In this installment we will explore the practical use of XOR within the context of RAID 5 recovery. Although the XOR operation by itself does not constitute RAID recovery, the mathematics has properties that lend themselves to data signatures, and those signatures can in turn be used to recover the RAID 5 configuration. In order to apply the XOR operation we must first understand the format of the Master File Table (MFT), the very crux of the Microsoft NTFS file system.
File systems, like most database engines, use a simple flat-file-plus-index method for lookups and quick displays. The flat file is the MFT, and the INDX record is used for fast lookup and display. Each has its own role within the file system, and to a large extent they depend on each other.
Since the INDX record is not used in the context of RAID 5 recovery for this particular group of tutorials, we will set aside its role within the NTFS file system architecture.
Suffice it to say that in a more advanced context the INDX record does have its uses when assessing a RAID 5. The MFT, however, offers the clearest path to drive order and stripe size when using the XOR operation. The figure below (Figure 1) is a generic RAID 5 with three drives. The MFT is exposed using the utility WinHex in order to better illustrate how we use XOR to find the parity block within a RAID 5.
Figure 1 shows a partial MFT record from three different drives, marked from left to right as Drive 0, Drive 1, and Drive 2. Each panel shows the same sector number on its drive. In a RAID 5 configuration this set of same-numbered sectors across the drives is considered the ‘stripe’; although this is not the entire stripe, it is enough for the purposes of this figure. That being said, there are also three red rectangles enclosing the upper left-hand corner of each MFT record. For Drive 0 and Drive 2 the word ‘FILE’ is highlighted. On Drive 1 only four dots are displayed. This part of the MFT record is called the header, and the header contains a ‘magic’ number that identifies the record type within the NTFS file system. The magic number is ‘FILE’ for an NTFS 5 MFT record. The question is: why do the records on Drive 0 and Drive 2 display the word ‘FILE’ while the record on Drive 1 does not? The next installment of this series will give a clearer explanation of why Drive 1 does not display the magic number ‘FILE’ and how we can use that to determine stripe size and drive order.
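The XOR relationship that the opening paragraph relies on, and that the figure is built around, can be played out on a constructed three-drive stripe. The following is an added example and not code from this tutorial or from WinHex: it builds two stand-in sectors that begin with the MFT magic ‘FILE’, derives the third member of the stripe as their XOR parity, renders each member the way a hex editor's text column would, and then uses the magic number as the data signature to tell parity from data. The sector contents, the drive tags and all function names are assumptions made for illustration.

```python
# Added example, not code from the tutorial: the XOR parity relationship in a
# RAID 5 stripe, played out on constructed 512-byte "sectors". The sector
# contents, drive tags and function names are all assumptions for illustration.
from typing import List, Optional

SECTOR = 512
MFT_MAGIC = b"FILE"   # magic number at offset 0 of an NTFS 5 MFT record


def make_mft_sector(tag: bytes) -> bytes:
    """Constructed sample: a sector that begins with the MFT magic 'FILE' and is
    padded with a repeating tag. It is not a real MFT record, only a stand-in."""
    filler = (tag * (SECTOR // len(tag) + 1))[: SECTOR - len(MFT_MAGIC)]
    return MFT_MAGIC + filler


def xor_bytes(*blocks: bytes) -> bytes:
    """Byte-wise XOR of any number of equal-length blocks."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("stripe members must be the same length")
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def text_column(block: bytes, width: int = 16) -> str:
    """The text column a hex editor such as WinHex shows: printable ASCII as-is,
    every other byte (including 0x00) rendered as a dot."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in block[:width])


def is_consistent_stripe(stripe: List[bytes]) -> bool:
    """In a RAID 5 stripe the parity member is the XOR of all data members, which
    is the same as saying the XOR of every member together is all zero bytes."""
    return xor_bytes(*stripe) == bytes(len(stripe[0]))


def find_parity_member(stripe: List[bytes]) -> Optional[int]:
    """Locate the parity sector of a stripe using the MFT magic as the data
    signature. The XOR identity alone cannot single out a member (each one is
    the XOR of the others), so we rely on the signature: when the data members
    are MFT records they carry 'FILE', and the parity of two 'FILE' headers is
    four 0x00 bytes, which a hex editor shows as four dots."""
    if not is_consistent_stripe(stripe):
        return None
    without_magic = [i for i, blk in enumerate(stripe) if blk[:4] != MFT_MAGIC]
    return without_magic[0] if len(without_magic) == 1 else None


def rebuild_missing_member(survivors: List[bytes]) -> bytes:
    """RAID 5 recovery in one line: any single lost member of a stripe equals
    the XOR of the surviving members, whether the lost one was data or parity."""
    return xor_bytes(*survivors)


def build_sample_stripe() -> List[bytes]:
    """Constructed three-drive stripe matching the layout of the figure:
    Drive 0 and Drive 2 hold MFT records, Drive 1 holds their parity."""
    d0 = make_mft_sector(b"drive zero data ")
    d2 = make_mft_sector(b"drive two data ")
    d1 = xor_bytes(d0, d2)
    return [d0, d1, d2]


if __name__ == "__main__":
    stripe = build_sample_stripe()
    for n, sector in enumerate(stripe):
        print(f"Drive {n}: {text_column(sector)}")
    print("parity member:", find_parity_member(stripe))
    # simulate losing Drive 2 and rebuilding it from Drive 0 and the parity
    assert rebuild_missing_member([stripe[0], stripe[1]]) == stripe[2]
```

Running the block prints the three text columns in the same arrangement as the figure: Drive 0 and Drive 2 open with ‘FILE’, Drive 1 opens with four dots because ‘FILE’ XOR ‘FILE’ is four zero bytes. The rebuild at the end is the same identity used for recovery: with one drive gone, the XOR of the survivors reproduces it exactly. Note that a consistency check alone cannot say which member is parity, since every member of a consistent stripe is the XOR of the others; it is the MFT signature that makes the parity member stand out.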