I can't remember if Symantec Ghost access the drive as read-only, preserving the last access time, but doing a copy that does is quite trivial to do. <br><br>Take the hard-drive out, connect it through a read-only interface and copy everything. Such interfaces are easy to find - any law enforcement departement will have a couple of them since they must use them to gather data from "evidence hard drive". Contacting their provider, or even building your own...
<br><br>I guess that the "third-party computer-security consultant" wrote something in the order of "the last-access time was not changed by the thief activities" in the report and it was interpreted as "not accessed".
<br><br>As a thief, this would be one of the easiest way to "gather data" without having it changed / repported by the corporation. <br> <br><br><br><div><span class="gmail_quote">On 1/26/07, <b class="gmail_sendername">
Max Hozven</b> <<a href="mailto:mhozven@tealeaf.com">mhozven@tealeaf.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Question:<br>If the laptop was booted with a Symantec "Ghost" floppy, then imaged to<br>a Ghost server, woudn't this<br>be undetectible, as no change of any type would be made to the laptop's<br>hard disk?
<br><br>-Max<br><br>-----Original Message-----<br>From: <a href="mailto:dataloss-bounces@attrition.org">dataloss-bounces@attrition.org</a><br>[mailto:<a href="mailto:dataloss-bounces@attrition.org">dataloss-bounces@attrition.org
</a>] On Behalf Of Dissent<br>Sent: Friday, January 26, 2007 1:45 AM<br>To: <a href="mailto:dataloss@attrition.org">dataloss@attrition.org</a><br>Subject: [Dataloss] Stolen Boeing laptop is recovered<br><br><a href="http://seattletimes.nwsource.com/html/businesstechnology/2003541873_bizb">
http://seattletimes.nwsource.com/html/businesstechnology/2003541873_bizb</a><br>riefs26.html<br><br>A stolen Boeing laptop containing personal information on 382,000<br>workers and retirees has been recovered.<br><br>In an e-mail to employees, Senior Vice President Rick Stephens said
<br>Boeing and a third-party computer-security consultant had confirmed that<br>the files with personally identifiable information were not accessed<br>after the theft.<br><br>[...]<br><br>--<br>Privacy-related news and resources:
<a href="http://www.pogowasright.org">http://www.pogowasright.org</a> Privacy<br>news headlines feed:<br><a href="http://www.pogowasright.org/backend/pogowasright.rss">http://www.pogowasright.org/backend/pogowasright.rss</a>
<br><br>_______________________________________________<br>Dataloss Mailing List (<a href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>)<br><a href="http://attrition.org/dataloss">http://attrition.org/dataloss
</a> Tracking more than 145 million compromised<br>records in 547 incidents over 7 years.<br><br><br>_______________________________________________<br>Dataloss Mailing List (<a href="mailto:dataloss@attrition.org">dataloss@attrition.org
</a>)<br><a href="http://attrition.org/dataloss">http://attrition.org/dataloss</a><br>Tracking more than 145 million compromised records in 547 incidents over 7 years.<br><br><br></blockquote></div><br><br clear="all"><br>
-- <br>Pascal Charest, OpenSource Consultant.<br><a href="http://blog.pacharest.com">http://blog.pacharest.com</a>