Training
Featured CourseView All Courses

SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

SEC595Cyber Defense, Artificial Intelligence
SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
View course detailsRegister
Get a Free Hour of SANS Training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
NEW - AI Security Training
Can't find what you are looking for?

Let us help.

Contact us
Community Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

AI Risk & Readiness

Explore expert-driven guidance, training, and tools to help defend against AI-powered threats and adopt AI securely.

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk With an Expert
Talk With an Expert

No-Cost Detection of Endpoint Hard Drive Removal

Login to download
No-Cost Detection of Endpoint Hard Drive Removal (PDF, 42.71MB)Published: 19 Nov, 2025
Created by:
Ryan A. Graham

Most organizations today cannot detect if an end user removes their laptop's hard drive, connects it externally, steals data, then reinstalls the drive. While solutions exist today, such as tamper-evident tape, tamper protection BIOS settings, or forensic tools to identify drive activity artifacts, none provide real-time alerts when a drive has been removed and externally connected.

This paper analyzes low-cost detection methods, using existing hard drive counters from Self-Monitoring, Analysis, and Reporting Technology (S.M.A.R.T.) and the Windows Registry, for their fidelity in detecting hard drive removal. Since these counters capture the number of times a drive is powered on, they could be monitored for anomalies upon system boot, providing a cost-effective detection mechanism against insider threats.

Additional Resources

Automating Generative AI Guidelines: Reducing Prompt Injection Risk with 'Shift-Left' MITRE ATLAS Mitigation Testing

WhitepaperArtificial Intelligence
  • 7 Nov 2025

Can Your Security Stack Handle AI? An Empirical Assessment of Enterprise Controls Versus Generative AI Risks

WhitepaperArtificial Intelligence
  • 6 Nov 2025

Evaluating Large Language Models for Automated Threat Modeling: A Comparative Analysis

WhitepaperArtificial Intelligence
  • 6 Nov 2025

Modernizing OT Security: How Frenos Uses Digital Twin Technology, AI and Threat Emulation to Transform Security Posture and Compliance

WhitepaperArtificial Intelligence
  • 28 Oct 2025
  • Jason Dely, Tim Conway

Own AI Securely: The SANS Secure AI Blueprint

WhitepaperArtificial Intelligence
  • 9 Sep 2025
  • Rob T. Lee

Securing The Cloud: Persistent Challenges, Emerging Threats, and The Rise of AI Defense

WhitepaperArtificial Intelligence
  • 9 Sep 2025
  • Dr. Anton Chuvakin, Dr. Paul Vixie, Frank Kim, Simon Vernon, Brandon Evans, Dave Shackleford, Wesley Kuzma

Related Courses

  • Slide 1 of 7

    SEC545: GenAI and LLM Application Security

    newAI-FOCUSEDAdvanced
    SEC545Cloud Security, Artificial Intelligence
    SEC545: GenAI and LLM Application Security
    • 3 Days (Instructor-Led)
    • 18 CPEs / 18 Hours (Self-Paced)
    • Labs: 11 Hands-On Labs

    View course detailsRegister
  • Slide 2 of 7

    SEC411: AI Security Principles and Practices: GenAI and LLM Defense

    newAI-FOCUSEDIntermediate
    SEC411Cyber Defense, Artificial Intelligence
    SEC411
    • 14 CPEs / 14 Hours (Self-Paced)
    • Labs: 3 Hands-On Labs

    View course detailsRegister
  • Slide 3 of 7

    SEC495: Leveraging LLMs: Building & Securing RAG, Contextual RAG, and Agentic RAG

    AI-FOCUSEDEssentials
    SEC495Cyber Defense, Artificial Intelligence
    SEC495: Leveraging LLMs: Building & Securing RAG, Contextual RAG, and Agentic RAG
    • 7 CPEs / 7 Hours (Self-Paced)

    View course detailsRegister
  • Slide 4 of 7

    FOR563: Applied AI for Digital Forensics and Incident Response: Leveraging Local Large Language Models

    newAI-FOCUSEDIntermediate
    FOR563Digital Forensics and Incident Response, Artificial Intelligence
    FOR509: Enterprise Cloud Forensics and Incident Response
    • 1 Day (Instructor-Led)
    • 6 CPEs / 6 Hours (Self-Paced)
    • Labs: 4 Hands-On Labs

    View course detailsRegister
  • Slide 5 of 7

    SEC598: AI and Security Automation for Red, Blue, and Purple Teams

    Major UpdatesAI-FOCUSEDIntermediate
    SEC598Offensive Operations, Artificial Intelligence
    SEC598: AI and Security Automation for Red, Blue, and Purple Teams
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 25 Hands-On Labs

    View course detailsRegister
  • Slide 6 of 7

    SEC535: Offensive AI - Attack Tools and Techniques

    newAI-FOCUSEDIntermediate
    SEC535Offensive Operations, Artificial Intelligence
    SEC535: Offensive AI - Attack Tools and Techniques
    • 3 Days (Instructor-Led)
    • 18 CPEs / 18 Hours (Self-Paced)
    • Labs: 14 Hands-On Labs

    View course detailsRegister
  • Slide 7 of 7

    SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

    AI-FOCUSEDAdvanced
    SEC595Cyber Defense, Artificial Intelligence
    SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
    • GIAC Machine Learning Engineer (GMLE)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 30 Hands-On Labs

    View course detailsRegister
No-Cost Detection of Endpoint Hard Drive Removal | SANS Institute