[Dataloss] TN: Election Commission laptop harddrive found

David C. Smith dcs44 at georgetown.edu
Fri Jan 18 20:38:37 UTC 2008 

>
> I don't think ghost doesn't really copy every part of the drive.
> I am sure it would be fairly easy to tell if the drive was only  
I am not sure about ghost, but it can be done with the unix dd command.  
It creates a forensically sound bit image of the source.
http://www.forensicswiki.org/wiki/Dd.  Dd images do hold up in court as 
evidence and you can use MD5 sums to prove changes were not made.  You 
may also view the drive with write blockers like 
http://www.forensicswiki.org/index.php?title=Write_Blockers which would 
not alter the source drive.

Cheaply, one can use a USB external cable say,  
http://www.newegg.com/Product/Product.aspx?Item=N82E16812156101  ($18) 
combined with a usb software block (free):
http://windowsir.blogspot.com/2004/12/xp-sp2-and-making-usb-storage-read.html 
to retrieve all information without being detected.
> >anything was changed unless you have an image of the drive before it
> >left and you individually "checksum"
> >each file to look for changes.
>   
> Um. I have to disagree with this.

But, you can alter the dd image using a hex editor and reapply it back 
the original media without detection (unless you have a source image to 
"diff" against).  But I would like to think that someone in the 
organization would tell them that since they lost integrity control of 
the data it should be deleted or reverified.

Dave



Daniel Clemens wrote:
> On Jan 18, 2008, at 12:17 PM, Max Hozven wrote:
>
>   
>> I think that if you are tricky enough, you could maybe do this:
>>
>> 1.  Boot laptop off of a Ghost CD and create a Ghost image of the  
>> drive.
>> 2.  Use Ghost Explorer to overwrite a file you want to change in the
>> Ghost image file.
>>    Make sure the file date/time on the file you create is the same as
>> the one you overwrite
>>    to cover your tracks.  Keep the file size the same if you want to
>> get really sneaky.
>> 3.  Boot the laptop off of the Ghost CD again.  Do a Ghost restore of
>> the updated image you just created.
>> 4.  The resulting laptop will boot up with the hard disk appearing
>> unchanged, as it has never booted
>>    to it's native OS, the changes having been done via Ghost.
>>
>> There's other disk imaging software packages besides Ghost that could
>> probably do similar things as well.
>>     
>
> I don't think ghost doesn't really copy every part of the drive.
> I am sure it would be fairly easy to tell if the drive was only  
> Ghost'd and then restored since certain parts of the drive would have  
> never been copied and certain portions would be completely overwritten  
> or pointed to new locations on the drive.
> (not to mention any installation logs that may have taken place , or  
> anything in mbr, or mft).
> The file you replaced could possibly still be on the drive that you  
> restored to especially if inode pointer points to a new file, but the  
> old file is still there...
>
> I haven't tried this personally (Ghost , then re-analysis  
> forensically) but I am willing to bet you could tell if something was  
> 're-ghosted'.
> But then again I am only assuming and it sounds like you are too, so  
> most likely we are both asses.
>
>   
>> My opinion is that once a computer/drive gets out of your hands,  
>> there's
>> really no 100% way to know if
>> anything was changed unless you have an image of the drive before it
>> left and you individually "checksum"
>> each file to look for changes.
>>
>>     
>
> Um. I have to disagree with this.
> There is actually allot of work you can do to see what has changed  
> when dealing with data theft like this.(excluding super ninjas of  
> course).
> What you can't validate is what has been completely copied off of the  
> drive if the theft involved a criminal that knew how to truly  
> duplicate the drive.
>
> -Daniel Clemens
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>

More information about the Dataloss mailing list