BreachExchange mailing list archives

Re: Stolen Boeing laptop is recovered


From: "Roy M. Silvernail" <roy () rant-central com>
Date: Sat, 27 Jan 2007 12:37:25 -0500

Pascal Charest wrote:
> I can't remember if Symantec Ghost accesses the drive as read-only, preserving
> the last access time, but doing a copy that does is quite trivial to do.

> Take the hard-drive out, connect it through a read-only interface and copy
> everything. Such interfaces are easy to find - any law enforcement
> department will have a couple of them since they must use them to gather
> data from "evidence hard drive". Contacting their provider, or even
> building your own...

Or boot the box from your choice of Linux live CDs, plug in a large
external USB drive and do 'dd if=/dev/hda of=/mnt/sda1/chump_dump.img
bs=1M'.  As you say, trivial.

> I guess that the "third-party computer-security consultant" wrote something
> in the order of "the last-access time was not changed by the thief's
> activities" in the report and it was interpreted as "not accessed".

I'd bet that *all* of the "data was not accessed" reports are due to this.

> As a thief, this would be one of the easiest ways to "gather data" without
> having it changed / reported by the corporation.

Indeed.
-- 
Roy M. Silvernail is roy () rant-central com, and you're not
"It's just this little chromium switch, here." - TFT
CRM114->procmail->/dev/null->bliss
http://www.rant-central.com
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in 550 incidents over 7 years.
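
For anyone reviewing a "data was not accessed" finding, the thread's point is that an unchanged last-access time is weak evidence. The following is an added example, not part of the original messages: it classifies Linux mount options (in /proc/mounts format, an assumption; the sample lines are constructed) by whether reads through the file system update atime at all. A raw-device copy like the dd command above bypasses the file system in every case.

```python
# Added example (not from the original thread). Mount lines are constructed.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,noatime 0 0
/dev/sdb1 /mnt/evidence ext4 ro,relatime 0 0
/dev/sdc1 /srv ext4 rw 0 0
"""


def atime_policy(options):
    """When does a read through this mount update a file's atime?"""
    opts = set(options.split(","))
    if "ro" in opts or "noatime" in opts:
        return "never"
    if "relatime" in opts:
        # Updated only if atime is not newer than mtime/ctime,
        # or if the stored atime is more than 24 hours old.
        return "sometimes"
    return "every-read"  # neither flag listed: strict atime updates


def assess(mounts_text):
    """Map each mount point to (policy, what an unchanged atime supports)."""
    verdicts = {
        "never": "says nothing about reads",
        "sometimes": "reads can go unrecorded",
        "every-read": "no read via this mount; raw-device copies still unrecorded",
    }
    result = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mount_point, options = fields[1], fields[3]
        policy = atime_policy(options)
        result[mount_point] = (policy, verdicts[policy])
    return result


if __name__ == "__main__":
    for mount_point, (policy, verdict) in assess(SAMPLE_MOUNTS).items():
        print(f"{mount_point:15} atime updates: {policy:10} unchanged atime: {verdict}")
```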


