BreachExchange mailing list archives

Re: TN: Election Commission laptop harddrive found


From: "David C. Smith" <dcs44 () georgetown edu>
Date: Fri, 18 Jan 2008 15:38:37 -0500


> I don't think ghost really copies every part of the drive.
> I am sure it would be fairly easy to tell if the drive was only
I am not sure about ghost, but it can be done with the unix dd command.  
It creates a forensically sound bit image of the source.
http://www.forensicswiki.org/wiki/Dd.  Dd images do hold up in court as 
evidence and you can use MD5 sums to prove changes were not made.  You 
may also view the drive with write blockers like 
http://www.forensicswiki.org/index.php?title=Write_Blockers which would 
not alter the source drive.

Cheaply, one can use a USB external cable, say
http://www.newegg.com/Product/Product.aspx?Item=N82E16812156101 ($18),
combined with a USB software block (free):
http://windowsir.blogspot.com/2004/12/xp-sp2-and-making-usb-storage-read.html
to retrieve all information without being detected.
> anything was changed unless you have an image of the drive before it
> left and you individually "checksum"
> each file to look for changes.
  
> Um. I have to disagree with this.

But you can alter the dd image using a hex editor and reapply it to
the original media without detection (unless you have a source image to
"diff" against). But I would like to think that someone in the
organization would tell them that since they lost integrity control of
the data it should be deleted or reverified.

Dave



Daniel Clemens wrote:
On Jan 18, 2008, at 12:17 PM, Max Hozven wrote:

I think that if you are tricky enough, you could maybe do this:

1. Boot laptop off of a Ghost CD and create a Ghost image of the drive.
2. Use Ghost Explorer to overwrite a file you want to change in the
   Ghost image file. Make sure the file date/time on the file you create
   is the same as the one you overwrite to cover your tracks. Keep the
   file size the same if you want to get really sneaky.
3. Boot the laptop off of the Ghost CD again. Do a Ghost restore of
   the updated image you just created.
4. The resulting laptop will boot up with the hard disk appearing
   unchanged, as it has never booted to its native OS, the changes
   having been done via Ghost.

There's other disk imaging software packages besides Ghost that could
probably do similar things as well.

I don't think ghost really copies every part of the drive.
I am sure it would be fairly easy to tell if the drive was only
Ghost'd and then restored since certain parts of the drive would have
never been copied and certain portions would be completely overwritten
or pointed to new locations on the drive
(not to mention any installation logs that may have taken place, or
anything in the MBR or MFT).
The file you replaced could possibly still be on the drive that you
restored to, especially if the inode pointer points to a new file but the
old file is still there...

I haven't tried this personally (Ghost , then re-analysis  
forensically) but I am willing to bet you could tell if something was  
're-ghosted'.
But then again I am only assuming and it sounds like you are too, so  
most likely we are both asses.

My opinion is that once a computer/drive gets out of your hands, there's
really no 100% way to know if anything was changed unless you have an
image of the drive before it left and you individually "checksum" each
file to look for changes.


Um. I have to disagree with this.
There is actually a lot of work you can do to see what has changed
when dealing with data theft like this (excluding super ninjas of
course).
What you can't validate is what has been completely copied off of the  
drive if the theft involved a criminal that knew how to truly  
duplicate the drive.

-Daniel Clemens
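One way to do the "checksum each file" comparison Max describes, and the hash-based integrity proof Dave mentions, as an added example that is not code from anyone in this thread: a Python manifest tool that records size, mtime and SHA-256 for every file under a mount point and, when diffed against a later manifest, flags a file whose content changed even though its size and timestamp were put back. The file names and contents inside demo() are constructed for the example; in practice you would point build_manifest() at read-only mounts of the before and after images.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, tuple]:
    """Record (size, mtime, sha256) for every regular file below root."""
    manifest: Dict[str, tuple] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (st.st_size, int(st.st_mtime), sha256_file(full))
    return manifest


def compare(before: Dict[str, tuple], after: Dict[str, tuple]) -> Dict[str, List[str]]:
    """Classify paths; a hash mismatch is reported even when size and mtime match."""
    out: Dict[str, List[str]] = {"added": [], "removed": [], "modified": [], "metadata_only": []}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            out["added"].append(rel)
        elif rel not in after:
            out["removed"].append(rel)
        elif before[rel][2] != after[rel][2]:
            out["modified"].append(rel)        # content differs, whatever the metadata says
        elif before[rel][:2] != after[rel][:2]:
            out["metadata_only"].append(rel)   # same bytes, touched timestamp or size field
    return out


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one file rewritten at the same length, old mtime restored."""
    with tempfile.TemporaryDirectory() as root:
        p = os.path.join(root, "voters.txt")           # constructed sample file
        with open(p, "wb") as f:
            f.write(b"Smith, J.  precinct 12\n")
        st = os.stat(p)
        before = build_manifest(root)                  # the "before it left" image
        with open(p, "wb") as f:                       # same byte count, different content
            f.write(b"Smith, J.  precinct 21\n")
        os.utime(p, (st.st_atime, st.st_mtime))        # put the timestamp back, as in step 2
        return compare(before, build_manifest(root))
```

A matching size and mtime therefore proves nothing on their own; only the content hash catches the swapped file, which is why the baseline must be taken before the drive leaves your control.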
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml