How to recover data from a virtual environment

As discussed in our previous blog: ‘What are the causes of virtual system data loss? ’, the main causes of data loss from a virtual environment are hardware issues, formatting, metadata corruption, and user errors. Data loss can cause a large amount of stress and downtime for an organization; it is, therefore, essential that a reputable data recovery company is contacted as soon as a data loss occurs.

So, what should you do if your organization finds itself in a situation where it has lost its virtual data? The good news is that there are a great many ways to recover some and, in many cases, all the lost virtual data.

Storage level

The first point of entry is at the storage level. It can be possible, in some cases, to directly recover data from physical drives by taking an image of the drives and reading what raw data might be available on the disk.

LUNS or RAID

The next option is to attempt to recover data from the logical volumes (LUNs) or RAID. If the RAID controller is available, it can be used to track down the many slices of data spread across virtual disks. By determining what the configuration should be, engineers can virtually rebuild the array and gain access to the storage. If the RAID controller is corrupted, it may be necessary to emulate the RAID controller and rebuild what is missing.

Host file system

The next level up, with each representing a higher degree of recovery difficulty, is the host file system level. In VMware, this would be VMFS and in Hyper-V, NTFS or ReFS. In many cases, data isn’t available directly at the storage level. But if the right tools are used, recovery experts can trace data from the basic storage data blocks, map it to the host level and recompile it. If that process doesn’t provide an adequate recovery, additional tools can be employed to extend further into the guest file system level. By investigating the virtual file system, data recovery specialists can sometimes find data that would otherwise be lost. Finally, it is possible to reach into the guest file-level and access data lurking in application files such as SQL, Exchange, SharePoint, Oracle, Office files, ZIP files and more.

Storage architectures

What it takes is an understanding of each level and knowing what might be available where. Those well-versed in storage architectures can track down data that seemed lost by finding pieces of it in one level and other parts in another level. This is perhaps best understood by looking at a RAID example. It is a fact of life that drives will eventually fail. If RAID 1 or greater is being used, a new drive can be installed and the data storage map rebuilt without data loss. But what if the drive failure exceeds the redundancy capacity of RAID? To recover data in this case, it is usually necessary to bypass any physical failures that may have occurred, reconstruct the RAID file system, and assess the various layers and complexities of any virtualized architecture that may exist.

This often makes recovery extremely challenging and time-consuming. However, with the right provider, in many cases, recovery efforts can be successful. Make sure the provider has the tools and expertise, as well as direct partnerships with storage vendors.

Virtual machine data recovery by Ontrack

With over 30 years of global experience in data management, data recovery, secure data erase, ediscovery and computer forensics, Ontrack has recovered virtualized data for thousands of enterprises.

Engineers image drives and reads raw data on the disk, determine what the configuration should be and then virtually rebuild the array and gain access to the storage. To do so, Ontrack has developed tools such as those that emulate the RAID controller and rebuild what is missing. The company has also developed a wealth of additional tools to accomplish such things as to prevent further writing of data onto volumes, address the complexities of virtualized files systems and more.

Ontrack’s development team continually updates its tools for the latest virtualization platforms and storage environments. Thanks to its knowledge of the various storage media, operating systems, and underlying storage architectures, Ontrack offers comprehensive services for data recovery, as well as follow up services for intelligent backup and data management.

Let’s take a look at a few examples:

Accidental wipe of a NetApp system

A Korean Managed Service Provider (MSP) had a client with a NetApp FAS8060 system containing 161 x 900GB SAS HDDs. They were arranged in two separate aggregates (68 drives + 93 drives). The client presented three 468GB Fibre Channel LUNs from each aggregate to a production Sybase server. Six LUNs in total were combined into a single disk pool with three logical volumes carved out of the pool. An engineer at the MSP attempted to make configuration changes to the NetApp filer. However, he inadvertently started a wipe command on some of the LUNs, effectively wiping 45 GB of data from the Sybase server. The MSP potentially faced the loss of a client contract and possible liability costs.

Ontrack was brought in via phone consultation. Within 12 hours of the data loss event, the MSP was instructed to bring the aggregates offline to avoid any further overwrite damage. The client was instructed to present all 161 HDDs from both aggregates to a single Windows machine. This system was then connected to Ontrack’s Remote Data Recovery server. As both aggregates had the same name, it was not possible to easily rebuild them. As a result, the drives had to be sorted into aggregate groups and manually rebuilt to a point in time as close as possible to the time of the incorrect wipe command.

At that stage, another problem arose. The logical volumes were used as raw storage by the Sybase server. This arrangement made it impossible to extract the internal data directly. The workaround was to extract all six LUNs as flat files and coordinate with NetApp support to present these LUNs back to the Sybase server. The recovered logical volumes passed integrity checks and were made operational with no loss of data.

Data loss due to reformatting of VMware

The IT team for a food production company based in Singapore mistakenly removed a VMFS datastore LUN from the VMware ESXi host and attached it to a Windows server. That led to the LUN being reformatted to the NTFS file system. This action corrupted frontend VMFS metadata, which brought about the loss of all virtual machines in the datastore. The company called Ontrack for help. Our engineers were able to rebuild the VMFS structures to regain access to the VMs stored on the system. Several VMs were recovered intact, while others required additional repairs to the internal guest file systems and extraction of the resulting data.

Deletion of VMs

A health services provider in Australia mistakenly deleted seven thin-provisioned VMs from a production datastore. Due to the sensitive nature of the lost data, the company immediately called Ontrack and requested that our engineers come directly onsite. Once they arrived at the data center, they were able to recover all of the VMs, though some damage was apparent. At that point, additional repairs were performed to the guest file systems of each VM using Ontrack’s proprietary tools. This process enabled more critical internal data to be extracted to external storage. Although there was some data loss, the bulk of the data contained in the VMs was recovered.

Conclusion

Virtualization may save time and eliminate complexity from the user's view. But it comes with a unique set of challenges, one of which is a rising incidence of corruption and data loss. Whether through volume corruption, deleted volumes, ransomware, deleted or corrupted virtual backups, RAID and hardware failures and deleted or corrupt files within virtualized storage systems, data loss is a reality for anyone managing virtual systems.

Backup is necessary to safeguard enterprise data, but it is far from foolproof. As the world’s leading data recovery supplier, Ontrack stands ready to provide comprehensive data recovery services for virtual servers and storage. Ontrack Data Recovery Services can:

Recover data from virtually any type of data storage device – from hard drives, flash and SSD drives to servers, NAS, SAN, tape and virtual systems.

Minimize downtime through fast turn-around times, emergency service options and the industry’s only global lab-quality remote data recovery service.

Report all recoverable files and the condition of each file as part of the evaluation before you pay recovery fees.