Anything related to computer forensics (new section!)

Any way to add info to harddisk without leaving any trace?

May 23rd, 2015, 6:06

I'm thinking of this scenario: someone makes an image of an HDD (with specialized tools and apps) without touching anything on the HDD, and after this he adds files to the HDD (files that have metadata info completely removed) and then makes another HDD image without touching the files on the HDD.

Is it possible to determine if the HDD was touched? Is it possible to add information in the unallocated space without leaving any trace?

Re: Any way to add info to harddisk without leaving any trac

May 23rd, 2015, 7:32

so you mean that the before and after images are exactly the same, and the hidden data is still in the harddisk somewhere?

yes - possible - see the recent NSA shenanigans with HDD Firmware as one way.

But really, a lot of effort to go to. I can't think of anything non-nefarious that would drive someone to do this.

Re: Any way to add info to harddisk without leaving any trac

May 23rd, 2015, 7:56

More precisely, I meant to say if someone is able to add recent files on a disk in the unallocated sector (which I think is the place where deleted files go) and hide any trace about who/when/where these new files came from by removing the metadata and other relevant information.

I was thinking it could be easily done by doing this: make an image of the HDD, add files in the unallocated sector, create the info hash of the new HDD and pretend it was the untouched and original version.

Re: Any way to add info to harddisk without leaving any trac

May 23rd, 2015, 9:34

In the LBA sectors, no. An MD5 Hash would show that the two drives differ. But if you were to write in the unused SA tracks, it would likely go undetected.

Re: Any way to add info to harddisk without leaving any trac

May 23rd, 2015, 10:38

lcoughey wrote: In the LBA sectors, no. An MD5 Hash would show that the two drives differ. But if you were to write in the unused SA tracks, it would likely go undetected.

Well,
Anything in SA will go unnoticed by an imager
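The comparison discussed in the two replies above, as an added example that is not part of the original thread: hash a "before" and an "after" image with MD5 and list the LBA ranges that differ. The 512-byte sector size, the file names and the 64-sector sample disk are assumptions constructed for the illustration; the check only covers what an imager reads over the LBA interface, so service-area contents are in neither image.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed logical sector size


def image_md5(path, chunk=1 << 20):
    """MD5 of a whole image file, read in chunks so large images fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def differing_lba_ranges(before, after, sector=SECTOR):
    """Return inclusive (first_lba, last_lba) runs where the two images differ."""
    ranges, start, lba = [], None, 0
    with open(before, "rb") as a, open(after, "rb") as b:
        while True:
            sa, sb = a.read(sector), b.read(sector)
            if not sa and not sb:
                break
            if sa != sb:
                if start is None:
                    start = lba          # a differing run begins here
            elif start is not None:
                ranges.append((start, lba - 1))
                start = None             # run ended on the previous sector
            lba += 1
    if start is not None:
        ranges.append((start, lba - 1))
    return ranges


def demo():
    """Constructed sample: a zeroed 64-sector 'disk', then 700 bytes written at LBA 40."""
    d = tempfile.mkdtemp()
    before, after = os.path.join(d, "before.img"), os.path.join(d, "after.img")
    blank = bytes(64 * SECTOR)
    with open(before, "wb") as f:
        f.write(blank)
    modified = bytearray(blank)
    modified[40 * SECTOR:40 * SECTOR + 700] = b"X" * 700  # spills into LBA 41
    with open(after, "wb") as f:
        f.write(modified)
    return image_md5(before) == image_md5(after), differing_lba_ranges(before, after)


if __name__ == "__main__":
    print(demo())
```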

Re: Any way to add info to harddisk without leaving any trac

May 23rd, 2015, 11:03

Who is going to be looking that deep anyway? Likely most changes would go unnoticed no matter where they were.

Re: Any way to add info to harddisk without leaving any trac

May 23rd, 2015, 12:32

What's SA and LBA?

So it's pretty possible to go unnoticed and leave no trace at all.

I've read somewhere that:

If the hard drive was still connected and powered on in the computer, you can look in the registry to see if anyone plugged in a USB device to copy the drive by viewing the registry for connected devices. I'd use the Forensics Tool Kit (Encase --> USBstor) to view the registry since it breaks it down much easier for viewing. It will give you the type of device and serial #, time and date.

If the hard drive is portable or powered off, your best bet would be the powered on hours and power on count in the SMART data, as already mentioned.

You can also use MFT records to see if files were marked as copied. Moved file from one volume to another = File marked deleted (sourceMFT), New file (destinationMFT).


And yes, they were going very deep with this one (that's why I posted in Forensics)

Re: Any way to add info to harddisk without leaving any trac

May 23rd, 2015, 15:31

Forgot to ask: could recovered files from the unallocated area come with the metadata information stripped? For example, not showing any information at all like the name, created/modified/last accessed, when the file was deleted?

Re: Any way to add info to harddisk without leaving any trac

May 23rd, 2015, 15:59

Gabe wrote: What's SA and LBA?

Hiding Data in Hard-Drive’s Service Areas:
http://www.recover.co.il/SA-cover/SA-cover.pdf