
| Subject: | RE: Determine if data has been stolen from a stolen hdd. |
|---|---|
| Date: | Mon, 3 Jul 2006 14:25:59 -0500 |
If someone removes a hard drive and connects it to a write-blocker before powering on again, none of the data on the drive will be altered. So last-access times will only indicate the last time the owner accessed the files. The files should not be altered in any way with the write-blocker installed. So you shouldn't even be able to determine whether or not the drive has been powered on after theft.

That's my educated guess.

-----Original Message-----
From: visitbipin@hotmail.com [mailto:visitbipin@hotmail.com]
Sent: Monday, July 03, 2006 11:33 AM
To: forensics@securityfocus.com
Subject: Determine if data has been stolen from a stolen hdd.

hello list,

I have a question that's more of a curiosity that came from the recent case, Ref [1].

Situation: Suppose a hard disk gets stolen & is recovered after a certain time. The normal forensics reveal no hints of any foreign body attempting to copy the data from the hdd. (PHYSICALLY)

But from a "Digital Forensic Standpoint" what are the other things that should be examined before concluding no data was ACTUALLY STOLEN?

The way I know, even if the thief is using a "write blocker" (software/BIOS/external-hardware) it won't help him IF the harddisk itself stores a FEW logs of "last access times" etc! (I really don't know something like that really exists)

DOES SOMETHING SIMILAR EXIST that could help in forensic examination to determine if data has been stolen???

The only thing I know is if you have any software that monitors S.M.A.R.T failure of hdd (& keeps a log of the S.M.A.R.T record), comparing the S.M.A.R.T smart parameter from the log of "power on time" (in hrs) before & after the theft may be the only possibility (I can think of) to determine if any data was stolen/copied!!!

WHAT ELSE?

Ref [1], VA Laptop, GIAC & Other Mail
http://blogs.ittoolbox.com/security/investigator/archives/va-laptop-giac-other-mail-10246

Best Regards,
-bipin
http://www.bipin.tk
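The S.M.A.R.T. comparison proposed in the original question, sketched as an added example (not part of either post): it parses two `smartctl -A` attribute tables, one logged before the theft and one taken at recovery, and reports the change in the power counters kept by the drive firmware. Both tables are constructed sample data, and the function names are hypothetical.

```python
import re

# SMART attribute IDs for the power-related counters kept by the drive firmware.
WATCHED = {4: "Start_Stop_Count", 9: "Power_On_Hours", 12: "Power_Cycle_Count"}

# Constructed sample: attribute table logged by monitoring software before the theft.
BASELINE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   099   099   020    Old_age   Always       -       1490
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4213
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       1187
"""

# Constructed sample: the same drive read at recovery (one raw value in a vendor format).
RECOVERED = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   099   099   020    Old_age   Always       -       1493
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4219 (41 203 0)
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       1190
"""

def parse_smart(text):
    """Return {attribute_id: leading integer of RAW_VALUE} from `smartctl -A` text."""
    values = {}
    for line in text.splitlines():
        fields = line.split(None, 9)          # RAW_VALUE may itself contain spaces
        if len(fields) < 10 or not fields[0].isdigit():
            continue                          # header, blank or non-attribute line
        m = re.match(r"\d+", fields[9])
        if m:
            values[int(fields[0])] = int(m.group())
    return values

def compare(baseline_text, recovered_text):
    """Return [(name, delta, verdict)] for each watched counter."""
    before, after = parse_smart(baseline_text), parse_smart(recovered_text)
    findings = []
    for attr_id, name in WATCHED.items():
        if attr_id not in before or attr_id not in after:
            findings.append((name, None, "missing"))
            continue
        delta = after[attr_id] - before[attr_id]
        verdict = "increased" if delta > 0 else "decreased" if delta < 0 else "unchanged"
        findings.append((name, delta, verdict))
    return findings

if __name__ == "__main__":
    for name, delta, verdict in compare(BASELINE, RECOVERED):
        print(f"{name:18} delta={delta} ({verdict})")
```

A positive delta shows only that the drive was powered after the baseline, not that files were read, and it includes any time the examiner's own acquisition kept the drive running. The unit of the power-on counter also varies between vendors, and a decreased value points to a reset counter or a different drive.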