DTI Data Recovery received a RAID 5 a few weeks back that had several VHD files on it. The one VHD that held all of the client’s data had been deleted, and because it was a ‘dynamic’ (expanding) VHD rather than a ‘fixed’ one, the data inside it was not laid out as one plain contiguous disk image, so there was no easy way to find it. For those who do not know what a ‘VHD’ is, it is Microsoft’s virtual hard disk image format (used by Virtual PC and Hyper-V) and its answer to VMware: in VMware we have ‘vmdk’ files, in Windows we have ‘vhd’ files. VMware has two kinds of disk, ‘thin provisioned’ and ‘thick provisioned’; they correspond to Microsoft’s ‘dynamic’ and ‘fixed’ types. (Microsoft also has a third type, the ‘differencing’ disk, which stores only changes relative to a parent VHD.) In order to recover a ‘vhd’ that has been deleted, it is important to understand both the method used and the file structure. The following is a brief explanation of both.
The method normally used for finding deleted files is to scan for specific file markers. This means a search of the entire drive must be done, testing each sector for a set of markers that identify a file type, so it is imperative to know the on-disk format of the type you are looking for. As an example, every ‘JPEG’ file begins with the two-byte start-of-image marker FFh D8h; in the common JFIF flavour this is immediately followed by an APP0 segment carrying the letters ‘JFIF’ (camera files carry ‘Exif’ in an APP1 segment instead). When scanning for a ‘JPEG’ we look for that header, and upon finding it we know we have found the beginning of a ‘JPEG’ file. At the end of every ‘JPEG’ is what is called a footer, or terminator: the end-of-image marker FFh D9h. So it is really quite simple: we look for the header and save the data until we see FFh D9h. There are problems that can arise, such as fragmentation, random data that looks like a header or a footer, and an embedded thumbnail that carries its own FFh D9h before the real end of the file, but for the most part this works very well.
Now, we take a look at the VHD Hard Disk Image Format and we see the same basic file structure. The on-disk format has a ‘magic’ value that identifies a VHD image: just as a JPEG has ‘JFIF’, a ‘vhd’ has the eight-byte cookie ‘conectix’. The cookie is the first field of the 512-byte hard disk footer, and it is worth knowing where that footer lives, because it is not at the start of the file. A fixed VHD is raw disk data followed by the footer as its last sector, so the hit you find is the end of the file and the start is the footer offset minus the ‘current size’ field. Dynamic and differencing VHDs carry a mirror copy of the footer as their first sector, followed by the dynamic disk header (cookie ‘cxsparse’), the block allocation table and the data blocks, and then the footer again as the last sector, so each of them produces two hits. If you continue to inspect and study the on-disk format you will see that the footer holds a great deal of information that helps: the current and original size of the virtual disk, the creation time stamp (seconds since 1 January 2000 UTC), the disk type (2 = fixed, 3 = dynamic, 4 = differencing), the creator application, a unique ID, and a checksum (the ones’ complement of the sum of the other footer bytes) that lets you reject a random sector that merely happens to contain the cookie. All of these fields are stored big-endian.
Once the footer is found it is a matter of converting the header fields into something readable in English, copying the whole run of sectors that make up the ‘vhd’ off to a file, naming it something like ‘test.vhd’, and then attaching that file in Windows with Disk Management (Action, Attach VHD, available since Windows 7 and Server 2008 R2) or with diskpart’s ‘attach vdisk’. Attach it read-only so that the mount itself does not write into the image you have just recovered. This sounds like a lot of work, and it truly is if you are not familiar with hex editors, fragmentation, mounting a ‘vhd’ file and the like.
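As an added worked example (not the software described in this post, nor any DTI Data Recovery tool), here is a small Python carver that does the sector scan described above: it tests every sector for the ‘conectix’ cookie, decodes the footer fields into readable values, checks the footer checksum, and turns each hit into a byte range to copy off. A fixed disk is carved backwards from its footer using the current-size field; a dynamic or differencing disk is carved by pairing its leading footer copy (the one followed by ‘cxsparse’) with the trailing copy that has the same unique ID. The disk image it scans is constructed inline from two tiny hand-built VHDs and some filler; the field layout and checksum rule follow Microsoft’s published VHD specification, while the values used to build the sample (creator ‘vpc ’, the sizes, the UUIDs, the time stamp) are arbitrary.

```python
"""Sector-scan a raw image for VHD footers ("conectix") and turn each hit into a
carve range.  Field layout follows Microsoft's VHD specification: a 512-byte
big-endian hard disk footer, plus the "cxsparse" header on dynamic disks."""
import struct
from datetime import datetime, timedelta, timezone

COOKIE = b"conectix"
DYN_COOKIE = b"cxsparse"
SECTOR = 512
# cookie, features, version, data_offset, timestamp, creator_app, creator_ver,
# creator_os, original_size, current_size, geometry, disk_type, checksum,
# uuid, saved_state, reserved            (adds up to exactly 512 bytes)
FOOTER_FMT = ">8sIIQI4sI4sQQIII16sB427s"
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # time stamp = seconds since this


def footer_checksum(raw):
    """Ones' complement of the sum of all footer bytes, skipping the checksum field (bytes 64..67)."""
    return (~(sum(raw[:64]) + sum(raw[68:]))) & 0xFFFFFFFF


def parse_footer(raw):
    """Decode one 512-byte sector into readable fields, or None if it is not a VHD footer."""
    if len(raw) != SECTOR or raw[:8] != COOKIE:
        return None
    f = struct.unpack(FOOTER_FMT, raw)
    return {
        "disk_type": DISK_TYPES.get(f[11], "unknown(%d)" % f[11]),
        "data_offset": f[3],            # all-ones for fixed, else offset of the dynamic header
        "created": VHD_EPOCH + timedelta(seconds=f[4]),
        "creator_app": f[5].decode("ascii", "replace"),
        "creator_os": f[7].decode("ascii", "replace"),
        "original_size": f[8],
        "current_size": f[9],           # size of the virtual disk in bytes
        "uuid": f[13].hex(),
        "checksum_ok": f[12] == footer_checksum(raw),
    }


def find_footers(image):
    """Test every sector of the image; keep only footers whose checksum verifies."""
    hits = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        f = parse_footer(image[off:off + SECTOR])
        if f and f["checksum_ok"]:
            hits.append((off, f))
    return hits


def carve(image):
    """Map footer hits to (start, end, disk_type) byte ranges of whole VHD files.

    fixed:   raw data then one footer, so start = footer offset - current_size.
    dynamic/differencing: the footer is mirrored as the first sector (followed by
    the "cxsparse" header) and repeated as the last; pair head and tail by UUID.
    """
    ranges, heads = [], {}
    for off, f in find_footers(image):
        if f["disk_type"] == "fixed":
            start = off - f["current_size"]
            if start >= 0:
                ranges.append((start, off + SECTOR, "fixed"))
            continue
        hdr = off + f["data_offset"]
        if f["uuid"] not in heads and image[hdr:hdr + 8] == DYN_COOKIE:
            heads[f["uuid"]] = off                        # leading footer copy
        elif f["uuid"] in heads:
            ranges.append((heads.pop(f["uuid"]), off + SECTOR, f["disk_type"]))
    return ranges


# --- constructed sample image (hand-built, not a real customer disk) ---------

def build_footer(disk_type, size, data_offset, uuid, ts=400_000_000):
    """Assemble a spec-conformant footer with a correct checksum (geometry is irrelevant here)."""
    fields = [COOKIE, 2, 0x00010000, data_offset, ts, b"vpc ", 0x00050003, b"Wi2k",
              size, size, 0x00010101, disk_type, 0, uuid, 0, b"\0" * 427]
    raw = bytearray(struct.pack(FOOTER_FMT, *fields))
    struct.pack_into(">I", raw, 64, footer_checksum(raw))
    return bytes(raw)


def build_sample_image():
    noise = bytes(range(256)) * 2                          # one sector of non-VHD filler
    fixed_data = b"F" * (2 * SECTOR)
    fixed_vhd = fixed_data + build_footer(2, len(fixed_data), 0xFFFFFFFFFFFFFFFF, bytes(range(16)))
    dyn_footer = build_footer(3, 10 * 1024 ** 2, SECTOR, b"\xaa" * 16)
    # dynamic header: cookie, data_offset, table_offset, version, max entries, block size
    dyn_header = (DYN_COOKIE + struct.pack(">QQIII", 0xFFFFFFFFFFFFFFFF, 1536,
                                           0x00010000, 5, 0x200000)).ljust(1024, b"\0")
    dyn_vhd = dyn_footer + dyn_header + b"\xff" * SECTOR + dyn_footer   # footer, header, BAT, footer
    return noise + fixed_vhd + noise + dyn_vhd


if __name__ == "__main__":
    img = build_sample_image()
    for start, end, kind in carve(img):
        print("%-12s bytes %6d..%6d  (starts at sector %d)" % (kind, start, end, start // SECTOR))
```

The pairing step is the part a plain search for ‘conectix’ misses: each dynamic VHD produces two hits, and when the two copies disagree the one at the end of the file is the authoritative footer. On a real drive, read sector-aligned chunks rather than loading the whole image into memory, and expect fragmentation to break the one-contiguous-range assumption that carve makes.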
So, to help those of you who want to recover a deleted ‘vhd’ but are not that experienced in the data recovery business, I wrote a piece of software.
The software will scan for headers and will display the size, data file type, and most importantly the file sector offset. The software is on our website and can be downloaded from there. It is pretty straightforward in its use, so I did not see the need for documentation. If there are any questions please leave a note on the blog and I will try to get back to you. If I get too many questions about how to use it I will write a quick how-to.