Internal Hard-Disk removal logs

CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

Hey Folks,

Just wanted to ask you guys if there are possibilities of getting the logs of when an internal hard disk is removed from a Windows machine, and when the internal hard disk is returned into the Windows machine.

When I say internal hard disk I mean the hard disk that runs the OS.

Is there any log or event that stores these kinds of records?

Thanks.


   
Quote
AmNe5iA
(@amne5ia)
Estimable Member
Joined: 9 years ago
Posts: 175
 

If the OS isn't running how do you expect it to log anything?


   
ReplyQuote
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

If the OS isn't running how do you expect it to log anything?

A really clever OS might discover that someone is trying to hot-swap the system drive ;-) I can't think of a good reason why anyone would want to log that kind of event, though …

Yet, on the principle that you never know until you try, I can only recommend the OP to try it out.


   
ReplyQuote
CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

If the OS isn't running how do you expect it to log anything?

A really clever OS might discover that someone is trying to hot-swap the system drive ;-) I can't think of a good reason why anyone would want to log that kind of event, though …

Yet, on the principle that you never know until you try, I can only recommend the OP to try it out.

There's a strict policy in an entity that a hard disk should not be removed from the work "Laptop". It seems a person was suspected of having removed the hard disk, plugged it into an unknown machine and transferred confidential data, so they want to first prove that the hard disk has been removed from the work "Laptop".

Thanks everyone for sharing your thoughts.


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

If the OS isn't running how do you expect it to log anything?

Of course there is no way, and of course such a log cannot exist, though in theory the OS could log the SMART data of the hard disk (power-on cycles) at shutdown and throw a fit if at next boot it has not increased by exactly one, and besides, that could well be implemented in the BIOS or UEFI firmware.

jaclaz


   
ReplyQuote
ArsenalConsulting
(@arsenalconsulting)
Eminent Member
Joined: 16 years ago
Posts: 49
 

Hey Folks,

Just wanted to ask you guys if there are possibilities of getting the logs of when an internal hard disk is removed from a Windows machine, and when the internal hard disk is returned into the Windows machine.

When I say internal hard disk I mean the hard disk that runs the OS.

Is there any log or event that stores these kinds of records?

Thanks.

You may find NTFS's security descriptor stream (and file system transactions, keeping an eye on the progression of LSNs/USNs, timestamps, and SIDs) quite enlightening (as we have) in this kind of scenario. In other words, focus on the file system on the drive, not your workstation's operating system. I'm assuming your priority right now is simply determining whether the drive has in fact been removed and returned to your workstation.

I recommend using Joakim Schicht's Secure2Csv, LogFileParser, and UsnJrnl2Csv.

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed
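The filesystem-side approach Mark describes (following the progression of USNs and timestamps on the drive itself rather than looking for a host log) can be turned into a concrete check. The block below is an added example written for this page; it is not code from the thread, from Arsenal Consulting, or from Joakim Schicht's tools. It assumes the documented USN_RECORD_V2 layout of the $UsnJrnl:$J stream, a constructed sample journal, and a constructed list of "powered-on" windows for the laptop (in practice taken from the host's own boot/shutdown records). Any record written while the host OS was not running, or whose timestamp runs backwards against an increasing USN, is reported as activity that the laptop itself cannot have produced.

```python
"""Audit NTFS USN change-journal records for writes made while the host
was off (added example; sample journal and uptime windows are constructed)."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# FILETIME values are 100 ns ticks since 1601-01-01 UTC.
_FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    return _FT_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    d = dt - _FT_EPOCH  # integer arithmetic: a float would lose microseconds here
    return ((d.days * 86400 + d.seconds) * 10**6 + d.microseconds) * 10


# USN_RECORD_V2: 60-byte fixed header, then the UTF-16LE name, padded so
# that RecordLength is a multiple of 8.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
USN_REASON_DATA_OVERWRITE = 0x00000001
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_CLOSE = 0x80000000


@dataclass
class UsnRecord:
    usn: int
    timestamp: datetime
    reason: int
    file_ref: int
    parent_ref: int
    security_id: int  # index into $Secure, not a SID itself
    name: str


def build_record(usn, when, reason, name,
                 file_ref=0x1000000000BEEF, parent_ref=0x10000000000005) -> bytes:
    """Serialise one USN_RECORD_V2; used only to construct sample input."""
    name_b = name.encode("utf-16-le")
    raw = _HDR.size + len(name_b)
    rec_len = (raw + 7) & ~7
    hdr = _HDR.pack(rec_len, 2, 0, file_ref, parent_ref, usn, dt_to_filetime(when),
                    reason, 0, 0, 0x20, len(name_b), _HDR.size)
    return hdr + name_b + b"\0" * (rec_len - raw)


def parse_usn_records(buf: bytes):
    """Walk a raw $J buffer, stepping over the zero fill between journal pages."""
    out, off = [], 0
    while off + _HDR.size <= len(buf):
        rec_len = struct.unpack_from("<I", buf, off)[0]
        if rec_len == 0:
            off += 8
            continue
        (_, major, _minor, frn, parent, usn, ts, reason, _src, sec_id,
         _attrs, name_len, name_off) = _HDR.unpack_from(buf, off)
        if major != 2:
            raise ValueError(f"unsupported USN record version {major} at offset {off}")
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        out.append(UsnRecord(usn, filetime_to_dt(ts), reason, frn, parent, sec_id, name))
        off += rec_len
    return out


def audit_journal(records, powered_on, clock_skew=timedelta(minutes=5)):
    """Return (usn, name, finding) for records that do not fit the host's uptime.

    powered_on: [(start, end), ...] windows in which the laptop's OS was running.
    USNs only ever grow, so a record whose timestamp falls outside every window,
    or that is older than its predecessor by more than the tolerated skew, was
    written by some other system that mounted the volume.
    """
    findings, prev = [], None
    for r in sorted(records, key=lambda r: r.usn):
        if not any(start <= r.timestamp <= end for start, end in powered_on):
            findings.append((r.usn, r.name, "written while host OS was not running"))
        if prev is not None and r.timestamp < prev.timestamp - clock_skew:
            findings.append((r.usn, r.name, "timestamp earlier than preceding USN"))
        prev = r
    return findings


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed uptime windows (laptop on during office hours on two days).
POWERED_ON = [(_t("2016-03-01T08:00"), _t("2016-03-01T17:00")),
              (_t("2016-03-02T07:30"), _t("2016-03-02T17:00"))]


def sample_journal() -> bytes:
    """Constructed $J fragment: two in-hours writes, two overnight creations
    typical of another Windows box browsing the volume, then next-day activity
    with one record whose clock lags the previous one."""
    return b"".join([
        build_record(0x1000, _t("2016-03-01T10:12:00"),
                     USN_REASON_DATA_OVERWRITE | USN_REASON_CLOSE, "report.docx"),
        build_record(0x1040, _t("2016-03-01T16:58:00"), USN_REASON_CLOSE, "ntuser.dat"),
        b"\0" * 16,  # page slack
        build_record(0x1080, _t("2016-03-01T22:31:00"), USN_REASON_FILE_CREATE, "Thumbs.db"),
        build_record(0x10C0, _t("2016-03-01T22:31:07"),
                     USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "desktop.ini"),
        build_record(0x1100, _t("2016-03-02T08:04:00"), USN_REASON_DATA_OVERWRITE, "pagefile.sys"),
        build_record(0x1140, _t("2016-03-02T07:50:00"), USN_REASON_CLOSE, "report.docx"),
    ])


if __name__ == "__main__":
    for usn, name, why in audit_journal(parse_usn_records(sample_journal()), POWERED_ON):
        print(f"USN 0x{usn:x} {name}: {why}")
```

On a real case the buffer comes from the $J data stream of an image (the zero-fill skipping matters, since the stream is sparse), and the windows from the laptop's own shutdown and startup records. Two caveats belong with the result: the journal only shows writes, so a volume that was imaged or mounted read-only on the other machine leaves nothing here, and SecurityId is an index into $Secure rather than a SID, so spotting a foreign machine's SIDs needs the $Secure stream parsed alongside this.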


   
ReplyQuote
CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

If the OS isn't running how do you expect it to log anything?

Of course there is no way, and of course such a log cannot exist, though in theory the OS could log the SMART data of the hard disk (power-on cycles) at shutdown and throw a fit if at next boot it has not increased by exactly one, and besides, that could well be implemented in the BIOS or UEFI firmware.

jaclaz

Yes, that is possibly correct, but for that I should have the SMART data from before the hard disk was removed.

Thanks for your great contribution!


   
ReplyQuote
CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

Hey Folks,

Just wanted to ask you guys if there are possibilities of getting the logs of when an internal hard disk is removed from a Windows machine, and when the internal hard disk is returned into the Windows machine.

When I say internal hard disk I mean the hard disk that runs the OS.

Is there any log or event that stores these kinds of records?

Thanks.

You may find NTFS's security descriptor stream (and file system transactions, keeping an eye on the progression of LSNs/USNs, timestamps, and SIDs) quite enlightening (as we have) in this kind of scenario. In other words, focus on the file system on the drive, not your workstation's operating system. I'm assuming your priority right now is simply determining whether the drive has in fact been removed and returned to your workstation.

I recommend using Joakim Schicht's Secure2Csv, LogFileParser, and UsnJrnl2Csv.

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed

Hey Mark,

Beautiful, this makes perfect sense, so it makes more sense looking at the filesystem data rather than the OS. Will definitely try it if it comes my way.

Thanks for your recommendations!


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Beautiful, this makes perfect sense, so it makes more sense looking at the filesystem data rather than the OS.

NTFS data is of course worth a look at, though - at face value - it fails a logical test (i.e. it is well possible, but not really "making perfect sense").

I mean, if the user is hypothetically so "smart" as to remove the hard disk from the laptop and "copying data from it on another machine" (in order to leave no traces) why would he/she have actually accessed the filesystem at all [1]?

jaclaz

[1] as opposed to - say - having used a read only distro or making an image?


   
ReplyQuote
CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

Beautiful, this makes perfect sense, so it makes more sense looking at the filesystem data rather than the OS.

NTFS data is of course worth a look at, though - at face value - it fails a logical test (i.e. it is well possible, but not really "making perfect sense").

I mean, if the user is hypothetically so "smart" as to remove the hard disk from the laptop and "copying data from it on another machine" (in order to leave no traces) why would he/she have actually accessed the filesystem at all [1]?

jaclaz

[1] as opposed to - say - having used a read only distro or making an image?

There are no assumptions that the user is hypothetically "smart", but the head of IT has been told that this person has given the hard disk to someone else, which exposed some classified documents to someone else. Then the hard disk was returned to the same laptop.

The hard disk also had a "safety sticker" that breaks if someone opens up the hard disk, but that still isn't enough evidence.

So the scenario here is: could we actually "forensically" prove that the hard disk has been removed from the laptop or not?

As you said, in theory there is no difference between theory and practice, but in practice there is.


   
ReplyQuote
Page 1 / 2