Forensics
Determine if data has been stolen from a stolen hdd. Jul 03 2006 04:33PM
visitbipin hotmail com (4 replies)
Re: Determine if data has been stolen from a stolen hdd. Jul 07 2006 09:03PM
Christoph Gruber (list guru at)
RE: Determine if data has been stolen from a stolen hdd. Jul 04 2006 03:09PM
Brewis, Mark (mark brewis eds com) (1 replies)
RE: Determine if data has been stolen from a stolen hdd. Jul 07 2006 03:26PM
Sun, David (dsun SunBlockSystems com)
Re: Determine if data has been stolen from a stolen hdd. Jul 04 2006 07:02AM
Jim Halfpenny (jim openanswers co uk)
RE: Determine if data has been stolen from a stolen hdd. Jul 03 2006 07:25PM
David Smith (nich95ds gmail com)
If someone removes a hard drive and connects it to a write-blocker before
powering on again, none of the data on the drive will be altered. So
last-access times will only indicate the last time the owner accessed the
files. The files should not be altered in any way with the write-blocker
installed. So you shouldn't even be able to determine whether or not the
drive has been powered on after theft.

That's my educated guess.

-----Original Message-----
From: visitbipin (at) hotmail (dot) com [mailto:visitbipin (at) hotmail (dot) com]
Sent: Monday, July 03, 2006 11:33 AM
To: forensics (at) securityfocus (dot) com
Subject: Determine if data has been stolen from a stolen hdd.

hello list,

I have a question that's more of a curiosity that came from the recent case
Ref [1]

Situation:

Suppose a hard disk gets stolen & is recovered after a certain time. The
normal forensics reveal no hints of any foreign body attempting to copy the
data from the hdd. (PHYSICALLY)

But from a "Digital Forensic Standpoint" what are the other things that
should be examined before concluding no data was ACTUALLY STOLEN?

The way I know even if the thief is using "write blocker"
(software/BIOS/external-hardware) it won't help him IF the harddisk itself
stores FEW logs of "last access times" etc! (I really don't know something
like that really exists) DOES SOMETHING SIMILAR EXIST that could help in
forensic examination to determine if data has been stolen???

The only thing I know is if you have any software that monitors S.M.A.R.T
failure of hdd (& keeps log of the S.M.A.R.T record) comparing the
S.M.A.R.T smart parameter from the log of "power on time" (in hrs) before &
after the theft may be the only possibility (I can think of) to determine if
any data was stolen/copied!!!

WHAT ELSE?

Ref [1], VA Laptop, GIAC & Other Mail

http://blogs.ittoolbox.com/security/investigator/archives/va-laptop-giac-other-mail-10246

Best Regards,

-bipin

http://www.bipin.tk

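The S.M.A.R.T. comparison raised in the original question, sketched as an added example that is not part of either poster's message: it parses two attribute tables in the layout printed by `smartctl -A` and reports power-on hours and power cycles that the owner or examiner cannot account for. The sample tables are constructed, the function names are hypothetical, and a nonzero result shows only that the drive was powered, not that files were read.

```python
import re

# Constructed sample: attribute table from a monitoring log kept before the theft.
BASELINE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   020    Old_age   Always       -       1523
  9 Power_On_Hours          0x0032   094   094   000    Old_age   Always       -       5012
 12 Power_Cycle_Count       0x0032   100   100   020    Old_age   Always       -       1498
"""
# Constructed sample: the same table read by the examiner after recovery.
RECOVERED = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   020    Old_age   Always       -       1527
  9 Power_On_Hours          0x0032   094   094   000    Old_age   Always       -       5019h+12m
 12 Power_Cycle_Count       0x0032   100   100   020    Old_age   Always       -       1502
194 Temperature_Celsius     0x0022   031   045   000    Old_age   Always       -       31 (Min/Max 20/45)
"""

# Counters maintained by the drive firmware rather than written through the file system.
COUNTERS = ("Power_On_Hours", "Power_Cycle_Count", "Start_Stop_Count")

def parse_attributes(text):
    """Return {attribute_name: raw integer} from an attribute table."""
    values = {}
    for line in text.splitlines():
        fields = line.split(None, 9)  # tenth column is RAW_VALUE and may contain spaces
        if len(fields) < 10 or not fields[0].isdigit():
            continue  # header, blank line or banner text
        match = re.match(r"\d+", fields[9])  # handles "5019h+12m" and "31 (Min/Max ...)"
        if match:
            values[fields[1]] = int(match.group())
    return values

def unexplained_activity(before, after, custody_hours=0, custody_cycles=0):
    """Counter growth between snapshots, minus use that is accounted for."""
    findings = {}
    for name in COUNTERS:
        if name not in before or name not in after:
            findings[name] = None  # attribute was never logged: no conclusion possible
            continue
        known = custody_hours if name == "Power_On_Hours" else custody_cycles
        findings[name] = after[name] - before[name] - known
    return findings

if __name__ == "__main__":
    # custody_cycles=1: the examiner's own power-on used to read the table.
    print(unexplained_activity(parse_attributes(BASELINE),
                               parse_attributes(RECOVERED), custody_cycles=1))
```

The comparison depends on a baseline recorded before the drive went missing; without one, `unexplained_activity` returns `None` for the missing counters.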