Recovered FTS server: Is it possible to show whether or not information has been accessed?
ukcrypto@chiark.greenend.org.uk
ukcrypto at chiark.greenend.org.uk
Tue, 28 Aug 2007 10:11:19 +0200
>"A police spokesman said the server was undamaged. "Examination revealed
>the information had not been accessed," the spokesman said. FTS declined
>to comment."
>
>http://www.computerweekly.com/Articles/2007/08/20/226280/police-recover-s
>tolen-forensic-server.htm
>
>Is it *technically* possible to be sure that information on a server has
>not been accessed, backed up during the period it went missing or
>copied?
>If so, how?
It's not impossible, but you need to meet some conditions which I think
are not likely to be true:
- the server was tamper-evident and no traces of tampering were
found
- the server cannot be made to boot from anything you can plug
into it (ethernet, floppy, DVD, USB, Firewire)
I'd assume they're just lying.
Casper