
Quick forensic question

April 15th, 2013, 13:03

Hello,

I never dealt with a situation like this; although I think I already know the answer, it never hurts to ask.

I have a client who has an external hard drive and he wants to know:

1. if it's possible to get a list of which computers the (external) hard drive was connected to.
2. also if anything was copied (this isn't a priority, but would be nice to know).

Here is the catch. Going by access date doesn't do any good, as the hard drive is ALWAYS used, but is supposed to be used only on ONE computer and not anywhere else.

I understand that you can image the drive through PC3K or even through other tools/software without ever mounting the file system, but if the person is not as "bright", is there some sort of a stamp in the NTFS file system that would show which computers the hard drive was connected to?

Thanks in advance.

Re: Quick forensic question

April 15th, 2013, 15:56

The registry of the Windows host machine will have an entry for any USB mass storage device that was ever connected to the machine. The entry may not be unique, though.

Look under HKEY_LOCAL_MACHINE\Enum\USB or HKEY_LOCAL_MACHINE\Enum\USBSTOR or HKEY_LOCAL_MACHINE\Enum\SCSI, or whatever is appropriate for that particular OS.
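An added example of the host-side check the reply describes (this is not code from the thread; it is mine). It parses the USBSTOR device keys a Windows host keeps and matches them against a known drive. It assumes the modern key path HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, which is what current Windows versions use; the sample key names and serials are constructed, and the live registry read only runs on Windows. It also shows the reply's caveat in code: a match on vendor/product alone is a "model" match that any drive of that model would produce, and only an instance ID carrying the USB serial gives a "serial" match.

```python
"""Match a known external USB drive against a host's USBSTOR registry keys.

Added example, not from the forum thread. Assumes the modern key location
HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR; all sample data is constructed.
"""
import re
import sys

USBSTOR_PATH = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Device key layout: Disk&Ven_<vendor>&Prod_<product>&Rev_<firmware revision>
DEVICE_RE = re.compile(
    r"^(?P<kind>\w+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$"
)

# Constructed sample of (device key, instance subkey, FriendlyName value).
SAMPLE_ENTRIES = [
    ("Disk&Ven_WD&Prod_My_Passport_0748&Rev_1019", "WXB1E23ABC12&0",
     "WD My Passport 0748 USB Device"),
    ("Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP", "7&2a4e8c1d&0&0000",
     "Kingston DataTraveler 3.0 USB Device"),
    ("Disk&Ven_WD&Prod_My_Passport_0748&Rev_1019", "WXC9Z99XYZ88&0",
     "WD My Passport 0748 USB Device"),
]


def parse_device_key(key):
    """Split a USBSTOR device key into kind/vendor/product/revision, or None."""
    m = DEVICE_RE.match(key)
    if not m:
        return None
    return {k: v.strip("_") for k, v in m.groupdict().items()}


def parse_instance(instance):
    """Instance subkey: '<usb serial>&0' when the device reports a serial.
    When it does not, Windows generates an id such as '7&2a4e8c1d&0&0000',
    recognisable by the '&' in the second character position."""
    generated = len(instance) > 1 and instance[1] == "&"
    return {"serial": None if generated else instance.split("&")[0],
            "generated": generated}


def match_device(entries, vendor, product, serial=None):
    """Return (device_key, instance, level) for entries matching the target.

    level is 'serial' when the instance id carries the same USB serial and
    'model' when only vendor/product agree; a 'model' hit is not unique,
    which is the caveat raised in the reply above."""
    hits = []
    for key, instance, _name in entries:
        dev = parse_device_key(key)
        if not dev or dev["ven"].lower() != vendor.lower() \
                or dev["prod"].lower() != product.lower():
            continue
        inst = parse_instance(instance)
        if serial and inst["serial"] and inst["serial"].lower() == serial.lower():
            hits.append((key, instance, "serial"))
        else:
            hits.append((key, instance, "model"))
    return hits


def list_usbstor():
    """Read live USBSTOR entries from the local registry (Windows only)."""
    import winreg  # raises ImportError off Windows
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR_PATH) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            dev = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, dev) as devkey:
                for j in range(winreg.QueryInfoKey(devkey)[0]):
                    inst = winreg.EnumKey(devkey, j)
                    with winreg.OpenKey(devkey, inst) as instkey:
                        try:
                            name = winreg.QueryValueEx(instkey, "FriendlyName")[0]
                        except OSError:  # value absent on some entries
                            name = ""
                    out.append((dev, inst, name))
    return out


if __name__ == "__main__":
    entries = list_usbstor() if sys.platform == "win32" else SAMPLE_ENTRIES
    # Hypothetical target drive: vendor, product and USB serial are made up.
    for key, inst, level in match_device(entries, "WD", "My_Passport_0748",
                                         "WXB1E23ABC12"):
        print(level, key, inst)
```

Run it on the suspect host with an account that can read HKLM; off Windows it runs against the constructed sample. A 'model' hit only proves that some drive of that model was plugged in; a 'serial' hit ties the entry to the specific unit, provided the drive reports a USB serial at all.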

Re: Quick forensic question

April 15th, 2013, 16:07

This will not tell the client if his USB drive was connected to another PC.

Re: Quick forensic question

April 15th, 2013, 16:47

dobrevjetser wrote:This will not tell the client if his USB drive was connected to another PC.

I didn't mean to imply that. I thought that was obvious from my post.

I was merely suggesting that if the client has access to the suspect machines, then s/he could at least determine if a similar device (with the same VID/PID and name) was ever connected to those machines.

Re: Quick forensic question

April 15th, 2013, 17:05

You will need access to the host computers. But since this is the reverse, you would need access to all potential computers it may have been attached to.

External drives do not have the data needed to determine what computer they were attached to.

Re: Quick forensic question

April 15th, 2013, 17:23

I don't know anything about SMART, but is there any timestamp of SMART checking going on, where you might be able to look at a timestamp in any SMART data and determine that this is a time when it was not connected to an authorised PC, or use any secondary data, meaning data that is not directly what you are looking for but substantial to your case?

I would attack it this way (and as you haven't said what type of external drive it is, I will assume a standard USB external HDD):
1. go to the manufacturer's website and read all the specs you can find, look on the product page and see what software ships with it, etc.
2. open the case and see what the drive actually is, then Google for any features you might be able to use, if any.

Also, as I don't work in HDDs, what kind of stuff is accessible from the service terminal? Anything like logging there?

I don't think this line of research is going to turn up anything, and if you think the drive was accessed by unauthorised persons, try and find other evidence.

Re: Quick forensic question

April 15th, 2013, 17:37

I don't believe there is any RTC in an external HDD, unless it is a NAS, or a device that is connected to a time server.

SMART does keep timestamps in its logs, but these are not time-of-day stamps. Instead the timestamp reflects the power-on-time.

Re: Quick forensic question

April 16th, 2013, 4:31

sashok07 wrote:Hello,

I never dealt with a situation like this; although I think I already know the answer, it never hurts to ask.

I have a client who has an external hard drive and he wants to know:

1. if it's possible to get a list of which computers the (external) hard drive was connected to.
2. also if anything was copied (this isn't a priority, but would be nice to know).

Here is the catch. Going by access date doesn't do any good, as the hard drive is ALWAYS used, but is supposed to be used only on ONE computer and not anywhere else.

I understand that you can image the drive through PC3K or even through other tools/software without ever mounting the file system, but if the person is not as "bright", is there some sort of a stamp in the NTFS file system that would show which computers the hard drive was connected to?

Thanks in advance.


PM Sent...
:wink:

Re: Quick forensic question

April 17th, 2013, 5:46

I think you have 2 ways:
1. with the host computers.
2. with the date and time of files accessed with the host computers.

Re: Quick forensic question

April 24th, 2013, 13:55

Thanks for the replies, sorry I was out of town for a few days.

An employee of a client of mine backed up her files from the server to an external hard drive. She said it was easier/safer to use this way (doesn't make any sense, except for the ease-of-use part). She recently quit the company. They wanted to know if she backed up the files anywhere else besides her work PC.

The PCs where she might have backed them up are obviously unavailable :-\

So pretty much as I thought, there is no way to check... Accessed date won't be of much help, as she used the hard drive herself all the time. She quit and didn't get fired, so she had TONS of time to back up the files beforehand.

Re: Quick forensic question

April 25th, 2013, 4:26

hhddrec wrote:I think you have 2 ways:
1. with the host computers.
2. with the date and time of files accessed with the host computers.


Can you explain this issue with some details here?

Re: Quick forensic question

April 28th, 2013, 7:04

Rather than access times, NTFS file ownership information is much more likely to be revealing, if any files were created by the "foreign" system (or possibly even if just modified). New files created by that system would have owner SIDs that don't match those on the "authorised system".

As several people have pointed out, if a "sophisticated user" had wanted to get information from the disk without leaving traces, it would be impossible to detect. If, on the other hand, we are talking about an "average user" who connected a USB drive to their laptop and wasn't careful about opening/modifying files (and creating temporary files and debris), there's a possibility of success via this route.

Also, I wouldn't rule out the timestamps as a source of information - we've been looking at timestamp patterns created by different operating systems, and found that it is possible to identify access patterns made by different operating systems. This is very much ongoing research however, and wouldn't help if the "snooper" was using the same OS/version as the "authorised" system.

Re: Quick forensic question

April 28th, 2013, 7:37

I should add that file ownership isn't going to be useful if the account of the "snooping" user ID is an account in the same domain as the disk's "normal" server, and that user account is authorised to access the data via the "normal" server. In that case, files created via the authorised and unauthorised methods would have the same owner SID. This might be the case if the snooper used their (AD member) "work laptop" to access the disk, as opposed to a "home laptop".

Re: Quick forensic question

April 28th, 2013, 10:00

One of my USB disks keeps an ID, something like S-xxxxxx-xxxxxx-xxxxxxxxxxxxxx, in its recycle bin for EACH separate computer it's connected to, if it's NTFS formatted and used on Win7.
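An added example, mine rather than anything posted in the thread, that works through the owner-SID approach from the two posts of April 28th and the $Recycle.Bin observation in the post just above. Both rest on the same fact: an account SID of the form S-1-5-21-a-b-c-RID carries the identifier of the machine or domain that issued it, so owner SIDs and $Recycle.Bin folder names on the drive can be grouped by issuer. The file listing, SIDs and folder names below are constructed; collecting real owners from a mounted volume (Get-Acl, icacls, or an MFT parser) is assumed to have been done already. The classification also shows the caveat from the second April 28th post: an account from the same domain gets the same issuer and cannot be told apart from the authorised one at this level, and well-known SIDs such as S-1-5-18 are identical on every Windows install and point at no computer at all.

```python
"""Group NTFS owner SIDs and $Recycle.Bin SID folders by issuing machine/domain.

Added example, not from the forum thread; every SID, path and folder name below
is constructed for illustration.
"""
import re
from collections import defaultdict

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def split_sid(sid):
    """Return (issuer, rid).

    For S-1-5-21-<a>-<b>-<c>-<rid> the issuer is S-1-5-21-<a>-<b>-<c>, the
    identifier of the machine or AD domain that created the account.  Anything
    else (S-1-5-18 LocalSystem, S-1-5-32-544 Administrators, ...) is the same
    on every Windows install and is reported as 'well-known'."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % (sid,))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if m.group(1) == "5" and subs[:1] == [21] and len(subs) == 5:
        return ("S-1-5-21-%d-%d-%d" % tuple(subs[1:4]), subs[4])
    return ("well-known", subs[-1])


def classify_owner(sid, authorised_sids):
    """'authorised', 'well-known', 'same-domain-other-account' or 'foreign'."""
    issuer, _rid = split_sid(sid)
    if issuer == "well-known":
        return "well-known"
    if sid in authorised_sids:
        return "authorised"
    if issuer in {split_sid(s)[0] for s in authorised_sids}:
        # Same domain: the limitation described for a domain-joined work laptop.
        return "same-domain-other-account"
    return "foreign"


def group_by_class(files, authorised_sids):
    """files: iterable of (path, owner_sid).  Returns {class: [paths]}."""
    out = defaultdict(list)
    for path, sid in files:
        out[classify_owner(sid, authorised_sids)].append(path)
    return dict(out)


def recycle_bin_issuers(folder_names):
    """$Recycle.Bin on an NTFS volume holds one S-1-5-21-... folder per account
    that deleted something on it; return the set of issuers those point to."""
    return {split_sid(n)[0] for n in folder_names if SID_RE.match(n)}


# Constructed sample.  The authorised account belongs to the company domain
# S-1-5-21-1111111111-2222222222-3333333333 (a made-up identifier).
AUTHORISED_SIDS = {"S-1-5-21-1111111111-2222222222-3333333333-1105"}
FILES = [
    ("E:\\backup\\q1.xlsx", "S-1-5-21-1111111111-2222222222-3333333333-1105"),
    ("E:\\backup\\q2.xlsx", "S-1-5-21-1111111111-2222222222-3333333333-1105"),
    # Office lock file and thumbnail cache left behind by a non-domain laptop
    ("E:\\backup\\~$q2.xlsx", "S-1-5-21-4444444444-5555555555-6666666666-1001"),
    ("E:\\backup\\Thumbs.db", "S-1-5-21-4444444444-5555555555-6666666666-1001"),
    # Owned by LocalSystem: says nothing about which computer wrote it
    ("E:\\System Volume Information\\tracking.log", "S-1-5-18"),
    # Another account in the same domain: same issuer, only the RID differs
    ("E:\\backup\\notes.txt", "S-1-5-21-1111111111-2222222222-3333333333-1242"),
]
RECYCLE_BIN_FOLDERS = [
    "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "S-1-5-21-4444444444-5555555555-6666666666-1001",
    "desktop.ini",
]

if __name__ == "__main__":
    for cls, paths in sorted(group_by_class(FILES, AUTHORISED_SIDS).items()):
        print(cls, paths)
    print("recycle bin issuers:", sorted(recycle_bin_issuers(RECYCLE_BIN_FOLDERS)))
```

A 'foreign' issuer is the useful result: it is evidence that an account from a machine or domain other than the authorised one wrote to the drive, and the $Recycle.Bin folder names give the same kind of issuer without needing file ownership at all. Neither tells you which physical computer that was, only that it was not the authorised domain, and a careful user who only read files leaves nothing for either check to find.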