Re: TN: Election Commission laptop harddrive found

[Daniel Clemens <daniel.clemens () packetninjas net>]

On Jan 18, 2008, at 12:17 PM, Max Hozven wrote:

> I think that if you are tricky enough, you could maybe do this:
>
> 1.  Boot laptop off of a Ghost CD and create a Ghost image of the  
> drive.
> 2.  Use Ghost Explorer to overwrite a file you want to change in the
> Ghost image file.
>    Make sure the file date/time on the file you create is the same as
> the one you overwrite
>    to cover your tracks.  Keep the file size the same if you want to
> get really sneaky.
> 3.  Boot the laptop off of the Ghost CD again.  Do a Ghost restore of
> the updated image you just created.
> 4.  The resulting laptop will boot up with the hard disk appearing
> unchanged, as it has never booted
>    to it's native OS, the changes having been done via Ghost.
>
> There's other disk imaging software packages besides Ghost that could
> probably do similar things as well.

I don't think ghost doesn't really copy every part of the drive.
I am sure it would be fairly easy to tell if the drive was only  
Ghost'd and then restored since certain parts of the drive would have  
never been copied and certain portions would be completely overwritten  
or pointed to new locations on the drive.
(not to mention any installation logs that may have taken place , or  
anything in mbr, or mft).
The file you replaced could possibly still be on the drive that you  
restored to especially if inode pointer points to a new file, but the  
old file is still there...

I haven't tried this personally (Ghost , then re-analysis  
forensically) but I am willing to bet you could tell if something was  
're-ghosted'.
But then again I am only assuming and it sounds like you are too, so  
most likely we are both asses.

> My opinion is that once a computer/drive gets out of your hands,  
> there's
> really no 100% way to know if
> anything was changed unless you have an image of the drive before it
> left and you individually "checksum"
> each file to look for changes.

Um. I have to disagree with this.
There is actually allot of work you can do to see what has changed  
when dealing with data theft like this.(excluding super ninjas of  
course).
What you can't validate is what has been completely copied off of the  
drive if the theft involved a criminal that knew how to truly  
duplicate the drive.

-Daniel Clemens
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml