Hard Drive Stolen: How to tell if it was copied?
March 29, 2010 4:54 PM   Subscribe

External hard drive stolen, then recovered. Can I tell if its contents were viewed/downloaded?

My external hard drive was stolen. It was gone for a couple of days. While not super top secret, it had stuff on it that I'd prefer remain private.

The drive is still in the possession of the police while they investigate the burglary. I can make an appointment to go to the police station and look at the drive to determine whether the contents were accessed. If necessary, I can bring a for-hire expert with me to help determine that.

If it helps: the external drive is a LaCie d2 HD Quadra v2.1.

My questions are:

#1 How can I tell if the contents of the drive were viewed, and more importantly, downloaded or copied? I have contacted LaCie and they suggested that I right-click on the files in the drive and look at the "last modified" date, which would show if the files were viewed or copied during the 48 hours when the drive was stolen. Is this the only way of determining whether the drive was accessed/copied?

#2 Is this something I can do by myself, or should I hire an expert? It's likely that my firm will pay for the expert, so the cost of such is not as much an issue as simply making sure that the drive was not accessed. I'm not even sure where to go or how to hire such a person, so any tips on that would be much appreciated as well.

Thank you in advance.
posted by anonymous to Computers & Internet (12 answers total)
There's no way to be sure. If the files were copied then the originals won't have been modified. Odd that LaCie would give you that advice as I'm really sure it's completely wrong. At any rate, even if it was right, it's possible to access the drive in ways that are guaranteed not to modify it.
posted by GuyZero at 5:11 PM on March 29, 2010

It depends enormously on how it is formatted. If it's NTFS, then files have a "last accessed" time stamp. But if it's the manufacturing default, FAT32, then I'm not sure if that field existed.

That timestamp doesn't tell you whether the file was copied, and just from the drive there's no way for you to tell that.
posted by Chocolate Pickle at 5:12 PM on March 29, 2010 [1 favorite]

What file system were you using on the drive? If it was a journaled filesystem, it's possible that you can look at low-level data on the last time the filesystem was mounted. This is only possible, however, if you absolutely *do not* mount the drive.
posted by strangecargo at 5:13 PM on March 29, 2010

Oh yeah, it might not be FAT. Is it NTFS or HFS/Mac-formatted?
posted by GuyZero at 5:14 PM on March 29, 2010

Sorry, posted too fast. What I meant to say is that if anybody mounts the drive before you get access to it, the last mount time will be overwritten. You should use Linux or some similar OS that doesn't auto-mount drives (ie: not OS X or Windows) to make a raw image of the block device and use that image to determine whether or not the filesystem had been accessed after it was stolen.
posted by strangecargo at 5:18 PM on March 29, 2010 [1 favorite]

No. The device may have been mounted read-only by someone in order to view it. You cannot be guaranteed that the data has not been read.
posted by Mikey-San at 5:19 PM on March 29, 2010

(That is, seeing any kind of change tells you someone mounted the device and may have looked at its contents. Not seeing change does not guarantee you that it was not mounted or read.)
posted by Mikey-San at 5:21 PM on March 29, 2010 [1 favorite]

There are things you can do that might tell you if it's been read, but there's no way at all to be sure that it hasn't.

Mandating the use of strong encryption on employee laptops and external drives is shutting the door after the horse has bolted. On the other hand, your firm probably has more than one horse.
posted by flabdablet at 5:31 PM on March 29, 2010

For the purposes of the above, read == copied.

In fact the fastest method for copying an entire drive involves freely available tools that don't mount the filesystem and leave no traces on the source drive.
posted by flabdablet at 5:34 PM on March 29, 2010

If the drive was accessed sloppily (mounted and read or copied in the conventional way), then yes, a computer forensics person will be able to tell.

But, as others have said, there are ways to access the data on the drive without leaving any trace. It doesn't look like SMART keeps a "last accessed time" or similar; I was going to suggest that SMART data from the drive might help, but unless you've been recording the drive's power-on hours (not that any reasonable person would), there's nothing to go on.

I definitely recommend using an expert (perhaps the police could give you a name). If someone has accessed the drive casually, they will be able to determine this and explain how to your employer. If, through incompetence or means unknown to us, the expert determines that the drive was not accessed, that's fine -- it will be on the expert, not you.
posted by scatter gather at 7:44 PM on March 29, 2010

You cannot tell for certain that the data was not accessed.

If you are very careful (and this means that you haven't plugged the drive into a computer and mounted it!) you could potentially tell if someone accessed it casually. This would be by analyzing the drive and looking at the last-accessed timestamps on the files.

This wouldn't really be conclusive though; someone could have mounted the drive read-only, or cloned it block-by-block at a low level and then only mounted the copy, or mounted it on a system that was set to not update access timestamps... there are many ways that you could get a false negative.

But if you got a positive (an accessed or modified timestamp from the period in which the drive was out of your control), then you would know with fairly high confidence that the data had been accessed. But a negative result wouldn't be conclusive.

Therefore I suggest you assume that the data was read — actually I suggest you assume that the drive was cloned and is at this very moment being Bittorrented all over the place — and take whatever steps would be necessary to mitigate the disclosure. Change passwords, notify financial institutions, build some sort of convincing cover story involving those compromising photos from Vegas, whatever it takes. But assume that it was copied, because you can't tell that it wasn't.
posted by Kadin2048 at 9:13 PM on March 29, 2010

Do you know anything about who stole it? What I'm asking here is, based on the circumstances, do you have any reason to believe that the person who took it would be interested in the information there, or were they just going to wipe it and fence it?

There's what the NSA could do with your computer and what the guy who snatched it out of your parked car after smashing the window could do. Which scenario do you actually have?
posted by Kid Charlemagne at 10:29 PM on March 29, 2010

« Older Farty MBP...   |   Where to watch World Cup 2010 in Chicago this... Newer »
This thread is closed to new comments.