Recovered FTS server: Is it possible to show whether or not information has been accessed?
Roland Perry
ukcrypto at chiark.greenend.org.uk
Tue, 28 Aug 2007 08:04:43 +0100
In article <46D3C19E.6080104@pmsommer.com>, Peter Sommer
<peter@pmsommer.com> writes
>The basic test is to look at the date-and-time stamps of files on the
>server: if these remain unaltered from the time of last "official" use,
>then one can say that the server itself has not been started up in the
>normal fashion. (On a Win XP machine you would normally look at the
>NTUSER.DAT file, which gets written to during normal close-down - its
>"last written" date and time stamp should precede that of any event in
>which the computer has passed out of the owner's hands.)
>On the other hand, standard computer forensics procedures are to use
>techniques so that you can copy the contents of a computer's hard-disks
>(including such things as RAID arrays) without starting the computer up
>normally, so as to eliminate accusations of tampering. The procedures
>normally involve either starting the computer from a bootable CD (which
>has an OS and imaging software) or removing the hard-disks into a
>separate chassis, interposing write-protect devices and then running
>forensic imaging software.
>
>So: if the DTS server fell into the hands of ordinary villains, the
>claim of non-accessing of valuable and sensitive information can
>probably be sustained. But into the hands of those with experience of
>digital forensics.....
An excellent description, but there are some other things which can be
done.
e.g.: Use the BIOS to write the date and time last used into non-volatile
RAM, which would demonstrate whether or not the PC had been powered up
at all (irrespective of the boot mechanism). But apart from a range of
PCs I once had a hand in designing, I don't know if this technique is
deployed very often; and a determined villain could fake it.
and: I have some SCSI drives which record internally the number of seeks
they've done, and the power-up time. Not sure how much (if any)
co-operation that requires from the PC. If network management software
was regularly logging those statistics, you might have a chance of
spotting how long the drives had been powered up after the time of theft
(even better if the server was powered off at a known time that
evening).
--
Roland Perry
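The two checks discussed in the thread, as an added worked example that is not part of the original posts: the NTUSER.DAT-style "no file written after custody was lost" test, and Roland's idea of comparing a drive's power-on-hours and seek counters against the last value logged by monitoring software before the theft. The log rows, times and counter values are constructed sample data, and the field layout is an assumption.

```python
from datetime import datetime

# Constructed sample of periodic drive statistics as a monitoring system might
# have logged them: (timestamp, power-on hours, cumulative seek count).
STATS_LOG = [
    ("2007-08-20 18:00:00", 12340, 9_100_200),
    ("2007-08-20 21:00:00", 12343, 9_100_950),
    ("2007-08-20 22:30:00", 12344, 9_101_020),  # last entry before power-off
]
# Time the server is known to have been powered off and left the owner's hands.
CUSTODY_LOST = datetime(2007, 8, 20, 23, 0)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_log(rows):
    return [(parse_ts(t), poh, seeks) for t, poh, seeks in rows]


def last_before(entries, when):
    """Baseline: the latest logged record at or before `when`, or None."""
    prior = [e for e in entries if e[0] <= when]
    return max(prior, key=lambda e: e[0]) if prior else None


def unexplained_drive_activity(entries, when, current_poh, current_seeks):
    """Return (extra power-on hours, extra seeks) the drive accrued beyond what
    legitimate running between the baseline record and `when` explains.

    Unlike file timestamps, these counters still advance when the disk is
    imaged via a write-blocker or booted from a CD, which is why they are
    worth logging; they do not say what was read, only that the drive ran."""
    base = last_before(entries, when)
    if base is None:
        raise ValueError("no baseline record before custody was lost")
    legit_hours = (when - base[0]).total_seconds() / 3600
    extra_hours = max(0.0, current_poh - base[1] - legit_hours)
    return extra_hours, current_seeks - base[2]


def files_untouched_since(mtime_strings, when):
    """Peter's timestamp test: True if no last-written stamp is later than
    `when`. A pass only rules out a normal boot, not a write-blocked image."""
    return all(parse_ts(m) <= when for m in mtime_strings)
```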