How to recover data by splicing database fragments

Due to the sudden power failure of the server , Cause our company Xen Server One of the servers VPS（ namely Xen Server virtual machine ） Unavailable , The virtual disk file is missing . The hardware environment is Dell 720 The server wears a H710P Of RAID card , from 4 Block Seagate 2T STAT The hard disk makes up RAID 10, The upper environment is Xen Server 6.2 Version operating system , Virtual machine is Windows Server 2003 System ,10G System disk + 5G Data disk two virtual machine disks , The upper layer is Web The server （ASP + SQL 2005 Web site architecture ）.

  Our data disk is first connected to the North Asia recovery environment server , Then, the space exceeding the total capacity of the hard disk mirrors the data disk to the backup space in the form of the bottom sector of the disk .

because Xen Server The disks of virtual machines in the server are all in LVM The structure of storage ,（ That is, the virtual disk of each virtual machine is a LV, And the mode of virtual disk is thin mode .）LVM The relevant information is in Xen Server There are records in , see “/etc/lvm/backup/frombtye.com “ Next LVM No damaged virtual disk information was found , So it can be concluded LVM The information has been updated . Then analyze the bottom layer to see if you can find the ones that have not been updated LVM Information , Sure enough, I found something that hasn't been updated at the bottom LVM Information .

Based on not updated LVM Information found the data area of the virtual disk , Unfortunately, the data in this area has been destroyed . After analysis, it is found that the final reason for the unavailability of the virtual machine is that the virtual disk of the virtual machine is damaged , This leads to the loss of operating system and data in the virtual machine . It is very likely that the virtual machine encounters network attack or hack After the invasion, it is caused by malicious programs . After checking this area carefully, I found , Although a lot of data in this area has been destroyed , But still found a lot of database page fragments . Therefore, you can try to piece together the page fragments of many databases into a usable database .

First, analyze the bottom layer , according to RAR The structure of the compressed package can find the data start position of many compressed packages , and RAR This... Will be recorded in the first sector of the compressed package file RAR The name of the file . Therefore, the file name of the compressed package of the backup database provided by us matches the file name of the currently found compressed package location , You can find the starting location of the compressed package of the backup database . After finding the location of the compressed package, carefully analyze the data in this area , Then recover the data in this area and rename it to a RAR Format of compressed files . Then try to unzip the package , The decompression error is found .

The reason for the decompression error is that part of the data has been destroyed . Then start trying RAR Can you ignore the error and decompress some data , As a result, after the repair is completed, only part of the code of the website is extracted from the database , No database backup files . Therefore, it can be judged that the backup file of data is in RAR The compressed package is damaged .

according to SQL Server The structure of the database goes to the starting position of the underlying analysis database , In the structure of the database , The first 9 A page will record the database name of this database . So after providing the name of the database , Then analyze the bottom layer and find the starting location of the database . Because the database page number and file number will be recorded in each page of the database , Therefore, programs can be written according to these characteristics to scan the data matching the database page at the bottom .

Then the scanned fragments are reassembled into a complete MDF file , Re pass MDF The verification program detects the entire MDF Is the document complete .

【 Conclusion 】

Set up the database environment after the detection is OK , Attach the reorganized database to the built database environment . Then query whether the data in the related table is normal , Query whether the latest data exists .

Because the database needs to be combined with website code to better verify the integrity of the database . We got the website code from the developer and built the environment , Then send the recovered database to us for verification , Everything is all right , Successfully recover the database by splicing database fragments , The whole data is recovered successfully .