On 2012-06-22 at 06:49 -0400, Pamela Lynn Howell wrote:
> Client took the Xenix box to his Windows hardware vendor (they rent desktop
> PCs from this guy for the office workers).
> The vendor claims there is "nothing on this system."
Bear in mind that with a different partition type, unrecognised by Windows, someone using a Windows GUI might well just see an unrecognised partition as disabled / unavailable and interpret it as "nothing on this system", because in their world, there's not anything. Nothing particular to Windows there, except for its propensity to *only* recognise a very limited set of partition and filesystem types.

First step should be to figure out what's meant by "nothing". Is it that a "dd" from the disk contains nothing but zeroes?

If there's data there, and it can be recovered, then the consultant probably did not do anything nefarious. After all, they know that their reputation affects their ability to get work and that they're about to need more customers. More likely is just some minor corruption of the storage -- disks fail.

If the data is zeroed (and the consultant is a moron), then be careful to not read repeatedly. Many operations can become write operations unexpectedly, and you're going to want platter-level forensics to deal with the fact that no single write ever gets _all_ of the data. There's a reason that secure deletion standards involve multiple passes, of data in various patterns, including random. If you're lucky, the alleged perpetrator did not use something like "shred".

-Phil
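The first-step check described in the message above, as an added example that is not part of the original post: one sequential pass over a "dd" copy of the disk that reports the MBR partition type bytes and counts sectors holding any non-zero data. It assumes a classic MBR layout and 512-byte sectors; the function names and the sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512
# MBR type bytes a stock Windows install mounts (FAT and NTFS families).
WINDOWS_TYPES = {0x01, 0x04, 0x06, 0x07, 0x0B, 0x0C, 0x0E}
TYPE_NAMES = {0x02: "XENIX root", 0x03: "XENIX usr", 0x07: "NTFS/HPFS", 0x0C: "FAT32 LBA"}

def parse_mbr(sector0):
    """Return the non-empty entries of a classic MBR partition table."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return []  # no boot signature: no table to report
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:
            parts.append({"type": entry[4],
                          "name": TYPE_NAMES.get(entry[4], "unknown"),
                          "start_lba": start, "sectors": count,
                          "windows_mounts_it": entry[4] in WINDOWS_TYPES})
    return parts

def triage(image, chunk_sectors=2048):
    """One sequential pass: partition table plus a count of non-zero sectors."""
    parts, total, nonzero = None, 0, 0
    while True:
        buf = image.read(SECTOR * chunk_sectors)
        if not buf:
            break
        if parts is None:
            parts = parse_mbr(buf[:SECTOR])
        for off in range(0, len(buf), SECTOR):
            sector = buf[off:off + SECTOR]
            total += 1
            nonzero += sector.count(0) != len(sector)
    return {"partitions": parts or [], "nonzero_sectors": nonzero,
            "total_sectors": total}

def sample_image():
    """Constructed 64-sector image: one XENIX root partition, data in sector 10."""
    img = bytearray(SECTOR * 64)
    img[446 + 4] = 0x02                           # partition type byte
    struct.pack_into("<II", img, 446 + 8, 1, 63)  # start LBA, sector count
    img[510:512] = b"\x55\xaa"                    # boot signature
    img[SECTOR * 10:SECTOR * 10 + 4] = b"data"
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    print(triage(sample_image()))
```

On a real case, pass a file object opened with mode "rb" on the image copy rather than the original disk, so the source is read only once when the copy is made.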