[Dataloss] Stolen Boeing laptop is recovered
Roy M. Silvernail
roy at rant-central.com
Sat Jan 27 12:37:25 EST 2007
Pascal Charest wrote:
> I can't remember if Symantec Ghost accesses the drive as read-only,
> preserving the last access time, but doing a copy that does is quite
> trivial to do.
>
> Take the hard-drive out, connect it through a read-only interface and copy
> everything. Such interfaces are easy to find - any law enforcement
> department will have a couple of them since they must use them to gather
> data from "evidence hard drive". Contacting their provider, or even
> building your own...
Or boot the box from your choice of Linux live CDs, plug in a large
external USB drive and do 'dd if=/dev/hda of=/mnt/sda1/chump_dump.img
bs=1M'. As you say, trivial.
> I guess that the "third-party computer-security consultant" wrote something
> in the order of "the last-access time was not changed by the thief's
> activities" in the report and it was interpreted as "not accessed".
I'd bet that *all* of the "data was not accessed" reports are due to this.
> As a thief, this would be one of the easiest ways to "gather data" without
> having it changed / reported by the corporation.
Indeed.
--
Roy M. Silvernail is roy at rant-central.com, and you're not
"It's just this little chromium switch, here." - TFT
CRM114->procmail->/dev/null->bliss
http://www.rant-central.com
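
An added example, not part of the original message: for a Linux filesystem, a check of whether a read through the mounted filesystem would have changed a file's last-access time at all, which is what a "not accessed" finding based on atime silently assumes. It goes beyond the raw-device copy discussed in the thread; the function names and sample timestamps are constructed, and mount options are taken in the form shown in /proc/mounts.

```python
from dataclasses import dataclass

DAY = 24 * 60 * 60  # relatime refreshes an atime that is at least this old (seconds)


@dataclass
class FileTimes:
    atime: int  # last access, epoch seconds
    mtime: int  # last content change
    ctime: int  # last inode change


def read_would_update_atime(mount_opts: str, t: FileTimes, now: int) -> bool:
    """Would an ordinary read through this mount change the file's atime?"""
    opts = set(mount_opts.split(","))
    if "ro" in opts or "noatime" in opts:
        return False  # atime is never written on such a mount
    if "relatime" not in opts:
        return True   # strict atime: /proc/mounts lists neither flag
    # relatime: update only if atime is not newer than mtime/ctime,
    # or if the recorded atime is at least a day old.
    return t.atime <= t.mtime or t.atime <= t.ctime or now - t.atime >= DAY


def atime_evidence(mount_opts: str, t: FileTimes, now: int) -> str:
    """What an unchanged atime lets an examiner conclude for this file."""
    if read_would_update_atime(mount_opts, t, now):
        # Only covers reads made through the mounted filesystem; a copy of
        # the raw device never goes through this code path at all.
        return "no-read-via-this-mount"
    return "inconclusive"


# Constructed sample: one file, examined under different mount options.
NOW = 1_700_000_000
RECENT = FileTimes(atime=NOW - 3600, mtime=NOW - 10 * DAY, ctime=NOW - 10 * DAY)
STALE = FileTimes(atime=NOW - 5 * DAY, mtime=NOW - 10 * DAY, ctime=NOW - 10 * DAY)

if __name__ == "__main__":
    for opts, times in [("rw,relatime", RECENT), ("rw,relatime", STALE),
                        ("rw,noatime", STALE), ("ro,relatime", STALE),
                        ("rw", RECENT)]:
        print(f"{opts:12} -> {atime_evidence(opts, times, NOW)}")
```

Even the strongest result here only rules out reads made through that mounted filesystem; it says nothing about a copy taken from the raw device with the installed OS never booted.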