Self-Monitoring Analysis and Reporting Technology currently supports EIDE and SATA drives, but not, I believe, SCSI or RAID. There are a number of fields which might provide an indication that a drive has been spun up and/or read:

ID   Hex  Attribute name
04   04   Start/Stop Count
09   09   Power-On Hours (POH)
12   0C   Device Power Cycle Count
193  C1   Load/Unload Cycle
222  DE   Loaded Hours
223  DF   Load/Unload Retry Count
226  E2   Load 'In'-time
228  E4   Power-Off Retract Cycle

See http://en.wikipedia.org/wiki/Self-Monitoring,_Analysis_and_Reporting_Technology.

There was a discussion on this some time ago - see http://www.securityfocus.com/archive/104/400854/30/420/threaded, which started out of an interesting paper on this - SMART ANTI-FORENSICS, Steven McLeod, May 2005.

Mark Brewis
Technical Manager (UK)
Forensic Services - UK IMEA
EDS
Wavendon Tower
Milton Keynes
Buckinghamshire
MK17 8LX.
Tel: +44 (0)1908 28 4013
Mbl: +44 (0)7989 291 648
Fax: +44 (0)1908 28 4393
E@: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 03 July 2006 17:33
To: [email protected]
Subject: Determine if data has been stolen from a stolen hdd.

hello list,

I have a question that's more of a curiosity that came from the recent case Ref [1].

Situation: Suppose a hard disk gets stolen & is recovered after a certain time. The normal forensics reveal no hints of any foreign body attempting to copy the data from the hdd. (PHYSICALLY)

But from a "Digital Forensic Standpoint" what are the other things that should be examined before concluding no data was ACTUALLY STOLEN?

The way I know, even if the thief is using a "write blocker" (software/BIOS/external-hardware) it won't help him IF the hard disk itself stores a FEW logs of "last access times" etc! (I really don't know if something like that really exists.) DOES SOMETHING SIMILAR EXIST that could help in forensic examination to determine if data has been stolen???

The only thing I know is, if you have any software that monitors S.M.A.R.T failure of the hdd (& keeps a log of the S.M.A.R.T record), comparing the S.M.A.R.T smart parameter from the log of "power on time" (in hrs) before & after the theft may be the only possibility (I can think of) to determine if any data was stolen/copied!!!

WHAT ELSE?

Ref [1], VA Laptop, GIAC & Other Mail
http://blogs.ittoolbox.com/security/investigator/archives/va-laptop-giac-other-mail-10246

Best Regards,
-bipin
http://www.bipin.tk
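
The before/after comparison discussed in this thread, as an added example that is not from either poster: it diffs two logged S.M.A.R.T. snapshots on the attribute IDs listed in the reply. It assumes the snapshots were saved in the attribute-table layout printed by `smartctl -A`; the sample values and the function names are constructed for illustration.

```python
import re

# Decimal attribute IDs and names taken from the table in the reply above.
USAGE_ATTRS = {4: "Start/Stop Count", 9: "Power-On Hours (POH)",
               12: "Device Power Cycle Count", 193: "Load/Unload Cycle",
               222: "Loaded Hours", 223: "Load/Unload Retry Count",
               226: "Load 'In'-time", 228: "Power-Off Retract Cycle"}

# Constructed sample snapshots (assumed `smartctl -A` table layout).
HEADER = "ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE\n"
BEFORE = HEADER + """\
  4 Start_Stop_Count     0x0032 100 100 020 Old_age Always - 1523
  9 Power_On_Hours       0x0032 091 091 000 Old_age Always - 8123
 12 Power_Cycle_Count    0x0032 100 100 020 Old_age Always - 1498
193 Load_Cycle_Count     0x0032 094 094 000 Old_age Always - 20411
194 Temperature_Celsius  0x0022 035 035 000 Old_age Always - 35 (Min/Max 20/45)
"""
AFTER = HEADER + """\
  4 Start_Stop_Count     0x0032 100 100 020 Old_age Always - 1525
  9 Power_On_Hours       0x0032 091 091 000 Old_age Always - 8126
 12 Power_Cycle_Count    0x0032 100 100 020 Old_age Always - 1500
193 Load_Cycle_Count     0x0032 094 094 000 Old_age Always - 20415
194 Temperature_Celsius  0x0022 031 031 000 Old_age Always - 31 (Min/Max 20/45)
"""

def parse_smart(text):
    """Return {attribute_id: raw_value} parsed from an attribute table."""
    values = {}
    for line in text.splitlines():
        f = line.split()
        # Data rows start with a numeric ID and carry a 0x.... flag field.
        if len(f) >= 10 and f[0].isdigit() and f[2].startswith("0x"):
            raw = re.match(r"\d+", f[9])  # leading integer of RAW_VALUE
            if raw:
                values[int(f[0])] = int(raw.group())
    return values

def usage_delta(before, after):
    """List (id, name, delta, note) for usage attributes that changed."""
    b, a = parse_smart(before), parse_smart(after)
    findings = []
    for attr_id, name in USAGE_ATTRS.items():
        if attr_id in b and attr_id in a and a[attr_id] != b[attr_id]:
            delta = a[attr_id] - b[attr_id]
            # Counters only grow in normal use; a drop needs explaining.
            note = "increased" if delta > 0 else "decreased: check for reset or tampering"
            findings.append((attr_id, name, delta, note))
    return findings
```

Calling `usage_delta(BEFORE, AFTER)` on the constructed samples reports increases for IDs 4, 9, 12 and 193. A non-zero delta indicates the drive was powered or spun up between the two snapshots; it does not by itself show that data was read.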
