sure whether the backups have the most up-to-date (or even reasonably up-to-date) contents.

First thing I did was to produce images using ddrescue. The drive that has the partition table copied without errors, and the other drive lost ~150 KiB to errors. The images were mounted read-only to /dev/loop1 and /dev/loop2 using losetup. fdisk -l shows the following:

Disk /dev/loop1: 465.8 GiB, 500107862016 bytes, 976773168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop2: 465.8 GiB, 500107862016 bytes, 976773168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x87afa6ad

Device       Boot      Start        End    Sectors   Size Id Type
/dev/loop2p1            2048   31459327   31457280    15G 27 Hidden NTFS WinRE
/dev/loop2p2 *      31459328   31664127     204800   100M 27 Hidden NTFS WinRE
/dev/loop2p3        31664128 1191071167 1159407040 552.9G  7 HPFS/NTFS/exFAT
/dev/loop2p4      1191071168 1953533951  762462784 363.6G  7 HPFS/NTFS/exFAT

The partition sizes seemed to suggest that this was a RAID array or Windows logical drive, and a quick check with blkid showed that the drive types were isw_raid_member. Attempting to assemble the array with mdadm -v --assemble /dev/md0 /dev/loop2 /dev/loop1 produced the following output:

mdadm: looking for devices for /dev/md0
mdadm: Cannot assemble mbr metadata on /dev/loop2
mdadm: /dev/loop2 has no superblock - assembly aborted

Other things I tried either to mount the drives or get more information were:

  • mount /dev/loop2 <mount point>: Failed with unknown filesystem type 'isw_raid_member'
  • mount -t with NTFS and exFAT: Unable to find file system
  • mount /dev/loop2p[1234]: Special device <dev> does not exist
  • mdadm --create /dev/md0 --level=0 --raid-devices=2 /dev/loop[21]: States that /dev/loop2 appears to be part of a raid 0 array with no devices and a creation date of 00:00:00 Jan 1 1970
  • mdadm -E /dev/loop[12]: States that no md superblock was detected on /dev/loop1 and prints out the partitions and MBR magic number of aa55 for /dev/loop2
  • file -s /dev/loop1: prints /dev/loop1: data
  • file -s /dev/loop2: spits out a block of text basically saying it's a DOS/MBR boot sector and the gives raw numbers for partition offsets/sizes.

  • mount -t ntfs -o ro,offset=$((512*2048)) /dev/loop2 /mnt/partition1:

    NTFS signature is missing
Failed to mount '/dev/loop3': Invalid argument
The device '/dev/loop3' doesn't seem to have a valid NTFS

    No, I didn't mistype that 3. No clue where it came from.

I also looked at Recovering a failed software RAID, but that seems to be for already working Linux arrays being recovered on Linux (not to mention quite a bit goes over my head).

Is there anything I can do to get these images mounted safely?

awksp

Posted 2016-08-19T14:48:57.873

Reputation: 173

Please let me know if this should go on a different SE site. I considered Server Fault, but this seemed like it could happen in non-business settings, so I chose here. – awksp – 2016-08-19T14:49:43.563

As far as I can tell LOOP2 is the 1st disk from the laptop and LOOP1 the 2nd disk. Looks like the laptop only had disk 1. Disk 2 was added and (guessing now) both disks were changed to dynamic disks in Windows. Then C: and D: where extended with space allocated on the 2nd disk. I don't know if there is any way to make sense of this from within Linux. If possible I would place the disks back in the original laptop (or one that is very similar) and boot into Windows. Copy the data from there. Keep the images you made to fall back to a pristine start situation in case Windows trashes the disks. – Tonny – 2016-08-19T15:00:25.470

@Tonny Your guess sounds reasonable. I was hoping to work with the images and use the disks as originals, but now that you mention it the other way works too. Only thing I would be concerned about is the bad sectors on the 2nd disk. IIRC dd errored out due to those sectors around 10GB in, but everything else was fine. Would that interfere with restoring the disk with the image? – awksp – 2016-08-19T18:14:49.503

Putting the image back to the same disk is probably not a very good idea. Writing to that disk may even make it worse. (If you see bad sectors the disk has already used up all its spare sectors. It is beyond dead already.) Just get another disk of same size or slightly bigger. I would recommend NOT to let Windows chkdsk the system on 1st boot, but just boot and copy data. After that is done let it chkdsk and see if you can then recover more data. – Tonny – 2016-08-19T20:02:17.440

@Tonny Right, you have a point. I don't think we have any 2.5" drives or USB adapters sitting around, so if other methods fail I'll go down to the local computer store and try what you suggested. – awksp – 2016-08-19T20:48:31.240

@KamilMaciorowski The mount commands fail with unknown filesystem type 'isw_raid_member', unfortunately. – awksp – 2016-08-19T20:55:49.107

@awksp How about forcing NTFS by adding -t ntfs option to those mount commands? – Kamil Maciorowski – 2016-08-19T21:19:58.260

@KamilMaciorowski Pasted the full results to the bottom of the question. The summary is that mount seems to be trying to access /dev/loop3 and failing. – awksp – 2016-08-19T21:47:19.243

@KamilMaciorowski Holy moly that's complex. It's going to be a bit until I can try this, though; the server on which the images reside isn't visible from outside the office. – awksp – 2016-08-20T01:54:52.553

@KamilMaciorowski Changed comment chain into edit to bottom of question. tl;dr: dmsetup succeeds, but can't figure out how to mount anything, even with an offset argument – awksp – 2016-08-21T19:52:29.600

@awksp It looks like this is a wrong way then. I'm sorry I couldn't help. – Kamil Maciorowski – 2016-08-21T20:04:58.813

@KamilMaciorowski :( That's too bad... Thank you for your help though! – awksp – 2016-08-21T20:18:26.010

@awksp Check this. Looks like dmraid may be useful to you. It's just a clue, a lead. I think isw_raid_member indicates Intel Software RAID. Do research.

– Kamil Maciorowski – 2016-08-22T12:48:09.467

Idea out of left field: Have you tried to start a windows VM and thrown copies of two images at it to see if M$ magic can just figure it out, then samba it out? – Peter Berbec – 2017-10-02T18:12:22.590

@PeterBerbec That's a intriguing idea. Unfortunately, I don't have easy access to the images at the moment, but I'll give that a shot next time I do – awksp – 2017-10-28T08:07:12.087

@KamilMaciorowski idk if you're still around, but I was trying your instructions again and I actually managed to get the thing to mount! Only difference was I used a different number of sectors (19553531904 instead of 1953546336) and a chunk_size of 256. Not sure what exactly I did differently this time, but I'm just glad it worked. Post an answer, and I'll accept! – awksp – 2018-07-16T20:34:19.430

@KamilMaciorowski Also, consider posting an answer here; this guy seems to have a similar issue. He seems to have found a workaround, but posting a proper answer hopefully wouldn't hurt

– awksp – 2018-07-16T20:35:23.317

@KamilMaciorowski And looks like your original number of sectors works too (and is actually more correct, because I can actually mount the 4th partition this way). Not sure why things didn't appear to work earlier – awksp – 2018-07-16T21:04:29.880

@KamilMaciorowski Done! Sorry it took so long – awksp – 2018-10-25T18:49:12.200

Answers

3

Note: I'm writing this answer after the OP got help via comments, trials and errors. Having other users in mind, I'm making the answer broader and little more generic.

If these two disks worked together, they might be

  1. mirrored, RAID1-style;
  2. or concatenated, JBOD-style;
  3. or striped, RAID0-style.

The cases are ordered starting from the easiest to deal with. I will instruct you how to tell them apart and how to deal with them to mount the partitions eventually.

Mounting should be done with -o ro first, until you're sure you got it right. In some cases mount may succeed and give you access to mangled directory structure and/or scrambled files. Insane data and/or metadata indicate you didn't get it right. Mounting read-only ensures you won't harm the image(s).

1. mirrored, RAID1-style

In this case both disks should contain the same data, if healthy; they both should contain the same valid partition table. Only the image you have as /dev/loop2 reports a partition table. This may be because

  • they were not mirrored in the first place,
  • or these errors you mentioned on the other disks occurred where the partition table is (in case of DOS partition table it's MBR, i.e. at the very beginning, sector number 0).

There is however one big clue that makes RAID1 hardly probable in your case: fdisk says there are exactly 976773168 sectors on a single disk, but the last sector of the fourth partition is 1953533951. This is almost twice as much, it suggests the partition layout spawns on two non-mirrored disks.

But let's say your disks were twice as big and the above clue didn't apply. If you believe you may deal with mirrored disks then work with the image obtained without errors, leave the other image alone. Try to mount the partitions like this:

mount -o ro,offset=$((512*2048)) /dev/loop2 /mnt/partition1
mount -o ro,offset=$((512*31459328)) /dev/loop2 /mnt/partition2
mount -o ro,offset=$((512*31664128)) /dev/loop2 /mnt/partition3

etc. You may even not use losetup to get /dev/loop2 but provide the file path directly, mount should create a loop device on its own and handle this just fine:

mount -o ro,offset=$((512*2048)) /path/to/the/image2.raw /mnt/partition1

2. concatenated, JBOD-style

If disks building JBOD use MBR to store the partition table, fdisk will find it only on the very first disk. Other disk(s) may report nothing or some insane partition table(s); the probability of getting a partition table that looks sane from not-the-first disk is very low, but even then this partition table means nothing.

If disks building JBOD use GPT to store the partition table, tools like gdisk will find the primary table on the very first disk, the secondary (backup) table on the very last one.

You have two images, one of them reports a DOS partition table (i.e. a partition table in MBR), the other reports no partition table. Should they create JBOD, you know the one corresponding to /dev/loop2 goes first.

In your case the partitions 1 and 2 are small enough to entirely fit into the first disk of JBOD. You can try to mount them with appropriate offset from the sole /dev/loop2. If this gives you access to sane filesystems then you will know JBOD is probably the right setup. To access all the partitions you need to concatenate images.

This answer of mine provides a way to concatenate images without writing the result to disk. In your case the procedure may be:

  1. dmsetup create mydisk
  2. type 0 976773168 linear /path/to/the/image2.raw 0 Enter
  3. type 976773168 976773168 linear /path/to/the/image1.raw 0 Enter
  4. hit Ctrl+D

The resulting device should be /dev/mapper/mydisk. Try to mount any partition from it with appropriate offset=….

To destroy the device invoke dmsetup remove mydisk.

3. striped, RAID0-style

Similarly to JBOD, if disks building RAID0 use MBR to store the partition table, fdisk will find it only on the very first disk. Other disk(s) may report nothing or some insane partition table(s); the probability of getting a partition table that looks sane from not-the-first disk is very low, but even then this partition table means nothing.

If disks building RAID0 use GPT to store the partition table, the situation gets complicated. Depending on how big the stripe size is, you may or may not get the primary partition table from the very first disk, you may or may not get the secondary (backup) partition table from the very last disk. You should get a legacy MBR from the very first disk (unless a read error occurs).

You have two images, one of them reports a DOS partition table (i.e. a partition table in MBR), the other reports no partition table. Should they create RAID0, you know the one corresponding to /dev/loop2 goes first. What you don't know is the stripe size. In general there is no firm way to know it, you should try common values and analyze the results.

The procedure to interleave your images and to create a virtual device is as follows:

  1. dmsetup create mydisk
  2. type 0 1953546336 striped 2 256 /dev/loop2 0 /dev/loop1 0 Enter
  3. hit Ctrl+D

The resulting device should be /dev/mapper/mydisk. The number 256 means the stripe size of 128 KiB and it must be guessed right. In general, regardless of possible troubles with GPT before dmsetup, now gdisk -l /dev/mapper/mydisk should return a valid partition table if you guess the stripe size right. If you guess it wrong, the partition table may or may not be valid. If it looks valid, try to mount all the partitions from it with appropriate offset=… values.

In your case the partition table will certainly be the one you got from /dev/loop2.

Beware that even with a wrong guess you may be able to mount but the files will be scrambled. In this case umount, invoke dmsetup remove mydisk and repeat dmsetup create… with another value instead of 256. Numbers to try: 8, 16, 32, 64, 128, 256, maybe other powers of 2. If possible, read files with verifiable content (media like MP3, do they play without jitter?) or formal structure (like PDFs, do they open without errors?) to tell if your guess is right. Files smaller than the right stripe size may not show that your guess is wrong, so you should rather use an avi of 700 MB, not just a text file of few KB.

To destroy the device invoke dmsetup remove mydisk.

Kamil Maciorowski

Posted 2016-08-19T14:48:57.873

Reputation: 38 429

The third option was the one that worked in my case. Thank you for your help! – awksp – 2018-10-25T18:48:53.563

Asked: 2016-08-19T14:48:57.873

Viewed: 3 377 times

Active: 2018-10-25T18:46:29.110