Recovered FTS server: Is it possible to show whether or not information has been accessed?
Tom Thomson
ukcrypto at chiark.greenend.org.uk
Wed, 29 Aug 2007 13:52:05 +0100
Peter Sommer wrote:-
> The basic test is to look at the date-and-time stamps of files on the
> server: if these remain unaltered from the time of last "official" use,
> then one can say that the server itself has not been started up in the
> normal fashion. (On a Win XP machine you would normally look at the
> NTUSER.DAT file, which gets written to during normal close-down - its
> "last written" date and time stamp should precede that of any event in
> which the computer has passed out of the owner's hands.)
Here I don't agree. If the server is set up in anything like a seriously
secure fashion, it's quite likely that there are no NTUSER.DAT files for most
users, only NTUSER.MAN files, which are NOT modified by anything the user
they refer to does. Also, I note that on the NT5.2 (XP Pro and Windows 2003)
systems where I personally have an NTUSER.DAT file, the dates on the .dat file
have no connection with when I last logged in or out: for example, the dates
for NTUSER.DAT for me on the machine I am typing on now are

Date Created: 08/05/2006
Date Accessed: 12/04/2007
Date Modified: 08/05/2006

although I log in and out almost every day (sitting at the machine when I'm
here and via a slightly secure VPN connection when I'm not). None of those
dates tell you that I logged in and did a lot of work on the machine and
logged out again just yesterday.
Besides, the most likely way in which data would be accessed is by copying
hard drives (or RAID arrays) without ever logging in to the server. After
all, how does a person with unauthorized possession of the machine ever get
logged in - unless usable username-password combinations were sellotaped to
the side of the server (I've seen that before now in so-called secure
environments).
> On the other hand, standard computer forensics procedures are to use
> techniques so that you can copy the contents of a computer's hard-disks
> (including such things as RAID arrays) without starting the computer up
> normally, so as to eliminate accusations of tampering. The procedures
> normally involve either starting the computer from a bootable CD (which
> has an OS and imaging software) or removing the hard-disks into a
> separate chassis, interposing write-protect devices and then running
> forensic imaging software.
But a criminal doesn't have to follow the forensic procedure: he doesn't
need to put a write-protect device in the way, because he isn't concerned,
for example, with having an audit trail that shows he was actively disabling
write access to prevent tampering with evidence. The simple process of
booting off a CD containing something like Symantec Ghost and taking an
image of each disc is good enough for him. I don't think even the most
naïve of us would suggest that knowledge of tools like Symantec Ghost is
restricted to the forensic computing community.
> So: if the DTS server fell into the hands of ordinary villains, the
> claim of non-accessing of valuable and sensitive information can
> probably be sustained. But into the hands of those with experience of
> digital forensics.....
It rather depends on whether the "ordinary villains" know a computer from
their elbow; it's not true that getting the data without leaving a clear
record of having done so requires knowledge or experience of digital
forensics.
M.
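The timestamp check the two posters are arguing about, as an added example that is not part of the thread: a PowerShell script that lists, for every profile on a Windows host, the file-system Created/Modified/Accessed times of NTUSER.DAT or NTUSER.MAN alongside the "last written" FILETIME stored in the hive's own REGF header, and reports whether NTFS is maintaining last-access times at all. The profile path (`$env:SystemDrive\Users`) assumes a Vista-or-later layout; on XP/2003 substitute `Documents and Settings`. The header offset (a FILETIME at byte 12 of the `regf` base block) is the documented hive format; everything else is my own code.

```powershell
# Added example: correlate profile-hive timestamps on a Windows host.
# Not from the original posts. Run in an elevated PowerShell 3+ session.
# Assumption: profiles live under <SystemDrive>\Users (Vista and later).

$profileRoot = Join-Path $env:SystemDrive 'Users'

function Get-HiveHeaderTime {
    param([Parameter(Mandatory)][string]$Path)
    # The REGF base block begins with the ASCII signature "regf"; bytes 12-19
    # hold a 64-bit FILETIME that the kernel rewrites when it flushes the hive.
    # A hive that is currently loaded (the logged-on user's own NTUSER.DAT)
    # is opened exclusively by the system, so the open below throws; we report
    # that rather than fail, because it is itself a finding: on a live box you
    # cannot read the one hive you most want to read. Image the disk instead.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $hdr = New-Object byte[] 20
            $n = $fs.Read($hdr, 0, 20)
            if ($n -lt 20 -or [Text.Encoding]::ASCII.GetString($hdr, 0, 4) -ne 'regf') {
                return 'not a registry hive'
            }
            $ft = [BitConverter]::ToInt64($hdr, 12)
            return [DateTime]::FromFileTimeUtc($ft)
        } finally {
            $fs.Dispose()
        }
    } catch {
        return "locked/unreadable ($($_.Exception.GetType().Name))"
    }
}

$report = foreach ($dir in Get-ChildItem -Path $profileRoot -Directory -Force) {
    # -Force is required: NTUSER.DAT and NTUSER.MAN are hidden files.
    # Filter on extension so NTUSER.DAT.LOG1 and the .blf/.regtrans-ms
    # transaction files are excluded.
    $hives = Get-ChildItem -Path (Join-Path $dir.FullName 'NTUSER.*') -Force -File -ErrorAction SilentlyContinue |
             Where-Object { $_.Extension -in '.dat', '.man' }
    foreach ($hive in $hives) {
        [pscustomobject]@{
            Profile       = $dir.Name
            Hive          = $hive.Name      # .MAN = mandatory profile; user activity never writes it
            CreatedUtc    = $hive.CreationTimeUtc
            ModifiedUtc   = $hive.LastWriteTimeUtc
            AccessedUtc   = $hive.LastAccessTimeUtc
            HeaderWritten = Get-HiveHeaderTime -Path $hive.FullName
        }
    }
}

$report | Sort-Object ModifiedUtc -Descending | Format-Table -AutoSize

# Whether the "Accessed" column can mean anything depends on this volume
# setting: NTFS last-access updates are disabled by default on modern
# Windows, and fsutil prints the effective state (odd values = disabled,
# 2 = "system managed", where fsutil also prints the resolved state).
fsutil behavior query DisableLastAccess
```

On a live system the row for the account you are logged on as will show `HeaderWritten = locked/unreadable`, which is exactly Tom's point from the other direction: the disk has to be imaged to examine it properly, and a disk image taken from a boot CD touches none of the columns above. A mandatory profile (`NTUSER.MAN`) will show a `ModifiedUtc` fixed at the time the administrator last built it regardless of how often the user logs on.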