So last Friday (May 1st, 2009) I was asked at work to upgrade the hard drive in the CEO's laptop. Alright, no problem, we go to the closest store and pick up a new two hundred and fifty gigabyte hard drive to put in the laptop. I get the new drive and decide to make sure the old drive has no errors before I image the disk over.
I run the usual Windows `chkdsk` commands and it finds some stuff and fixes it quickly. I put the new drive on a small external USB adapter and throw in the TRK Rescue disc to run a `dd` on the drive. The program completes, and I put the new drive into the system. The new drive boots up and all is fine. I can resize the partition later when I have more time.
A little later I get a phone call saying that there are no folders in the CEO's Outlook Pane. “Alright.” So I walk up and take a look, sure enough no folders under the six PST files that were mounted from the local hard disk. I close the Personal Folders and then remount them in Outlook. Nothing. “Alright…”
So I browse to the My Documents folder where the files are kept and I search around. I find the six PST files. Looking over them, file size: 0 bytes. Yeah, zero bytes. Three of these files were over two gigabytes (2GB) and the other three were in the range of eight hundred megabytes (800MB). Now, we have a problem.
I come to find out that the `chkdsk` run found something wrong with these large files and marked them as zero bytes in the file table on the drive.
So I quickly take the original hard disk down to my system here and throw it on the USB adapter and start running a simple undelete utility on the files. It finds them, but still as zero bytes, and only restores a zero byte file. Now we have a larger problem. So I start searching around the Internet for some utilities that will scan the disk and reconstruct the damaged or missing PST files.
I come to find a program called Office Recovery by DiskInternals. The program installed, and I had it scan the disk. This took forever on my little machine but after many hours found the parts and displayed them to me. I was able to save the mail to a PST file on my primary hard disk. But still a problem, all of the new messages had their times erased and most of the messages have the `From:` field replaced with their Exchange counterparts /O= and /OU= stuff.
I need to recover the files themselves, not the contents. So a little more searching and reading up and I find out that a program I found a long time back can help. So I installed X-Ways Forensics, and had it scan the external disk. Following some bits and pieces of information around the Internet I was able to do a File Recovery by Type. This scans the entire disk for any files with the particular header; when looking for PST files you need to search for the header `!BDN`, in hex of course. It found the files, so I told it to grab four gigabytes (4GB) of data starting from the beginning of each PST file. This of course pulls tons of useless data with it, but does get the information that we need.
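The header search described above can be sketched in a few lines. This is an added example, not the X-Ways procedure from the post: it goes one step further and reads the file size the PST header records about itself, falling back to a fixed-size grab only when that value is unusable. It assumes a raw disk image, files that start on a 512-byte sector boundary and are stored contiguously, and header offsets as given in Microsoft's MS-PST specification; `carve_psts` and `declared_size` are hypothetical names.

```python
import struct

PST_MAGIC = b"!BDN"     # dwMagic: the signature searched for in the post
CLIENT_MAGIC = b"SM"    # wMagicClient at offset 8 identifies a PST (MS-PST)
SECTOR = 512            # assumption: files begin on a sector boundary
HEADER_LEN = 192        # enough bytes to reach ibFileEof in both formats


def declared_size(header: bytes):
    """Return the size a PST header records for its file, or None if invalid."""
    if len(header) < HEADER_LEN or header[:4] != PST_MAGIC:
        return None
    if header[8:10] != CLIENT_MAGIC:
        return None
    (version,) = struct.unpack_from("<H", header, 10)      # wVer
    if version in (14, 15):                                 # ANSI PST
        return struct.unpack_from("<I", header, 168)[0]     # 4-byte ibFileEof
    if version >= 23:                                       # Unicode PST
        return struct.unpack_from("<Q", header, 184)[0]     # 8-byte ibFileEof
    return None


def carve_psts(image_path, fallback=4 * 1024**3, chunk=1 << 20):
    """Yield (offset, length, trusted) for every PST signature in a raw image.

    trusted is True when the length came from a plausible header value and
    False when the fixed-size fallback (4 GB, as in the post) was used.
    """
    with open(image_path, "rb") as img:
        image_len = img.seek(0, 2)
        for base in range(0, image_len, chunk):
            img.seek(base)
            data = img.read(chunk)
            for rel in range(0, len(data), SECTOR):
                if data[rel:rel + 4] != PST_MAGIC:
                    continue
                offset = base + rel
                img.seek(offset)
                size = declared_size(img.read(HEADER_LEN))
                remaining = image_len - offset
                if size and HEADER_LEN <= size <= remaining:
                    yield offset, size, True
                else:
                    yield offset, min(fallback, remaining), False
```

Run it against an image of the disk rather than the disk itself, and treat every carved file as unverified until a repair or integrity pass has gone over it, since a fragmented file will carve to the right length with the wrong contents.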
I then had six four gigabyte PST files sitting on my primary disk. Alright, let's try this. I loaded Outlook and File -> Open -> Personal Folder, I selected the first of the PST files and clicked OK. Nope! Outlook threw out some horrible errors and told me to fix the corrupt file. But for once… Just once, it told me how to do this. I then located `scanpst.exe` which comes with Office and using the utility chose to fix one file at a time. This reduced the file size to an acceptable level and I was able to import them into Outlook successfully. Once in Outlook, I created a new Personal Folder and moved the contents into the new folders so I was sure they would not be corrupt. After working on this for eight hours, I decided that was probably the best I was going to do, and the most data I was going to be able to recover.
This morning I put them back on to the CEO's laptop and for now she is happy. But this entire problem would not have been so huge if we were allowed to make backups. We have on many occasions, multiple times a month, gone up with external drives and blank DVDs to help back stuff up, and we are never given time to do so. She does not want her data stored on the multi-thousand dollar SAN we have set up for such things.
How do you tell the CEO to use the technology we have for the company to store data, that is protected for her access only and strictly monitored? You want data protection and backups and security, yet will not allow us to back it up, and blow off I.T. when we want to help you back up from your local machine.
Either way, this could have had a much worse outcome. I think she will let us take backups and give I.T. the time it needs to do so as well.