Continuing Professional Development
Hard driven computer emergency
Computer emergencies have happened before and they will happen again. It is only a matter of time, since every hardware specification carries an "MTBF", which you may read as the mean time between, or before, failure (a statistical average over a population of drives, not a promise about any one of them). The person operating the computer may not quite realize what happened; a disaster of bits and bytes has occurred and all they can say is that there is something not quite right with that hard drive. A person a bit more savvy with computers will say that there was a problem with the availability of the system. Whatever language is used, the thing crashed. Only further analysis of what happened will tell whether confidentiality and integrity were compromised as well in the hard-drive crash. What happened, in simple terms, is the dreaded "Computer Emergency". Yet it would be a strange event to hear "Computer Emergency!" screamed down a street in the same manner as "Fire! Fire!". Computer emergencies are much less mortal, and much more embarrassing, than fires, so a far more muted response comes from the operator; yet both events can be just as damaging to an organization.
So what is there to be done when the "bits hit the fan" in a computer emergency? The answer is that it is too late for wishful thinking; the damage is already done. All the preventive measures that should have been put in place are now a blurry flash in the mind, a flash of things one wishes had already been done that becomes the to-do list for next time. But right now, just after the event, nothing, it seems, can save the data on that hard drive: crashed, stuck, infiltrated with malware, "deleted", or just an application that is no longer usable.
It may come as a surprise that data on computer media is remarkably resilient. Nobody knows this better than a digital forensic examiner. The reason for this resilience is easy to explain: it results from hardware and software vendors chasing performance on the cheapest machines that could still support the operating system. So there are many controls that keep things working even when hardware partially fails, when data read back is slightly corrupted, or when the files being moved from folder to folder run to gigabytes. On the topic of data "lost" when a user deletes it: the data is not actually erased. Only the record of its location on the disk is removed; the data itself is still on the disk, but its "table of contents" entry has gone. Yes, with default operating system settings, the data is not removed. The performance gained by doing this is a great selling point for the operating system, enhanced by the iconic graphics and sounds of a paper document removed from the "bin", presumably destroyed forever. That is a distraction: the data is still there and can be recovered with prompt action. (One caveat for newer hardware: on an SSD, once the operating system tells the drive the freed blocks are no longer needed via TRIM, the drive may erase them on its own, so the same recovery cannot be counted on.) Yet keep using the hard drive without seeking help and sooner or later the data will be lost as it is overwritten, which is why the first rule of recovery is to stop writing to the disk and to work on a copy (an image) of it, never on the original.
Should the hard drive contain a malware-infected OS that no longer allows proper use of, or access to, the computer, shut the computer down, however that can be managed, and stop the infection getting worse; after all, the malware itself may be slowly overwriting the data byte by byte. The data on the hard drive is most probably still there if it is accessed by other means, even if it seems to have disappeared or is being held to ransom by the malware. Try attaching the infected drive to another computer as an external drive. As a precaution, but not a requirement, consider a host computer that does not run the same OS as the one on the infected drive, and mount the drive read-only with execution disabled (on Linux, for example, `mount -o ro,noexec,nosuid,nodev`); do not run anything from it and do not let the host auto-open its files. With luck the data will still be available. Immediate action and being prepared can help recover inaccessible or threatened files. Yet continue to surf the net for a solution or a magic application, or ignore the malware, and the data may be lost byte by byte.
The two examples above are software failures, but hardware failures can be just as forgiving, although the approach may turn out to be more expensive. Hardware failures are rare, and rarer still, among the hardware failure scenarios, is the case where a faulty head has scrubbed the platters completely clean. The reason is that hard drive manufacturers know they are building with the cheapest components, so many tricks are used to check and preserve written data (error-correcting codes on every sector, spare sectors that silently replace ones going bad) and even to tolerate "mistakes". The practical consequence for a drive that is failing is to read it once, sector by sector, into an image, noting and skipping the sectors that will not read rather than retrying them for hours and wearing the drive out further; everything else, including any attempt to recover files, is then done on the image.
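The two ideas above, imaging a drive that has unreadable sectors and then finding "deleted" files whose directory entry is gone but whose bytes are still on the platter, as an added example that is not MOCERT's own tooling. The disk is constructed in memory; `FlakyDisk`, the sample JPEG/PDF shells and the FAT-style directory sector are assumptions made for the demonstration, and the carving only looks for header/footer pairs, which is what a basic file carver does on raw sectors.

```python
"""Added example (not code from MOCERT): image a failing disk sector by
sector, then carve files out of the raw image without using the filesystem.
The disk, its bad sector and the sample files are constructed here."""
import hashlib
import io

SECTOR = 512

# (header, footer) pairs a carver scans raw sectors for; no directory
# entry is needed because the content is recognised by its own bytes.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff\xe0", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


class FlakyDisk:
    """Constructed stand-in for a block device: reading any sector listed
    in `bad` raises OSError, as a drive with unreadable sectors would."""

    def __init__(self, data: bytes, bad=()):
        self._buf = io.BytesIO(data)
        self.bad = set(bad)

    def seek(self, pos: int) -> None:
        self._buf.seek(pos)

    def read(self, n: int) -> bytes:
        if self._buf.tell() // SECTOR in self.bad:
            raise OSError("I/O error: unreadable sector")
        return self._buf.read(n)


def image_disk(src, dst):
    """Copy src to dst one sector at a time. A sector that will not read is
    zero-filled and recorded, and the copy moves on; aborting on the first
    error would leave the rest of the drive unimaged. Returns the SHA-256 of
    the image (so later copies can be checked) and the bad sector numbers."""
    digest, bad_sectors, pos = hashlib.sha256(), [], 0
    while True:
        src.seek(pos)
        try:
            chunk = src.read(SECTOR)
        except OSError:
            bad_sectors.append(pos // SECTOR)
            chunk = b"\x00" * SECTOR
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        pos += len(chunk)
    return digest.hexdigest(), bad_sectors


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Check a copy of the image against the hash taken when it was made."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def carve(image: bytes, max_size: int = 1 << 20):
    """Return (type, offset, content) for every header/footer pair found in
    the raw image, in offset order. A header with no footer within
    max_size bytes is skipped."""
    found = []
    for ext, (head, tail) in SIGNATURES.items():
        start = 0
        while (i := image.find(head, start)) != -1:
            j = image.find(tail, i + len(head), i + max_size)
            if j == -1:
                start = i + 1
                continue
            found.append((ext, i, image[i:j + len(tail)]))
            start = j + len(tail)
    return sorted(found, key=lambda f: f[1])


# Constructed sample files: a JPEG header/footer shell and a minimal PDF.
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00JFIF" + b"\x11" * 300 + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"


def build_disk() -> bytes:
    """Sector 0: FAT-style directory whose JPEG entry is 'deleted' (first
    byte 0xE5) and whose PDF entry was wiped. Sector 1: unrelated filler
    (made unreadable below). Sectors 2-3: the file contents, untouched."""
    def pad(b: bytes) -> bytes:
        return b.ljust(SECTOR, b"\x00")
    directory = pad(b"\xe5HOTO   JPG" + b"\x00" * 21 + b"\x00" * 32)
    return directory + pad(b"\xaa" * SECTOR) + pad(SAMPLE_JPG) + pad(SAMPLE_PDF)


def recover(disk):
    """Image first, then carve from the copy; the original is never written."""
    out = io.BytesIO()
    sha, bad = image_disk(disk, out)
    image = out.getvalue()
    return sha, bad, image, carve(image)


if __name__ == "__main__":
    sha, bad, image, files = recover(FlakyDisk(build_disk(), bad={1}))
    print("image sha256:", sha, "| zero-filled sectors:", bad)
    for ext, off, content in files:
        print(f"carved .{ext} at sector {off // SECTOR}, {len(content)} bytes")
```

Both files come back even though one directory entry is marked deleted and the other is gone entirely, and the unreadable filler sector is recorded rather than stopping the copy. Had the bad sector fallen inside one of the files, the carver would still find the header and footer but the content would contain a zero-filled hole, which is why the bad-sector list is kept alongside the image.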
So what should be done when the bits hit the fan in a computer emergency? The simplest answer is to stay calm, work out whether the data is worth saving, and then set about saving it in a methodical and appropriate manner. Should the approach to the situation turn into a sudden urge to run down the street screaming "Fire! Fire!", a quick call to MOCERT will help bring a methodical solution to your "Computer Emergency".
The following is a summary of the state of internet and computer security.
In the five (5) months from February to June 2010 inclusive, there was an "average" activity of about ten (10) advisories and a little more than three (3) issues per week, as collected by the Early Warning System function of MOCERT.
The internet threat signal was raised four (4) times over the course of February to June 2010 to YELLOW, asking computer users to be cautious about the websites and files they access from the internet. In mid-February there was concern about a 0-day vulnerability affecting Mozilla Firefox. Since this vulnerability could affect a considerable number of internet users in Macao and no patch was available, the "internet weather" signal was raised to "Cautious". After a few days Mozilla responded with a patch, and the signal was brought back to normal towards the end of the following week.
At the start of April, Adobe Reader and Acrobat were revealed to have a vulnerability for which no fix existed until a few days later. Since Adobe Reader and Acrobat are widely used in Macao, the signal was raised once more to "Cautious" and lowered a few days after the patch was released. In mid-May the quantity of issues and advisories across various technologies prompted a brief elevation to "Cautious". In mid-June the signal was raised to "Cautious" on an actively exploited 0-day in Adobe Reader and Flash; it was kept up until a few days after the patch was made available.
Stay safe by keeping informed of the latest advisories and issues at: www.mocert.org