Forensic Analysis of the Stolen VA Database
An anonymous reader writes "As you have probably heard, the FBI has recovered the stolen Veteran's Administration laptop. The FBI even said "A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen." This article looks at what the FBI forensic lab is doing to determine the sensitive information hasn't been accessed and how the thieves might have covered their tracks — thereby rendering the forensic results useless."
Wow, the FBI discovered MAC times. (Score:5, Insightful)
Re:Wow, the FBI discovered MAC times. (Score:2, Interesting)
Well, if you'd RTFA then you would have known that they combine it with physical evidence (fingerprints on the drive itself, as well as on areas such as the CD eject button and whatever keys you use to get to the BIOS setup on
Re:Wow, the FBI discovered MAC times. (Score:3, Interesting)
Re:Wow, the FBI discovered MAC times. (Score:4, Informative)
Re:Wow, the FBI discovered MAC times. (Score:2)
Re:Wow, the FBI discovered MAC times. (Score:2)
Re:Wow, the FBI discovered MAC times. (Score:3, Insightful)
Re:Wow, the FBI discovered MAC times. (Score:2)
No offense, but let them do their job (Score:1, Insightful)
First, since they're checking out a laptop, likely a government one no less, the chances of
(a) the typical thief going in, opening the case, removing the HD, using a write-blocker to protect a bit-by-bit cloning, and then having a method to return it to authorities is
Re:No offense, but let them do their job (Score:3, Insightful)
As far as the encryption hypothesis, given the PR fall
Definition (Score:2)
Re:Wow, the FBI discovered MAC times. (Score:4, Insightful)
How clever of you to parrot back what was in the article. He said if they made a bit by bit copy of the disk there would be no way to tell if it had actually been accessed. They might be able to show it has been compromised, they can't prove it hasn't.
I think the FBI is totally blowing smoke on this one.
Why would you say that? If you'd actually read the article you'd know this isn't about what the FBI did or didn't do at all. It's nothing but speculation from someone who says he's a forensic specialist at Zone Labs.
From the article:
The post was not written by the FBI, by an FBI agent or by anyone associated with the FBI. The only thing the post says about what the FBI has done is quote a vague press release.
Correct, useless (Score:2, Interesting)
Re:Correct, useless (Score:5, Interesting)
What most forget (i.e. don't know) is that a modern IDE drive collects a lot of information (number of recycles, hours used, errors, bla bla), at least if S.M.A.R.T is enabled. I'm sure that this information is helpful.
In any case, booting from CD and copying files from the hard disk may very well leave traces that this might have happened, contrary to what people believe.
Say what? (Score:2)
Indeed, SMART collects information about the number of power cycles. However, unless the VA employees kept a record of the number of times they power-cycled their machines, this information is pretty much useless for forensics.
Re: Say what? (Score:3, Interesting)
The system event log in Windows keeps track of every startup/shutdown. If the system is relatively new and has never had its OS reinstalled, you can expect this information to match (or be off by one in a predictable way) unless the hard drive has been started without booting the OS.
Re: Say what? (Score:2)
The event log is, by default, 512kb (or is it kB?) and loops after that. The total boots is likely los
Re: Say what? (Score:3, Insightful)
As I said, the SMART setting in the BIOS changes nothing useful. It just reports the current status (good/bad) of the drive while booting, nothing more. And by the time you've used the tool to turn SMART off on the drive, it has already spun up and logged a power-on.
It's worth the effort to try to account for all power cycles, because unlike checking access times, if you get the expected result here, you have a reasonable guarantee that the data wasn't accessed while the laptop was missing. The amount of e
Victims have to assume it was accessed (Score:4, Insightful)
Even if the data really wasn't accessed, the fact that it was unaccounted for (even that it was taken to someone's house) is inexcusable. Just because the VA managed to dodge a bullet this time doesn't mean they're in the clear on this.
Re:Victims have to assume it was accessed (Score:2)
Which is the exact same thing people who did not have data on the computer should do. There are a lot of easier ways to steal someone's identity out there. This is hardly a unique case.
Re:Victims have to assume it was accessed (Score:2)
Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
It's also a good idea to call 1-888-5OPTOUT to prevent banks, insurance companies, an
Worst Case Scenario (Score:5, Informative)
Worst case scenario: The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only (no modifications to the file system) on another computer, access the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop -- and this is why I mentioned what the FBI might look for during the physical examination -- marks on the screws or finger prints on the internal hard drive casing.
Re:Worst Case Scenario (Score:5, Informative)
Re:Worst Case Scenario (Score:2, Informative)
Ummm... IIRC it was a laptop + USB external (Score:2)
Re:Worst Case Scenario (Score:2)
If the thieves were that well-prepared, it presupposes some complex conspiracy of the sort you only see in movies. Like, "ELINT from the VA indicates that Subject X will take his laptop home this weekend. Field operatives are directed to acquire the laptop. IT Intelligence will download the database, being careful to not leave any signs that the database was actually accessed. We will then return the laptop for the reward, so the entire operation will have the appearance of a casual theft."
The FBI has to
The hard drive was removed... (Score:2)
It was an external harddrive (Score:2)
http://www.wtop.com/?sid=813030&nid=25 [wtop.com]
Re:Worst Case Scenario (Score:2)
I've got a better worst-case scenario: Thief boots laptop up with a Ghost CD and images the hard disk across a network or to an external drive connected by USB or FireWire, leaving no trace that the contents have been read since none of the a-times (assuming they're even turned on) have changed on the original filesystem.
The hard drive they're worried about in this case is actually an external USB drive (from memory), but you could do the same with that.
Translation... (Score:5, Funny)
As with any physical evidence, looking for material containing DNA is standard procedure.
Translation: it was used to surf porn...
Highly Secret FBI Technique (Score:5, Funny)
Easy cheesy (Score:5, Insightful)
Re:Easy cheesy (Score:2)
So you claim, but if S.M.A.R.T is enabled, then for sure you have left traces that the hard disk has at least been booted.
Re:Easy cheesy (Score:1)
Re:Easy cheesy (Score:2)
I objected to the statement that no trace was left that the hard disk had been accessed when booting from a CD. If the user kept logs it should be possible to determine that the hard disk has been accessed, though you probably cannot conclude that it has not.
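The check this sub-thread and the "Say what?" exchange further up keep circling (the drive's S.M.A.R.T. power-cycle and power-on-hour counters versus what the installed OS logged), written out as an added example that is not from any poster or from the article. It assumes the asset owner kept a baseline `smartctl -A` snapshot and an exported boot/shutdown log; every number below is constructed.

```python
"""Reconcile a recovered drive's S.M.A.R.T. counters against OS boot records."""
import re
from datetime import datetime

# Constructed `smartctl -A` style output: a baseline snapshot (assumed to have been
# recorded by the asset owner before the drive went missing) and one taken after
# recovery. Made-up numbers, not data from any real drive.
SMART_BASELINE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       1460
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       312
"""
SMART_RECOVERED = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       1470
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       317
"""
# Constructed OS boot/shutdown records for the same period, as an administrator
# might export from the system event log: (timestamp, "boot" | "shutdown").
OS_EVENTS = [
    ("2006-05-01 08:02", "boot"),
    ("2006-05-01 12:10", "shutdown"),
    ("2006-05-02 07:55", "boot"),
    ("2006-05-02 09:40", "shutdown"),
]
# One attribute row: id, name, flag, value, worst, thresh, type, updated, when_failed, raw.
ATTR_RE = re.compile(r"^\s*\d+\s+(\S+)\s+0x[0-9a-fA-F]+(?:\s+\S+){6}\s+(\d+)")

def parse_smart_attributes(text):
    """Return {attribute_name: raw_value} from smartctl -A style output."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = int(m.group(2))
    return attrs

def os_power_summary(events):
    """Count OS-recorded boots and sum uptime hours from boot/shutdown pairs.
    A boot with no matching shutdown still counts as a boot but adds no uptime,
    so the OS figures are lower bounds."""
    boots, hours, last_boot = 0, 0.0, None
    for stamp, kind in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if kind == "boot":
            boots += 1
            last_boot = when
        elif kind == "shutdown" and last_boot is not None:
            hours += (when - last_boot).total_seconds() / 3600
            last_boot = None
    return boots, hours

def reconcile(baseline, recovered, events, hours_slack=1.0):
    """Compare SMART deltas with OS records and return a list of findings.
    Every OS boot spins the drive up, so extra drive cycles or extra run hours
    mean it was powered without the installed OS recording a session (live CD,
    drive moved to another machine). An empty list supports, but cannot prove,
    that this did not happen."""
    findings = []
    cycles = recovered["Power_Cycle_Count"] - baseline["Power_Cycle_Count"]
    run_hours = recovered["Power_On_Hours"] - baseline["Power_On_Hours"]
    os_boots, os_hours = os_power_summary(events)
    extra_cycles = cycles - os_boots
    if extra_cycles > 0:
        findings.append(f"{extra_cycles} power cycle(s) not matched by an OS boot")
    elif extra_cycles < 0:
        findings.append("OS logged more boots than the drive counted: "
                        "wrong drive, or SMART not really supported")
    extra_hours = run_hours - os_hours  # Power_On_Hours is whole hours: allow slack
    if extra_hours > hours_slack:
        findings.append(f"about {extra_hours:.1f} h of drive runtime with no OS session")
    return findings
```

With the constructed data the drive reports three spin-ups and roughly four run hours that no OS session accounts for, which is exactly the kind of discrepancy the thread says would be worth chasing; a clean result only narrows the gamble, it does not close it.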
Re:Easy cheesy (Score:1)
Re:Easy cheesy (Score:4, Informative)
Unfortunately, I doubt anyone at Microsoft has ever thought of this nor even bothered to patent something so "novel."
Re:Easy cheesy (Score:2)
Not if the drive isn't S.M.A.R.T. capable - which I've found many drives that claim to be so but are really not capable of that capability. In fact - my drive claims to have S.M.A.R.T. yet every tool I run to check on it doesn't say it's compatible - yet my main OS drive is. Makes me a little suspicious that other companies around the world might be falsely selling hardware - e.g. the Dragonwh
Re:Easy cheesy (Score:2)
Re:Easy cheesy (Score:4, Interesting)
Try it this way: Many companies, in this country and others, cut corners where they don't think it will show. One of the things they do is claim to be compliant with standards that they haven't actually done the hard parts of being compliant with.
Actually, sometimes it isn't that "innocent", like the non-compliant CDs, but frequently it's done without malice, but only greed as a driver.
Re:Easy cheesy (Score:2)
Re:Easy cheesy (Score:2)
It's their money, that's the point!! Not "our" money. They lent you the money so your economy would not collapse, something that is not in their interests. It's a strange set of affairs this international debt. It's like the nuclear deterrent of old (discouraging warfare) but instead promises economic destruction as opposed to nuclear winter.
Re:Very Easy cheesy (Score:2)
The "last smartcheck time" and other time variables on hard drives are just measured in total runtime minutes. Though the OS could warn the user if it was discovered on startup that the hard drive had been running for long since the last
Is this just some guy's blog entry? (Score:4, Informative)
While it's nice a forensic specialist can lend some insight, it's misleading to suggest this is what the FBI is actually doing.
trust (Score:4, Interesting)
But there is no way they can be sure the drive was not removed, imaged (dd if=/dev/hdc1 of=SSNDBimage), then put back.
Now, if they can do something like looking at the scratches in the IDE pins in the HD, to see how many times it has been plugged in to something, I would be seriously impressed. That would be unprecedented in forensics, as far as I know.
Re:trust (Score:2)
Ok, imagine that I tell you that the connector was installed three times, and there are seven small scratches on the sides of the HDD. What will you conclude from that? You do not know how many there were before the system was stolen.
Re:trust (Score:2)
If it had been exactly as fitted in the factory with no movements since, then it would be reasonably safe to conclude that it didn't happen.
Re:trust (Score:2)
But it still wouldn't prove the data hasn't been copied, because there's no need to remove the drive at all.
Boot the laptop from CD (using DamnSmallLinux, Knoppix, or any similar distribution), copy the drive image to another system over the network, and shut down.
Re:trust (Score:2)
Paranoia (Score:1, Informative)
I think my tinfoil hat is on a bit too tight.
Regarding the article links, especially the second link, hopefully the FBI can show the other departments a thing or two about computer security.
At the recycling company I work at, we get dozens of hard drives full of data every day. An unscrupulous person could make a great deal of money off of just thrift store-level personal data, but you rarely
Obligatory conspiracy theory... (Score:3, Insightful)
Lapse of security? (Score:2, Interesting)
Re:Lapse of security? (Score:1)
Re:Lapse of security? (Score:2)
I'm thinking that the guy just got a copy of "sed and awk" and thought that a flat file full of ssn's and names would be the perfect data to work his scripting skillz on. So he brought the data home with him......
Re:Lapse of security? (Score:2)
How's this for a funny anecdote - nearly ten years ago when I was doing work at a fertilizer plant shutdown a laptop containing the only copy of the contacts and invoices for all the contractors was stolen. This resulted in contractors treating the company as a cash cow and a two week shutdown stretching out an extra six weeks - which meant that all stocks of the company's product ran out and the gap was filled by their competitor.
So in short, it's a bit of a gamble. But not much. (Score:5, Insightful)
A response to his blog entry suggests that someone might have booted the machine with another external O/S and copied the data that way (with the drive in read-only mode, as seen from the other O/S). I presume we're talking knoppix, etc. There'd be very little to find on the machine, if that were the case.
So the gamble comes down to this: are we dealing with very advanced spooky thieves that happened to know this guy would have that data on his machine, and were staking out his house to catch the laptop there unguarded, and then faked a very pedestrian looking robbery, and clean-roomed the machine, and then turned it into the FBI?
Or, did Mr. Occam come along, rob the house, grab the laptop and other portable goodies from the house (which happened), and then later realize that the machine wasn't exactly fenceable (especially with US Government Property markings on it, etc), and he either passed it off to someone else or made arrangements for indirect involvement in turning it into the Baltimore FBI office for a shot at the $50k reward money?
The second scenario seems a lot more likely, since in the first, an operation that polished usually has other ways to get the data, and even if laying hands on the laptop WAS the only way to get the data, they could have done so in place in a matter of minutes (since the guy they would have to have been casing was already gone from the house), and left the laptop right where it is, thus making the stolen data much more valuable (since its theft would have not been broadcast to the world).
Re:So in short, it's a bit of a gamble. But not mu (Score:4, Insightful)
Re:So in short, it's a bit of a gamble. But not mu (Score:4, Insightful)
That burglar then sells the laptop, as is, to identity thieves
Because most break-ins are committed by very low-brow thieves. Most are looking for quick cash to fuel a drug habit, or by kids trying to lay hands on gear they want but can't buy (game consoles, DVDs, etc). Tracking down a connection to a big-ticket ID-theft person/ring is well outside the normal criminal relations of your average B&E punk. Not saying impossible, just not likely. Most of them would be scared to death once they heard what they had, and would have either chucked it in the river or (my guess), looked for a way to say "uh... a guy I know stole this... can I have the fifty large, now, in small bills?"
Re:So in short, it's a bit of a gamble. But not mu (Score:5, Insightful)
If someone works as a thief, he knows other thieves, and he surely knows people who buy stolen stuff. The laptop could go through several hands before it landed with an ID thief, and there is a reason for that - each layer of resellers would try to maximize the value of the item. Even the stupidest thief would be smart enough to sell the laptop with valuable data for $500 instead of selling it as a generic notebook for $50.
Such a long chain of custody can explain, actually, why the laptop was out of sight for so long. Each owner would need several days to make a few phone calls or meetings before a deal is made and money changes hands. The last owner would need an hour at most, and once the data is copied and verified there is no reason to hold onto the hardware.
Re:So in short, it's a bit of a gamble. But not mu (Score:2)
There's one critical difference between you and your legit computer contracting pals and the "criminal underground". Legit operators benefit by getting their name out there and "networking", whereas criminals that do that generally end up nicked. T
Re:So in short, it's a bit of a gamble. But not mu (Score:2)
First off, assuming that "If someone works as a thief, he knows other thieves" is a very, very large assumption. Most thieves are either opportunistic (unattended laptop = free laptop!) and/or desperate (laptop = food/drugs/alcohol). Most criminals don't have some sort of underground organisation where they can all go to and chat about tactics and such. The thief will (hopefully) know who buys stolen goods, but of course any one will buy stolen goods if you
It's not the laptop I'd worry about (Score:2)
What was stolen (sometime in the afternoon, while the VA researcher was probably golfing) from the home was a laptop, an external hard-drive (assuming USB, heck might be firewire), and "some change". Now aside from the interesting question of why would you only take that, and not the CD-ROMs with even more VA data, that were lying nearby. Or, why would a petty, common thief not take more stuff? This was a 3pm-ish burglary
Re:It's not the laptop I'd worry about (Score:2)
Now aside from the interesting question of why would you only take that, and not the CD-ROMs with even more VA data, that were lying nearby.
Because the lowly thief had no clue who the laptop belongs to, and the idea that CDs may be far more valuable than the computer probably never visited his mind (I admit th
Re:So in short, it's a bit of a gamble. But not mu (Score:2, Informative)
Ghosted CD bootup, copied in read-only mode on another system - piece of cake to most hackers and almost any high school kid who knows anything about system ops - and that's a LOT of them.
But as far as the original perp goes, to be honest, I would doubt that the perp
Re:So in short, it's a bit of a gamble. But not mu (Score:2)
The drugs thing is largely a myth. They are just bad people, they steal to buy petrol and clothing as well; they just don't care. But they do know other people who are smarter, case in point: kids break into my office and steal a couple of laptops. They notice the server racks and two weeks later we are
Re:So in short, it's a bit of a gamble. But not mu (Score:3, Interesting)
In a similar case in one city I was living in, 4 people in two years tried to get their spouse murdered by hanging out at a
Good news, everybody! (Score:2)
"It has been broadcast to the world that the data was not accessed, so our carefully-made copy (and the several dozen copies we've since made of that copy, etc.) is now back at peak value!"
Re:So in short, it's a bit of a gamble. But not mu (Score:2, Insightful)
Re:So in short, it's a bit of a gamble. (Score:2)
I do understand this. My (second) point was that anyone that sophisticated would have done just that, in a matter of minutes, probably doing it to the laptop right where it sat... and walked back out of the house without there being any sign of t
here's the conclusion we want, now come to it (Score:5, Insightful)
Re:here's the conclusion we want, now come to it (Score:2)
Well (Score:2)
Re:Well (Score:2)
Does it Matter? (Score:1)
Lessons learned (Score:1)
1) Obtain notebook containing sensitive data
2) Wearing rubber gloves, carefully remove disk drive. Do not scratch case
or otherwise mar screws.
3) Image disk drive.
4) Reassemble and allow notebook to be recovered.
5) Enjoy politicians spinning and shouting that the data has not been read.
So should we look for... (Score:1)
atime (Score:2)
Rich.
Not Impossible (Score:2)
S.M.A.R.T. is an obscure, but very useful logging mechanism.
Re:Not Impossible (Score:1)
Re:Not Impossible (Score:2)
All one would need is the existing IDE controller (if it can talk to a non-smart drive) or a different controller that can...
And the knowledge to boot to BIOS first to make the setting change (and boot from a CD).
Not really all that hard to imagine.
Granted, the complexity of doing the task goes up with each step, further reducing the probability that someone has the data as the number of people that know, and have a motive for that shrinks.
They al
Re:Not Impossible (Score:1)
Bitwise copy is possible, but extremely unlikely (Score:5, Insightful)
So, if they were smart psychic criminals that knew the data was on the laptop, they'd not worry about covering their tracks the hard way... they'd just destroy the laptop once they had the data. After all, the data would be worth far more than the laptop itself.
If it was a criminal that just stole a bunch of high tech gear from the house, which is far more likely, then if the FBI really is using these methods, then the data wasn't accessed.
Just more tinfoil hat comments dominating the responses, though. In any case, EVERYONE, not just people whose data might have been compromised, should check their credit reports regularly and pay close attention to their financial information.
Re:Bitwise copy is possible, but extremely unlikel (Score:1)
They should also demand that the finance institutions find better ways to secure the info...without causing undue inconvenience to the customer. They are the people that are leaving the door wide open for this kind of problem. Data privacy laws are as worthless as an EULA and will always be virtually impossible to enforce worldwide.
Re:Bitwise copy is possible, but extremely unlikel (Score:2)
Re:Bitwise copy is possible, but extremely unlikel (Score:2)
Before ranting about random bullshit, how about making sure you understand what someone is saying first. I'm also curious how my comment warrants a tinfoil hat. Am I somehow generati
my day job (Score:2, Interesting)
Re:my day job (Score:2)
Or are you saying that professional forensics workers assume that hard discs can only be mounted by the installed OS, and therefore *any* access can be traced by the files' atimes?
If so, AIEEEEEE!
DRM. (Score:1, Insightful)
What is the hold up? Why do we see DRM on silly things like music, yet hardly anyone uses it in the workplace to protect data.
Re:DRM. (Score:2)
BUT... (Score:2)
I can't find a specific reference at the moment tho, everything simply says 'Laptop and HD', but you don't usually use 'and' for built-in components.
Even the forensics article assumes an internal drive
Am I getting prematurely senile or did everyone miss something here?
Does it make any difference?
And can one tell if True Image has been run on a USB drive to copy?
dont use the filesystem to read it (Score:1, Redundant)
If they are that good... (Score:2)
While it may have been stolen by a 'low brow' (as another poster put it), then sold to someone with skill; why would they sell the laptop again with possible fingerprints, hairs, skin flakes, and such that could ID them, as well as allow someone else to copy the data, reducing it'
No mention of battery analysis (Score:2)
I'm sure they could even work out the last time the battery even saw a charge or use. Heck sure capacitors on the laptop mobo that would hold a slight charge for a while.
I also didn't see any mention of measuring the magnetic field strength upon the drive head of
What can they really prove? (Score:2)
It's a good thing that a criminal intent on stealing the database couldn't do the same thing .. er .. ah .. nevermind.
They cannot ever prove unequivocally that the database is not owned. Even if they see activity that shows lots of amateur activity, and no database accesses made, they have pr
Re:What can they really prove? (Score:2)
They can never be sure. One problem, though: if it were a smart thief, would the drive have ever been recovered at all?
This drive should have disappeared forever. If you want to outsmart the FBI, you don't copy the drive and give it to them for analysis. Instead, you just completely deny them the opportunity for analysis.
Re:What can they really prove? (Score:2)
If you are going to cite TFA, at least read it! (Score:2)
In the future, if you cite the article - and this holds especially true if you are going to suggest I am a moron who cannot understand what was written in the article -, consider reading it first ... at least up through the second or third paragraph :-)
From "TFA":
Speaking to this concern, another report stated this:
Wow, the FBI thinks I'm a K00L Hacker DooD! (Score:2)
The laptop thieves really know what they are doing.
As per my comment last week that I routinely boot Knoppix to run PartImage backups of several machines to a USB drive. True, I've only removed one laptop hard drive and, dang, the idea of wearing gloves didn't even come to mind at the time.
I don't know. I guess it's easy to make light of one's competence but people catch up, you know? Is it still really that esoteric to know that you can boot from removable media and ghost a
Occam's Razor (Score:2, Interesting)
Okay, it's "possible" that the data was stolen, but highly unlikely.
AFAIK we need the original crooks to either be experts AND know that they didn't want to change access times*, etc. (bear in mind that they don't initially know that there's valuable stuff on the HD) OR to not turn on the PC, but instead sell it directly to identity thieves who know what they are doing. These guys then take the risk of reselling the item in the hope that it's recovered, but that their actions are not noticed, in the hope
Re:Silly thieves .... don't they know ? (Score:4, Funny)