Determining if a hard disk has been removed and data copied from it?

Solution 1

The use of deep freeze is irrelevant in this situation.

If they are semi competent, they will use a read only interface.

The last access timestamp will only be changed if they are using a read and write interface. Turning off the write interface is trivial. This is what forensics does. They never put an original drive in a read/write interface. Always in a read only. Then they make a working copy. All without altering a single bit on the original drive.

Your best bet is using a disk encryption like Bitlocker or TrueCrypt.

edit:

Thanks a lot, but could you clarify more what you mean by a read and write interface, please?

Devices like these . . .

They physically block write access to a drive. Often used in forensics/HD recovery for legal and practical reasons, like the Amanda Knox case.
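As an added example (not code from the original page or any of the answerers), here is the "never write to the original" acquisition that Solution 1 describes, done with a software blocker instead of the hardware ones linked above: the imaging host's kernel is told to refuse writes to the device, the refusal is verified, and the drive is then copied byte for byte with a hash over what was read. It assumes Linux with the util-linux `blockdev` tool and root privileges when the source is a real block device; `/dev/sdX` and `/tmp/evidence.img` are placeholders, and for a plain file the blockdev step is skipped so the script can be tried without a spare disk.

```python
"""Read-only acquisition of a drive: software write-block, byte-for-byte
image, hash verification.

Added example, not code from the original page. Assumes Linux with the
util-linux `blockdev` tool and root privileges when SRC is a real block
device; `/dev/sdX` and `/tmp/evidence.img` are placeholders. For a plain
file the blockdev step is skipped.
"""
import hashlib
import os
import stat
import subprocess
import sys

CHUNK = 1 << 20  # 1 MiB reads


def is_block_device(path: str) -> bool:
    return stat.S_ISBLK(os.stat(path).st_mode)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb", buffering=0) as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def software_write_block(dev: str) -> None:
    """Mark the device read-only in the kernel: the imaging host's own
    kernel then refuses every write to it, whatever tool issues it.
    Unlike a hardware blocker this does not stop root from flipping the
    flag back, so it guards against mistakes, not a hostile host."""
    subprocess.run(["blockdev", "--setro", dev], check=True)
    flag = subprocess.run(["blockdev", "--getro", dev], check=True,
                          capture_output=True, text=True).stdout.strip()
    if flag != "1":
        raise RuntimeError(f"{dev}: read-only flag not set, refusing to image")


def image_readonly(src: str, dst: str) -> str:
    """Copy src to dst without ever opening src for writing. Returns the
    SHA-256 of the bytes read, after checking that dst hashes to the same
    value, so a short or corrupted image fails now rather than being
    trusted later."""
    if is_block_device(src):
        software_write_block(src)
    h = hashlib.sha256()
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        for buf in iter(lambda: fin.read(CHUNK), b""):
            h.update(buf)
            fout.write(buf)
    digest = h.hexdigest()
    if sha256_file(dst) != digest:
        raise RuntimeError("image hash does not match what was read from source")
    return digest


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} /dev/sdX /tmp/evidence.img")
    print(image_readonly(sys.argv[1], sys.argv[2]))
```

Two caveats a practitioner will care about: never mount the original, because even a `mount -o ro` of an ext3/ext4 or XFS volume with a dirty journal will replay that journal and write to the disk unless you also pass `noload` (ext) or `norecovery` (XFS); and the kernel read-only flag does not survive a reboot or a hot-replug, so set it every time the drive is attached. All the analysis, including any timestamp-changing file access, then happens on the image, which is why the last-access timestamps on the original tell you nothing.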

Solution 2

Everyone seems to be going for full disc encryption, which certainly has its merits for securing your data but doesn't address the question of telling if someone's been in your machine and monkeying with your hard drive.

For that simple task, find a pack of the irritatingly sticky plain labels which, once stuck, tear instead of coming off cleanly, sign your name on it and stick it over one of the screws holding your hdd in place (don't forget to clean the dust off first for a good bond). Not quite on the same scale as the manufacturers' tamper-evident seals, but should prove sufficient to prevent anyone removing the hard drive without your knowledge. This means they either have to break the label, which alerts you to the fact, or pull the wires out of the hard drive then mount it on a laptop, forcing them to spend more time with your case open looking very suspicious!

Also, it's worth checking the back of your pc for a padlock attachment point: simple, fairly secure and effective.

Neither makes it impossible to get at your data but both add a significant level of inconvenience and force the attacker to either act overtly (ripping labels and bolt cutters to the padlock) or spend a lot more time monkeying with your pc and at risk of detection.

Solution 3

To discover tampering at a physical level, you could use something like Torque Seal on your drive's mounting hardware or the data cable connection. It is a lacquer that dries brittle so any tampering will crack and break the glob you installed on the hardware. It's used to make sure things like nuts and bolts on helicopters haven't moved and are still torqued to spec.

Solution 4

S.M.A.R.T. attributes may help in determining if the disk has been tampered with between two intervals. These attributes, on Linux, can be queried with "smartctl -a /dev/sda".

The simplest attribute for that is probably Power_Cycle_Count. When you power up the computer, this will be one more than the value when it was last shut down. So, by remembering this value before you shut down, and checking it when you power up next time, you can determine if the disk has been powered up in between.
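The baseline-and-compare routine Solution 4 describes, written out as an added example (not code from the original page or from the answerer). It parses the classic ATA attribute table that `smartctl` prints, saves Power_Cycle_Count and Power_On_Hours just before shutdown, and at the next boot checks that exactly one power cycle (this boot) and no extra power-on hours have been added. Assumptions: smartmontools on Linux, an ATA/SATA drive (NVMe devices print a different layout this parser does not read), `/dev/sda` and `~/.smart_baseline.json` as placeholders, and a constructed `smartctl` output sample, not a capture from a real drive.

```python
"""Baseline-and-compare of S.M.A.R.T. counters, as Solution 4 suggests.

Added example, not code from the original page. Assumes smartmontools'
`smartctl` on Linux and an ATA/SATA drive that prints the classic attribute
table. `/dev/sda` and `~/.smart_baseline.json` are placeholders; the sample
output below is constructed for the demonstration.
"""
import json
import os
import re
import subprocess
import sys

# One row of the "Vendor Specific SMART Attributes with Thresholds" table:
# ID# NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
ATTR_ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+0x[0-9a-fA-F]+\s+\d+\s+\d+\s+\d+"
    r"\s+\S+\s+\S+\s+\S+\s+(?P<raw>\d+)"
)

# Constructed sample in the layout of `smartctl -A /dev/sda`.
SAMPLE_SMARTCTL = """\
=== START OF READ SMART DATA SECTION ===
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   117   099   006    Pre-fail  Always       -       132318840
  9 Power_On_Hours          0x0032   094   094   000    Old_age   Always       -       5837
 12 Power_Cycle_Count       0x0032   100   100   020    Old_age   Always       -       1273
192 Power-Off_Retract_Count 0x0032   100   100   000    Old_age   Always       -       57
194 Temperature_Celsius     0x0022   033   045   000    Old_age   Always       -       33 (Min/Max 18/45)
"""


def parse_smart_attributes(text: str) -> dict:
    """Return {attribute_name: raw_value} for every attribute row. Only the
    leading integer of RAW_VALUE is kept, because some drives append extra
    fields ('33 (Min/Max 18/45)', '5837h+12m+34s')."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_ROW.match(line)
        if m:
            attrs[m.group("name")] = int(m.group("raw"))
    return attrs


def check_against_baseline(baseline: dict, current: dict) -> list:
    """Compare counters read right after boot with those saved just before
    the previous shutdown. Exactly one power cycle (this boot) and no
    additional power-on hours are expected; more means the drive was
    powered up while the machine was supposedly off."""
    findings = []
    pc0, pc1 = baseline.get("Power_Cycle_Count"), current.get("Power_Cycle_Count")
    if pc0 is not None and pc1 is not None:
        extra = pc1 - (pc0 + 1)
        if extra > 0:
            findings.append(f"Power_Cycle_Count: {extra} power cycle(s) beyond this boot "
                            f"(baseline {pc0}, now {pc1})")
        elif extra < 0:
            findings.append(f"Power_Cycle_Count went backwards ({pc0} -> {pc1}): "
                            "firmware reset, or baseline is from a different drive")
    h0, h1 = baseline.get("Power_On_Hours"), current.get("Power_On_Hours")
    if h0 is not None and h1 is not None and h1 - h0 > 1:  # allow one hour of rounding
        findings.append(f"Power_On_Hours: {h1 - h0} hour(s) of power-on time while off")
    return findings


def run_smartctl(device: str) -> dict:
    # smartctl's exit status is a bit mask that is often non-zero on a
    # healthy drive, so the output is parsed rather than check=True used.
    out = subprocess.run(["smartctl", "-A", device],
                         capture_output=True, text=True).stdout
    return parse_smart_attributes(out)


if __name__ == "__main__":
    # usage: smart_check.py record /dev/sda   (just before shutdown)
    #        smart_check.py check  /dev/sda   (right after boot)
    mode, device = sys.argv[1], sys.argv[2]
    path = os.path.expanduser("~/.smart_baseline.json")
    attrs = run_smartctl(device)
    if mode == "record":
        with open(path, "w") as f:
            json.dump(attrs, f)
    else:
        with open(path) as f:
            baseline = json.load(f)
        for finding in check_against_baseline(baseline, attrs):
            print("WARNING:", finding)
```

Run the check as early in boot as possible, before the drive accumulates power-on time of its own, and keep the baseline somewhere the drive cannot carry it to the attacker (a phone note, a USB stick you keep with you); a baseline written to the disk itself can simply be rewritten by whoever imaged it. The counters live in the drive's firmware, so they increment even behind a write blocker, which is what makes this check stronger than file timestamps. Drive firmware can be reflashed, and a careful attacker with the right tools can reset some counters, so treat a clean result as absence of evidence, not proof.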

Solution 5

Just a thought... maybe S.M.A.R.T. (if available) contains some information that can be used.


Author: Anyname Donotcare

Updated on September 18, 2022

Comments

  • Anyname Donotcare
    Anyname Donotcare over 1 year

    Is there a method or a tool that can detect if someone has separated my hard disk from my computer, copied data from it, and returned it back?

    I want to be sure that no one has done this without my knowledge, but I'm not sure how to do this.

    • Note: I use Deep Freeze.
    • Billy ONeal
      Billy ONeal almost 13 years
      In the general case, someone who has physical access to a machine effectively owns the machine, Faronics' Deep Freeze or no. There are things you can do to make this harder but I seriously doubt it's possible to truly enforce.
    • Cascabel
      Cascabel almost 13 years
      Many commenters have mentioned that physical access pretty much means you're screwed. A related point: if you determine that someone has physically touched your drive, who cares about proof they've copied data? Assume they have.
    • Prerak Diwan
      Prerak Diwan almost 13 years
      I've always wondered this whenever someone sends in their laptop to Dell or HP. This is why I will never send my laptop into a warehouse without first removing my hard drive.
  • Anyname Donotcare
    Anyname Donotcare almost 13 years
    Do you mean that, if the Windows time has changed, this means that someone may have separated my hard disk?
  • Synetech
    Synetech almost 13 years
    No, it means that the last accessed timestamp of a file would be updated if it was accessed. Also, other files may potentially be created, modified, or deleted by the operating system when they install it in another system. Of course if someone is going to the trouble of sneaking the drive out and installing it in another system to steal data, they’ll probably be avoiding these issues.
  • Anyname Donotcare
    Anyname Donotcare almost 13 years
    I use the Deep Freeze application; does this change those factors? And three days ago I found my Windows clock had changed; may this be related to copying my data?
  • Anyname Donotcare
    Anyname Donotcare almost 13 years
    note: my hard disk is not an external hard disk.
  • surfasb
    surfasb almost 13 years
    The last accessed timestamp will not change if they are using a custom file system driver or a read only interface, both of which are likely. Deep freeze will not change a thing. They teach you in IT security that "If malicious people have physical access to your computer, it is no longer your computer."
  • Anyname Donotcare
    Anyname Donotcare almost 13 years
    This is a cool method, and I will do that in the future, but what about now? Is there any way to be sure if someone has copied my data (footprints)?
  • CarlF
    CarlF almost 13 years
    Like surfasb said, unless your hypothetical intruder is dumb enough to write to the drive there is no reliable way to detect reading from it.
  • Joachim Sauer
    Joachim Sauer almost 13 years
    In addition to what @CarlF said: If the intruder did write to it, then you should hope that you have not written to it since then, or it will become much harder to find any traces (harder or even impossible in some cases).
  • MSalters
    MSalters almost 13 years
    There are hardware devices that you can insert between a disk and a computer to block writes, to prove in court that the disk really wasn't tampered with.
  • user3376703
    user3376703 almost 13 years
    Your sticker placement will be useless when somebody comes along with a cord and just plugs the drive into a disk reader without removing the drive from the machine or touching the screws! You need to secure the cable both to the drive and motherboard as well.
  • Sirex
    Sirex almost 13 years
    +1, this was my line of thought also.
  • Anyname Donotcare
    Anyname Donotcare almost 13 years
    Thanks a lot, but could you clarify more what you mean by a read and write interface, please?
  • user3376703
    user3376703 almost 13 years
    @Robb: And pulling it apart with a screwdriver isn't obvious? In about an hour I could build a little disc duplicator using an embedded board off my desk that could be slipped into a machine and attached to the HD (and power) cables, left for a couple hours unnoticed, then retrieved. Physical access is inherently insecure if your data is not encrypted.
  • August Lilleaas
    August Lilleaas almost 13 years
    I can just connect the drive to my Linux computer and run dd if=/dev/sdx of=out.img. Afaik merely connecting the disk to a PC won't leave any traces. Then I'll get a copy of every byte on the disk that I can alter without you knowing, since I now have my own copy.
  • Robb
    Robb almost 13 years
    @Caleb - Fair point, I hadn't considered a small leave-in duplicator. I agree once someone has physical access to your machine it's game over. Even encryption is vulnerable to a hardware keylogger. These measures complicate matters for the attacker but wouldn't prevent intrusion by a competent, motivated and well equipped individual.
  • LawrenceC
    LawrenceC almost 13 years
  • Thorbjørn Ravn Andersen
    Thorbjørn Ravn Andersen almost 13 years
    This needs to be anticipated. You cannot ask the drive back in time.
  • Soren
    Soren almost 13 years
    This is an internal write, where the disk keeps state of operation regardless of whether an actual write interface has been enabled (i.e. even in read-only mode) -- I think this is pretty smart way, but it needs the additional step of storing power cycle counts for disk off-box
  • Randolf Richardson
    Randolf Richardson almost 13 years
    That's wrong -- with TrueCrypt a recovery CD is generated at the time of encryption, and the drive can be mounted by TrueCrypt installed from another computer (as long as the correct password/key is used). TrueCrypt, in fact, can encrypt specific partitions or an entire hard drive (encompassing all partitions).
  • surfasb
    surfasb almost 13 years
    @mattimus: You mean, depending on the file system driver. . .
  • surfasb
    surfasb almost 13 years
    @DMA57361: Yes, this will alter SMART attributes.
  • Zan Lynx
    Zan Lynx almost 13 years
    @Randolf: I think Abraxas is speaking of the BIOS encryption. However, I think that if the BIOS supports the drive encryption commands at all, a BIOS on another computer will decrypt the drive also as long as you provide the identical BIOS password.
  • Randolf Richardson
    Randolf Richardson almost 13 years
    +1 for "splitting hairs." ;-D Placing the hair back in its original position, although broken, can still be a point of confusion for the original owner since they may then wonder if they inadvertently broke the hair, but your explanation covers the issues very nicely.
  • Zan Lynx
    Zan Lynx almost 13 years
    @Randolf: But the first and second paragraph combine: the password protection in the BIOS is what also enables AES-128 encryption on many SSD drives.
  • Randolf Richardson
    Randolf Richardson almost 13 years
    Cool solution (+1)! Every technician should have this in their toolkit! =P
  • Randolf Richardson
    Randolf Richardson almost 13 years
    @Zan Lynx: +1 for some pretty awesome information there.
  • Randolf Richardson
    Randolf Richardson almost 13 years
    @Zan Lynx: That wasn't obvious to me (maybe they should have been combined as a single paragraph then, or the phrase "password-based encryption" should have been used instead of "password-protecting?"). Please also note that I do agree with your first comment about a BIOS on another computer decrypting the drive (obviously using the same brand/version or a compatible BIOS will be an important factor).
  • surfasb
    surfasb almost 13 years
    @Zan: It sounds plausible, considering the amount of housekeeping SSDs do in the background.
  • user11934
    user11934 almost 13 years
    It is very very hard to modify S.M.A.R.T. counters. Most of the time this will involve a new hard drive firmware code load. Even then, only a few of the counters reset (by demand of certain large hard drive purchasers). If you have the relevant counter that you can interpret correctly, this will tell you how many times the drive has been powered/spun up. S.M.A.R.T. will increment the POWER_CYCLE_COUNT even in cases where you power the drive and don't connect anything on the interface, at least in all sane implementations.
  • sleske
    sleske almost 13 years
    Good point about password-protecting the drive. However, it's not true that you could "never recover your files from an encrypted disk" in case of failure. Encryption is per-sector, and any undamaged sectors can still be read and decrypted normally (unless the header block fails). Anyway, you have current backups, don't you?
  • sleske
    sleske almost 13 years
    And BTW, and @Zan Lynx: OP is not talking about the "BIOS password protection", but about the password protection inside the drive firmware. All modern drives have an internal password mechanism (defined by the PATA/IDE spec). See e.g. superuser.com/questions/174931/…
  • Randolf Richardson
    Randolf Richardson almost 13 years
    @Piskvor: I was actually thinking along the lines of this solution being far less valuable if every technician had it in their toolkit (and wondering if a security-minded person might pick up on that, but perhaps I was way too subtle -- my fault, sorry), hence the emoticon of the tongue sticking out. +1 for you for pointing out some important information though.
  • Zan Lynx
    Zan Lynx almost 13 years
    @sleske: Yes I know that. Many BIOSes will initialize the drive password with the BIOS password. See dfarq.homeip.net/2011/03/… and dfarq.homeip.net/2011/07/…
  • sleske
    sleske almost 13 years
    @Zan Lynx: Thanks, interesting. Didn't know that.
  • Synetech
    Synetech almost 13 years
    “physically block write access to a drive”? How exactly does that work? I can’t find anything about WiebeTech write-block tech being a physical implementation; to the contrary, it’s firmware.
  • surfasb
    surfasb almost 13 years
    I use the phrase physical block even though the correct way to phrase it is a hardware block. You are right in that it isn't a physical block though. SATA is firmware, and thus to block SATA writes, they implement it typically on the firmware side. These are referred to as Hardware blockers. You can also install an OS level implementation, which is called a software blocker.