2014-07-23

Computer Problems

I've done quite a bit of computer repair in my time. I'm not a professional computer repairman. (There's more money in writing programs than in repairing hardware.)

Most of that has been software repair. Uninstall bad programs, upgrade programs, pull backup copies of pictures/documents, fix OS installs, clean out registries, etc.

Other things have been hardware upgrades. New displays, new network cards, additional hard-disk drives, replacement/upgrade of optical drives, etc.

Very few times have I needed to replace broken hardware.

Once, the broken hardware was a light bulb. A miniature fluorescent bulb that provided a backlight to an LCD display on a laptop. That fix was challenging, mainly because the laptop in question was not easy to disassemble.

My most recent repair on my own machine was a replacement of a faulty Hard Disc Drive. That drive had begun making strange noises during read/write access. And I sometimes got errors when I executed commands like "svn status" on the subversion repository stored on that drive.

Some time ago, I helped my parents recover a Hard Disc that was failing slowly. It wasn't making funny  noises. It was simply not saving important data in one location. This failure convinced the Windows bootloader that the drive didn't contain a valid filesystem.*

This hardware failure wasn't drive-destroying...but there was no way to restore the copy of NTFS on that drive and keep all the old files. And my parents wanted to extract all the Documents and locally-stored email that had been on that drive.

So I (with some trepidation) began searching for "file system recovery" tools online.

I rapidly discovered that if I could produce an image of the data on that HDD, I could pull all sorts of stuff from it. Including the files that my parents wanted. And deleted files, fragments of deleted files, data stored in the swap file, data stored in the Recycle Bin, etc.**

Among these files/deleted-files/fragments-of-files were lots of emails.

The entire process took me about 12 hours. However, these hours were spread across evenings of several weeks.

This is one reason why, when I read stories like this, I am not surprised. There are several different ways for an HDD to fail. Unless the failure involves destruction of the disc platters inside the HDD metal box, then most of the data can usually be restored/recovered.

If the IT team at the IRS didn't maintain central backups of internal emails, they should still have been able to recover most of those emails from a faulty HDD.

------------------------------------------------
* The deep technical details: one of the data-storage sectors on the disc had gone bad. It could be read from, but all write operations would fail.
This copy of Windows was installed on an NTFS partition. Usually, NTFS can recover from this kind of failure. When the problem is detected during a write, Windows/NTFS can re-send the data to the drive with instructions to save it elsewhere. In many cases, this can happen without Windows telling the user!
However, this particular bad sector involved one of three redundant copies of the Master File Table. Windows and NTFS kept on trying to fix the bad MFT without moving it. The write operation would fail. Windows would check the attempted fix, discover the that the fix didn't succeed, and halt the Startup process. Then the user would see a message about a Startup failure, with a recommendation to try again.
Trying again produced the same result.

** Another aside: at one time, I worked for a company that performed contract work for DARPA, the Advanced Research agency of the US Dept. of Defense.
Several employees at the company had to get Security Clearance, and the company had to follow US DoD procedures for handling Classified data.
The US DoD-approved process for clearing Classified data from an Hard Disc Drive involves a custom program that will attempt to overwrite every bit of every byte of every sector on the HDD. Then the progam repeats this process four more times.
This knowledge came in handy. It also clarified for me that a determined attacker (or IT support person who wishes to comply with legal requirements for data retention) can extract most old data from a Hard Disc. Unless the disc is (a) put through the above process for cleaning out old data, or (b) mechanically disassembled and the components physically destroyed.

No comments:

Post a Comment

I like thoughtful feedback; I prefer polite feedback.

I don't like screeds.

Comments older than a few days will have comments go into moderation.