BreachExchange mailing list archives
Re: TN: Election Commission laptop harddrive found
From: Daniel Clemens <daniel.clemens () packetninjas net>
Date: Fri, 18 Jan 2008 13:00:52 -0600
On Jan 18, 2008, at 12:17 PM, Max Hozven wrote:
> I think that if you are tricky enough, you could maybe do this:
>
> 1. Boot laptop off of a Ghost CD and create a Ghost image of the drive.
> 2. Use Ghost Explorer to overwrite a file you want to change in the Ghost image file. Make sure the file date/time on the file you create is the same as the one you overwrite to cover your tracks. Keep the file size the same if you want to get really sneaky.
> 3. Boot the laptop off of the Ghost CD again. Do a Ghost restore of the updated image you just created.
> 4. The resulting laptop will boot up with the hard disk appearing unchanged, as it has never booted to its native OS, the changes having been done via Ghost.
>
> There are other disk imaging software packages besides Ghost that could probably do similar things as well.
I don't think Ghost really copies every part of the drive. I am sure it would be fairly easy to tell if the drive was only Ghost'd and then restored, since certain parts of the drive would have never been copied and certain portions would be completely overwritten or pointed to new locations on the drive (not to mention any logs of installations that may have taken place, or anything in the MBR or MFT). The file you replaced could possibly still be on the drive that you restored to, especially if an inode pointer points to a new file but the old file is still there... I haven't tried this personally (Ghost, then re-analysis forensically) but I am willing to bet you could tell if something was 're-ghosted'. But then again I am only assuming and it sounds like you are too, so most likely we are both asses.
> My opinion is that once a computer/drive gets out of your hands, there's really no 100% way to know if anything was changed unless you have an image of the drive before it left and you individually "checksum" each file to look for changes.
Um. I have to disagree with this. There is actually a lot of work you can do to see what has changed when dealing with data theft like this (excluding super ninjas of course). What you can't validate is what has been completely copied off of the drive if the theft involved a criminal that knew how to truly duplicate the drive.

-Daniel Clemens
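A file-level integrity check of the kind the "checksum each file" remark describes, added here as an example and not taken from either poster's message; the directory layout and file contents it uses are constructed. It records hash, size and mtime per file from a baseline, then classifies differences so that a file rewritten with the same length and a restored timestamp still shows up (as "silent").

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def build_manifest(root):
    """Record sha256, size and mtime of every regular file under root,
    keyed by path relative to root so two snapshots can be compared."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mtime": int(st.st_mtime),
        }
    return manifest

def diff_manifests(before, after):
    """Classify differences. 'silent' holds files whose size and mtime match
    the baseline but whose content hash does not: the case the thread calls
    'really sneaky', which a metadata-only check would miss."""
    report = {"added": [], "removed": [], "modified": [], "silent": []}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            report["added"].append(name)
        elif name not in after:
            report["removed"].append(name)
        elif before[name]["sha256"] != after[name]["sha256"]:
            same_meta = (before[name]["size"] == after[name]["size"]
                         and before[name]["mtime"] == after[name]["mtime"])
            report["silent" if same_meta else "modified"].append(name)
    return report

def demo():
    """Constructed scenario: baseline a tree, then tamper with one file."""
    root = Path(tempfile.mkdtemp())
    (root / "config").mkdir()
    target = root / "config" / "settings.ini"
    target.write_bytes(b"admin=0\n")
    (root / "notes.txt").write_bytes(b"hello\n")
    before = build_manifest(root)
    st = target.stat()
    target.write_bytes(b"admin=1\n")                # same size, new content
    os.utime(target, (st.st_atime, st.st_mtime))     # put old timestamp back
    (root / "extra.log").write_bytes(b"x")           # an added file
    after = build_manifest(root)
    shutil.rmtree(root)
    return diff_manifests(before, after)
```

The manifest deliberately ignores ctime and filesystem-level artifacts (MBR, MFT, slack space), which is the separate evidence the reply above points at; those need a forensic image, not a file walk.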