Tales from the flying disk doctor - a lot of hah!

Copyright Dr Alan Solomon (1986-1995)

We usually tackle impossible data recoveries only - if it can be fixed
with Norton, we leave it to the amateurs.  But every now and then, a
dead easy one comes through the door, and this one was the easiest.
Or at least, it was to start with.  Hah!

I can't tell you who it was, for obvious reasons.  But we were asked
to look at a disk that used to belong to a firm that (I think) was
acting as an investment manager, only something had gone wrong, and
the aroma of fraud was in the air.  We were looking at it on behalf of
an Official Body who was investigating the matter.  I guessed that
they didn't know how to use a computer, and all we'd have to do is
print out anything that looked interesting.  Hah!

The disk was full of data, and there didn't seem to be anything wrong
with it.  It had a large Smart data base, several Smart spreadsheets
and many Smart WP documents.  We looked deep into the disk, and there
weren't any suspicious deleted files, or mysterious blank areas of
disk.  So we decided to print out the databases etc, and that would be
that.  Smart is quite a neat package, and it lets you put a password
on things.  There was a password on the database, on the spreadsheets,
and on the documents.  Great, I thought, at least I'll be earning my
fee.  Hah!

The password system on a Smart data base is really really stupid.  The
way it works, is that Smart sees that the data base is password
protected, so it won't show you the data;  very clever.  The stupid
part is that the data isn't encrypted, and you can look at it with
Debug or any other file snooping tool.  So we wrote a little program
that read through that big file and printed out each record;  it
turned out to be a complete list of clients, and might well be
valuable evidence.  We ended up with about fifty quires of paper (and
if you don't know what a quire is, you're not as old as I am and
didn't use those exercise books that told you things like that, along
with rods, poles and perches).

So far, a piece of cake, and I had every reason to suppose that the
rest of the job would be just as easy.  Hah!  We had connected up the
laser printer for this mammoth printing session, but now we needed the
laser for other things;  normally it's connected to the LAN and we all
use it.  But there was a lot more Smart to print out, so we put a
network interface card into the client's machine, so that we could
print across the network, and carried on working on this Smart stuff.

Smart creates little files every time you run it - I think they're
some kind of place-marker, but I don't know Smart well enough to be
sure.  Anyhow, it makes these little files.  The next time we started
up Smart, it ran alright for a while, and then the machine hung.  When
we rebooted it, it wouldn't start up off the hard disk, so we booted
it off a floppy and had a look.  Using a disk snooping tool, we found
that both copies of the FAT had been damaged in such a way that the
disk could not be read.  Now I was sure that it couldn't have been
like that before, or we couldn't have done the big data base.  We must
have damaged it ourselves - just what I needed.

The disk wouldn't boot, if you did a DIR it hung, you couldn't do a
Chkdsk - all the classic symptoms exhibited by about half the disks we
get sent to us.  But, dammit, this one had been fine.  We opened it up
again, and saw the problem;  in putting in the network interface card,
we'd partially dislodged the hard disk controller cables.  Interesting
- at least now I knew what was causing some of the problems that were
coming in through my front door;  I guess the amateur that gets to it
first would normally have put the cable back on properly, thus
removing the evidence.

But, instead of being a doddle, this disk was turning into a real
hassle.  I could have kicked myself for not getting the data safely
off the disk as soon as possible.  This is our normal procedure, but
in this case there was nothing actually wrong with the disk, so there
didn't seem to be any point.  Kick, kick.

So at that point, we had to do a full data recovery.  It turned out
that three of the FAT sectors were damaged into total unreadabliity,
and that both copies were damaged in the same place.  There were six
sectors of the disk that appeared to have never been low-level
formatted, except that of course they had been once, and the FAT had
been written on them.  But the area of FAT that was damaged looked as
if it would not correspond to the data that we still had to get off,
except that the pointer to the subdirectory was in there.

So we did a low level format on just those six sectors, and anyone who
knows a lot about hard disks will tell you that it is quite impossible
to do a low level format on a single sector - I don't care, I prefer
impossibilities, they make the job more interesting.  But that gave us
formatted sectors, not sectors of FAT.  We had to calculate the
location of the start of the Smart subdirectory, and hand-patch the
FAT to point to it, and then we could DIR the subdirectory, go into
the sub-sub- directories, and copy the Smart spreadsheets and
documents onto floppies, and then print out the contents, ignoring the
silly Smart password system.  And that should have been that.  Hah!

They did have passwords on them.  But the passwording system on a
Smart spreadsheet or document is very different, and it is MUCH harder
to crack, as they do a proper encryption job on it.  So we had to do
some serious hacking, because if it had a password on it, that meant
it was confidential, and that meant that it could be useful evidence.

We cracked the Smart password system;  actually there wasn't a hope in
hell that we wouldn't.  Given enough time, and access to the
encrypting program, a determined hacker should be able to crack just
about anything, and things like the Smart encryption aren't meant to
be military-grade encryption anyway.  We decrypted the documents and
spreadsheets, and very interesting they were too, except that of
course I can't tell you what was in them.  And I won't tell you how to
crack a Smart spreadsheet or document;  you'll have to be content with
knowing how to do a Smart database.

But I can tell you this - if anyone comes to you with a scheme for
investing your money with a guaranteed 50% per year return, check it
out carefully before you put your hard earned ackers into it.  I don't
care whether it's chips, bugs or whatever the latest investment craze
is;  check it out carefully, and particularly be on the lookout for
pyramid schemes, whereby money from later arrivals is the main source
of revenue for the earlier investors, and if you're one of the later
investors, make sure that there is a plentiful supply of untapped
suckers.

By the way, the floppy disk drive on the Compaq had a little bit of
Sellotape insulating part of the connector from the floppy disk
controller, and this was stopping the drive from switching into low
density mode.  So the drive could read and write high capacity disks,
but was very unreliable about reading low density disks, and would
almost never write low density disks.  I really cannot imagine why the
dealer would have set the drive up that way, unless he was working a
scam on the financial people, whereby they had to buy expensive high
capacity disks instead of cheap low density disks.  Even the sharks
are preyed on by sharks.