Last week I was probably a little more annoyed than I should have been. I read an article (later to find it was an advertisement) on the DFINews website that said that “groundbreaking” research had been conducted resulting in finding data on a drive that determines how long the drive has been in use, how many times it has been power cycled, etc.
My immediate response was that this was completely insane. This is neither new or groundbreaking. We check SMART data frequently in our lab and have done for some time. SMART data is used to determine the health status of a drive. It records many things including those items above. Part of the reason that we check for this is in the following two stories.
When working at Disklabs we were asked to work on an unusual project. The start of this story is pretty familiar to most forensicators; woman leaves company for a competitor, woman is suspected of taking company documents/secrets, but there’s a twist…
The woman, an IT professional, handed in her notice on Friday afternoon, right at the close of day. When everyone arrived at work on Monday morning the server was powered down. When they tried to boot it there was an ominous message “Operating system not found”. After checking access logs they found that the former employee had used her swipe card to enter the building over the weekend. No, they hadn’t revoked her access. Not a mistake they’ll make again, I wager.
We conducted analysis on the server. There was NOTHING. No data of any description. Every single byte on every single drive was empty. This wasn’t a simple deletion of data, it was as if all of the drives had been completely wiped. We were about to tell the client that we were unable to recover any of their data when I decided to follow a hunch and check the SMART data of the drives. My hunch paid off. The drives all appeared to have been running for only a few hours each. They had also only been powered on a handful of times. How could this be? This was a server that had been in use for two years, surely the SMART data hadn’t cycled already. No, this wasn’t possible. I came to the conclusion that the drives were not the originals.
A court order was issued and the original drives were discovered at the woman’s house. Not only had she decided to take data with her, she had decided to try to cripple her former employer. Unfortunately this backfired in a big way.
The second story is another personal experience.
We received a drive from a client. Same story yet again. Someone had left the company on less than favorable terms and was joining a competitor. They wanted to know if he had tried to exfiltrate company data. The drive was clean. There was a Windows installation, a user profile, and company documents. There was normal browser and email activity going back a few months, but that was it. No USB history, no cloud storage, no sending the files out via email. Finally, the unallocated space was empty. Completely empty. I checked for evidence of anti-forensic software being employed. Still nothing. This guy, it appeared, had done nothing wrong. The lack of any data in the unallocated space, however, was highly suspicious. Once again I decided to look at the SMART data. Once again I found that the drive had only seen limited use.
When the company lawyer contacted the guy, threatening legal action, he soon caved and brought back the original drive from the computer. Once we had this in our hands we found extensive use of a USB hard drive the day before he left. The drive contained files not only from the computer, but many files from the company server. He admitted to using Norton Ghost to clone the drive and then putting the clone in his computer before returning it.
While these might be quite uncommon occurrences, it does sometimes pay to review the SMART data of a drive. You may find something useful that will help you to explain something strange.