4

I am a senior systems engineer at a mid-sized ASP/hosting company. 9 or 10 months ago we had a large layoff which included our company's marketing director.

None of our upper management thought to take the time to look through his emails or laptop data when we offered to provide it to them after the termination was announced. After about two weeks I went ahead and "fully processed" the termination, which entails removing the user's email account (30 day retention), moving all of their personal drive data to another location to be backed up, etc.

Shortly before he was fired he worked out a (bad) deal with one of our customers which currently brings in roughly $15k per month. Now, 9-10 months later, our customer is calling this into question as to what they're being billed for. Guess what, no one has a statement of work (the customer probably does but they'd never share it). This thing is nowhere to be found...

I dug up his hard drive and slapped it into a laptop. It booted up and immediately I noticed something was wrong. Nothing on the start menu, nothing under all programs, and some strange "legacy windows" explorer behavior. So I checked out the C:\ and, lo and behold, almost every file and folder (outside of MOST required OS stuff) has had its name changed to a random letter or number.

From what I can tell this freaking guy ran some utility out of spite that not only wiped out any data on the drive but also destroyed the folder structure throughout the system. I was unable to collect any information from it and decided it's better to take the drive to a recovery expert.

Has anyone heard of a utility that can do that? If so, is there a recovery method that you may have used to reverse the damage? We're more than likely taking the drive to an expert this week but I'm curious if we might have recourse to take this guy to court and float the cost of the recovery.

schroeder
user165597
  • To the OP though, I'd like to point out that it's not necessarily a pre-existing utility which did it. Even if it's not the result of innocent corruption, they could very well have written a simple script to do just this. Someone with even moderate experience in any scripting language could do it in 5 minutes. – forest Dec 07 '17 at 04:43
  • “he worked out a (bad) deal with one of our customers” I assume this was done using the company email... is it so? – Andrea Lazzarotto Dec 09 '17 at 22:49

2 Answers

1

There are two levels of file-deletion on a computer.

When you delete a file, the system simply marks the space that the file took up as available again. If that space doesn't actually get used again, the file is still there and can be recovered. I've used Piriform's Recuva program with some success in the past, but there are others out there as well.

If the file was overwritten, either deliberately with a secure-erase program or just through normal course of operations, then recovery is extremely difficult to impossible.

If all the files are just renamed to random strings, then you could conceivably just try opening them all in notepad/word/etc. Might take a while, but changing a file's name doesn't destroy any of the data in the file.

K.B.
  • If there were a couple of large applications on there and the folder structure was wiped out, that could take a LONG while. – baldPrussian Dec 06 '17 at 23:17
  • 2
    Re "When you delete a file, the system simply marks the space that the file took up as available again. If that space doesn't actually get used again, the file is still there and can be recovered" - this is only true for traditional HDDs. If the drive is an SSD, this is no longer generally true. – loneboat Dec 19 '17 at 03:52
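The answer's point that renaming leaves file contents intact can be used to sort renamed files by type without opening each one by hand. The sketch below is an added example, not part of the original answer: it classifies files by their leading signature bytes and ignores the names. The function names and the sample files are constructed for illustration, and it assumes you run it against a read-only copy or image of the drive, never the original.

```python
import os, tempfile, zipfile

# Leading-byte signatures for common document types (well-known magic numbers).
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 (legacy .doc/.xls/.msg)"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"{\\rtf", "rtf"),
]
# Modern Office files are ZIP containers; a member name tells them apart.
OOXML_MARKERS = {"word/document.xml": "docx", "xl/workbook.xml": "xlsx",
                 "ppt/presentation.xml": "pptx"}

def classify(path):
    """Return a type label from file content; the (randomized) name is ignored."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    if head.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(path) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip (damaged)"
        for member, label in OOXML_MARKERS.items():
            if member in names:
                return label
        return "zip"
    return "unknown"

def triage(root):
    """Walk root (opened for reading only) and map each path to its detected type."""
    return {os.path.join(d, f): classify(os.path.join(d, f))
            for d, _, files in os.walk(root) for f in files}

def build_sample(root):
    """Constructed sample: files with meaningless names but recognizable content."""
    os.makedirs(os.path.join(root, "q7"))
    with open(os.path.join(root, "q7", "x"), "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed sample\n")
    with zipfile.ZipFile(os.path.join(root, "3"), "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    with open(os.path.join(root, "k"), "wb") as fh:
        fh.write(b"plain notes, no signature")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, kind in sorted(triage(tmp).items()):
            print(f"{kind:8} {path}")
```

Filtering the result for `pdf`, `docx` and `ole2` narrows a search for a document such as a statement of work to a short list, which addresses the concern in the comment above about how long manual opening would take.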
1

Assuming that the deal was set up &/or confirmed by email, then all of the exchanges should be stored in your email server's logs; most jurisdictions have a long, several-year retention of emails on or off the server as a legal requirement (often based on the anti-terrorism &/or trafficking legislation).

Check with the email service provider technical support - it should be quite simple to retrieve all of the emails between a specified employee and a specific domain during a given time period.

If your company email system is not doing such mail retention then check the local legislation and, if necessary, correct your practices. You could possibly send a small bonus & a thank-you email, nice and vaguely worded, such as "A thank-you for your final actions with the company; you have saved us from a great deal of trouble!" to the person who did this, not highlighting what you were at risk of - I suspect that this will drive them nuts. If you are feeling a little nasty, send it to their new work email address with a high importance and point out that their final actions have alerted you to a possible security compliance risk!

Steve Barnes
  • Definitely check local legislation. Some companies have a stated policy of **not** keeping emails on their server for more than a few weeks specifically to prevent problems if they receive a lawsuit several years later. If you deleted the email, it can't be used against you. – Simon B Feb 05 '18 at 14:16
  • @SimonB if local legislation mandates email retention, _(and a lot now do)_, then the fact that it was deleted can be used against you, the company &/or the person who deleted it. Of course some companies do prohibit local email archives _possibly so that in the event of a problem they can decide if the mails "accidentally" were deleted as the lesser of evils_. – Steve Barnes Feb 05 '18 at 15:08