What can be recovered from a ZFS stripe set?

This quick research is inspired by this Twitter post:

"However, given that this is a zfs stripe I'm quite confident no one is able to recover shit with half of it. I highly doubt anyone would be able to recover anything even if both disks were unencrypted, given that the pool header is absent/corrupt."

That's a bold statement. Let's address it in reverse order. Keep in mind that we're talking about a two-disk ZFS stripe set.

"I highly doubt anyone would be able to recover anything even if both disks were unencrypted, given that the pool header is absent/corrupt"

Let's first clarify that pool header means ZFS disk labels and uberblocks, which are at the narrow top of the pyramidal filesystem structure. When ZFS pool headers are destroyed, people tend to jump onto a nope train, saying you cannot recover the data. Well, that's not true. Klennet ZFS Recovery does not care - it does not use pool headers in any way. Moreover, it is not even aware that pool headers exist. So, removing/damaging pool headers does not affect recovery.

"... given that this is a zfs stripe I'm quite confident no one is able to recover shit with half of it."

What really can be recovered with just one drive out of the two? Not much, but:

  • About half of the files below the record size will be recovered intact. The record size is typically 128 KB, so that's pretty limited.
  • Files larger than the record size will be recovered in a zebra pattern, good-bad-good-bad content alternating every 128 KB. This pattern, alternating every 128 KB, is typically good enough to get some understanding of what is inside the files. Video files can be reconstructed to a stuttering playable state. Images can be reconstructed into something recognizable. The first one or several paragraphs can be extracted from DOCX or similar documents, providing a fair guess about document content.
  • All metadata, all the directory structure, all the file names, and all the corresponding timestamps can be recovered. This is because ZFS stores at least two copies of everything important on two different physical drives. If there is only one physical drive, then it is still two copies, but on the same drive.
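The list above can be checked against ZFS block pointers directly. The following is an added example, not code from this page or from Klennet ZFS Recovery: it decodes the DVAs (disk addresses) at the start of a block pointer, using the bit layout from OpenZFS `spa.h`, and reports whether any copy sits on a surviving drive. The sample block pointers are constructed, and the strict vdev 0 / vdev 1 alternation is a simplification that follows the description above.

```python
import struct

SECTOR = 512            # DVA offsets and sizes are stored in 512-byte units
RECORD = 128 * 1024     # record size the article assumes

def parse_dvas(blkptr: bytes):
    """Decode the three DVAs at the start of a blkptr_t (little-endian assumed)."""
    dvas = []
    for i in range(3):
        w0, w1 = struct.unpack_from("<QQ", blkptr, 16 * i)
        if w0 == 0 and w1 == 0:
            continue                      # unused DVA slot
        dvas.append({
            "vdev": (w0 >> 32) & 0xFFFFFF,             # top-level vdev id
            "asize": (w0 & 0xFFFFFF) * SECTOR,         # allocated size
            "offset": (w1 & ((1 << 63) - 1)) * SECTOR, # offset within the vdev
            "gang": bool(w1 >> 63),
        })
    return dvas

def surviving_copy(blkptr, present):
    """Return the first DVA whose top-level vdev is still available, else None."""
    return next((d for d in parse_dvas(blkptr) if d["vdev"] in present), None)

def make_blkptr(*copies):
    """Build a constructed sample; copies are (vdev, offset_bytes, asize_bytes)."""
    raw = b""
    for vdev, off, asize in copies:
        raw += struct.pack("<QQ", (vdev << 32) | (asize // SECTOR), off // SECTOR)
    return raw.ljust(128, b"\0")          # blkptr_t is 128 bytes

def zebra(data_blkptrs, present):
    """One character per record: '#' readable, '.' lost."""
    return "".join("#" if surviving_copy(bp, present) else "." for bp in data_blkptrs)

# Constructed sample: a 1 MiB file as eight single-copy 128 KB records that
# alternate between vdev 0 and vdev 1, plus one metadata block with two copies.
FILE_RECORDS = [make_blkptr((i % 2, 0x400000 + i * RECORD, RECORD)) for i in range(8)]
METADATA = make_blkptr((0, 0x10000, 0x4000), (1, 0x20000, 0x4000))

if __name__ == "__main__":
    print(zebra(FILE_RECORDS, present={0}))          # only the first drive survives
    print(surviving_copy(METADATA, present={1}))     # only the second drive survives
```
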

So, get off the nope train.


Created Thursday, February 21, 2019