All times are UTC - 5 hours [ DST ]
 Post subject: Quick forensic question
PostPosted: April 15th, 2013, 13:03 

Joined: September 4th, 2007, 18:37
Posts: 26
Hello,

I have never dealt with a situation like this; although I think I already know the answer, it never hurts to ask.

I have a client who has an external hard drive and he wants to know:

1. if it's possible to get a list of which computers the (external) hard drive was connected to.
2. also if anything was copied (this isn't a priority but would be nice to know).

Here is the catch. Going by access date doesn't do any good, as the hard drive is ALWAYS used but is supposed to be used only on ONE computer and not anywhere else.

I understand that you can image the drive through PC3K or even through other tools/software without ever mounting the file system, but if the person is not as "bright", is there some sort of a stamp in the NTFS file system that would show which computers the hard drive was connected to?

Thanks in advance.

 Post subject: Re: Quick forensic question
PostPosted: April 15th, 2013, 15:56 

Joined: September 8th, 2009, 18:21
Posts: 15466
Location: Australia
The registry of the Windows host machine will have an entry for any USB mass storage device that was ever connected to the machine. The entry may not be unique, though.

Look under HKEY_LOCAL_MACHINE\Enum\USB or HKEY_LOCAL_MACHINE\Enum\USBSTOR or HKEY_LOCAL_MACHINE\Enum\SCSI, or whatever is appropriate for that particular OS.

_________________
A backup a day keeps DR away.

 Post subject: Re: Quick forensic question
PostPosted: April 15th, 2013, 16:07 

Joined: December 27th, 2006, 10:15
Posts: 1852
Location: Belgium
This will not tell the client if his USB drive was connected to another PC.

_________________
Murphy was an optimist

Datarecovery in Belgium, Holland, France and Germany
Datarecoverytools http://www.drtools.eu

 Post subject: Re: Quick forensic question
PostPosted: April 15th, 2013, 16:47 

Joined: September 8th, 2009, 18:21
Posts: 15466
Location: Australia
dobrevjetser wrote:
This will not tell the client if his USB drive was connected to another PC.

I didn't mean to imply that. I thought that was obvious from my post.

I was merely suggesting that if the client has access to the suspect machines, then s/he could at least determine if a similar device (with the same VID/PID and name) was ever connected to those machines.

_________________
A backup a day keeps DR away.
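A script for the host-side check described in the two posts above, added here as an illustration (it is not code posted in the thread). It walks the USBSTOR registry branch on a candidate host and, on Windows 8.1 and later, reads the first-install / last-arrival / last-removal timestamps from the PnP device properties; the product-name fragment and the elevated prompt are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on each candidate host.
# The registry walk works on older Windows versions; the PnP timestamps need Windows 8.1 or later.
param(
    # ASSUMPTION: a fragment of the suspect drive's vendor/product string as it appears in the USBSTOR key name
    [string]$ProductMatch = 'My_Passport'
)
$usbstor  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$timeKeys = 'DEVPKEY_Device_FirstInstallDate', 'DEVPKEY_Device_LastArrivalDate', 'DEVPKEY_Device_LastRemovalDate'

$devices = foreach ($deviceKey in Get-ChildItem -Path $usbstor) {
    # Key name looks like Disk&Ven_WD&Prod_My_Passport&Rev_1007; one child key per serial number / instance
    foreach ($instanceKey in Get-ChildItem -Path $deviceKey.PSPath) {
        $instanceId = "USBSTOR\$($deviceKey.PSChildName)\$($instanceKey.PSChildName)"
        $props  = Get-ItemProperty -Path $instanceKey.PSPath
        $stamps = @{}
        foreach ($k in $timeKeys) {
            # Missing on older Windows or for devices without stored properties; leave the column empty then
            $p = Get-PnpDeviceProperty -InstanceId $instanceId -KeyName $k -ErrorAction SilentlyContinue
            $stamps[$k] = if ($p) { $p.Data } else { $null }
        }
        [pscustomobject]@{
            Device         = $deviceKey.PSChildName
            Serial         = $instanceKey.PSChildName
            FriendlyName   = $props.FriendlyName
            FirstInstall   = $stamps['DEVPKEY_Device_FirstInstallDate']
            LastArrival    = $stamps['DEVPKEY_Device_LastArrivalDate']
            LastRemoval    = $stamps['DEVPKEY_Device_LastRemovalDate']
            # A name/serial match is circumstantial: as noted above, the entry need not be unique
            MatchesSuspect = ($deviceKey.PSChildName -like "*$ProductMatch*")
        }
    }
}
$devices | Sort-Object MatchesSuspect, LastArrival -Descending | Format-Table -AutoSize
```

Compare the Serial column against the serial printed on the drive (or shown in its USBSTOR key on the authorised system); a matching serial is far stronger than a matching product name alone.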

 Post subject: Re: Quick forensic question
PostPosted: April 15th, 2013, 17:05 

Joined: June 23rd, 2008, 11:26
Posts: 503
Location: Austin, TX
You will need access to the host computers, but since this is the reverse, you would need access to all potential computers it may have been attached to.

External drives do not have the data needed to determine what computer they were attached to.

 Post subject: Re: Quick forensic question
PostPosted: April 15th, 2013, 17:23 

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
I don't know anything about SMART, but is there any timestamp of SMART checking going on, where you might be able to look at a timestamp in any SMART data and determine that this is a time that it was not connected to an auth'd PC, or use any secondary data, meaning data that is not directly what you are looking for but substantial to your case?

I would attack it this way (and as you haven't said what type of external drive it is, I will assume a standard USB external HDD):
1. go to the manufacturer's website and read all the specs you can find; look on the product page and see what software ships with it, etc.
2. open the case and see what the drive actually is, then Google for any features you might be able to use, if any.

Also, as I don't work in HDDs, what kind of stuff is accessible from the service terminal? Anything like logging there?

I don't think this line of research is going to turn up anything, and if you think the drive was accessed by unauthorised persons, try to find other evidence.

 Post subject: Re: Quick forensic question
PostPosted: April 15th, 2013, 17:37 

Joined: September 8th, 2009, 18:21
Posts: 15466
Location: Australia
I don't believe there is any RTC in an external HDD, unless it is a NAS, or a device that is connected to a time server.

SMART does keep timestamps in its logs, but these are not time-of-day stamps. Instead the timestamp reflects the power-on-time.

_________________
A backup a day keeps DR away.

 Post subject: Re: Quick forensic question
PostPosted: April 16th, 2013, 4:31 

Joined: May 13th, 2010, 11:17
Posts: 2785
Location: Kuwait
sashok07 wrote:
Hello,

I have never dealt with a situation like this; although I think I already know the answer, it never hurts to ask.

I have a client who has an external hard drive and he wants to know:

1. if it's possible to get a list of which computers the (external) hard drive was connected to.
2. also if anything was copied (this isn't a priority but would be nice to know).

Here is the catch. Going by access date doesn't do any good, as the hard drive is ALWAYS used but is supposed to be used only on ONE computer and not anywhere else.

I understand that you can image the drive through PC3K or even through other tools/software without ever mounting the file system, but if the person is not as "bright", is there some sort of a stamp in the NTFS file system that would show which computers the hard drive was connected to?

Thanks in advance.


PM Sent...
:wink:

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein

 Post subject: Re: Quick forensic question
PostPosted: April 17th, 2013, 5:46 

Joined: August 13th, 2008, 13:10
Posts: 809
Location: World
I think you have 2 ways:
1. with the host computers.
2. with the date and time of files accessed with the host computers.

 Post subject: Re: Quick forensic question
PostPosted: April 24th, 2013, 13:55 

Joined: September 4th, 2007, 18:37
Posts: 26
Thanks for the replies, sorry I was out of town for a few days.

An employee of a client of mine backed up her files from the server to an external hard drive. She said it was easier/safer to use this way (doesn't make any sense, except for the ease-of-use part). She recently quit the company. They wanted to know if she backed up the files anywhere else besides her work PC.

The PCs where she might have backed them up are obviously unavailable :-\

So pretty much as I thought, there is no way to check... Accessed date won't be of much help, as she used the hard drive herself all the time. She quit and didn't get fired, so she had TONS of time to back up the files beforehand.

 Post subject: Re: Quick forensic question
PostPosted: April 25th, 2013, 4:26 

Joined: May 13th, 2010, 11:17
Posts: 2785
Location: Kuwait
hhddrec wrote:
I think you have 2 ways:
1. with the host computers.
2. with the date and time of files accessed with the host computers.


Can you explain this issue with some details here?

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein

 Post subject: Re: Quick forensic question
PostPosted: April 28th, 2013, 7:04 

Joined: September 27th, 2009, 11:10
Posts: 9
Location: United Kingdom
Rather than access times, NTFS file ownership information is much more likely to be revealing, if any files were created by the "foreign" system (or possibly even if just modified). New files created by that system would have owner SIDs that don't match those on the "authorised system".

As several people have pointed out, if a "sophisticated user" had wanted to get information from the disk without leaving traces, it would be impossible to detect. If, on the other hand, we are talking about an "average user" who connected a USB drive to their laptop and wasn't careful about opening/modifying files (and creating temporary files and debris), there's a possibility of success via this route.

Also, I wouldn't rule out the timestamps as a source of information - we've been looking at timestamp patterns created by different operating systems, and found that it is possible to identify access patterns made by different operating systems. This is very much ongoing research however, and wouldn't help if the "snooper" was using the same OS/version as the "authorised" system.

 Post subject: Re: Quick forensic question
PostPosted: April 28th, 2013, 7:37 

Joined: September 27th, 2009, 11:10
Posts: 9
Location: United Kingdom
I should add that file ownership isn't going to be useful if the account of the "snooping" user-id is an account in the same domain as the disk's "normal" server, and that user account is authorised to access the data via the "normal" server. In that case, files created via the authorised and unauthorised methods would have the same owner SID. This might be the case if the snooper used their (AD member) "work laptop" to access the disk, as opposed to a "home laptop".
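An added script (not posted in the thread) that carries out the owner-SID inventory suggested in the previous two posts, run on the authorised system with the external disk mounted; the drive letter and the placeholder "known owner" SID are assumptions. Accounts from one machine or one AD domain share the S-1-5-21-... prefix of their SID, so the script also groups by that prefix, which is exactly where the same-domain caveat shows up.

```powershell
# Added example, not from the thread. Run on the "authorised" system with the external disk mounted.
param(
    [string]$Root = 'E:\',   # ASSUMPTION: drive letter the external disk received on the authorised system
    # ASSUMPTION: placeholder SIDs of the accounts that legitimately write to the disk
    [string[]]$KnownOwnerSids = @('S-1-5-21-1111111111-2222222222-3333333333-1001')
)
$sidType = [System.Security.Principal.SecurityIdentifier]

$files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    # Ask for the raw SID rather than the translated DOMAIN\name, so the comparison works even when this
    # host cannot resolve the owner (an unresolvable SID is itself a hint the file came from elsewhere)
    $sid = $acl.Owner
    try { $sid = $acl.GetOwner($sidType).Value } catch { }
    [pscustomobject]@{ Path = $_.FullName; OwnerSid = $sid; Created = $_.CreationTimeUtc }
}

$files | Group-Object -Property OwnerSid | ForEach-Object {
    $sid = $_.Name
    $resolved = $null
    try { $resolved = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value } catch { }
    $byCreated = @($_.Group | Sort-Object -Property Created)
    [pscustomobject]@{
        OwnerSid        = $sid
        # Strip the trailing RID: S-1-5-21-<identifier> is shared by every account from one machine,
        # or from one AD domain, which is why a same-domain work laptop is indistinguishable here
        MachineOrDomain = ($sid -replace '-\d+$', '')
        ResolvedHere    = $resolved
        Files           = $_.Count
        Foreign         = ($KnownOwnerSids -notcontains $sid)
        FirstCreated    = $byCreated[0].Created
        LastCreated     = $byCreated[-1].Created
        Sample          = $byCreated[0].Path
    }
} | Sort-Object Foreign -Descending | Format-List
```

A "Foreign" group whose MachineOrDomain prefix differs from the authorised host's own prefix (and does not resolve here) is the signal the post describes; a foreign RID under the same prefix only tells you a different account in the same domain was used.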

 Post subject: Re: Quick forensic question
PostPosted: April 28th, 2013, 10:00 

Joined: April 26th, 2012, 1:52
Posts: 388
Location: Chicago, USA
One of my USB disks keeps an ID, something like S-xxxxxx-xxxxxx-xxxxxxxxxxxxxx, in its recycle bin for EACH separate computer it's connected to, if it's NTFS-formatted and used on Win7.

_________________
On a clear disk you can seek forever.
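The recycle-bin observation above, turned into an added script (not from the thread): Windows 7 and later create one folder under $Recycle.Bin on an NTFS volume per account that deleted something there, named after that account's SID. The drive letter is an assumption.

```powershell
# Added example, not from the thread. Lists the per-account SID folders under $Recycle.Bin on the external disk.
param([string]$Root = 'E:\')   # ASSUMPTION: drive letter of the external disk on this host
$bin = Join-Path -Path $Root -ChildPath '$Recycle.Bin'   # single quotes: the $ is literal

Get-ChildItem -LiteralPath $bin -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $sid = $_.Name
    $resolved = '<not known to this host>'   # a SID this host cannot resolve was minted on another machine/domain
    try { $resolved = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value } catch { }
    [pscustomobject]@{
        Sid             = $sid
        # S-1-5-21-<identifier>: accounts from the same machine (or the same domain) share this prefix
        MachineOrDomain = ($sid -replace '-\d+$', '')
        ResolvedHere    = $resolved
        FolderCreated   = $_.CreationTimeUtc   # first deletion by that account on this volume
        Items           = (Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue | Measure-Object).Count
    }
} | Sort-Object FolderCreated | Format-Table -AutoSize
```

Two folders with different MachineOrDomain prefixes mean deletions from two different machines (or domains), regardless of whether the account names are the same.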
