[Dataloss] TN: Election Commission laptop harddrive found

James Childers james at iqbio.net
Fri Jan 18 19:30:31 UTC 2008


Knoppix Boot CD and Linux bit-by-bit copying of the hdd would be good
tools for doing something like this.

James (Jim) Childers
President & CEO
Artemis Solutions Group (USA)
BioCert(r) - iQBio(tm) - BioSaf(r)
www.iqbio.com 

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Max Hozven
Sent: Friday, January 18, 2008 10:17 AM
To: Chris Walsh; lyger
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] TN: Election Commission laptop harddrive found


I think that if you are tricky enough, you could maybe do this:

1.  Boot laptop off of a Ghost CD and create a Ghost image of the drive.
2.  Use Ghost Explorer to overwrite a file you want to change in the
    Ghost image file.
    Make sure the file date/time on the file you create is the same as
    the one you overwrite to cover your tracks.  Keep the file size the
    same if you want to get really sneaky.
3.  Boot the laptop off of the Ghost CD again.  Do a Ghost restore of
    the updated image you just created.
4.  The resulting laptop will boot up with the hard disk appearing
    unchanged, as it has never booted to its native OS, the changes
    having been done via Ghost.

There are other disk imaging software packages besides Ghost that could
probably do similar things as well.

My opinion is that once a computer/drive gets out of your hands, there's
really no 100% way to know if anything was changed unless you have an
image of the drive before it left and you individually "checksum" each
file to look for changes.

-Max
 (Note: Opinions expressed are solely my own and not that of my
company.)

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh
Sent: Friday, January 18, 2008 9:38 AM
To: lyger
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] TN: Election Commission laptop harddrive found

On Fri, Jan 18, 2008 at 02:54:50PM +0000, lyger wrote:
> 
> Computer experts have begun the process of examining the files and 
> data components to determine if they have been accessed or tampered 
> with, according to police.

Luckily, it is impossible to modify bits on a hard drive without leaving
evidence of your misdeed.

Surprisingly, Tripwire and similar products manage to make quite a bit
of money despite this feature of computer architecture which is
seemingly known by even the least-experienced newspaper writer.


_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
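
The check Max describes in the thread above (a pre-loss image plus a per-file checksum comparison), as an added example that is not part of the original messages. It assumes the baseline image and the recovered drive are each mounted read-only at a directory; the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest

def compare_manifests(baseline, current):
    """Report files added, removed, or changed in content since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample: a same-size edit with the original timestamp restored."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "records.csv")
        with open(target, "wb") as fh:
            fh.write(b"id,name\n1,Alice\n")
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"untouched file\n")
        before = os.stat(target)
        baseline = build_manifest(root)  # taken before the drive left custody

        with open(target, "wb") as fh:
            fh.write(b"id,name\n1,Alicf\n")  # same length, one byte differs
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        after = os.stat(target)

        # A size/mtime comparison sees nothing; the content hash still differs.
        metadata_same = (after.st_size == before.st_size
                         and after.st_mtime_ns == before.st_mtime_ns)
        return metadata_same, compare_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as its storage: keep it (or a signed copy) somewhere the laptop's holder could not have reached.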




