Recovered FTS server: Is it possible to show whether or not information
has been accessed?
Dave Howe
ukcrypto at chiark.greenend.org.uk
Tue, 28 Aug 2007 22:29:02 +0100
Mary Hawking wrote:
> "A police spokesman said the server was undamaged. "Examination revealed
> the information had not been accessed," the spokesman said. FTS declined
> to comment."
>
> http://www.computerweekly.com/Articles/2007/08/20/226280/police-recover-stolen-forensic-server.htm
>
> Is it *technically* possible to be sure that information on a server has
> not been accessed, backed up during the period it went missing or copied?
> If so, how?
The short answer is yes, it's technically possible.
The longer answer is that it's unlikely; at a bare minimum, you would
need to activate an ATA password on the hard drive so that you need a
special boot floppy (or ATA password enabled BIOS) to even spin it up.
In that case, the drive would need to be dismantled and the platters
mounted on a forensic recovery rig in order to access the data.
Assuming you were willing to spend a decent amount on security, you
could encrypt the hard drive using a physical token for the key (drives
exist that can do this, usually using 3DES and encrypting at the
firmware level).
It is also possible that software encryption at the OS level was used
to protect the data - not presumably EFS (which apparently the WSJ can
crack in three days) but something like TrueCrypt - so yes, in that case
they could have copied the raw data from the drive, but not accessed the
information (as encrypted volumes require a password to mount before
they are decrypted, and as the data on them is never stored to disc in
an un-encrypted form, powering off the machine effectively removes any
chance to recover the plaintext of the intercepts).
Given the level of security and technical skill shown by the company
so far (assuming that the office door was even locked) I suspect that
anything like that is fairly unlikely. They have probably just checked
the time stamps, decided that Windows has not booted on that machine
since they last used it, and hence it was "not accessed".
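As an added illustration of the point above (example code, not part of the original post or the list thread): a file-manifest baseline can show that data on a recovered server was *modified*, but a raw copy of the data leaves the source untouched and so is invisible to it. The scenario below is constructed; `shutil.copyfile` stands in for a thief imaging the drive, and the file names are made up.

```python
"""Baseline/verify manifest for a recovered server (added example).

Detects modification after recovery, but cannot detect that data was
merely read or imaged, which is exactly the limitation of "we checked
the timestamps" as evidence of non-access."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record (size, mtime_ns, sha256) for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[str(p.relative_to(root))] = (st.st_size, st.st_mtime_ns, _sha256(p))
    return manifest


def compare_manifest(before: dict, after: dict) -> dict:
    """Classify differences: content changed, only mtime changed, added, removed."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in common if before[k][2] != after[k][2]),
        "touched": sorted(k for k in common
                          if before[k][2] == after[k][2] and before[k][1] != after[k][1]),
    }


def demo() -> tuple:
    """Constructed scenario: baseline, then a raw copy, then a write."""
    root = Path(tempfile.mkdtemp())
    (root / "intercepts.db").write_bytes(b"constructed sample data " * 100)
    baseline = build_manifest(root)
    # Imaging the disk is like copying the file elsewhere: the source
    # manifest is unchanged, so the baseline cannot prove non-access.
    shutil.copyfile(root / "intercepts.db", Path(tempfile.mkdtemp()) / "image.bin")
    after_copy = compare_manifest(baseline, build_manifest(root))
    # Only a write leaves evidence the manifest can see.
    (root / "intercepts.db").write_bytes(b"tampered")
    after_write = compare_manifest(baseline, build_manifest(root))
    return after_copy, after_write
```

Running `demo()` reports no differences after the copy and a modified `intercepts.db` only after the write, which is why drive-level encryption or an ATA password, not timestamps, is what makes a "not accessed" claim defensible.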