sync: auto-sync from GURU-5070 at 2026-07-02 19:14:01
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-07-02 19:14:01
@@ -161,6 +161,33 @@ ACL root is `G:\Shares\Scanned`; permissions inherit to `@Clients` and subdirect
**Caveat:** the `(D,DC)` deny on Admin1 also blocks rename and app save patterns that delete-then-write. If Admin1 users report inability to rename or save, carve an individual exception. Reversal: `Add-ADGroupMember Admin1 -Members Admin2`; `icacls "G:\Shares\Scanned" /remove:d "PEACEFULSPIRIT\Admin1"` then restore allow via `/grant`.
### 2025 Crash & File Corruption (investigated 2026-07-02)
June 4, 2025: the OLD server (hostname **NEWSERVER**, domain PSTMC) crashed; a second failure during restore corrupted file-table→data mappings. Corrupted files carry the original name/size but contain foreign data blocks (MPEG-2 video streams `00 00 01 BA`, ownCloud sync-log text, etc.). Mara's July-2026 Claude analysis of `_C_IC_Payments_2-12_to_2-26-25.xlsx` (62,993 bytes, MPEG content) is in Mike's Documents (`Data recovery covo Claude.docx`).
**Damage inventory (live G:\Shares, Mike's `[C]` filename prefix = confirmed corrupt):** 5,044 files, ~2.9 GB — 4,858 PDF, 108 xlsx, 25 docx; 5,027 under Private (~129 across Accounting Docs year folders 2016-2025). Full list: PST-SERVER `C:\PST-Recovery\corrupted-file-list-20260702.txt` (size TAB path). In the 2024/2025 payroll trees specifically only 5 of 161 Office files are corrupt, incl. Mara's IC Payments 2-12–2-26-25 (MPEG in BOTH G: `[C]` copy and D:\Shares copy — corruption predates all copies) and IC Payments 5-13–5-27-25 (content = ownCloud log text; Mara built a partial replacement "(clare and alice corrections ONLY)").
**Recovery corpus on PST-SERVER D: (931 GB, label "VM Files" — the old server's drive; FROZEN, no cleanup):**
- `D:\Shares` — crash-era share tree (2025-06-03), incl. full Accounting Docs 2013-2025; mostly intact.
- `D:\Recovery2019` — restore attempt (2025-06-26), Private+Scanned.
- `D:\Recovery-EXT` — ownCloud/Syncthing copy circa 2021 (complete IC Payments 2018 – mid-2021).
- `D:\Unknown folder` — file-carving output (2025-06-03): 101,552 files at root (`[000024].xlsx` bracket names; 20,345 .doc, 1,121 .xls, 9,274 .pdf) + hex-named subdirs; candidate source for recovering the `[C]` files.
- `D:\Users` — old-server profiles (mconcordia, hallb, lmt, pst-admin, Administrator.PSTMC/NEWSERVER).
**No cloud copy predates the crash:** MSP360 plan "Files Backup 2025" was created 2025-06-04 (crash day); B2 fully enumerated 2026-07-02 — generic bucket (MSPBackups20200311) holds other clients only (FSG-SRV-02, UC2-SERVER, LAB-BECKY, DROBO, VWP-SERVER, SALMON/TROUT), ACG-PST has only post-crash data, ACG-Internal only NEPTUNE.
**Gotcha:** `G:\Shares` ROOT denies SYSTEM directory enumeration (Access denied) — recursive scans from the root silently return nothing; enumerate the children (`Private`, `Scanned`, ...) directly.
**Carve-identification results (2026-07-02): all 4 MPEG-corrupted 2024/2025 payroll files RECOVERED** from `D:\Unknown folder` carved output. Method: fingerprint sharedStrings vocabulary from adjacent-period good files → score ~770 carved xlsx by token overlap → confirm by exact byte-size match with the corrupted original (NTFS keeps true size) + date-serial range / sheet title inside. Staged as copies (NOT yet placed into the live share — needs Excel-open validation + Mara sign-off):
`C:\PST-Recovery\carve-identified\` on PST-SERVER:
- `IC Payments 2-12 to 2-26-25` <- `[006001].xlsx` (62,993 B; serials exactly 2025-02-12..02-26) — **the file Mara has chased for a year**
- `Payroll Report 4-29-2025 - 5-12-2025` <- `[007234].xlsx` (53,480 B; sheet title contains the full period)
- `Tips Report 12-30--1-12-25` <- `[007102].xlsx` (20,302 B; serials 2024-12-30..2025-01-12; original name said "12-13" — likely Mara typo)
- `Triwest & Insurance ... 2024-11-15 check` <- `[006975].xlsx` (19,904 B; October-2024 data, consistent with 11/15 check run)
Also spotted in the carve dump with its original name: `IC Payments 2024-08-12--2024-08-27.xlsx` (253,949 B) — a period absent from the 2024 tree. Scoring artifacts: `C:\PST-Recovery\carve-match-xlsx.txt`.
**Remaining:** the 5th damaged file `IC Payments 5-13 to 5-27-25` (content = ownCloud log; no exact-size carve hit; Mara's "(clare and alice corrections ONLY)" partial rebuild exists) — nearest candidate `[005037].xlsx` (56,344 B, score 58) unverified. And the broader ~5,039 other `[C]` files (mostly PDFs) — same identify-by-size/content approach can be batch-applied to the carved .pdf pool (9,274 root PDFs) if Mike/Mara want to chase them.
### Deletion Investigation (June–July 2026)
A report that client files disappeared (trigger: the "Glennda" folder) prompted a staged restore-and-diff investigation. The 6/24 10:05 AM restore point was staged to `C:\PST-Recovery\PreDelete-0624` (~99 GB). Authoritative diff: **47,749 files deleted from @Clients since 6/24 10:05**; ~93% intentional duplicate cleanup (33,711 in folders labeled "duplicate DO NOT USE or delete"; ~10,696 in nested misfile-buckets A\A, D\A, P\O, H\I whose canonical client folders remain live). Genuine loss estimate: **~3,342 files**, recoverable via no-overwrite copy-back from staging (not yet executed — awaiting Mike/Mara approval; writes to live HIPAA data). The 10:05->12:05 PM window had only 2 deletions (Ballard, Kathy and Rivera, Anthony SOAP PDFs) — mass deletion occurred later. Glennda trigger: `EDWARDS, GLENDA` (single-N, 79 files, deleted) was a misspelled duplicate of the active canonical `EDWARDS, GLENNDA VA REFERRAL` (double-N, 127 files, live and growing). Shelton report: only 6 old Shelton files exist (2011–2015), loose in `S\`, CreationTime 2025-06-02 (migration), unchanged since 6/24 — not a 2026 deletion; the 6/29/2025 restore point needed for further check has been purged. Staging artifacts (~200 GB, removable after recovery decision): `C:\PST-Recovery\{PreDelete-0624, PostDelete-0624, authdiff, incidentdiff, acl-backup-scanned-20260701-072725.txt}`.
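Review bot: In the **Damage inventory** paragraph the type breakdown does not add up to the stated total: 4,858 PDF + 108 xlsx + 25 docx is 4,991, which leaves 53 of the 5,044 files unaccounted for. Name the remaining types, or mark the three counts as the largest categories only, so the figure can be reconciled against `corrupted-file-list-20260702.txt`. In the carve-identified list, the Tips Report entry is staged as `12-30--1-12-25` while the note says the original name read "12-13"; state which name the file should carry when it is placed back into the live share, since the match was confirmed against the original by byte size.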
@@ -250,7 +277,7 @@ As of 2026-07-01 session end:
- **[OPEN] UDR port-forward reboot-persistence test.**
- **[OPEN] DDNS for VPN endpoint** (hardcoded Cox WAN 98.190.129.150).
- **[OPEN] Vault drift — pst-admin password** (vpn.sops.yaml vs 2026-05-22 reset). Verify with Mara.
- **[OPEN] D: backup-junk cleanup on PST-SERVER** (~700 GB).
- **[FROZEN - DO NOT CLEAN] D: on PST-SERVER** — is NOT junk; it is the June-2025 crash recovery corpus (see "2025 Crash & Corruption" section). No deletion until the corruption-recovery effort concludes.
- **[OPEN] PST-SERVER temp/staging cleanup:** `C:\PST-Backup\*` (SYSVOL/GPO backups) once rebuild confirmed stable; `C:\ProgramData\` cert-enroll scratch (*.inf/*.req/*.cer/*.pfx, gen_certs.ps1, etc.); temp firewall rules TEMP-CertEnroll-RPC / TEMP-CertEnroll-DCOM.
- **[OPEN] Backup synthetic-full confirmation** — confirm "Files Backup 2025" completes cleanly after the stop/resume.
- **[DEFERRED] Machine cert VPN path (IKEv2)** — certs/PFXs exist (MaraHomeNew D067E07B, Maras-HP-Laptop 4CADDE8F, PST-SURFACE 197FF22A); superseded by L2TP. Complete, abandon, or revoke.
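Review bot: The cross-reference on the `[FROZEN - DO NOT CLEAN]` line points to a "2025 Crash & Corruption" section, but the heading added earlier in this commit reads `### 2025 Crash & File Corruption (investigated 2026-07-02)`; quote the heading text exactly so a search from this item lands on the section. The item also ends with "No deletion until the corruption-recovery effort concludes" without saying who declares that; the new section names Mara sign-off for placing recovered files, so name the approver here as well.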