Yesterday, while in Knoxville putting the finishing touches on a clients network, I had my first experience with a structural fire, sprinklers, and flooding. My clients office is on the extreme lower level off a large office complex undergoing renovation. Apparently someone on one of the upper floors started a small fire which set-off the buildings sprinkler system. Being in a nearly sound proof basement with no windows, our first indication of a problem was the sudden and massive flooding from the levels above. As water pored down on us we scrambled to move systems out.

It was a very surreal and unnatural sight to see so much water poring into a room. Looking down the dimly lit the lower level hallways filling up with water, I almost felt like I was in Bio-Shock, or some seen from Half-life. As we were moving equipment, I looked over at my assistant and chuckled, “Welcome to IT, now learn to swim.”

I had an odd ball case a few weeks ago.

I was contacted by a friend of a good client who needed me to do some data recovery on a laptop. Not all that unusual occurrence since, statistically speaking, data is more likely to be lost on a laptop top a on a desktop. When I was presented with this laptop, I was also given a story about its resent history.

    It seems that this laptop belonged to a person who traveled quite a bit to China on business. While in China the gentleman, who was advanced in years, passed away. His body and all his effects were of course transferred back to the US and turned over to his family. In these effects was this laptop.

Now, some time later, the widow of the deceased man had tried to get into the laptop to copy off photographs of her late husband which she knew to be on the computer. It would seem that he was an avid armature photographer, and being a world traveler, had taken thousands of pictures of the places he had visited. However, when she tried to boot the laptop it kicked back an error indicating that the OS was not found.

Upon first inspection the laptop did indeed not boot. When I looked at the hard drive however I noted that there were NO partitions on the 40 GB disk. This struck me as rather odd, since I knew that this model of laptop normally had a manufacturer recovery partition. While it’s not unusual for the end-user to reformat the hard drive and reclaim this recovery partition, it is rare for a non-technical person to do this. In addition, a quick scan did not detect any errors which might indicate that the partition tables had been damaged in anyway, they just seemed to have vanished.

On a hunch, I used a partition recovery tool to scan the drive and try to rebuild the partition tables. Sure enough, after a day and a half, both the main system partition and the manufacturer recovery partition had been rebuilt. The laptop could boot, and ran normally.

Of course, not trusting the drive and or the partition tables, I copied all data off to a backup drive, put a new hard drive into the laptop, did a clean install of the OS, and copied all the data files back. It turns out that the gentleman had over 12 GB of images, Office Files, and other documents. I felt very confident that I was able to recover all of his data. The laptop was returned to a very grateful lady and I felt good about the work I had done for her, being able to save a bit of her late husband’s memories.

Now, what has troubled me these past few days is “why” the partitions were gone. While I cannot be 100% certain, all factors seem to indicate that those partitions were purposely deleted and not victims of random drive failure. These days, it is VERY rare for drives to fail in this way, furthermore, if the drives had failed in this way there would be additional evidence that would suggest hardware failure, such as other data lose, damaged sectors, or even just trouble rebuilding the drive. None of these things were in evidence. I can only conclude that someone perhaps intentionally tried to erase this drive. However, if this is the case, then the person who tried to erase the drive was obviously NOT an IT professional.

When a person dies in a foreign land, of course his or her body and effects will be handled by the local law enforcement in that country. Could it be that someone in the Chinese government felt that erasing this man’s laptop before it was sent back to the US was necessary? Of course, if this is the case, why send the laptop back at all, or send it back with a new blank hard drive? It could have been that the decision came from a very low level in their government, like a local police captain, who did not want to take the chance that sensitive data might get out, and erased the drive on his own initiative. Could the deceased man, perhaps senescing the end of his life approaching, taken a last act to try and hide his data from local authorities?

How very odd.