Foul file deletion



Diver
18th June 2007, 16:50
Here's one for our more mature members!
Recently called out to do a DR job at a backwoods dental surgery; they'd lost all of their patient & supplier details, including accounts.

Antiquated system, running (believe it or not) Win 3.11 and DOS 6.20.
No malware detected on the system, so suspected a rotten apple in the barrel (i.e. a staff member).
Keystroked the system! Nothing. Oh yeah, only the DB was affected!
Still suspecting foul play, used DOS UNDELETE. Nothing!
Had an old shareware program in my box of tricks called Recover (on floppy).
(For you youngsters, that's what we used before they brought out those shiny round things that you usually use for coasters.)
Anyway, back to the plot: the missing data appeared as if by magic!
However!! Unlike DOS-deleted files, the first and last letters were missing from each file name. Luckily they had a backup that was only 2 months old, so only a few hundred file names had to be rewritten using hardcopy records (by one of the girls in the office of course, "boring").
Anyway, have any of you come across this? It's really bugging me that I could find no evidence that pointed to local input.



"Under Water Nobody can hear you scream"

(They can in a dentist's, but everyone thinks it's a patient.)

AtW
18th June 2007, 19:04
It's been a while since I used Norton Utilities to recover data on DOS, but I vaguely remember that those missing characters were a normal feature of DOS when it was deleting files.

This link: http://www.vfrazee.com/ms-dos/6.22/help/undelete.htm seems to suggest that missing first letter is normal - you only get full letters if some extra software is running to assist undelete.

Either way you probably screwed up all forensics there, so what exactly happened will probably never be established. This is just a reminder that undelete is not a substitute for a good backup strategy, which should be regularly tested by restoring data into a cloned machine to see if backups actually work.
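The on-disk mechanics behind that remark, as an added example that is not part of the thread: on a FAT volume, DEL does not wipe a file. It overwrites only the first byte of the 32-byte directory entry with 0xE5; the other seven name bytes, the extension, the starting cluster and the size are left intact, which is why UNDELETE can bring the file back if you supply the one lost character, and why a recovered name missing letters at both ends is not what DEL leaves behind. The script below is constructed for this page (the file names, clusters and sizes are made up); it builds a small directory, deletes one entry the way DOS does, parses the result and restores the entry. It also handles the 0x05 escape that FAT uses when a real name starts with byte 0xE5, and stops at the 0x00 end-of-directory marker.

```python
import struct

ENTRY_SIZE = 32
MARK_DELETED = 0xE5   # DEL overwrites only this byte; the other 31 stay intact
MARK_END = 0x00       # first byte 0x00: no entries follow this one
MARK_ESCAPE = 0x05    # a name whose real first byte is 0xE5 is stored with 0x05


def make_entry(name, ext, cluster, size, attr=0x20):
    """Build a 32-byte FAT short-name directory entry (constructed test data).
    name/ext are expected in the uppercase 8.3 form DOS stores on disk."""
    raw_name = name.ljust(8)[:8].encode("latin-1")
    raw_ext = ext.ljust(3)[:3].encode("latin-1")
    if raw_name[0] == MARK_DELETED:            # would look deleted: escape it
        raw_name = bytes([MARK_ESCAPE]) + raw_name[1:]
    # attr, NT reserved, create-time tenths, create time/date, access date,
    # high cluster word (FAT32 only), write time/date: all zero here
    middle = struct.pack("<BBBHHHHHH", attr, 0, 0, 0, 0, 0, 0, 0, 0)
    return raw_name + raw_ext + middle + struct.pack("<HI", cluster, size)


def dos_del(entry):
    """What DOS DEL does to the directory entry: stamp 0xE5 over byte 0, nothing else.
    (The FAT chain is also released, which is why the data can be overwritten later.)"""
    return bytes([MARK_DELETED]) + entry[1:]


def short_name(raw11, first_char=None):
    """Render the 11 name bytes as NAME.EXT; '?' stands in for a destroyed first byte."""
    base = bytearray(raw11[:8])
    if base[0] == MARK_DELETED:
        base[0] = ord(first_char) if first_char else ord("?")
    elif base[0] == MARK_ESCAPE:
        base[0] = MARK_DELETED                 # undo the 0x05 escape
    name = bytes(base).rstrip(b" ").decode("latin-1")
    ext = raw11[8:11].rstrip(b" ").decode("latin-1")
    return f"{name}.{ext}" if ext else name


def parse_directory(data):
    """Walk a directory region and report active and deleted entries."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = data[off:off + ENTRY_SIZE]
        if e[0] == MARK_END:
            break
        cluster, size = struct.unpack("<HI", e[26:32])
        entries.append({
            "offset": off,
            "deleted": e[0] == MARK_DELETED,
            "name": short_name(e[:11]),
            "first_cluster": cluster,
            "size": size,
        })
    return entries


def undelete(entry, first_char):
    """Restore a DEL-style deleted entry: only the first character is needed.
    Whether the data clusters are still intact is a separate question."""
    if entry[0] != MARK_DELETED:
        raise ValueError("entry is not marked deleted")
    if len(first_char) != 1:
        raise ValueError("need exactly one character")
    return first_char.encode("latin-1") + entry[1:]


# Constructed directory: one live file, one file removed with DEL, then end marker.
SAMPLE_DIR = (
    make_entry("ACCOUNTS", "DAT", cluster=2, size=4096)
    + dos_del(make_entry("PATIENT", "DBF", cluster=9, size=65536))
    + bytes([MARK_END]) + b"\x00" * (ENTRY_SIZE - 1)
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        state = "deleted" if e["deleted"] else "active "
        print(f"{state} {e['name']:<12} cluster={e['first_cluster']} size={e['size']}")
    restored = undelete(SAMPLE_DIR[ENTRY_SIZE:2 * ENTRY_SIZE], "P")
    print("restored:", short_name(restored[:11]))
```

Run it and the deleted entry shows up as `?ATIENT.DBF` with its cluster and size intact, which is exactly the single-character prompt UNDELETE gives you. A name that comes back with both ends gone was not produced by this one-byte stamp; something rewrote the directory entry or renamed the file first.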

Diver
18th June 2007, 20:25
Done an uncounted number of recoveries because of DOS DEL, but never come across both ends of the file name being stripped before!

That's why I posted it.

As for the forensics! We are talking about 1 x Pentium 1, 4 x 486 DXs and an SX. They probably had an 0806 green screen connected to a Sinclair ZX81 in the basement as well for all I know.

Thankfully they let me talk them into a complete new install.

AtW
18th June 2007, 21:27
I think they made a number of changes in v6.x of DOS to aid their own undeletion - at the time (early 90s) there was a big outcry from vendors like Norton, who pioneered the undelete command, and Stacker, who were miffed at having DoubleSpace provided as part of DOS. My guess is that that file was deleted with something other than the del command - this missing-first-letter behaviour was standard in DOS; I myself manually recovered deleted files using Norton Utilities Disk Editor. You sound like a youngster who never edited the FAT using Disk Editor :tongue

Either way it is all ancient history - good backups are a must.

Diver
18th June 2007, 22:08
I think they made a number of changes in v6.x of DOS to aid their own undeletion - at the time (early 90s) there was a big outcry from vendors like Norton, who pioneered the undelete command, and Stacker, who were miffed at having DoubleSpace provided as part of DOS. My guess is that that file was deleted with something other than the del command - this missing-first-letter behaviour was standard in DOS; I myself manually recovered deleted files using Norton Utilities Disk Editor. You sound like a youngster who never edited the FAT using Disk Editor :tongue

Either way it is all ancient history - good backups are a must.


As soon as I spotted that the file names had been stripped at both ends I knew that DOS DEL had not been the tool used!
(As for editing the FAT, it's a serious problem: not enough exercise.)

I've still got Norton Utils on floppy from the late 80s. I used to own a top-of-the-range IBM portable with a green screen; everything you looked at used to have a pink tinge for about 2 hrs after using it. Youngster :tongue

AtW
18th June 2007, 22:18
And I was playing with punch cards in the early 80s... and I used my fair share of black and white, and monochrome (not just green, but other, worse colours) screens :wink

Diver
18th June 2007, 22:22
Did you rush out and buy a ZX81 too? :smokin

AtW
18th June 2007, 22:24
No, I had to use this: http://www.taswegian.com/MOSCOW/mk-61.html

105 bytes of memory that get wiped when you switch it off, reverse Polish logic; unfortunately proper small computers were extremely expensive and my parents could not afford one until an IBM PC 386 in 1994 :sick

Diver
18th June 2007, 22:35
I think mine fell off the back of a lorry; it certainly looked like it when I got it.

As for the Sinclair ZX81, you certainly missed something special there.

The instruction book came with a delightful little program to type in that showed a sine wave.
It took two days to type in (BASIC) and two days to debug.

It was a very pretty sine wave though! :laugh

AtW
18th June 2007, 22:42
Yes, I did some BASIC too, but soon moved to assembly, so there, youngster :tongue

Diver
18th June 2007, 22:52
Fortran Rules :banana:

threaded
19th June 2007, 06:49
Anyway, getting back to the point: was there any kind of program with a backup utility on the machine? Many DOS programs made backups by changing the last letter of the filename. This sounds like a likely scenario: maybe finger trouble and they made the whole disk a backup, and then they kindly deleted everything to try and cover the first mistake?

Bluebird
19th June 2007, 08:42
First used Clipper in a government department - they have still got it!

angusglover
19th June 2007, 08:46
Either way you probably screwed up all forensics there, so what exactly happened will probably never be established. This is just a reminder that undelete is not a substitute for a good backup strategy, which should be regularly tested by restoring data into a cloned machine to see if backups actually work.
Yep, how many times have you seen companies that religiously run backups... but never actually test that the data can be restored?

Sysman
19th June 2007, 10:15
Yep, how many times have you seen companies that religiously run backups... but never actually test that the data can be restored?
The WORN backup strategy.

Write Once, Read Never.

™®© Sysman.

Diver
19th June 2007, 15:37
Anyway, getting back to the point: was there any kind of program with a backup utility on the machine? Many DOS programs made backups by changing the last letter of the filename. This sounds like a likely scenario: maybe finger trouble and they made the whole disk a backup, and then they kindly deleted everything to try and cover the first mistake?

The accounts program was Pegasus (to run in DOS).
The database I can't remember the name of offhand, but they were stand-alone programs with separate backup facilities.

I was going to download the operating system & program files onto an external hard drive to study at a later date, but they were worried that I might download confidential patient info!