> hello list,

Hello.

> I have a question that's more of a curiosity that came from the recent
> case Ref [1]
>
> Situation:
> Suppose a hard disk gets stolen & is recovered after a certain time. The
> normal forensics reveal no hints of any foreign body attempting to copy the
> data from the hdd. (PHYSICALLY)
>
> But from a "Digital Forensic Standpoint" what are the other things that
> should be examined before concluding no data was ACTUALLY STOLEN?

If the physical security of a hard drive is compromised it is safest to
assume that the data on it is compromised. The absence of forensic
evidence for data access cannot be used to assert that the data has not
been accessed (think chain of custody).

> The way I know even if the thief is using "write blocker"
> (software/BIOS/external-hardware) it won't help him IF the harddisk itself
> stores FEW logs of "last access times" etc! (I really don't know something
> like that really exists) DOES SOMETHING SIMILAR EXIST that could help in
> forensic examination to determine if data has been stolen???

I'm not aware of hard drives that log disk activity. A hard disk would
need to be file system aware to provide this functionality at a file
level. If there is a persistent read/write cache this could potentially be
dumped to give an indication of what was recently accessed on the disk.

> The only thing I know is if you have any software that monitors S.M.A.R.T
> failure of hdd ( & keeps log of the S.M.A.R.T record) comparing the
> S.M.A.R.T smart parameter from the log of
>
> "power on time" (in hrs) before & after the theft maybe the only
> possibility (I can think of) to determine if any data was stolen/copied!!!

If the drive is powered up without the benefit of a SMART controller then
I doubt the power on time would be updated, but don't quote me on that.

> WHAT ELSE?

Consider using encryption on hard disks that contain sensitive data,
particularly if there is a significant risk of their physical security
being compromised e.g. a laptop. Do a proper risk assessment and avoid
putting sensitive data on mobile devices wherever possible. Physical
security is an important and often overlooked aspect of IT security. Don't
forget to lock your doors, bar your windows and hide your daughters.

Regards,
Jim Halfpenny
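
The before/after S.M.A.R.T comparison raised in the thread, as an added example that is not part of the original message. It assumes the monitoring software saved attribute tables in the layout printed by smartmontools' `smartctl -A`; both snapshots below are constructed sample data.

```python
import re

# Counters that advance when a drive is powered or spun up (chosen for this example).
USAGE_ATTRS = {"Power_On_Hours", "Power_Cycle_Count", "Start_Stop_Count"}

# One attribute row: ID, NAME, FLAG, VALUE, WORST, THRESH, TYPE, UPDATED, WHEN_FAILED, RAW
ROW = re.compile(r"^\s*\d+\s+(\S+)\s+0x[0-9a-fA-F]+\s+\d+\s+\d+\s+\d+"
                 r"\s+\S+\s+\S+\s+\S+\s+(\d+)")

def parse_attributes(text):
    """Return {attribute_name: leading integer of RAW_VALUE}; header lines are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            attrs[m.group(1)] = int(m.group(2))
    return attrs

def usage_deltas(before, after):
    """Change in each usage counter between two snapshots (unchanged ones omitted).
    A negative delta means the snapshots are not from the same drive or a counter reset."""
    b, a = parse_attributes(before), parse_attributes(after)
    return {n: a[n] - b[n] for n in sorted(USAGE_ATTRS & b.keys() & a.keys())
            if a[n] != b[n]}

# Constructed sample: last logged snapshot before the drive went missing.
BEFORE = """
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   020    Old_age   Always       -       830
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4321
 12 Power_Cycle_Count       0x0032   100   100   020    Old_age   Always       -       812
194 Temperature_Celsius     0x0022   031   045   000    Old_age   Always       -       31 (Min/Max 18/45)
"""

# Constructed sample: first snapshot taken after the drive was recovered.
AFTER = """
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   020    Old_age   Always       -       832
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4324
 12 Power_Cycle_Count       0x0032   100   100   020    Old_age   Always       -       814
194 Temperature_Celsius     0x0022   029   045   000    Old_age   Always       -       29 (Min/Max 18/45)
"""

if __name__ == "__main__":
    for name, delta in usage_deltas(BEFORE, AFTER).items():
        print(f"{name}: {delta:+d} since baseline")
```

A non-empty result shows the counters advanced after the baseline, so the drive was powered while out of custody; an empty result does not show that the data was left unread.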

