All times are UTC - 5 hours [ DST ]




 Post subject: Any way to add info to harddisk without leaving any trace?
Posted: May 23rd, 2015, 6:06

Joined: March 24th, 2015, 13:51
Posts: 8
Location: Bucharest
I'm thinking of this scenario: someone makes an image of an HDD (with specialized tools and apps) without touching anything on the HDD, and after this he adds files to the HDD (files that have metadata info completely removed) and then makes another HDD image without touching the files on the HDD.

Is it possible to determine if the HDD was touched? Is it possible to add information in the unallocated space without leaving any trace?


 Post subject: Re: Any way to add info to harddisk without leaving any trac
Posted: May 23rd, 2015, 7:32

Joined: December 4th, 2012, 1:35
Posts: 3432
Location: Adelaide, Australia
So you mean that the before and after images are exactly the same, and the hidden data is still in the hard disk somewhere?

Yes - possible - see the recent NSA shenanigans with HDD firmware as one way.

But really, a lot of effort to go to. I can't think of anything non-nefarious that would drive someone to do this.


 Post subject: Re: Any way to add info to harddisk without leaving any trac
Posted: May 23rd, 2015, 7:56

Joined: March 24th, 2015, 13:51
Posts: 8
Location: Bucharest
More precisely, I meant to say if someone is able to add recent files on a disk in the unallocated sector (which I think is the place where deleted files go) and hide any trace of who/when/where these new files came from by removing the metadata and other relevant information.

I was thinking it could be easily done by doing this: make an image of the HDD, add files in the unallocated sector, create the info hash of the new HDD and pretend it was the untouched and original version.


 Post subject: Re: Any way to add info to harddisk without leaving any trac
Posted: May 23rd, 2015, 9:34

Joined: February 9th, 2009, 16:13
Posts: 2253
Location: Ontario, Canada
In the LBA sectors, no. An MD5 hash would show that the two drives differ. But if you were to write in the unused SA tracks, it would likely go undetected.

_________________
Luke
RAID Data Recovery
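
The point made in the reply above, that a hash over the LBA sectors exposes any change between two images, as an added example (not part of the original thread): it hashes two raw images and reports which LBA ranges differ. The 512-byte sector size, the file names and the sample data are assumptions constructed for illustration; it reads only what an imager captured, so the service-area tracks mentioned above are outside its view.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # bytes per LBA sector (assumed; some drives use 4096)

def compare_images(path_a, path_b, sector=SECTOR):
    """Return (md5_a, md5_b, ranges); ranges lists inclusive
    (first_lba, last_lba) runs of sectors that differ."""
    h_a, h_b = hashlib.md5(), hashlib.md5()
    ranges, start, lba = [], None, 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(sector), fb.read(sector)
            if not a and not b:
                break
            h_a.update(a)
            h_b.update(b)
            if a != b:                    # also true when one image is shorter
                if start is None:
                    start = lba
            elif start is not None:       # a run of differing sectors just ended
                ranges.append((start, lba - 1))
                start = None
            lba += 1
    if start is not None:
        ranges.append((start, lba - 1))
    return h_a.hexdigest(), h_b.hexdigest(), ranges

def demo():
    """Constructed sample: a blank 16-sector image and a copy with 700 bytes
    written at the start of sector 5, standing in for unallocated space."""
    before = bytes(16 * SECTOR)
    after = bytearray(before)
    after[5 * SECTOR:5 * SECTOR + 700] = b"X" * 700   # spills into sector 6
    with tempfile.TemporaryDirectory() as d:
        pa = os.path.join(d, "before.img")
        pb = os.path.join(d, "after.img")
        with open(pa, "wb") as f:
            f.write(before)
        with open(pb, "wb") as f:
            f.write(after)
        return compare_images(pa, pb)

if __name__ == "__main__":
    md5_a, md5_b, changed = demo()
    print(md5_a, md5_b, changed)
```
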


 Post subject: Re: Any way to add info to harddisk without leaving any trac
Posted: May 23rd, 2015, 10:38

Joined: August 15th, 2006, 3:01
Posts: 2693
Location: CDRLabs @ Chandigarh [ India ]
lcoughey wrote:
In the LBA sectors, no. An MD5 hash would show that the two drives differ. But if you were to write in the unused SA tracks, it would likely go undetected.


Well, anything in SA will go unnoticed by an imager.

_________________
Regards
Amarbir S Dhillon , Chandigarh Data Recovery Labs
Logical,Semi Physical And Physical Data Recovery
Website-> http://www.chandigarhdatarecovery.com


 Post subject: Re: Any way to add info to harddisk without leaving any trac
Posted: May 23rd, 2015, 11:03

Joined: December 4th, 2012, 1:35
Posts: 3432
Location: Adelaide, Australia
Who is going to be looking that deep anyway? Likely most changes would go unnoticed no matter where they were.


 Post subject: Re: Any way to add info to harddisk without leaving any trac
Posted: May 23rd, 2015, 12:32

Joined: March 24th, 2015, 13:51
Posts: 8
Location: Bucharest
What's SA and LBA?

So it's pretty possible to go unnoticed and leave no trace at all.

I've read somewhere that:

Quote:
If the hard drive was still connected and powered on in the computer, you can look in the registry to see if anyone plugged in a USB device to copy the drive by viewing the registry for connected devices. I'd use the Forensics Tool Kit (Encase --> USBstor) to view the registry since it breaks it down much easier for viewing. It will give you the type of device and serial #, time and date.

If the hard drive is portable or powered off, your best bet would be the powered on hours and power on count in the SMART data, as already mentioned.

You can also use MFT records to see if files were marked as copied. Moved file from one volume to another = File marked deleted (sourceMFT), New file (destinationMFT).


And yes, they were going very deep with this one (that's why I posted in Forensics)


 Post subject: Re: Any way to add info to harddisk without leaving any trac
Posted: May 23rd, 2015, 15:31

Joined: March 24th, 2015, 13:51
Posts: 8
Location: Bucharest
Forgot to ask: could recovered files from the unallocated area come with the metadata information stripped? For example, not showing any information at all, like the name, created/modified/last accessed, or when the file was deleted?


 Post subject: Re: Any way to add info to harddisk without leaving any trac
Posted: May 23rd, 2015, 15:59

Joined: September 8th, 2009, 18:21
Posts: 11993
Location: Australia
Gabe wrote:
What's SA and LBA?

Hiding Data in Hard-Drive’s Service Areas:
http://www.recover.co.il/SA-cover/SA-cover.pdf

_________________
A backup a day keeps DR away.

