Deadbolt Recovery -Mount Raid 0 for data recovery (PhotoRec?)

Kingsley Tech SF

New Member
Joined
Feb 25, 2022
Messages
3
Reaction score
0
Credits
38
Hello,

I have a client that was a victim of the Deadbolt ransomeware. It was on an Asustor NAS. The configuration was 4 disks RAID 10 (2 in RAID 0 then mirrored to another 2 in RAID 0). I hope that's right. I was able to use recovery software with only one disk and got a ton of information. Obviously since there was a RAID 0 some of the files are not complete. All I used was EaseUS recovery software and I was able to get non encrypted files back. Not sure how but I'm guessing when the files changed or were replaced the file system put them on another part of the HD to delete and I was able to search that "Deleted" part and get the non-encrypted files?

My question:
Would it be possible to mount the RAID 0 drives and use recovery software like PhotoRec to get at hidden files? I have done a search on mdadm and I do have an Ubuntu machine
 


OP
K

Kingsley Tech SF

New Member
Joined
Feb 25, 2022
Messages
3
Reaction score
0
Credits
38
Hi I just wanted to clarify. I'm not looking to get a RAID mounted on Ubuntu to "just" get the files that I can see. I want to get it mounted to use recovery software to access the hidden/deleted/etc files. Thank you so much and this will help out tons of people if we can work to find a solution.
 

KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
6,455
Reaction score
5,719
Credits
51,944
I think all any of us here could really do is suggest you try it. It may work, assuming the files weren't encrypted along the way. Otherwise, you're just recovering files that haven't got much value without the decryption key.

It's worth checking for your client's sake. If nothing else, it'll confirm that the files can't be recovered even with the additional steps.
 

f33dm3bits

Gold Member
Gold Supporter
Joined
Dec 11, 2019
Messages
4,792
Reaction score
3,444
Credits
34,918
I think your client deserves better than you asking for data recover possibilities on a forum since it seems you are a providing a service they are paying for. How about looking into a professional data recovery company?
 
OP
K

Kingsley Tech SF

New Member
Joined
Feb 25, 2022
Messages
3
Reaction score
0
Credits
38
I think your client deserves better than you asking for data recover possibilities on a forum since it seems you are a providing a service they are paying for. How about looking into a professional data recovery company?
Hello, they have already tried that and paid for nothing didn't recover any data other than the actual encrypted files. Aslo they messed up disk 0 Using Testdisk to try and rebuild what they thought was a lost partition but wasn't. I was able to get all the encrypted data too. Just with software. I do data recovery and have for many years just not with RAID configs from NAS = Linux. I have RapidSpar, Stellar, have used Testdisk and PhotoRec, I'm proficient in micro soldering and have recovered TB of data successfully for clients from broken SD cards, water logged iPhones and more. I'm actually not charging them to see if this can be done. I would feel the same way you did not knowing all the details so no harm no foul. And the client doesn't have another $1400 (Going rate for RAID recovery) to spend to another company that might or might not get any data. I'm really just asking if someone can help me mount the logical volume in Ubuntu so that I can use Photorec to get the deleted files not just the files that are encrypted.
 
Last edited:

f33dm3bits

Gold Member
Gold Supporter
Joined
Dec 11, 2019
Messages
4,792
Reaction score
3,444
Credits
34,918
I'm really just asking if someone can help me mount the logical volume in Ubuntu so that I can use Photorec to get the deleted files not just the files that are encrypted.
With hardware raid you should just be able to boot from a live Ubuntu media, then Ubuntu should pick up the lvm configuration. Then you should be able to check the volume groups and volumes by running the following from a terminal.
Code:
sudo lvs
Under the LV colum are the available logical volumes and under VG are the available logical groups.
You can than mount them like this.
Code:
sudo mount /dev/mapper/vgname-lvname /mnt
 
$100 Digital Ocean Credit
Get a free VM to test out Linux!

Linux.org Hosting Donations
Consider making a donation


Top