Is it possible to prove that a hard drive was within a certain PC?


I have a situation in which a person has been accessing confidential information from another PC which they shouldn't have accessed and stored the acquired information on their own PC.

Since all of the computers are within my jurisdiction, I am the one responsible for any information leaks and, since I don't know whether that person is going to misuse the information, I could copy/clone/seize their hard drive to serve as proof that they stole and had that info on their PC should they try to e.g. sell that info to the competition.

What I'm interested in: if the information ends up in the competition's hands, I will know for certain they did it, but can I prove it by showing that the original drive was inside their PC? Are there traces that could link that hard drive to their PC, e.g. motherboard/CPU configuration, user name etc., or would that be dismissed under the argument that I could've written that info to the disk?

user571607

Posted 2016-03-16T17:44:48.343


I presume you want to confirm the HDD was installed in a computer assigned to you, and both are assets, inventoried by you? You should have a record that they were assigned the computer; simply taking note of the serial of the HDD inside that computer currently should do the trick. Most programs like Speccy will provide you the serial number of the HDD; they will also indicate the license for Windows. Both should be something that is part of your inventory information. When an employee is assigned a computer, you make them sign a document that they received the computer, which includes the HDD – Ramhound – 2016-03-16T18:04:10.753

You are on the point, but I want it to be indisputable whether I have tampered with the disk. They could for example say that I put the disk in another PC and wrote to it. Could I seize the PC and have undeniable proof that the HDD was written to only by their PC? – None – 2016-03-16T18:44:50.197

You inventory the hardware in the PC. You then have the employee sign the inventory slip. You do this for every employee, or just them; they can't argue at that point. Once signed, seize the hardware, and make a byte-to-byte copy of the HDD. For what other things you can do, seek the advice of a lawyer; I am hesitant to go into deeper detail for that reason. – Ramhound – 2016-03-16T18:47:58.460

Yes, but we're a small team and have operated without that up until now. If I ask them to sign a new document, they may be aware of the way I am going and refuse that, leaving me without the preemptive action I am trying to take now: have proof before they try to do something with the data.

Is there a way to read from the disk what other components were in that PC or something like that? – None – 2016-03-16T18:49:55.230

You should seek the advice of a lawyer. – Ramhound – 2016-03-16T19:00:27.597

To cut to the chase though: if there is a way to find (read) such traces, there is a way to falsify (write) them as well. – Yorik – 2016-03-16T19:22:32.763

Not sure of the legality, but have you considered deleting the info from their PC? – barlop – 2016-03-16T20:56:29.407

Maybe this should be in http://security.stackexchange.com/ – Hermann Ingjaldsson – 2016-03-16T23:09:29.387

I can't reiterate @Ramhound's advice strongly enough - chain of custody issues and what qualifies as evidence are not something people can advise you on here - even less so without knowing your jurisdiction. I would imagine you could sometimes prove this to a "preponderance of the evidence" standard, but not to a "beyond reasonable doubt" standard - in some cases. Also, would you not be better off watermarking images or using phrases or particular words to create "signatures" ON DOCUMENTS which you register with a lawyer or similar officer of the court, to enable later verification? – davidgo – 2016-03-16T23:26:45.703

"I will know for certain they did it" - you don't know anything other than that the competition has the files. Saying someone stole data without real evidence is slander. – Keltari – 2016-03-17T00:21:34.950

Answers


It can't really be proven, sorry.

When a hard drive is connected to a computer as a data drive, nothing is going to be written to it unless the user explicitly puts something there. Even if the user did write to it, no file system I'm aware of records any sort of hardware-specific information in the change journals.

If the computer booted the drive, things are slightly different. (Windows-specific information up ahead.) Driver installations are logged, but then you'd only be able to guess what kind of machine the drive was in based on what drivers and PnP IDs were in play. It is conceivable that Windows troubleshooting/telemetry programs recorded hardware-specific data and wrote them to disk, but there's no way to prove that they're accurate. After all, you could have faked the on-disk data (or fiddled with the data collector, if you're clever).

Even things that might seem to contain machine-specific information (like some places in the Registry) really only contain information specific to the OS installation. The machine SID is a good example of such data.

You could write a program that, on machine startup, records a lot of information like motherboard serial number and MAC address, but again, even if you're convinced the drive was there, you can't without-a-doubt prove that the collected data is real.

Ben N

Posted 2016-03-16T17:44:48.343

Reputation: 32 973

It isn't hard to prove a drive was in a machine; you just have to track the serial number of the HDD to the serial number of the machine. If you did this for all your machines, then you would know where every single one of your HDDs was. Of course this can't prove a file came from HDD A, though, unless you totally change how you protect your files and digitally sign each copy of them with unique information tied to the user accessing it. Everything stated in this answer is also correct, though. – Ramhound – 2016-03-17T02:00:42.020
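As an added example (not code from the question or the answer), the two things the answer talks about, in PowerShell: a startup script that records the identifiers tying the boot disk to the chassis it is currently in (board serial, BIOS serial, system UUID, disk serial, physical MACs), and a reader for the one on-disk trace the answer says Windows does leave, the PnP hardware IDs in setupapi.dev.log on a seized drive. It assumes Windows 8 or later with the Storage and NetAdapter modules, an elevated session for the live record, and the seized drive mounted read-only; every path below is hypothetical.

```powershell
# Added example, not part of the original post.
# Get-HardwareRecord   - live machine: write a dated JSON record of hardware IDs
#                        and return its SHA-256 (what the answer's "startup
#                        program" would log).
# Get-DeviceInstallIds - seized drive: list the PnP hardware IDs Windows wrote
#                        to setupapi.dev.log when it installed drivers.
# Assumptions: Windows 8+/PowerShell 5, run elevated; paths are hypothetical.

function Get-HardwareRecord {
    [CmdletBinding()]
    param(
        # Output location; hypothetical path.
        [string]$OutFile = "$env:ProgramData\hw-inventory\$env:COMPUTERNAME-$((Get-Date).ToString('yyyyMMdd-HHmmss')).json"
    )

    # The disk Windows booted from (Get-Disk exposes IsBoot and SerialNumber).
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1

    $record = [ordered]@{
        CollectedAtUtc   = (Get-Date).ToUniversalTime().ToString('o')
        ComputerName     = $env:COMPUTERNAME
        BoardSerial      = (Get-CimInstance Win32_BaseBoard).SerialNumber
        BiosSerial       = (Get-CimInstance Win32_BIOS).SerialNumber
        SystemUuid       = (Get-CimInstance Win32_ComputerSystemProduct).UUID
        BootDiskModel    = $bootDisk.FriendlyName
        BootDiskSerial   = "$($bootDisk.SerialNumber)".Trim()   # may be empty on VMs
        BootDiskUniqueId = $bootDisk.UniqueId
        PhysicalMacs     = @(Get-NetAdapter -Physical | Select-Object -ExpandProperty MacAddress)
        # Installation-specific rather than machine-specific (the answer's point
        # about the machine SID applies here too); it ties the OS install to the disk.
        MachineGuid      = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography').MachineGuid
    }

    New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
    $record | ConvertTo-Json -Depth 3 | Set-Content -Path $OutFile -Encoding UTF8

    # The hash only lets you detect later edits to this file. It does not show the
    # values were true when written: anyone with admin rights (including you) could
    # have written anything, which is exactly the answer's objection. Sending the
    # hash off the box at collection time (log server, time-stamped mail to a third
    # party) narrows the window in which it could have been fabricated, nothing more.
    $sha256 = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    [pscustomobject]@{ File = $OutFile; Sha256 = $sha256; Record = $record }
}

function Get-DeviceInstallIds {
    [CmdletBinding()]
    param(
        # setupapi.dev.log from the seized drive, e.g. E:\Windows\inf\setupapi.dev.log (hypothetical).
        [Parameter(Mandatory)][string]$LogPath
    )
    # Each driver install starts with a header such as
    # >>>  [Device Install (Hardware initiated) - PCI\VEN_8086&DEV_1C02&SUBSYS_...\3&11583659&0&FA]
    # followed by ">>>  Section start 2016/03/16 10:22:33.123".
    $pattern = '^>>>\s+\[Device Install \([^\]]*?\) - (?<id>[^\]]+)\]'
    Get-Content -Path $LogPath | ForEach-Object {
        if ($_ -match $pattern) { $Matches['id'] }
    } | Sort-Object -Unique
}
```

Run `Get-HardwareRecord` from a scheduled task triggered at startup and compare `BootDiskSerial` and `BoardSerial` against the asset inventory Ramhound describes; run `Get-DeviceInstallIds -LogPath 'E:\Windows\inf\setupapi.dev.log'` against the byte-for-byte image and compare the `PCI\VEN_...` and `USB\VID_...` IDs with the hardware in the seized PC. Both give you a consistency check between drive and chassis, which is what the question asks for; neither turns into proof against the "you could have written that yourself" objection, for the reason the answer and Yorik's comment give.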