Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
If there is any data, anywhere on your disk or tape, it can be recovered. Let’s take a look at some of the more interesting disk-recovery case studies.
A Dog’s Dinner
Late one afternoon, a phone call was received from a distraught customer who required data recovery from a couple of diskettes. The data was related to an important presentation. The customer was asked the nature of the problem and eventually confessed that the diskettes had suffered some physical damage. The problem involved one of his four-legged canine friends who had chewed the diskettes!
The damage to the disk cases was severe, with large tooth marks evident on the surface of the disks. Eventually both disks were imaged with only 15% sector damage and the File Allocation Tables (FATs) were rebuilt. All the files were successfully recovered and restored to the grateful customer.
Credit Card Monster
The customer was a well-known credit card company whose last few hours’ transactions, for which there was no back-up, were stored on the failed system. It was a NetWare Server and RAID array in one large, very heavy metal box, containing 18 x 2.5GB wide SCSI drives and weighing nearly 200Kg.
There were three failed drives amongst the remaining batch of eight drives. One of the drives had suffered component failure on its electronics assembly, the other two had serious head/disk assembly (HDA) problems that needed work in a cleanroom. Using a database of drive components and technical knowledge, the system administrator worked to correct the faults on the drives so he could take images.
When he finally finished, all 18 drives had been imaged with a total sector loss of just seven bad sectors. The total good sectors imaged that night was just under 88 million! The customer’s valuable data was safe.
Flying Low
Having flown numerous times on business without a problem, one customer was surprised to find that his Toshiba laptop wouldn’t boot. On contact with the system administrator, he finally mentioned that it had traveled in the cargo hold of a plane. The system administrator had a nagging suspicion that it had probably not only been thrown around by the baggage handlers, but also bounced its way down the carousel!
Luckily for him, it had not been swipe-damaged by any x-ray equipment at the airport. Hardware specialists opened the head disk assembly and found there was some speckle damage, confirming that it had been bounced around as the heads had dented the actual platters. Following a successful headstack swap, the drive was imaged and the system administrator found 112 bad sectors, of which he was finally able to read only 86. The customer vowed always to take his laptop as hand luggage from then on.
Accounts Critical!
It was Easter Saturday and the system administrator had a critical tape data loss which another data-recovery company had failed to rectify. Within about four hours of receiving the first tape, the system administrator had several hundred megabytes of data from it. The tape was poorly recorded and had many areas where the recording had broken up.
The customer had a set of around 35 tapes in this condition, which the system administrator also needed to look at. By 6 a.m. on Sunday, the system administrator was recovering data from seven DAT tapes and had extracted images of each of the disks in the RAID.
A few hours later, most of the physical data had been recovered. The areas of missing data were being reprocessed to attempt to extract additional data from the tapes. However, the data of major importance was from the accounts system. About 48 hours later, the system administrator was still working on reading data from the damaged areas of the tapes. By the end of the following week, all the data had been successfully recovered—no mean feat considering the huge amount of data involved.
Sinking Ship
A seismic survey ship far away in a distant sea sent a system administrator an IBM 3590 tape. It contained the results of a number of geological surveys as part of a search for oil, but also contained a media flaw right at the start. If the data could not be recovered, they would have to send the ship back out to sea to repeat the tests–a rather costly operation!
At the time, the IBM 3590 drive was one of the fastest tape drives around. The 40kg monster is capable of storing 10GB of uncompressed data on a single cartridge and transferring that data at up to 9MB per second. At the heart of this mechanism is a read–write head that records 16 data tracks at a time.
Gaining control of these various systems, finding the undamaged data on the tape, and then persuading the drive to read it was complex. However, after much perseverance, all the important data was safely on one of the systems, and the system administrator could call for a courier to take the data back to Singapore.
All Flooded Out
A business continuity firm had a customer with a big problem. A firm of automotive engineers had archived their important drawings and documents in a locked fireproof safe in their basement. Sadly, a flood had filled the basement with water and fine silt, and the engineers found that their archives and back-ups were soaked through and the media was coated inside and out with a thin layer of sediment.
In total, over 40 tape and optical cartridges of various different formats had been affected, and some of the tapes had started to dry while still in the safe. Each tape was extracted from its cartridge and installed in a special cleaning rig that removed any sediment. Once clean, the tape was then placed in a brand new cartridge assembly so that the data could be read. After a few hours, the system administrator was able to return the recovered files and folders on a total of 26 CD-ROMs, and the engineers were grateful for the return of their archives.
A Concluding Case Study Example
As an almost real-life example, XYZ Corporation is an IMS shop with headquarters in Houston, Texas. Tropical Storm Allison visits the Texas Gulf coast and dumps three feet of rain on the city. XYZ, with its state-of-the-art data center located in the heart of the city, takes on a basement full of water. Their UPS system, network switches, and a portion of their direct access storage devices (DASD) are wiped out.
PREPARATIONS
Being good corporate citizens and experienced users of BRS, XYZ is in great condition to recover. They take weekly image copies, creating dual copies concurrently so that the second copy can be sent off-site. They run nightly change accumulations to consolidate their updates and send secondary CAs off-site each morning at 6 a.m. Copies of logs are dispatched to off-site storage at 6 p.m. Recovery Advisor jobs are scheduled to make sure that image copies and change accumulations are performed at the specified intervals. They run the Check Assets function regularly to ensure that required assets are cataloged. Regular disaster-recovery drills let them practice, so their people know what to do.
PROOF
When disaster strikes, XYZ springs into action and the validity of their preparations is proved. They call their local disaster-recovery (DR) service provider, arrange for shipment of their tapes, and rush to the hot site. They IPL their system and bring up the Recovery Manager interface. They use the RECON cleanup utility to prepare the IMS RECONs for restart. They build the appropriate groups for their lost databases, and build appropriate recovery JCL. The recovery utility runs, calling in the appropriate image copy, change accumulation, and log data. Their data is restored without errors, their business resumes quickly, and everyone lives happily ever after, all with minimal expense and elapsed time.