
Recovering a partition from a NAS

Posted: 10 Jan 2018, 09:12
by xoreax
Hello, I have a problem at a customer's site: they were hit by a crypto trojan.
It also encrypted the NAS. We were able to decrypt the data; the problem is that I also wanted to decrypt the backups and restore them.
So I wanted to back up the data to a USB disk that was attached to the NAS. Since I had no write permissions, I rebooted it - after that nothing worked anymore.
So I fetched the NAS, removed the disks and connected them here. It was a RAID 1; on both disks the data partitions are no longer readable.
I have now run a deep scan with TestDisk, with the following result:

Code:

Mon Jan  8 07:49:21 2018
Command line: TestDisk

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Windows 7 (7601) SP1
Compiler: GCC 4.8, Cygwin 1007.34
Compilation date: 2015-04-18T13:01:55
ext2fs lib: 1.42.8, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20120504, curses lib: ncurses 5.9
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sda)=160041885696
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sdb)=1000204886016
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive0)=160041885696
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive1)=1000204886016
filewin32_getfilesize(\\.\PhysicalDrive3) GetFileSize err Unzulässige Funktion.

filewin32_setfilepointer(\\.\PhysicalDrive3) SetFilePointer err Unzulässige Funktion.

Warning: can't get size for \\.\PhysicalDrive3
filewin32_getfilesize(\\.\PhysicalDrive4) GetFileSize err Unzulässige Funktion.

filewin32_setfilepointer(\\.\PhysicalDrive4) SetFilePointer err Unzulässige Funktion.

Warning: can't get size for \\.\PhysicalDrive4
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\C:)=159934054400
filewin32_getfilesize(\\.\D:) GetFileSize err Unzulässige Funktion.

filewin32_setfilepointer(\\.\D:) SetFilePointer err Unzulässige Funktion.

Warning: can't get size for \\.\D:
filewin32_getfilesize(\\.\E:) GetFileSize err Unzulässige Funktion.

filewin32_setfilepointer(\\.\E:) SetFilePointer err Unzulässige Funktion.

Warning: can't get size for \\.\E:
filewin32_getfilesize(\\.\F:) GetFileSize err Unzulässige Funktion.

filewin32_setfilepointer(\\.\F:) SetFilePointer err Unzulässige Funktion.

Warning: can't get size for \\.\F:
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\G:)=1024458752
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\H:)=5120196608
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\I:)=1048576
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\J:)=1048576
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\K:)=1024458752
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\L:)=984832000000
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\S:)=0
Warning: can't get size for \\.\S:
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\T:)=0
Warning: can't get size for \\.\T:
Hard disk list
Disk /dev/sda - 160 GB / 149 GiB - CHS 165387 135 14, sector size=512
Disk /dev/sdb - 1000 GB / 931 GiB - CHS 121601 255 63, sector size=512
Drive C: - 159 GB / 148 GiB - CHS 165275 135 14, sector size=512
Drive G: - 1024 MB / 977 MiB - CHS 124 255 63, sector size=512
Drive H: - 5120 MB / 4883 MiB - CHS 622 255 63, sector size=512
Drive I: - 1048 KB / 1024 KiB - CHS 121601 255 63, sector size=512
Drive L: - 984 GB / 917 GiB - CHS 119732 255 63, sector size=512

Partition table type (auto): None
Partition table type (auto): None
Drive L: - 984 GB / 917 GiB
Partition table type: None

Analyse Drive L: - 984 GB / 917 GiB - CHS 119732 255 63

Raid magic value at 0/0/1
Raid apparent size: 2626854058 sectors
UNINSPECT-EM4B1:2 md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1)

Raid magic value at 0/0/1
Raid apparent size: 2626854058 sectors
check_MD 1.2
UNINSPECT-EM4B1:2 md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1)
Current partition structure:
   P Linux md 1.x RAID        0   0  1 119732  86  2 1923500000 [UNINSPECT-EM4B1:2]

search_part()
Drive L: - 984 GB / 917 GiB - CHS 119732 255 63

Raid magic value at 0/0/1
Raid apparent size: 2626854058 sectors
UNINSPECT-EM4B1:2 md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1)
     Linux md 1.x RAID        0   0  1     0   0  8          8 [UNINSPECT-EM4B1:2]
     md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1), 4096 B

Raid magic value at 0/0/9
Raid apparent size: 2626854058 sectors
UNINSPECT-EM4B1:2 md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1)
     Linux md 1.x RAID        0   0  1     0   0  8          8 [UNINSPECT-EM4B1:2]
     md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1), 4096 B
Search for partition aborted

Results
   P Linux md 1.x RAID        0   0  1     0   0  8          8 [UNINSPECT-EM4B1:2]
     md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1), 4096 B

interface_write()
   P Linux md 1.x RAID        0   0  1     0   0  8          8 [UNINSPECT-EM4B1:2]
 
Write isn't available because the partition table type "None" has been selected.

search_part()
Drive L: - 984 GB / 917 GiB - CHS 119732 255 63

Raid magic value at 0/0/1
Raid apparent size: 2626854058 sectors
UNINSPECT-EM4B1:2 md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1)
     Linux md 1.x RAID        0   0  1     0   0  8          8 [UNINSPECT-EM4B1:2]
     md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1), 4096 B

Raid magic value at 0/0/9
Raid apparent size: 2626854058 sectors
UNINSPECT-EM4B1:2 md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1)
     Linux md 1.x RAID        0   0  1     0   0  8          8 [UNINSPECT-EM4B1:2]
     md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1), 4096 B

XFS Marker at 3741/185/29

recover_xfs
     XFS 4                 3741 185 29 243206   5 63 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=60110848, size=3846993920, end=3907104767, disk end=1923500000)

XFS Marker at 11224/252/37

recover_xfs
     XFS 4                11224 252 37 250689  73  8 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=180329472, size=3846993920, end=4027323391, disk end=1923500000)

SYSV4 Marker at 12984/131/9

recover_sysv4
     SysV 4               12984 131  9 12984 131  8          0 [ecŸ,¡]
     SysV4, 0 B
Partition not added.

XFS Marker at 18708/64/45

recover_xfs
     XFS 4                18708  64 45 258172 140 16 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=300548096, size=3846993920, end=4147542015, disk end=1923500000)

LVM magic value at 19371/163/44

XFS Marker at 26191/131/53

recover_xfs
     XFS 4                26191 131 53 265655 207 24 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=420766720, size=3846993920, end=4267760639, disk end=1923500000)

XFS Marker at 33674/198/61

recover_xfs
     XFS 4                33674 198 61 273139  19 32 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=540985344, size=3846993920, end=4387979263, disk end=1923500000)

XFS Marker at 41158/11/6

recover_xfs
     XFS 4                41158  11  6 280622  86 40 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=661203968, size=3846993920, end=4508197887, disk end=1923500000)

XFS Marker at 48641/78/14

recover_xfs
     XFS 4                48641  78 14 288105 153 48 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=781422592, size=3846993920, end=4628416511, disk end=1923500000)
     Sys=0C               50739  39  4 240234 180 30 3044246085
     FATX, 1558 GB / 1451 GiB
This partition ends after the disk limits. (start=815124495, size=3044246085, end=3859370579, disk end=1923500000)

XFS Marker at 56124/145/22

recover_xfs
     XFS 4                56124 145 22 295588 220 56 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=901641216, size=3846993920, end=4748635135, disk end=1923500000)

XFS Marker at 63607/212/30

recover_xfs
     XFS 4                63607 212 30 303072  33  1 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=1021859840, size=3846993920, end=4868853759, disk end=1923500000)

LVM magic value at 65327/239/19

cramfs Marker at 68709/43/52

recover_cramfs
     CramFS               68709  43 52 68995 176 58    4602975 [êãĶpXë:•åÎˉ&]
     cramfs, 2356 MB / 2247 MiB

cramfs Marker at 68709/43/53

recover_cramfs
     CramFS               68709  43 53 68995 176 59    4602975 [êãĶpXë:•åÎˉ&]
     cramfs, 2356 MB / 2247 MiB

XFS Marker at 71091/24/38

recover_xfs
     XFS 4                71091  24 38 310555 100  9 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=1142078464, size=3846993920, end=4989072383, disk end=1923500000)

XFS Marker at 78574/91/46

recover_xfs
     XFS 4                78574  91 46 318038 167 17 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=1262297088, size=3846993920, end=5109291007, disk end=1923500000)

XFS Marker at 86057/158/54

recover_xfs
     XFS 4                86057 158 54 325521 234 25 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=1382515712, size=3846993920, end=5229509631, disk end=1923500000)

XFS Marker at 93540/225/62

recover_xfs
     XFS 4                93540 225 62 333005  46 33 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=1502734336, size=3846993920, end=5349728255, disk end=1923500000)
check_FAT: Bad jump in FAT partition

XFS Marker at 101024/38/7

recover_xfs
     XFS 4                101024  38  7 340488 113 41 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=1622952960, size=3846993920, end=5469946879, disk end=1923500000)

XFS Marker at 108507/105/15

recover_xfs
     XFS 4                108507 105 15 347971 180 49 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=1743171584, size=3846993920, end=5590165503, disk end=1923500000)

XFS Marker at 115990/172/23

recover_xfs
     XFS 4                115990 172 23 355454 247 57 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
This partition ends after the disk limits. (start=1863390208, size=3846993920, end=5710384127, disk end=1923500000)
file_win32_pread(428,11,buffer,1923499994(119732/85/60)) read err: read after end of file
file_win32_pread(428,8,buffer,1923499997(119732/85/63)) read err: read after end of file
file_win32_pread(428,14,buffer,1923499988(119732/85/54)) read err: read after end of file
file_win32_pread(428,14,buffer,1923499989(119732/85/55)) read err: read after end of file
file_win32_pread(428,14,buffer,1923499990(119732/85/56)) read err: read after end of file
file_win32_pread(428,14,buffer,1923499991(119732/85/57)) read err: read after end of file
file_win32_pread(428,14,buffer,1923499992(119732/85/58)) read err: read after end of file
file_win32_pread(428,14,buffer,1923499994(119732/85/60)) read err: read after end of file
file_win32_pread(428,14,buffer,1923499996(119732/85/62)) read err: read after end of file
file_win32_pread(428,14,buffer,1923499998(119732/86/1)) read err: read after end of file
Drive L: - 984 GB / 917 GiB - CHS 119732 255 63
Check the harddisk size: HD jumpers settings, BIOS detection...
The harddisk (984 GB / 917 GiB) seems too small! (< 2923 GB / 2722 GiB)
The following partitions can't be recovered:
     XFS 4                 3741 185 29 243206   5 63 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                11224 252 37 250689  73  8 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                18708  64 45 258172 140 16 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                26191 131 53 265655 207 24 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                33674 198 61 273139  19 32 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                41158  11  6 280622  86 40 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                48641  78 14 288105 153 48 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     Sys=0C               50739  39  4 240234 180 30 3044246085
     FATX, 1558 GB / 1451 GiB
     XFS 4                56124 145 22 295588 220 56 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                63607 212 30 303072  33  1 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                71091  24 38 310555 100  9 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                78574  91 46 318038 167 17 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                86057 158 54 325521 234 25 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                93540 225 62 333005  46 33 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                101024  38  7 340488 113 41 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                108507 105 15 347971 180 49 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB
     XFS 4                115990 172 23 355454 247 57 3846993920
     XFS 6.2+ - bitmap version blocksize=4096, 1969 GB / 1834 GiB

Results
   P Linux md 1.x RAID        0   0  1     0   0  8          8 [UNINSPECT-EM4B1:2]
     md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1), 4096 B
   P CramFS               68709  43 52 68995 176 58    4602976 [êãĶpXë:•åÎˉ&]
     cramfs, 2356 MB / 2247 MiB
   P CramFS               68709  43 53 68995 176 59    4602976 [êãĶpXë:•åÎˉ&]
     cramfs, 2356 MB / 2247 MiB

interface_write()
   P Linux md 1.x RAID        0   0  1     0   0  8          8 [UNINSPECT-EM4B1:2]
   P CramFS               68709  43 52 68995 176 58    4602976 [êãĶpXë:•åÎˉ&]
   P CramFS               68709  43 53 68995 176 59    4602976 [êãĶpXë:•åÎˉ&]
 
Write isn't available because the partition table type "None" has been selected.

Interface Advanced

Raid magic value at 0/0/1
Raid apparent size: 2626854058 sectors
UNINSPECT-EM4B1:2 md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1)

Raid magic value at 0/0/1
Raid apparent size: 2626854058 sectors
check_MD 1.2
UNINSPECT-EM4B1:2 md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1)
   P Linux md 1.x RAID        0   0  1 119732  86  2 1923500000 [UNINSPECT-EM4B1:2]
     md 1.x L.Endian Raid 0 - Array Slot : 1 (0, 1), 984 GB / 917 GiB
Partition table type (auto): None
Drive L: - 984 GB / 917 GiB
Partition table type: Intel
Unfortunately I don't know how to proceed.