Computer Security - A Handy Trick

12-29-2008, 07:52 PM

The following handy trick is useful for anyone who does not have
bombproof continuous control and custody of his computer. It is
extremely easy to do and will protect you against all but top-level TLAs.
In fact, like any good magician's trick it will be "obvious" - but only
after it has been explained

Many of us have only intermittent control and custody of "our" computer
at work or even at home (e.g., we leave for work or school with the
computer protected only by the low-grade lock on our front door). The
next best thing to preventing unauthorized access to our computer is
tamper indication that it has been messed with. Forewarned is forearmed.
Here's how to achieve it:

Every modern hard drive today supports SMART reporting (maximum disk
temperatures, seek errors, etc.). But the most useful parameters are
these: start/stop count, drive power cycle count, power-on time count.
There are any number of utilities out there which will report this
information for your HDs.

To protect yourself, record these values just before ending a session,
and compare them with the values at the start of your next session (you
can automate this with scripts, etc.). If the drive power cycles are up
by more than 1, someone has fired up your machine in your absence. If
the power-on hours are up by a large amount someone has had an extended
session, possibly including making an image of your drive.

Note that while all standard forensic acquisition tools (Encase, etc.)
try to "preserve state" by not writing to a drive, none can prevent these
automatic SMART writes! The SMART info is written to a portion of the
disk not accessible to ordinary users - drive-specific manufacturer
commands are needed to write it. Only TLAs are likely to be aware of this
trick and have the resources to manipulate the SMART data to thwart it.
(Incidentally, SMART does have a "disable" command but almost no drives
obey it!)

It's not a complete or foolproof solution, of course, but it is a handy
tool to add to your security/privacy toolbox.

Regards,

nemo_outis

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
This Guy shows a SEO trick to beat Pay Per Click	ayt46g6b	A+ Certification	0	01-17-2008 03:47 AM
Easily Restart Windows XP. -- Trick	Abbas	Software	0	08-29-2006 03:12 PM
Blockbuster rental trick or Rude BB employee	wasteofcarbon@yahoo.com	DVD Video	21	04-17-2006 09:35 PM
Re: POSSESSION and the latest annoying DVD trick	Doonie	DVD Video	0	08-31-2003 08:56 PM

12-29-2008, 07:52 PM	#1
	A Handy Trick The following handy trick is useful for anyone who does not have bombproof continuous control and custody of his computer. It is extremely easy to do and will protect you against all but top-level TLAs. In fact, like any good magician's trick it will be "obvious" - but only after it has been explained Many of us have only intermittent control and custody of "our" computer at work or even at home (e.g., we leave for work or school with the computer protected only by the low-grade lock on our front door). The next best thing to preventing unauthorized access to our computer is tamper indication that it has been messed with. Forewarned is forearmed. Here's how to achieve it: Every modern hard drive today supports SMART reporting (maximum disk temperatures, seek errors, etc.). But the most useful parameters are these: start/stop count, drive power cycle count, power-on time count. There are any number of utilities out there which will report this information for your HDs. To protect yourself, record these values just before ending a session, and compare them with the values at the start of your next session (you can automate this with scripts, etc.). If the drive power cycles are up by more than 1, someone has fired up your machine in your absence. If the power-on hours are up by a large amount someone has had an extended session, possibly including making an image of your drive. Note that while all standard forensic acquisition tools (Encase, etc.) try to "preserve state" by not writing to a drive, none can prevent these automatic SMART writes! The SMART info is written to a portion of the disk not accessible to ordinary users - drive-specific manufacturer commands are needed to write it. Only TLAs are likely to be aware of this trick and have the resources to manipulate the SMART data to thwart it. (Incidentally, SMART does have a "disable" command but almost no drives obey it!) It's not a complete or foolproof solution, of course, but it is a handy tool to add to your security/privacy toolbox. Regards, nemo_outis