05-20-2011 #1 (Just Joined!, joined Jan 2011, 8 posts)
method to tell if a drive has been mounted/read?
This is kind of an unusual question, hopefully the experts here can help.
Recently, our company shipped a hard drive (unencrypted, EXT3 with noatime set) and we have reason to believe that the drive may have been read/copied without authorization.
Is there a way to check if data from the drive was read/copied since we dismounted it from the server it was attached to. We know the exact time of the dismount.
I know there are ways of reading/copying the drive without leaving any trace, but assuming it was done very naively, what is the best procedure for me to check to see if there was unauthorized access?
05-20-2011 #2 (Just Joined!, joined Mar 2011, 6 posts)
I believe checking to see the last accessed time on a file would be best, but it will only work (I believe) if you haven't accessed the file since.
Also, I don't know if it works the same if the file is accessed outside of the operating system (not so sure on that).
Use the "stat" command:
Code:
stat /path/to/file
As far as a 1-to-1 copy without leaving a trace, I am sure it can be done, and I'm sure it's very easy to do. I think inside Linux, dd would do the trick.
05-20-2011 #3 (Linux Guru, joined May 2011, 1,843 posts)
Check out the -amin, -atime and -used arguments to the GNU find command.
In any case, be sure you mount your drive readonly, e.g.:
Code:
mount -o ro /dev/sdb1 /mnt/mount/
I'm assuming mounting it read-only will mean that access time will not be modified anyway, I'm not really sure, so be warned.
If you really want to preserve the disk in its current state first, before diagnosing, use dd to clone it to another drive or to an image.
Note: if they actually BOOTED the drive (which would be REALLY naive), then it'd be easy - look in /var/log/messages for the last boot time, e.g.:
Code:
cat /mnt/mount/var/log/messages | grep 'syslogd.*restart'
05-20-2011 #4 (Linux Guru, joined Apr 2009, 8,974 posts; location: "I can be found either 40 miles west of Chicago, or in a galaxy far, far away.")
If they just did a bit copy of the drive or partitions without mounting/reading the file system directly, then you can't tell. If they did access any directories on the disc, then since the diratime option is set on by default (unless you also set nodiratime as well as noatime), you could tell if the file system were read. However, as I said, if someone were to do a bit copy without mounting/reading the file system via normal tools, then you are SOL as they would be able to loop mount the bit copy file after returning the drive to you. This is what computer forensics people do (or at least should) so they don't "contaminate" the evidence of the actual physical device.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!