Sunday, October 11, 2015

Detecting Surreptitious Drive Access

Many years ago someone told me that there was no way to detect the surreptitious imaging of a hard drive. This idea is reinforced in forensics classes that remind you to use a write-blocker during imaging to guarantee that nothing is changed on the drive. I believed that for a while, but then really focused on what possible changes would happen to drives that are being imaged. I finally discovered what I was looking for: SMART.