Hello list,

I have a question that's more of a curiosity that came from the recent case Ref [1].


Situation:

Suppose a hard disk gets stolen & is recovered after a certain time. The normal 
forensics reveal no hints of any foreign body attempting to copy the data from 
the HDD. (PHYSICALLY)


But from a "Digital Forensic Standpoint" what are the other things that should 
be examined before concluding no data was ACTUALLY STOLEN?


The way I know, even if the thief is using a "write blocker" 
(software/BIOS/external-hardware), it won't help him IF the hard disk itself 
stores a FEW logs of "last access times" etc! (I really don't know if something like 
that really exists.) DOES SOMETHING SIMILAR EXIST that could help in forensic 
examination to determine if data has been stolen???


The only thing I know is that if you have any software that monitors S.M.A.R.T 
failure of the HDD (& keeps a log of the S.M.A.R.T record), comparing the S.M.A.R.T 
parameter from the log of "power on time" (in hrs) before & after the theft may be 
the only possibility (I can think of) to determine if any data was stolen/copied!!!


WHAT ELSE?


Ref [1], VA Laptop, GIAC & Other Mail

http://blogs.ittoolbox.com/security/investigator/archives/va-laptop-giac-other-mail-10246



Best Regards,

-bipin

http://www.bipin.tk
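
Added example (not part of the original post): a sketch of the S.M.A.R.T comparison the post describes, diffing the usage counters in a reading logged before the loss against the first reading taken after recovery. The two samples are constructed and assume the attribute-table layout printed by `smartctl -A`; the function names are hypothetical.

```python
import re

# Constructed samples in the `smartctl -A` attribute-table layout.
BEFORE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4123
 12 Power_Cycle_Count       0x0032   100   100   020    Old_age   Always       -       812
194 Temperature_Celsius     0x0022   036   045   000    Old_age   Always       -       36
"""
AFTER = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4129
 12 Power_Cycle_Count       0x0032   100   100   020    Old_age   Always       -       815
194 Temperature_Celsius     0x0022   031   045   000    Old_age   Always       -       31
"""

# Firmware-maintained usage counters; a write blocker on the host does not stop them.
WATCHED = {9: "Power_On_Hours", 12: "Power_Cycle_Count"}


def parse_attributes(text):
    """Return {attribute_id: raw_value} for every attribute row in the table."""
    attrs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[0].isdigit():
            continue  # header, blank or malformed line
        # Some drives print raw values such as "4123h+05m"; keep the leading integer.
        m = re.match(r"\d+", fields[9])
        if m:
            attrs[int(fields[0])] = int(m.group())
    return attrs


def usage_delta(before_text, after_text):
    """Difference (after - before) for each watched counter present in both readings."""
    before, after = parse_attributes(before_text), parse_attributes(after_text)
    return {name: after[i] - before[i]
            for i, name in WATCHED.items() if i in before and i in after}


def powered_while_missing(before_text, after_text):
    """True if any watched counter advanced between the two readings."""
    return any(d > 0 for d in usage_delta(before_text, after_text).values())


if __name__ == "__main__":
    print(usage_delta(BEFORE, AFTER), powered_while_missing(BEFORE, AFTER))
```

An advance in these counters shows only that the drive was powered while out of custody, not that data was read, and the recovery examination itself adds at least one power cycle that has to be subtracted.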





