«

The following handy trick is useful for anyone who does not have
bombproof continuous control and custody of his computer. It is
extremely easy to do and will protect you against all but top-level TLAs.
In fact, like any good magician's trick it will be "obvious" - but only
after it has been explained

Many of us have only intermittent control and custody of "our" computer
at work or even at home (e.g., we leave for work or school with the
computer protected only by the low-grade lock on our front door). The
next best thing to preventing unauthorized access to our computer is
tamper indication that it has been messed with. Forewarned is forearmed.
Here's how to achieve it:

Every modern hard drive today supports SMART reporting (maximum disk
temperatures, seek errors, etc.). But the most useful parameters are
these: start/stop count, drive power cycle count, power-on time count.
There are any number of utilities out there which will report this
information for your HDs.

To protect yourself, record these values just before ending a session,
and compare them with the values at the start of your next session (you
can automate this with scripts, etc.). If the drive power cycles are up
by more than 1, someone has fired up your machine in your absence. If
the power-on hours are up by a large amount someone has had an extended
session, possibly including making an image of your drive.

Note that while all standard forensic acquisition tools (Encase, etc.)
try to "preserve state" by not writing to a drive, none can prevent these
automatic SMART writes! The SMART info is written to a portion of the
disk not accessible to ordinary users - drive-specific manufacturer
commands are needed to write it. Only TLAs are likely to be aware of this
trick and have the resources to manipulate the SMART data to thwart it.
(Incidentally, SMART does have a "disable" command but almost no drives
obey it!)

It's not a complete or foolproof solution, of course, but it is a handy
tool to add to your security/privacy toolbox.

Regards,