Computer Forensics Computer-Forensics

Re: Determine if data has been stolen from a stolen hdd.

Subject: Re: Determine if data has been stolen from a stolen hdd.
Date: Tue, 4 Jul 2006 08:02:02 +0100 (BST)
hello list,

Hello.

I have a question that's more of a curiosity that came from the recent
case Ref [1]

Situation:
Suppose a hard disk gets stolen & is recovered after a certain time. The
normal forensics reveal no hints of any foreign body attempting to copy the
data from the hdd. (PHYSICALLY)

But from a "Digital Forensic Standpoint" what are the other things that
should be examined before concluding no data was ACTUALLY STOLEN?

If the physical security of a hard drive is compromised it is safest to
assume that the data on it is compromised. The absence of forensic
evidence for data access cannot be used to assert that the data has not
been accessed (think chain of custody).

The way I know even if the thief is using "write blocker"
(software/BIOS/external-hardware) it won't help him IF the harddisk itself
stores FEW logs of "last access times" etc! (I really don't know something
like that really exists) DOES SOMETHING SIMILAR EXIST that could help in
forensic examination to determine if data has been stolen???

I'm not aware of hard drives that log disk activity. A hard disk would
need to be file system aware to provide this functionality at a file
level. If there is a persistent read/write cache this could potentially be
dumped to give an indication of what was recently accessed on the disk.

The only thing I know is if you have any software that monitors S.M.A.R.T
failure of hdd (& keeps log of the S.M.A.R.T record) comparing the
S.M.A.R.T smart parameter from the log of "power on time" (in hrs) before
& after the theft maybe the only possibility (I can think of) to determine
if any data was stolen/copied!!!

If the drive is powered up without the benefit of a SMART controller then
I doubt the power on time would be updated, but don't quote me on that.

WHAT ELSE?

Consider using encryption on hard disks that contain sensitive data,
particularly if there is a significant risk of their physical security
being compromised e.g. a laptop. Do a proper risk assessment and avoid
putting sensitive data on mobile devices wherever possible. Physical
security is an important and often overlooked aspect of IT security. Don't
forget to lock your doors, bar your windows and hide your daughters.

Regards,
Jim Halfpenny
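
The S.M.A.R.T. comparison discussed in this thread, as an added example that is not part of the original messages: it parses two `smartctl -A` attribute tables, one logged before the theft and one taken after recovery, and reports how far the power-related counters advanced. Both tables are constructed samples, and the function names are hypothetical.

```python
import re

# Counters that advance when a drive is powered or spun up (smartctl -A names).
USAGE_ATTRS = {4: "Start_Stop_Count", 9: "Power_On_Hours", 12: "Power_Cycle_Count"}

# Constructed sample: table logged by monitoring software before the theft.
BEFORE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   020    Old_age   Always       -       902
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4312
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       871
"""

# Constructed sample: table read from the recovered drive.
AFTER = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   020    Old_age   Always       -       905
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4319h+12m
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       874
"""

def parse_attrs(text):
    """Return {attribute id: raw counter} for the usage attributes in a table."""
    out = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 10 and f[0].isdigit() and int(f[0]) in USAGE_ATTRS:
            m = re.match(r"\d+", f[9])  # raw value may carry a suffix ("4319h+12m")
            if m:
                out[int(f[0])] = int(m.group())
    return out

def usage_delta(before, after):
    """Counter increase per attribute between the two snapshots."""
    b, a = parse_attrs(before), parse_attrs(after)
    return {USAGE_ATTRS[i]: a[i] - b[i] for i in USAGE_ATTRS if i in a and i in b}

def assess(delta):
    if any(v < 0 for v in delta.values()):
        return "inconsistent: a counter went backwards"
    if any(v > 0 for v in delta.values()):
        return "drive was powered while out of custody"
    return "no counter change; access still cannot be ruled out"

if __name__ == "__main__":
    d = usage_delta(BEFORE, AFTER)
    print(d, "->", assess(d))
```
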

