RE: Determine if data has been stolen from a stolen hdd.

Subject: RE: Determine if data has been stolen from a stolen hdd.
Date: Tue, 4 Jul 2006 16:09:46 +0100
Self-Monitoring, Analysis and Reporting Technology currently supports
EIDE and SATA drives, but not, I believe, SCSI or RAID.  There are a
number of fields which might provide an indication that a drive has been
spun up and/or read:

ID      Hex     Attribute name

04      04      Start/Stop Count
09      09      Power-On Hours (POH)
12      0C      Device Power Cycle Count
193     C1      Load/Unload Cycle
222     DE      Loaded Hours
223     DF      Load/Unload Retry Count
226     E2      Load 'In'-time
228     E4      Power-Off Retract Cycle

See
http://en.wikipedia.org/wiki/Self-Monitoring,_Analysis_and_Reporting_Technology.

There was a discussion on this some time ago - see
http://www.securityfocus.com/archive/104/400854/30/420/threaded, which
started out of an interesting paper on this - SMART ANTI-FORENSICS,
Steven McLeod, May 2005.

Mark Brewis

Technical Manager (UK) Forensic Services - UK IMEA

EDS
Wavendon Tower
Milton Keynes
Buckinghamshire
MK17 8LX.

Tel: +44 (0)1908 28 4013
Mbl: +44 (0)7989 291 648
Fax: +44 (0)1908 28 4393
E@: mark.brewis@eds.com
securityforensicsEMEA@eds.com



-----Original Message-----
From: visitbipin@hotmail.com [mailto:visitbipin@hotmail.com] 
Sent: 03 July 2006 17:33
To: forensics@securityfocus.com
Subject: Determine if data has been stolen from a stolen hdd.

Hello list,
I have a question that's more of a curiosity that came from the recent
case, Ref [1].

Situation:
Suppose a hard disk gets stolen & is recovered after a certain time. The
normal forensics reveal no hints of any foreign body attempting to copy
the data from the hdd. (PHYSICALLY)

But from a "Digital Forensic Standpoint" what are the other things that
should be examined before concluding no data was ACTUALLY STOLEN?

The way I know, even if the thief is using a "write blocker"
(software/BIOS/external-hardware) it won't help him IF the hard disk
itself stores A FEW logs of "last access times" etc.! (I really don't know
if something like that really exists.) DOES SOMETHING SIMILAR EXIST that
could help in a forensic examination to determine if data has been
stolen???

The only thing I know is, if you have any software that monitors
S.M.A.R.T. failure of the hdd (& keeps a log of the S.M.A.R.T. record),
comparing the S.M.A.R.T. parameter from the log of

"power on time" (in hrs) before & after the theft may be the only
possibility (I can think of) to determine if any data was
stolen/copied!!!

WHAT ELSE?

Ref [1], VA Laptop, GIAC & Other Mail
http://blogs.ittoolbox.com/security/investigator/archives/va-laptop-giac-other-mail-10246


Best Regards,
-bipin
http://www.bipin.tk
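The comparison both posters describe (Mark Brewis's list of SMART attributes that move when a drive is spun up, and bipin's idea of diffing "power on time" before and after the theft) is easy to automate once you have two attribute snapshots. The following Python script is an added example, not code from either poster or from any tool named in the thread. It assumes snapshots in the table layout printed by `smartctl -A` (ID, name, flag, value, worst, thresh, type, updated, when-failed, raw value) and uses constructed sample values; the attribute names are the smartctl spellings, which differ slightly from the names in the reply above. It reports indicator counters that grew (evidence the drive was powered on or loaded its heads) and, separately, counters that went *down*, which a monotonic counter cannot do and which points at a swapped drive or at SMART tampering of the kind the McLeod paper discusses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# SMART attribute IDs from Mark Brewis's reply that can indicate a drive
# was spun up and/or read.  A larger value after recovery shows the drive
# was powered/loaded, not which sectors were read.
SPIN_UP_INDICATORS = {
    4: "Start/Stop Count",
    9: "Power-On Hours",
    12: "Device Power Cycle Count",
    193: "Load/Unload Cycle",
    222: "Loaded Hours",
    223: "Load/Unload Retry Count",
    226: "Load 'In'-time",
    228: "Power-Off Retract Cycle",
}

# Constructed sample snapshots in the smartctl -A table layout.  The values
# are illustrative only, not output from a real drive.
BEFORE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       57
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       2874
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       55
193 Load_Cycle_Count        0x0032   099   099   000    Old_age   Always       -       1200
194 Temperature_Celsius     0x0022   031   045   000    Old_age   Always       -       31 (Min/Max 19/45)
"""

AFTER = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       59
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       2876
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       57
193 Load_Cycle_Count        0x0032   099   099   000    Old_age   Always       -       1203
194 Temperature_Celsius     0x0022   031   045   000    Old_age   Always       -       28 (Min/Max 19/45)
"""

# One attribute row: id, name, flag, value, worst, thresh, type, updated,
# when_failed, then the raw value.  Only the leading integer of the raw
# column is taken, so "31 (Min/Max 19/45)" parses as 31.
_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9A-Fa-f]{4}\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\d+)"
)


def parse_attributes(text: str) -> Dict[int, int]:
    """Return {attribute_id: raw_value} from a smartctl -A style table."""
    raw: Dict[int, int] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            raw[int(m.group(1))] = int(m.group(3))
    return raw


@dataclass
class Delta:
    attr_id: int
    name: str
    before: int
    after: int

    @property
    def increase(self) -> int:
        return self.after - self.before


def compare_snapshots(before_text: str, after_text: str) -> List[Delta]:
    """Deltas for every indicator attribute present in both snapshots."""
    before = parse_attributes(before_text)
    after = parse_attributes(after_text)
    return [
        Delta(attr_id, name, before[attr_id], after[attr_id])
        for attr_id, name in SPIN_UP_INDICATORS.items()
        if attr_id in before and attr_id in after
    ]


def spin_up_evidence(before_text: str, after_text: str) -> List[Delta]:
    """Indicator counters that grew: the drive was powered on or loaded."""
    return [d for d in compare_snapshots(before_text, after_text) if d.increase > 0]


def rolled_back(before_text: str, after_text: str) -> List[Delta]:
    """Indicator counters that shrank.  Monotonic counters cannot decrease,
    so this flags a replaced drive or tampered SMART data."""
    return [d for d in compare_snapshots(before_text, after_text) if d.increase < 0]


if __name__ == "__main__":
    for d in spin_up_evidence(BEFORE, AFTER):
        print(f"{d.attr_id:>3} {d.name:<26} {d.before} -> {d.after} (+{d.increase})")
    for d in rolled_back(BEFORE, AFTER):
        print(f"{d.attr_id:>3} {d.name:<26} DECREASED {d.before} -> {d.after}")
```

Two caveats the thread itself implies: Power-On Hours has hour resolution, so a short imaging session can leave it unchanged while Start/Stop and Power Cycle counts still move; and a pre-theft snapshot only exists if the organisation was already logging SMART data, which is the monitoring practice bipin asks about.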