Recovered FTS server: Is it possible to show whether or not information
has been accessed?
Peter Sommer
ukcrypto at chiark.greenend.org.uk
Tue, 28 Aug 2007 07:33:02 +0100
The basic test is to look at the date-and-time stamps of files on the
server: if these remain unaltered from the time of last "official" use,
then one can say that the server itself has not been started up in the
normal fashion. (On a Win XP machine you would normally look at the
NTUSER.DAT file, which gets written to during normal close-down; its
"last written" date and time stamp should precede that of any event in
which the computer has passed out of the owner's hands.)
On the other hand standard computer forensics procedures are to use
techniques so that you can copy the contents of a computer's hard-disks
(including such things as RAID arrays) without starting the computer up
normally, so as to eliminate accusations of tampering. The procedures
normally involve either starting the computer from a bootable CD (which
has an OS and imaging software) or removing the hard-disks into a
separate chassis, interposing write-protect devices and then running
forensic imaging software.
So: if the DTS server fell into the hands of ordinary villains, the
claim of non-accessing of valuable and sensitive information can
probably be sustained. But into the hands of those with experience of
digital forensics.....
Peter Sommer
Mary Hawking wrote:
>
>
> Is it *technically* possible to be sure that information on a server
> has not been accessed, backed up during the period it went missing or
> copied?
> If so, how?
>
>
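The timestamp test described in the reply above, worked through as an added example (this is not code from the post or from its author). It walks a directory tree, flags every file whose last-written stamp is later than the time of last "official" use, and treats a rewritten NTUSER.DAT as the marker of a normal start-up. The file names, dates and the two scenarios are constructed here for illustration; the script forces the stamps with os.utime, which is itself the reminder that such stamps are evidence of consistency, not proof.

```python
import os
import tempfile
from datetime import datetime, timezone


def epoch(iso):
    """ISO-8601 string, taken as UTC, -> POSIX seconds."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()


def files_written_after(root, cutoff):
    """Return sorted (relative path, mtime) pairs for every file under root
    whose last-written stamp is later than cutoff (POSIX seconds)."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if st.st_mtime > cutoff:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, st.st_mtime))
    return sorted(hits)


def assess(root, last_official_use, marker="NTUSER.DAT"):
    """Apply the basic test: any file written after last_official_use is
    evidence the machine was used; a rewritten marker file (NTUSER.DAT,
    written at normal close-down) is evidence of a normal start-up.
    An empty result is consistent with 'not started up normally' but is
    not proof: a write-blocked image leaves every stamp untouched."""
    hits = files_written_after(root, last_official_use)
    marker_rewritten = any(p.endswith("/" + marker) or p == marker for p, _ in hits)
    if not hits:
        verdict = "no stamps later than cutoff: consistent with no normal start-up (not proof)"
    elif marker_rewritten:
        verdict = "%s rewritten after cutoff: normal start-up since last official use" % marker
    else:
        verdict = "files written after cutoff: accessed since last official use"
    return {"files_after_cutoff": hits,
            "marker_rewritten": marker_rewritten,
            "verdict": verdict}


def build_sample(root, stamp_files):
    """Constructed stand-in for a disk image: each (relative path -> ISO time)
    becomes a one-byte file whose mtime is forced with os.utime."""
    for rel, iso in stamp_files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"x")
        ts = epoch(iso)
        os.utime(path, (ts, ts))


# Constructed scenario data (hypothetical dates and paths, not from the post).
LAST_OFFICIAL_USE = "2007-08-10T17:30:00"

# Server untouched since the last official shutdown.
CLEAN = {
    "Documents and Settings/owner/NTUSER.DAT": "2007-08-10T17:29:50",
    "Documents and Settings/owner/My Documents/report.doc": "2007-08-09T11:02:00",
}

# Same server after somebody booted it normally and logged on.
BOOTED = dict(CLEAN)
BOOTED["Documents and Settings/owner/NTUSER.DAT"] = "2007-08-22T09:14:03"
BOOTED["WINDOWS/system32/config/software"] = "2007-08-22T09:13:55"


def run(scenario):
    """Build the scenario in a temporary tree and run the assessment on it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, scenario)
        return assess(root, epoch(LAST_OFFICIAL_USE))


if __name__ == "__main__":
    for name, scenario in (("clean", CLEAN), ("booted", BOOTED)):
        result = run(scenario)
        print(name, "->", result["verdict"])
        for rel, mtime in result["files_after_cutoff"]:
            print("   ", rel, datetime.fromtimestamp(mtime, timezone.utc).isoformat())
```

The script only reads the stamps the filesystem reports, so run it against a mounted read-only image rather than the live server; starting the server to run it would itself rewrite NTUSER.DAT and destroy the evidence. And because os.utime can set any stamp to any value, an unaltered set of stamps supports the claim of non-access against an ordinary thief but, as the post notes, says nothing against someone who imaged the disks behind a write-blocker or from a boot CD.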