smartmonster S.M.A.R.T. Monster Only Notices Surreptitious Tampering Events Retroactively "An anti-forensic reboot, disk access, and basic tamper detector" This set of scripts is written with the express purpose of detecting changes in the bootable file system, with the unencrypted block device used for booting, with S.M.A.R.T. data provided by your drives, and other interesting data points. This software assumes that your /boot is unencrypted and that everything else is encrypted with full disk encryption; it also assumes that your hard disk is a spinning platter with S.M.A.R.T. support - this may also function with SSD storage devices but is as of yet untested. We also assume that you layer your file system encryption with something like eCryptFS for use after the full disk encryption has been unlocked. Anything less will allow an attacker to simply log your main encryption key and leak it through a covert channel, such as attempting to join a wireless network with your key as the ESSID. Detection of such an event after the fact may be too late. This is of course entirely imperfect and still worth exploring.