Stolen drive evidence gathering. Forensics?
January 27th, 2021, 19:23
Hello HDD Gurus. This place is amazing.
I have recently had an external hard drive stolen and currently the police are trying to recover it. It was one of my time machine backup drives and was not encrypted. It was a WD 10TB WD100EMAZ that I shucked from an Element enclosure and I used it in a WD “My Book Thunderbolt Duo” external drive array. When I look in my time machine backup drop down on the top status bar on my OSX 10.11 machine it still shows the hard drive as registered as the Latest backup to “ExternalDriveName” machine backup device and I don’t want to run any other backup until I’ve ensured I won’t be destroying evidence.. I would like to try and find the unique identifier that currently exists on my Mac that can uniquely identify and match to the stolen hard drive if it is found. Something like a uuid or else the actual serial number of the hard drive that might be in its firmware or something like that. How can I go about doing this?
I am running OSX 10.11 on a mid 2011 iMac.
I would also like to know whether it is possible to determine whether the hard drive has been accessed since it has been stolen. My concern is that people have copied the data off it and returned the drive. From looking at websites like this I have a hope that there is enough intelligence on the disk to store some record of its access or power up logs on chips on the board or maybe in a hidden partition or file on the drive itself. Any pointers or advice would be appreciated.
Thanks a lot for your help in Advance,
DataSearcher
I have recently had an external hard drive stolen and currently the police are trying to recover it. It was one of my time machine backup drives and was not encrypted. It was a WD 10TB WD100EMAZ that I shucked from an Element enclosure and I used it in a WD “My Book Thunderbolt Duo” external drive array. When I look in my time machine backup drop down on the top status bar on my OSX 10.11 machine it still shows the hard drive as registered as the Latest backup to “ExternalDriveName” machine backup device and I don’t want to run any other backup until I’ve ensured I won’t be destroying evidence.. I would like to try and find the unique identifier that currently exists on my Mac that can uniquely identify and match to the stolen hard drive if it is found. Something like a uuid or else the actual serial number of the hard drive that might be in its firmware or something like that. How can I go about doing this?
I am running OSX 10.11 on a mid 2011 iMac.
I would also like to know whether it is possible to determine whether the hard drive has been accessed since it has been stolen. My concern is that people have copied the data off it and returned the drive. From looking at websites like this I have a hope that there is enough intelligence on the disk to store some record of its access or power up logs on chips on the board or maybe in a hidden partition or file on the drive itself. Any pointers or advice would be appreciated.
Thanks a lot for your help in Advance,
DataSearcher
Re: Stolen drive evidence gathering. Forensics?
January 27th, 2021, 21:32
If the thief mounted the disk in the system, then the time stamps will be. If he did not mount, but copied some recovery program, then there will be no marks.
Re: Stolen drive evidence gathering. Forensics?
February 1st, 2021, 10:24
If you have a backup of "HDD SMART REPORT", it can be managed. HDD records Number of spin-up times, I have attached a sample picture.
- Attachments
-
-
Powered by phpBB © phpBB Group.