A client recently experienced a remote ransomware attack that resulted in Ontrack engineers being presented with one of their most extraordinary data recovery efforts to date: restoring 120 damaged HDDs within an IBM SVC Storwize v7000 system…with no backup to rely on. 

After noting the critical nature of the project, Ontrack’s data recovery experts proceeded with a comprehensive process to potentially restore the deleted data:

1. Consultation
   The Ontrack team was able to join the client’s team and scope the data loss event and the storage systems impacted. Based on the scope set forth, Ontrack was able to determine a project plan, set timing expectations and determine costs for data recovery.

    

2. Diagnosis
   Data recovery engineers used Ontrack’s proprietary tools to analyze the disks, determine the likely array configuration as well as detect evidence” of Storage Spaces and VMware structures within the data.

 

3. R&D Simulation and Software Programming
   After the initial diagnosis, engineers analyzed a minimal hardware setup of the IBM SVC Storwize v7000 as a means of detecting the layout of on-disk structures used to map Raid Arrays.

   
   Ontrack then began to work closely with the client’s IT department to get hardware running on a new setup of the IBM SVC Storwize v7000 system.
   

   Simulations were performed to see if the client’s environment could be recreated on the live hardware and if any structure could be found to possibly reconstruct the deleted data. All findings regarding the simulated structures were compared to the structures on the original hard drives.
   

   A positive prediction was formed based on the comparison of the structures, and Ontrack was able to move forward with the creation and modification of proprietary tools to extract functional storage systems and proceed with successful SAN system data recovery.



4. Data Recovery

With an enormous challenge ahead of them, Ontrack’s data recovery experts performed extensive research on IBM’s proprietary software which resulted in engineers modifying their recovery tools to allow for the virtual rebuild of the DRAID that was in use on the IBM system.


Figuring out the distribution patterns for DRAID proved to be the most intricate part of the recovery process, given that all of the data sitting on the DRAID6 MDisk was combined with a number of other MDisks and dynamically allocated multiple levels of both VDisks and Dynamic Disks.


Once the array was virtually rebuilt, the Ontrack team was able to virtually rebuild the volumes. After the rebuild the team was able to generate reports to show the directory structures and layout of the recoverable data to the customer. The team then completed the IBM Storwize data recovery.

 

A multinational client had fallen victim to the disappearance of crucial financial data and office files, with no backup data plan in place. After realizing the urgency of the data loss situation, they immediately contacted Ontrack’s expert engineers to help with recovery.

Given the importance of the lost data, the client expedited all media over the weekend via courier to an Ontrack engineer who happened to be on call. Per client request, Ontrack provided project updates every 15 minutes as a data recovery plan was being prepared.

A customer contacted Ontrack’s experts in need of help with Mac data recovery for a laptop that had been dropped and accidentally run over by a truck, causing its battery to combust. 

Ontrack’s recovery experts surveyed the Mac device damage and implemented a 3-step recovery process for data extraction which included:

• Decontamination – A thorough process in which all contaminants that adversely affected the damaged Mac laptop’s operability were removed.
• Micro-Soldering – A small soldering tool was used to replace a pool of damaged capacitors and resistors which were located near the burned battery.
• Diagnostics – The MacBook was placed in a special diagnostic mode where both Apple-provided OEM tools and Ontrack’s own proprietary tools were used to mount the internal storage device as a volume onto lab machines and process the copy out.

Once the process was complete, Ontrack was able to successfully extract and verify all data.

A client inadvertently ran a command that deleted critical files on a Dell/EMC Isilon storage array containing 270 disks totaling 2 petabytes (PB). 

After having the drives in question flown in, Ontrack’s recovery engineers began an in-depth evaluation and determined that the JIT* development team would be needed to assist in data recovery from this version of Isilon. Within eight weeks of working nights, weekends, and holidays to develop a proper solution, an initial set of data was delivered to the client. 

While the client was ecstatic to receive the recovered files, they also requested that subsequent tasks be done to prove that no stone was left unturned in their recovery efforts, per regulatory requirements. Ontrack’s JIT development team complied by combing through the 270 drives in search of files that matched regulatory requirements and implementing a process that would search, copy, and deduplicate specific files that were found across each disk.

After months of conducting a thorough secondary search, more than 300 million files and 13 terabytes (TB) of PDF and JPG files were produced. 

A ransomware attack of a company server encrypted the Microsoft Dynamics 365 data and demanded payment. Recent backups of the server were stored on multiple LTO-6 backup tapes, which had been erased by the malware. 

After assessing the extent of the ransomware attack, Ontrack representatives identified the company’s backup tapes as the best option for data recovery—even though the malware had erased them. 23 LTO-6 backup tapes from the backup library were sent to the Ontrack office in Böblingen, Germany. Working in conjunction with the R&D department in the United Kingdom, Ontrack developed a custom solution to recover the data from the erased backup tapes.

A flooded data center left a client’s servers and storage systems partially submerged in water.

At the center of the damage was a HP Storage Works EVA (Enterprise Virtual Array) 6000 containing business critical SQL database files as well as employee file shares. The EVA sustained substantial physical damage due to the flood water preventing access to the data. The severity of the damage from the flood was increased when an attempt was made to access the data by powering on the drives that were still wet. The customer contacted HP Support for help and they handed the project over to Ontrack.

The SAN consisted of 80 hard disk drives which were divided into 2 EVA disk groups; in total there were 18 virtual RAID volumes consisting of both VRAID1 and VRAID5.

A HP EVA system is fully virtualized and has a unique way to write data which adds to the complexity of any data recovery effort. It works with disk groups and virtual disks instead of normal RAID sets and logical drive volumes. The disk groups consist of physical drives organized in a proprietary manner. LUNs or Virtual disks (vDisks) in an EVA are then distributed over all of the installed HDDs.

Due to the physical damage, all of the drives were sent to one of Ontrack´s cleanroom facilities to be assessed.

Once the 80 drives were decontaminated and cleaned, 55 were found to be fully recoverable. 25 of the drives had severe water damage and were not recoverable. To regain access to the data on the damaged drives, the engineers needed to research how the EVA RAID and file system was structured. After the engineers were able to map the disk groups and determine how the vDisks were distributed, they had to rebuild the whole EVA system. To recover the data included in the vDisks, the R&D team and its software developers had to create completely new tools to extract the data. Once the development was complete, Ontrack engineers virtually assembled the disk groups and virtually rebuilt the vDisks which allowed access to the underlying file systems. The file systems were virtually repaired and the data extracted.