Can techs verify HD data was not accessed and/or copied?

I’d prefer to discuss technical capability, not culpability, in this thread.

The infamous stolen VA laptop has been recovered.

The Feds were quick to announce

Now, although not a technical person myself, I can believe that computer experts could tell if the database had been accessed, probably because it logs views.

But the Feds went further in claims that no damage had been done:

If the whole hard drive was just “imaged”, like the IT staff do to my work computer whenever they need to make changes and want a backup copy, would forensic analysis be able to tell? Would “imaging” require opening the database files (and presumably logging a view) at all? What about plain old copying?

Is the implication that analysts can tell if the data is totally secure, after being outside the “chain of custody” for as long as this laptop has been missing, a valid assertion? Technically feasible?

Some file systems store the date of last access of every file. Therefore it is possible to show whether and when anyone used the operating system to access a particular file.

It is, however, possible that the data was duplicated with a low-level tool, such as a hard drive cloning program. In this case the last-access timestamp would not be modified.

As to whether or not a physical examination of the hard drive can reveal whether anything was accessed, I’m not entirely sure.
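To put the first two points above into practice, here is an added example (not from the thread or any of its posters) of the timestamp triage an examiner could run over the file tree of a recovered drive: it lists every file whose last-access or last-modified time postdates the moment the machine was reported lost, and phrases an empty result as inconclusive rather than as proof, because a raw clone or a read-only mount never updates those fields. File names and dates are constructed for the sample.

```python
import os
import tempfile
import time


def timestamps_after(root, cutoff):
    """Return (path, field, time) for every file timestamp later than cutoff.

    A hit shows the OS touched that file after the cutoff. An empty list proves
    nothing: a block-level clone (dd, a drive duplicator) or a read-only mount
    never updates these fields, and a volume mounted noatime never updates atime.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            # st_ctime (inode change) belongs in a real examination too; it is
            # left out here only because the sample tree cannot back-date it.
            for field, when in (("atime", st.st_atime), ("mtime", st.st_mtime)):
                if when > cutoff:
                    hits.append((path, field, when))
    return sorted(hits)


def verdict(hits):
    """Phrase the finding as positive or inconclusive, never as 'untouched'."""
    if hits:
        return "access after cutoff recorded in file metadata"
    return "no OS-level access recorded; raw clone or read-only mount not excluded"


def build_sample_tree():
    """Constructed sample: one file back-dated, one 'read' after the loss."""
    def ts(y, m, d):
        return time.mktime((y, m, d, 12, 0, 0, 0, 0, -1))
    reported_lost = ts(2006, 5, 3)  # constructed date, not the incident's actual date
    root = tempfile.mkdtemp(prefix="recovered_image_")
    records = os.path.join(root, "records.mdb")
    readme = os.path.join(root, "readme.txt")
    for p in (records, readme):
        with open(p, "w") as f:
            f.write("sample\n")
    os.utime(records, (ts(2006, 4, 20), ts(2006, 4, 20)))  # untouched since before the loss
    os.utime(readme, (ts(2006, 5, 10), ts(2006, 4, 20)))   # atime a week after the loss
    return root, reported_lost
```

Run `timestamps_after(*build_sample_tree())` to see the single hit on readme.txt; on a real image the tree would be a forensic copy mounted read-only so the examination itself does not alter what it measures.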

Back in my mainframe days I worked with an IDMS database (networked, not your modern inefficient relational database) and used to often run jobs in local mode, where the program directly addressed the disk packs without invoking the DBMS at all. While it meant that jobs ran real fast and could run against a production system while users were logged in, it also meant no journals, no rollback points, no recovery other than restoring a backup and no audit trail. So we were careful what we did. I doubt that anyone could tell what had been done at all, although the system logs would show that a job had run - if the packs were on another box, though, you wouldn’t know that.

If you are technically sophisticated enough it would be child’s play to clone the hard drive and not leave a trace that you had ever accessed the system.

However, given that:

1: Most modern database programs and OSes have a variety of time-stamped files that are generated each time the program is executed or the data is accessed, if the hard drive analysis shows these database files are unchanged since the PC was reported lost, and:

2: Assuming that the person who took the notebook & is robbing houses is not a major league geek,

I think the FBI can be reasonably confident that the data is untouched. The only caveat is that someone knew what this notebook was before they returned it, but if they did intend to steal the data why would they bother returning it?

Overall the reasonable man conclusion is that the data was untouched.

As a person who at one point had to untraceably clone data off a laptop computer (nothing sinister or malicious though), I’d like to comment that it’s fairly easy. Don’t turn on the computer, don’t boot the drive. Gently remove the hard drive, noting any physical trace you might leave. Put it in a cloner, preferably on an IDE controller that has a “read only” jumper (I don’t know if these exist actually, I know they exist for SCSI), clone it to any media you wish, replace the drive. Voila!

Even if the hard drive caddy has a tamper evident seal on it, it’s most likely a generic seal you can find online and buy a new one (I never did figure out what the point of a tamper evident seal is if it does not have a serial # or some other identifying factor).

So they can’t really safely make that claim.

Sure they can. They could have used their own custom seal, or some other device which would have shown whether the hard drive had been removed.

I’d say that was incredibly unlikely for the Veterans Administration to go to the trouble and expense of using special security seals on the drives of its IT staff notebooks. Microscopic examination of the drive chassis cradle screws for recent toolmarks and scratches would be the most likely indicator of tampering.

Many consumer products have those, to see if someone unqualified was screwing around with the equipment (this would void the warranty). Probably most folks who would replace the seal would also be doing reasonable quality work.

As for returning the computer, if we’re assuming malicious intent, the information on the hard drive would be much more valuable if it were still thought to be secure. If the VA thought the information had been compromised, they might notify all of the people in the database and tell them to get their credit cards, etc. changed. If they think it’s still secure, though, they might not do that, or the people they notified might be less likely to follow through on it. So any hypothetical thief would want it to appear as though the data were never accessed, and returning the computer would be part of that.

You could check with a high powered microscope to see whether the layer of crud under the screws has been disturbed. This would indicate whether someone had tried to physically remove a HD.

What if you booted in with a Linux live CD and did a dd copy over a local network. Would that leave any traces?

Also, it’s trivial to mount the partition as read-only in Linux, which would prevent any timestamps from being updated.