1. Field of the Invention
The invention described herein relates to information security and in particular relates to detecting access to memory media.
2. Background Art
Hard disk drives are found in most modern computers. Such devices are capable of storing enormous amounts of data including, inter alia, sensitive, proprietary, confidential or otherwise non-public information. Loss of hard disks or computers containing these devices can occur as a result of theft or negligence. Such loss can expose the hard drive data to unauthorized people or processes. This risk is particularly significant with respect to laptop, notebook, tablet and other forms of portable computers.
In the event that a lost or stolen computer containing a hard drive is subsequently recovered, it may be desirable to know whether the hard drive had been accessed while it was out of the owner's control. Such access may be indicative of a security breach. This information would be particularly relevant in highly sensitive contexts (e.g. government intelligence work or corporate intellectual property development).
Access may be detected if the hard drive was accessed by the computer in which it was installed (i.e., the host computer). Boot processes of current hard drives change file system metadata and record a variety of additional data, such as the date and time of the last shut down. Such events (e.g., start up, boot processing, and shut down) are detectable using widely available digital forensic tools and techniques. Currently, however, there is no forensic method available to detect whether or not a hard drive has been accessed using a read-only connection to the hard drive. Such access would leave no indication on the hard drive that it had been accessed after the last shut down is recorded.
There is a need, therefore, for a system and method that allow analysis to be performed on the activity of a hard disk drive in order to assess whether the hard disk has been accessed through a read-only connection.
Further embodiments, features, and advantages of the present invention, as well as the operation of the various embodiments of the present invention, are described below with reference to the accompanying drawings.