Determining if a hard disk has been removed and data copied from it?

Is there a method or a tool that can detect if someone has separated my hard disk from my computer, copied data from it, and returned it back?

I want to be sure that no one has done this without my knowledge, but I’m not sure how to do this.

  • Note: I use Deep Freeze.


The use of Deep Freeze is irrelevant in this situation.

If they are semi-competent, they will use a read-only interface.

The last access timestamp will only be changed if they are using a read and write interface. Turning off the write interface is trivial. This is what forensics does. They never put an original drive in a read/write interface. Always in a read only. Then they make a working copy. All without altering a single bit on the original drive.

Your best bet is using disk encryption like BitLocker or TrueCrypt.


Thanks a lot, but could you clarify what you mean by read and write interface, please?

Devices like these . . .

They physically block write access to a drive. Often used in forensics/HD recovery for legal and practical reasons, like the Amanda Knox case.

Everyone seems to be going for full disc encryption, which certainly has its merits for securing your data but doesn’t address the question of telling if someone’s been in your machine and monkeying with your hard drive.

For that simple task, find a pack of the irritatingly sticky plain labels which, once stuck, tear instead of coming off cleanly, sign your name on it and stick it over one of the screws holding your HDD in place (don’t forget to clean the dust off first for a good bond). Not quite on the same scale as the manufacturer’s tamper-evident seals but should prove sufficient to prevent anyone removing the hard drive without your knowledge. This means they either have to break the label, which alerts you to the fact, or pull the wires out of the hard drive then mount it on a laptop, forcing them to spend more time with your case open looking very suspicious!

Also, it’s worth checking the back of your PC for a padlock attachment point: simple, fairly secure and effective.

Neither makes it impossible to get at your data but both add a significant level of inconvenience and force the attacker to either act overtly (ripping labels and bolt cutters to the padlock) or spend a lot more time monkeying with your PC and at risk of detection.

To discover tampering at a physical level, you could use something like Torque Seal on your drive’s mounting hardware or the data cable connection. It is a lacquer that dries brittle so any tampering will crack and break the glob you installed on the hardware. It’s used to make sure things like nuts and bolts on helicopters haven’t moved and are still torqued to spec.

S.M.A.R.T. attributes may help in determining if the disk has been tampered with between two intervals. These attributes, on Linux, can be queried with “smartctl -a /dev/sda”.

The simplest attribute for that is probably Power_Cycle_Count. When you power up the computer, this will be one more than the value when it was last shut down. So, by remembering this value before you shut down, and checking it when you power up next time, you can determine if the disk has been powered up in between.
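The Power_Cycle_Count comparison described above, as an added example (not code from the original post): it parses the attribute table printed by `smartctl -a` and flags any power cycle beyond your own power-up. The sample table is constructed, the script name and argument order are assumptions, and the parser assumes the ATA attribute-table layout.

```python
import re
import subprocess
import sys

# Constructed sample of the attribute table from `smartctl -a` (not from a real disk).
SAMPLE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4213
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       1187
"""


def raw_attributes(smart_output):
    """Return {attribute_name: raw integer value} from the attribute table."""
    attrs = {}
    for line in smart_output.splitlines():
        fields = line.split()
        # Attribute rows have at least 10 columns and start with a numeric ID.
        if len(fields) >= 10 and fields[0].isdigit():
            m = re.match(r"\d+", fields[9])
            if m:
                attrs[fields[1]] = int(m.group())
    return attrs


def check_power_cycles(baseline, current_output):
    """Compare the count noted before shutdown with the value seen after power-up."""
    now = raw_attributes(current_output).get("Power_Cycle_Count")
    if now is None:
        return "unknown: drive does not report Power_Cycle_Count"
    extra = now - baseline - 1  # your own power-up accounts for exactly one
    if extra == 0:
        return "ok"
    if extra > 0:
        return f"alert: {extra} unexplained power cycle(s)"
    return "alert: counter did not advance past the baseline (wrong disk or wrong baseline)"


if __name__ == "__main__":
    # Assumed usage: sudo python3 cyclecheck.py /dev/sda 1187
    device, noted = sys.argv[1], int(sys.argv[2])
    # smartctl's exit status is a bitmask, so a non-zero status is not treated as an error.
    out = subprocess.run(["smartctl", "-a", device],
                         capture_output=True, text=True).stdout
    print(check_power_cycles(noted, out))
    print("note before next shutdown:", raw_attributes(out).get("Power_Cycle_Count"))
```

Keep the noted value somewhere other than the disk being checked, such as on paper, and note it again immediately before each shutdown.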
