Internal Hard-Disk removal logs  

CopyRight
(@copyright)
Active Member

Hey Folks,

Just wanted to ask you guys if there are possibilities of getting the logs of when an internal hard disk is removed from a Windows machine, and when the internal hard disk is returned to the Windows machine.

When I say internal hard disk, I mean the hard disk that runs the OS.

Is there any log or event that stores these kinds of records?

Thanks.

Posted : 01/03/2020 8:50 am
AmNe5iA
(@amne5ia)
Active Member

If the OS isn't running how do you expect it to log anything?

Posted : 01/03/2020 6:53 pm
athulin
(@athulin)
Community Legend

If the OS isn't running how do you expect it to log anything?

A really clever OS might discover that someone is trying to hot-swap the system drive … ;-) I can't think of a good reason why anyone would want to log that kind of event, though …

Yet, on the principle that you never know until you try, I can only recommend the OP to try it out.

Posted : 01/03/2020 7:37 pm
CopyRight
(@copyright)
Active Member

If the OS isn't running how do you expect it to log anything?

A really clever OS might discover that someone is trying to hot-swap the system drive … ;-) I can't think of a good reason why anyone would want to log that kind of event, though …

Yet, on the principle that you never know until you try, I can only recommend the OP to try it out.

There's a strict policy in an entity that a hard disk should not be removed from the work "laptop". It seems a person was suspected to have removed the hard disk, plugged it into an unknown machine and transferred confidential data, so they want to first prove that the hard disk has been removed from the work "laptop".

Thanks, everyone, for sharing your thoughts.

Posted : 04/03/2020 5:36 am
jaclaz
(@jaclaz)
Community Legend

If the OS isn't running how do you expect it to log anything?

Of course there is no way, and of course such a log cannot exist, though in theory the OS could log the SMART data of the hard disk (power-on cycles) at shutdown and throw a fit if at the next boot it has not increased by only one. Besides, that could well be implemented in the BIOS or UEFI firmware.

jaclaz

Posted : 04/03/2020 9:39 am
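The check jaclaz sketches above, written out as an added example (my code, not his, and not part of this thread): a baseline of the disk's SMART power-cycle counter is saved at power-down and compared at the next boot. The `smartctl -A`-style text, the counter values and the baseline dictionary are all constructed for the illustration.

```python
import re
from typing import Dict, Optional

# Constructed text in the layout `smartctl -A` prints; the values are made up.
SAMPLE_SMART_AT_BOOT = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4127
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       1434
"""
# Constructed baseline that the shutdown hook would have persisted. In practice it
# belongs somewhere the removed disk cannot carry with it (firmware/TPM, a server),
# otherwise whoever has the disk can rewrite the baseline too.
BASELINE_AT_SHUTDOWN = {"Power_On_Hours": 4127, "Power_Cycle_Count": 1432}

# ID, NAME, FLAG, then six columns (VALUE WORST THRESH TYPE UPDATED WHEN_FAILED), then RAW_VALUE.
ATTR_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+(?:\s+\S+){6}\s+(\d+)")

def parse_smart_attributes(text: str) -> Dict[str, int]:
    """Map attribute name -> leading integer of RAW_VALUE for each attribute row."""
    attrs: Dict[str, int] = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(2)] = int(m.group(3))
    return attrs

def check_power_cycles(baseline: Optional[Dict[str, int]], current: Dict[str, int]) -> str:
    """A clean shutdown followed by one boot adds exactly one power cycle.
    Hibernate/resume also spins the disk down and up, so the baseline must be
    refreshed on every power-down, not only on full shutdown."""
    if baseline is None:
        return "NO_BASELINE"        # first run: nothing to compare against yet
    if "Power_Cycle_Count" not in current or "Power_Cycle_Count" not in baseline:
        return "UNAVAILABLE"        # SMART not exposed through this controller/bridge
    delta = current["Power_Cycle_Count"] - baseline["Power_Cycle_Count"]
    if delta == 1:
        return "OK"
    if delta < 1:
        return "COUNTER_REGRESSED"  # a different disk, or a reset/spoofed counter
    return f"UNEXPLAINED_CYCLES:{delta - 1}"   # extra power-ups the host did not see
```

With the constructed values the disk has been powered up twice since the baseline, so the check reports one unexplained cycle.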
ArsenalConsulting
(@arsenalconsulting)
Junior Member

Hey Folks,

Just wanted to ask you guys if there are possibilities of getting the logs of when an internal hard disk is removed from a Windows machine, and when the internal hard disk is returned to the Windows machine.

When I say internal hard disk, I mean the hard disk that runs the OS.

Is there any log or event that stores these kinds of records?

Thanks.

You may find NTFS's security descriptor stream (and file system transactions, keeping an eye on the progression of LSNs/USNs, timestamps, and SIDs) quite enlightening (as we have) in this kind of scenario. In other words, focus on the file system on the drive, not your workstation's operating system. I'm assuming your priority right now is simply determining whether the drive has in fact been removed and returned to your workstation.

I recommend using Joakim Schicht's Secure2Csv, LogFileParser, and UsnJrnl2Csv.

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed

Posted : 04/03/2020 1:33 pm
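Three heuristics a defender could run over the exported journal and $Secure data Mark describes, as an added example (my code, not Arsenal Consulting's and not the output format of the tools he names): owner SIDs issued by a machine other than the laptop, journal entries stamped while the laptop's own event log shows it powered off, and timestamps that run backwards in USN order. The record fields, SIDs, timestamps and the off-window are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple

@dataclass
class JournalRecord:          # one change-journal entry from a CSV export
    usn: int                  # update sequence number, allocated monotonically
    timestamp: datetime       # stamped by whichever host had the volume mounted
    filename: str

def utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample data; field names and values are mine, not any tool's format.
LAPTOP_SID_DOMAIN = "S-1-5-21-1111-2222-3333"   # the laptop's own machine-SID prefix
RECORDS = [
    JournalRecord(1001, utc("2020-02-28T16:40:12"), "report.docx"),
    JournalRecord(1002, utc("2020-02-28T16:41:03"), "budget.xlsx"),
    JournalRecord(1003, utc("2020-02-29T03:15:44"), "report.docx"),
    JournalRecord(1004, utc("2020-02-27T22:10:00"), "budget.xlsx"),  # clock runs backwards
    JournalRecord(1005, utc("2020-03-01T08:05:31"), "notes.txt"),
]
OWNER_SIDS = [                                   # owners seen in $Secure descriptors
    "S-1-5-21-1111-2222-3333-1001",
    "S-1-5-21-9999-8888-7777-500",               # another machine's local Administrator
]
# Constructed: the laptop's own event log shows it powered off during this window.
HOST_OFF = [(utc("2020-02-28T18:00:00"), utc("2020-03-01T08:00:00"))]

def foreign_sids(sids: Iterable[str], own_domain: str) -> List[str]:
    """Account SIDs (S-1-5-21-a-b-c-rid) whose a-b-c part is not the laptop's own."""
    return [s for s in sids
            if s.startswith("S-1-5-21-") and s.rsplit("-", 1)[0] != own_domain]

def activity_while_host_off(recs: Iterable[JournalRecord],
                            windows: List[Tuple[datetime, datetime]]) -> List[int]:
    """USNs stamped inside a window when the host OS was not running."""
    return [r.usn for r in recs if any(a <= r.timestamp <= b for a, b in windows)]

def clock_regressions(recs: Iterable[JournalRecord],
                      tolerance: timedelta = timedelta(minutes=1)) -> List[int]:
    """USNs whose timestamp runs backwards in USN order: another clock wrote that
    stretch, or the host clock was changed; corroborate before concluding either."""
    out, prev = [], None
    for r in sorted(recs, key=lambda r: r.usn):
        if prev is not None and r.timestamp < prev.timestamp - tolerance:
            out.append(r.usn)
        prev = r
    return out
```

Each heuristic alone is circumstantial; the case gets stronger when the same stretch of USNs is flagged by more than one of them.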
CopyRight
(@copyright)
Active Member

If the OS isn't running how do you expect it to log anything?

Of course there is no way, and of course such a log cannot exist, though in theory the OS could log the SMART data of the hard disk (power-on cycles) at shutdown and throw a fit if at the next boot it has not increased by only one. Besides, that could well be implemented in the BIOS or UEFI firmware.

jaclaz

Yes, that is possibly correct, but for that I should have the SMART data before the hard disk is removed.

Thanks for your great contribution!

Posted : 05/03/2020 5:45 am
CopyRight
(@copyright)
Active Member

Hey Folks,

Just wanted to ask you guys if there are possibilities of getting the logs of when an internal hard disk is removed from a Windows machine, and when the internal hard disk is returned to the Windows machine.

When I say internal hard disk, I mean the hard disk that runs the OS.

Is there any log or event that stores these kinds of records?

Thanks.

You may find NTFS's security descriptor stream (and file system transactions, keeping an eye on the progression of LSNs/USNs, timestamps, and SIDs) quite enlightening (as we have) in this kind of scenario. In other words, focus on the file system on the drive, not your workstation's operating system. I'm assuming your priority right now is simply determining whether the drive has in fact been removed and returned to your workstation.

I recommend using Joakim Schicht's Secure2Csv, LogFileParser, and UsnJrnl2Csv.

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed

Hey Mark,

Beautiful, this makes perfect sense, so it makes more sense looking at the filesystem data rather than the OS. Will definitely try it if it comes my way.

Thanks for your recommendations!

Posted : 05/03/2020 5:47 am
jaclaz
(@jaclaz)
Community Legend

Beautiful, this makes perfect sense, so it makes more sense looking at the filesystem data rather than the OS.

NTFS data is of course worth a look, though - at face value - it fails a logical test (i.e. it is well possible, but not really "making perfect sense").

I mean, if the user is hypothetically so "smart" as to remove the hard disk from the laptop and "copy data from it on another machine" (in order to leave no traces), why would he/she have actually accessed the filesystem at all [1]?

jaclaz

[1] as opposed to - say - having used a read only distro or making an image?

Posted : 05/03/2020 7:31 am
CopyRight
(@copyright)
Active Member

Beautiful, this makes perfect sense, so it makes more sense looking at the filesystem data rather than the OS.

NTFS data is of course worth a look, though - at face value - it fails a logical test (i.e. it is well possible, but not really "making perfect sense").

I mean, if the user is hypothetically so "smart" as to remove the hard disk from the laptop and "copy data from it on another machine" (in order to leave no traces), why would he/she have actually accessed the filesystem at all [1]?

jaclaz

[1] as opposed to - say - having used a read only distro or making an image?

There are no assumptions that the user is hypothetically "smart", but the head of IT has been told that this person has given the hard disk to someone else, which exposed some classified documents to someone else. Then the hard disk was returned to the same laptop.

The hard disk also had a "safety sticker" that would break if someone opened up the hard disk, but that still isn't enough evidence.

So the scenario here is: could we actually "forensically" prove that the hard disk has been removed from the laptop or not?

As you said, in theory there is no difference between theory and practice, but in practice there is.

Posted : 05/03/2020 10:28 am
jaclaz
(@jaclaz)
Community Legend

There are no assumptions that the user is hypothetically "smart", but the head of IT has been told that this person has given the hard disk to someone else, which exposed some classified documents to someone else. Then the hard disk was returned to the same laptop.

The hard disk also had a "safety sticker" that would break if someone opened up the hard disk, but that still isn't enough evidence.

So the scenario here is: could we actually "forensically" prove that the hard disk has been removed from the laptop or not?

As you said, in theory there is no difference between theory and practice, but in practice there is.

Yep, but if (when) we are trying to make a (logical) theory, the logic must be the same.

IF the user took the hard disk out of the laptop, he/she needed
a. (possibly, it may depend on specific models) a screwdriver
b. a not difficult (but not at all "easy" or "common") knowledge of how to disconnect the hard disk and later re-connect it properly

Since in order to simply copy some contents from a laptop there are at least three ways (in order of increasing complexity AND decreasing risk of leaving digital forensic traces):
1) simply copy the data from the booted OS to a USB device (or send it as an attachment to an e-mail, or upload it to some http or ftp site, etc.)
2) use a bootable external OS (IF it is possible to boot the laptop to an external OS) to do the above
3) physically disconnect the hard disk, do *something* with it then reconnect it

IF the most complex #3 was chosen/adopted THEN there must be a reason.

Two possible reasons (among the many)
r.1) the user is "smart" and uses a more complex procedure in order to avoid leaving digital traces
r.2) the user is (very) "dumb" and either knows nothing about the simpler options #1 and #2 or has a masochistic attitude to choose more difficult options.

I was exploring possibility #r.1.

jaclaz

Posted : 05/03/2020 11:03 am