Yesterday, while in Knoxville putting the finishing touches on a clients network, I had my first experience with a structural fire, sprinklers, and flooding. My clients office is on the extreme lower level off a large office complex undergoing renovation. Apparently someone on one of the upper floors started a small fire which set-off the buildings sprinkler system. Being in a nearly sound proof basement with no windows, our first indication of a problem was the sudden and massive flooding from the levels above. As water pored down on us we scrambled to move systems out.

It was a very surreal and unnatural sight to see so much water poring into a room. Looking down the dimly lit the lower level hallways filling up with water, I almost felt like I was in Bio-Shock, or some seen from Half-life. As we were moving equipment, I looked over at my assistant and chuckled, “Welcome to IT, now learn to swim.”

I had an odd ball case a few weeks ago.

I was contacted by a friend of a good client who needed me to do some data recovery on a laptop. Not all that unusual occurrence since, statistically speaking, data is more likely to be lost on a laptop top a on a desktop. When I was presented with this laptop, I was also given a story about its resent history.

    It seems that this laptop belonged to a person who traveled quite a bit to China on business. While in China the gentleman, who was advanced in years, passed away. His body and all his effects were of course transferred back to the US and turned over to his family. In these effects was this laptop.

Now, some time later, the widow of the deceased man had tried to get into the laptop to copy off photographs of her late husband which she knew to be on the computer. It would seem that he was an avid armature photographer, and being a world traveler, had taken thousands of pictures of the places he had visited. However, when she tried to boot the laptop it kicked back an error indicating that the OS was not found.

Upon first inspection the laptop did indeed not boot. When I looked at the hard drive however I noted that there were NO partitions on the 40 GB disk. This struck me as rather odd, since I knew that this model of laptop normally had a manufacturer recovery partition. While it’s not unusual for the end-user to reformat the hard drive and reclaim this recovery partition, it is rare for a non-technical person to do this. In addition, a quick scan did not detect any errors which might indicate that the partition tables had been damaged in anyway, they just seemed to have vanished.

On a hunch, I used a partition recovery tool to scan the drive and try to rebuild the partition tables. Sure enough, after a day and a half, both the main system partition and the manufacturer recovery partition had been rebuilt. The laptop could boot, and ran normally.

Of course, not trusting the drive and or the partition tables, I copied all data off to a backup drive, put a new hard drive into the laptop, did a clean install of the OS, and copied all the data files back. It turns out that the gentleman had over 12 GB of images, Office Files, and other documents. I felt very confident that I was able to recover all of his data. The laptop was returned to a very grateful lady and I felt good about the work I had done for her, being able to save a bit of her late husband’s memories.

Now, what has troubled me these past few days is “why” the partitions were gone. While I cannot be 100% certain, all factors seem to indicate that those partitions were purposely deleted and not victims of random drive failure. These days, it is VERY rare for drives to fail in this way, furthermore, if the drives had failed in this way there would be additional evidence that would suggest hardware failure, such as other data lose, damaged sectors, or even just trouble rebuilding the drive. None of these things were in evidence. I can only conclude that someone perhaps intentionally tried to erase this drive. However, if this is the case, then the person who tried to erase the drive was obviously NOT an IT professional.

When a person dies in a foreign land, of course his or her body and effects will be handled by the local law enforcement in that country. Could it be that someone in the Chinese government felt that erasing this man’s laptop before it was sent back to the US was necessary? Of course, if this is the case, why send the laptop back at all, or send it back with a new blank hard drive? It could have been that the decision came from a very low level in their government, like a local police captain, who did not want to take the chance that sensitive data might get out, and erased the drive on his own initiative. Could the deceased man, perhaps senescing the end of his life approaching, taken a last act to try and hide his data from local authorities?

How very odd.

While DNS is somewhat complicated, I’ll try to explain what is going on. A URL is composed of three or more parts. For example www.taborcg.com is the domain name for our site. The three parts are Host (www) Domain (taborcg) and Top Level Domain (com). there can also be one or more “sub-domains” between “www” and “taborcg”, like: www.crossville.taborcg.com or www.downtown.crossville.taborcg.com. In the old days on the internet, these sub domains helped user identify parts of larger organizations like universities or cooperations. The use of sub-domains has tapered off.

The “Host” part of the URL refers to a specific machine in a domain network. In most cases the slang term “www” has been used as a link or pointer to the “world wide web” server. This process of pointing and linking fake name to a real server is call “cname”. This is handy because network administrators can adjust web traffic from one physical machine to another by changing the cname of “www” and the users never have to know or update their bookmarks. (well update their books makes is itself an old term, now it’s more about a company not having to update a million dollars worth of advertising just to take a machine off line for repairs)

AT TCG our current production web-server is named “suzumiya”, so http://suzumiya.taborcg.com brings up out site, www is just a pointer to that address.

Now, if a user mistypes a URL, what is supposed to happen is that a “server or domain cannot be found” error is supposed to be displayed. Depending on what DNS server you have configured on your computer, some DNS servers feed you bogus search or advertising pages instead of errors. There is also a big market in typo domains, for example http://www.ebaayy.com/ is not owned by ebay, but the first link is a paid sponsor link back to ebay, thus this site is a revenue generator for who ever owns ebaayy.com. To combat domain typos, companies will also register several common typo domains and point them to the real location. Again, ebay owns http://www.ebayy.com and points it to their main site.

Domain typos are a problem, but a minor one. Most people and companies understand that the user has the responsibility to type the correct address to get where you need to go, in much the same way they have to dial the correct phone number to reach the right person. What Name.com has done however is NOT domain typo hijacking, but host level typo hijacking. Which on a technical and legal level is much, much worse.

Unlike a domain level typo hijack, a host level typo hijack involves a typo to the “host” part of the domain name. So rather than “www.taborcg.com” a user types “wwww.taborcg.com” or “ww.taborcg.com”. Why this is legally different is that I as the owner of the domain “taborcg.com” am responsible for any and all content on servers within my domain. In contrast if someone registered taborcggg.com and put child porn on www.taborcggg.com, I cannot be held responsible because I have no control over taborcggg.com. (it’s still reprehensible, and I would take action to stop taborcggg.com, but I would not be criminally liable for publishing it.)