Forgot your password?
typodupeerror

Forensic Analysis of the Stolen VA Database 144

Posted by timothy
from the overconfidence-perhaps dept.
An anonymous reader writes "As you have probably heard, the FBI has recovered the stolen Veteran's Administration laptop. The FBI even said "A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen." This article looks at what the FBI forensic lab is doing to determine the sensitive information hasn't been accessed and how the thieves might have covered their tracks — thereby rendering the forensic results useless."
This discussion has been archived. No new comments can be posted.

Forensic Analysis of the Stolen VA Database

Comments Filter:
  • by base3 (539820) on Monday July 03, 2006 @03:13PM (#15651696)
    But someone taking an image copy of the disk wouldn't touch the MAC times. There is no way they can be certain those data weren't copied, though I'm sure their announcement will help mollify the millions of current and former servicemen and women whose vitals are subject to misuse. And as a bonus, I'll bet this breach will be used as an example of something pervasive "trusted" computing could have prevented.
    • by Anonymous Coward
      But someone taking an image copy of the disk wouldn't touch the MAC times. There is no way they can be certain those data weren't copied, though I'm sure their announcement will help mollify the millions of current and former servicemen and women whose vitals are subject to misuse.

      Well, if you'd RTFA then you would have known that they combine it with physical evidence (finger prints on the drive itself, as well as on areas such as the cd eject button and whatever keys you use to get to the bios setup on
      • The fact that I can wear gloves and never once touch the hard-drive physicially yet copy it without leaving a trace except for maybe the last access time leaves practically NO EVIDENCE - no DNA, maybe the MAC address of where the information was being sent (if that exists, but it's useless if it was put on another harddrive, then copied over after decryption to another drive and the middle-transfer drive destroyed,) but the original post is still pretty much 100% accurate - I've done plenty of consumer-untr
    • What frightens me most is that they surmise that making a bit copy would be unlikely, difficult, or technically compex (I've read the government's view on this from numerous sources). My six year old can do it. This is like assigning nearsighted guards to the top of a town's wall without corrective lenses: "yeah, sure, there are people out there--or are they animals? or maybe bushes?--either way they don't look threatening."
    • by Anonymous Coward
      While there is certainly "no way to be certain" that the data hadn't be compromised or copied, there is some rational thought that can be applied here, especially rational thought devoid of sarcastic and disrespectful post titles like your own.

      First, since they're checking out a laptop, likely a government one no less, the chances of

      (a) the typical thief going in, opening the case, removing the HD, using a write-blocker to protect a bit-by-bit cloning, and then having a method to return it to authorities is
      • I understand what you're saying, but if I were the one testifying before Congress, I would have to say the data must be assumed compromised. Given that the machine was fenced, there were a number of people who had an opportunity to obtain the data and then put the machine back into the pawn circuit so that it looked like a ham-handed theft. I agree that the initial theft was a crime of opportunity, but wouldn't rule out a sophisticated grab of the data.

        As far as the encryption hypothesis, given the PR fall

    • ID Theft = Thanks for our service on behalf of a grateful nation.
  • Correct, useless (Score:2, Interesting)

    by Anonymous Coward
    Yeah, especially if they had done what I would have done: boot from CD and copy files out the ethernet port to another HD.
    • Re:Correct, useless (Score:5, Interesting)

      by Homology (639438) on Monday July 03, 2006 @03:40PM (#15651924)
      > Yeah, especially if they had done what I would have done: boot from CD and copy files out the ethernet port to another HD.

      What most forget (i.e. dont know) is that a modern IDE drive collects alot of
      information (number of recycles, hours used, errors, bla bla), at least
      if S.M.A.R.T is enabled. I'm sure that this information is helpful.

      In any case, booting from CD and copy files from the harddisk may very well
      leave traces that this maight have happened, contrary to what people believe.
      • What most forget (i.e. dont know) is that a modern IDE drive collects alot of information (number of recycles, hours used, errors, bla bla), at least if S.M.A.R.T is enabled.

        Indeed, SMART collects information about the number of powercycles. However, unless the VA employees kept a record of the number of times they powercycled their machines, this information is pretty much useless for forensics.

        In any case, booting from CD and copy files from the harddisk may very well leave traces that this maight

        • Re: Say what? (Score:3, Interesting)

          by Burpmaster (598437)

          Indeed, SMART collects information about the number of powercycles. However, unless the VA employees kept a record of the number of times they powercycled their machines, this information is pretty much useless for forensics.

          The system event log in Windows keeps track of every startup/shutdown. If the system is relatively new and has never had its OS reinstalled, you can expect this information to match (or be off by one in a predictable way) unless the hard drive has been started without booting the OS.

          • The system event log in Windows keeps track of every startup/shutdown. If the system is relatively new and has never had its OS reinstalled, you can expect this information to match (or be off by one in a predictable way) unless the hard drive has been started without booting the OS. You'd have to question the owner of the laptop about anything he's done that might start the drive without booting the OS.

            The event log is, by default, 512kb (or is it kB?) and loops after that. The total boots is likely los
  • by eln (21727) on Monday July 03, 2006 @03:14PM (#15651706) Homepage
    The data was unaccounted for for a fairly significant period of time. Anyone whose data was on that laptop still have to assume the data was accessed, and take appropriate steps to protect themselves from identity theft.

    Even if the data really wasn't accessed, the fact that it was unaccounted for (even that it was taken to someone's house) is inexcusable. Just because the VA managed to dodge a bullet this time doesn't mean they're in the clear on this.
    • "Anyone whose data was on that laptop still have to assume the data was accessed, and take appropriate steps to protect themselves from identity theft."

      Which is the exact same thing people who did not have data on the computer should do. There are a lot of easier ways to steal someone's identity out there. This is hardly an unique case.

    • Agreed. Contact the credit agency of your choice to put a fraud watch on your file. The agency you contact will notify the other two for you.

      Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

      Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013

      TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

      Its also a good idea to call 1-888-5OPTOUT to prevent banks, insurance companies, an
  • Worst Case Scenario (Score:5, Informative)

    by neonprimetime (528653) on Monday July 03, 2006 @03:14PM (#15651709) Homepage
    I really like the "worst-case scenario" that article posts ...

    Worst case scenario: The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only (no modifications to the file system) on another computer, access the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop -- and this is why I mentioned what the FBI might look for during the physical examination -- marks on the screws or finger prints on the internal hard drive casing.
    • by fireduck (197000) on Monday July 03, 2006 @03:31PM (#15651844)
      The worst case scenario is quite likely, given that the hard drive was found separate from the computer, as described here [msnbc.com]:
      Both the laptop and hard drive ended up for sale at a black market just north of Washington D.C., near a subway station outside the Beltway near Wheaton. We're talking about the kind of market that is literally run out of the back of a truck, one official said. Fortunately, a buyer purchased both components at this black market, keeping the missing hardware together.
      • The HDD in question was external. I grew up in and still frequent the area in which they say the equipment was recovered. I seriously doubt anyone was doing back-of-truck sales there. More likely, it wound up in one of the 3 pawn shops in the recovery area or the guy who stole it in the first place is only a few degrees seperated from those who turned it in. Aspen Hill, where the VA worker is said to live is deceptively rotten (I lived there for 2.5 years) and I seriously doubt anyone burglarizing a home
      • So, no.. the internal drive was not necessarily removed
    • If the thieves were that well-prepared, it presupposes some complex conspiracy of the sort you only see in movies. Like, "ELINT from the VA indicates that Subject X will take his laptop home this weekend. Field operatives are directed to acquire the laptop. IT Intelligence will download the database, being careful to not leave any signs that the database was actually accessed. We will then return the laptop for the reward, so the entire operation will have the appearance of a casual theft."

      The FBI has to

    • As quoted here (http://redtape.msnbc.com/2006/07/what_happened_t. html) it appears the laptop and hard drive were for sale separately. That means the hard drive had been removed from the computer. The buyer states he bought both items at the same time and he (the buyer) probably put both back together. That means the hard drive was out of the laptop for some time.
    • I've got a better worst-case scenario: Thief boots laptop up with a Ghost CD and images the hard disk across a network or to an external drive connected by USB or FireWire, leaving no trace that the contents have been read since none of the a-times (assuming they're even turned on) have changed on the original filesystem.

      The hard drive they're worried about in this case is an actually external USB drive (from memory), but you could do the same with that.

  • by Frosty Piss (770223) on Monday July 03, 2006 @03:15PM (#15651720)
    FTA:

    As with any physical evidence, looking for material containing DNA is standard procedure.

    Translation: it was used to surf porn...

  • by SvetBeard (922070) on Monday July 03, 2006 @03:15PM (#15651721)
    Click "Start." Select "Documents." Look for VA-Confidential-ID-Info-DO-NOT-STEAL.xls. It's not there! We're Golden!
  • Easy cheesy (Score:5, Insightful)

    by MooseTick (895855) on Monday July 03, 2006 @03:16PM (#15651724) Homepage
    It is trivial to copy the contents from a hard drive and leave NO sign that the data was read. There would be NO way to forensically determine whether the data had been compromised. You could do a best guess, but that would only be a guess.
    • > It is trivial to copy the contents from a hard drive and leave NO sign that the data was read.

      So you claim, but if S.M.A.R.T is enabled, then for sure you have left traces
      that the hard disk has at least been booted.
      • But when? The times logged by smart are aggregates (e.g. time under load) and aren't pegged to an external clock.
        • > But when? The times logged by smart are aggregates (e.g. time under load) and aren't pegged to an external clock.

          I objected to the statement that no trace was left that the
          harddisk had been accessed when booting from a CD. If the user kept
          logs it should be possible to determine that the harddisk have been
          accessed, though you probably cannot conclude that it has not, though.
          • Ah--so if Windows (which I assume it was running, they'd have probably hung the poor guy if he had been running Linux) logs the S.M.A.R.T. times, they could be compared. Thanks.
    • Re:Easy cheesy (Score:4, Informative)

      by dattaway (3088) on Monday July 03, 2006 @03:59PM (#15652071) Homepage Journal
      Actually you can determine if the hard drive was copied. If you look into the hdparm utilities, you can access a drive's runtime, last smartcheck time, and other statistics. This information can be logged by a paranoid host operating system to check for unaccounted time.

      Unfortunately, I doubt anyone at Microsoft has ever thought of this nor even bothered to patent something so "novel."
      • f you look into the hdparm utilities, you can access a drive's runtime, last smartcheck time, and other statistics.

        Not if the drive isn't S.M.A.R.T. capable - which I've found many drives that claim to be so but are really not capable of that capability. Infact - my drive claims to have S.M.A.R.T. yet every tool I run t check on it doesn't say it's compatible - yet my main OS drive is. Makes me a little suspicious that other companies around the world might be falsely selling hardware - e.g. the Dragonwh
        • Mod me down for my poor HTML $k1ll$.
        • Re:Easy cheesy (Score:4, Interesting)

          by HiThere (15173) * <charleshixsn@ear ... t ['hli' in gap]> on Monday July 03, 2006 @07:08PM (#15653141)
          I'm no conspiracy theorist - but in true reality, this smells like other countries making hardware under specifications that do not match ours - and therefore may pose a security risk to us. Yea - I know, far-fetched. Damned far-fetched. But think about it. The greatest threat/companoin to us right now truly is China - they hold the majority of our worldwide currency, and they produce a damned-good percentage of our products. If they withdrew, and took our money with them, and left us our debt - we'd be in some DEEP shit. We'd be 3rd-world classification without any warning.

          Try it this way: Many companies, in this country and others, cut corners where they don't think it will show. One of the things they do is claim to be compliant with standards that they haven't actually done the hard parts of being compliant with. ...

          Actually, sometimes it isn't that "innocent", like the non-compliant CDs, but frequently it's done without malice, but only greed as a driver.
          • True enough, and when you try to market to a country like the U.S. that has multiple standards with which you must comply for even a simple electronic device, the requisite testing and verification can get very expensive and time-consuming. And if you fail testing, you have to go back to your production line and fix the problem. Domestic manufacturers are, presumably, less likely to cheat because if they get caught they are immediately subject to prosecution, but if you're a vendor in China or Malaysia or w
        • If they withdrew, and took our money with them, and left us our debt

          It's their money, that's the point!! Not "out" money. They lent you the money so your economy would not collapse, something that is not in their interests. It's a strange set of affairs this international debt. It's like the nuclear deterent of old (discouraging warfare) but instead promises ecconomic destruction as opposed to nuclear winter.

          I'm no conspiracy theorist - but in true reality, this smells like other countries making hardw

      • Actually you can determine if the hard drive was copied. If you look into the hdparm utilities, you can access a drive's runtime, last smartcheck time, and other statistics. This information can be logged by a paranoid host operating system to check for unaccounted time.

        The "last smartcheck time" and other time variables on hard drives are just measured in total runtime minutes. Though the OS could warn the user if it was discovered on startup that the hard drive had been running for long since the last

  • by IANAAC (692242) on Monday July 03, 2006 @03:19PM (#15651747)
    Because nowhere in his blog does he say that this is really what the FBI is doing, as the summary suggests.

    While it's nice a forensic specialist can lend some insight, it's misleading to suggest this is what the FBI is actually doing.

  • trust (Score:4, Interesting)

    by Lord Ender (156273) on Monday July 03, 2006 @03:20PM (#15651760) Homepage
    Sure, the filestamp could be "last accessed: before this thing was stolen."

    But there is no way they can be sure the drive was not removed, imaged (dd if=/dev/hdc1 of=SSNDBimage), then put back.

    Now, if they can do something like looking at the scratches in the IDE pins in the HD, to see how many times it has been plugged in to something, I would be seriously impressed. That would be unprecedented in forensics, as far as I know.
    • by tftp (111690)
      Now, if they can do something like looking at the scratches in the IDE pins in the HD, to see how many times it has been plugged in to something, I would be seriously impressed.

      Ok, imagine that I tell you that the connector was installed three times, and there are seven small scratches on the sides of the HDD. What will you conclude from that? You do not know how many there were before the system was stolen.

      • It tells you that this line of enquiry is inconclusive.

        If it had been exactly as fitted in the factory with no movements since, then it would be reasonably safe to conclude that it didn't happen.
    • Now, if they can do something like looking at the scratches in the IDE pins in the HD, to see how many times it has been plugged in to something, I would be seriously impressed. That would be unprecedented in forensics, as far as I know.

      But it still wouldn't prove the data hasn't been copied, because there's no need to remove the drive at all.

      Boot the laptop from CD (using DamnSmallLinux, Knoppix, or any similar distribution), copy the drive image to another system over the network, and shutdown.

      • You're right! You win the thought experiment. There really is NO WAY anyone could possibly show that the data his not been stolen.
  • Paranoia (Score:1, Informative)

    by dreddnott (555950)
    The first two times I clicked on the Read More... link, I got the ol' 404 "Nothing to see here, move along" message.

    I think my tinfoil hat is on a bit too tight.

    Regarding the article links, especially the second link, hopefully the FBI can show the other departments a thing or two about computer security.

    At the recycling company I work at, we get dozens of hard drives full of data every day. An unscrupulous person could make a great deal of money off of just thrift store-level personal data, but you rarely
  • by Chabil Ha' (875116) on Monday July 03, 2006 @03:24PM (#15651779)
    What if the whole examination is a hoax? Or the real results covered up? What do they stand to gain??? The government (and for that fact humanity) has an ego problem of not wanting to admit mistakes because a mistake of this magnitude merits a major change. If the information is found to have been access/copied/etc., you have insane public outcry. If the results come back negative, you still have people grumble about it, but the status quo doesn't have to change.
  • Lapse of security? (Score:2, Interesting)

    by Anonymous Coward
    What I want to know is why they kept a highly sensitive database on a laptop, rather than on a server. After all, servers are much harder to carry out of the building than a laptop is.
    • That is something that bothered me all along. Granted the government has our information in databases, but why can that information be copied locally at any point in time? Shouldn't there be a guard against copying sensitive data to removable drives, laptops, etc? Couldn't this person work on the data at work or over a vpn instead of locally on his laptop?? I should get a job with the VA, seems like a cakewalk for IT. My company post SOX doesn't even allow IPODs because you can potentially copy client
    • >>What I want to know is why they kept a highly sensitive database on a laptop, rather than on a server.

      I'm thinking that the guy just got a copy of "sed and awk" and thought that a flat file full of ssn's and names would be the perfect data to work his scripting skillz on. So he brought the data home with him......
    • What I want to know is why they kept a highly sensitive database on a laptop

      How's this for a funny anecdote - nearly ten years ago when I was doing work at a fertilizer plant shutdown a laptop containing the only copy of the contacts and invoices for all the contractors was stolen. This resulted in contractors treating the company as a cash cow and a two week shutdown stretching out an extra six weeks - which meant that all stocks of the companies product ran out and the gap was filled by their competitor.

  • by ScentCone (795499) on Monday July 03, 2006 @03:26PM (#15651793)
    The thrust of his comments are this: if we're dealing with casual laptop theives (as the circumstances of the house burglary suggest), then the usual built-in flags and dates that the O/S uses will tell the tale. If we're dealing with someone clever enough to do what they (the foresics lab) likely did, they'd have removed the drive and used other equipment to make a passive bit-for-bit copy, and then re-installed the drive... and he's suggesting that it would fairly hard to do that without leaving some tell-tale signs inside the case (tool marks, DNA, mechanical changes to connectors, etc).

    A response to his blog entry suggests that someone might have booted the machine with another external O/S and copied the data that way (with the drive in read-only mode, as seen from the other O/S). I presume we're talking knoppix, etc. There'd be very little to find on the machine, if that were the case.

    So the gamble comes down to this: are we dealing with very advanced spooky thieves that happened to know this guy would have that data on his machine, and were staking out his house to catch the laptop there unguarded, and then faked a very pedestrian looking robbery, and clean-roomed the machine, and then turned it into the FBI?

    Or, did Mr. Occam come along, rob the house, grab the laptop and other portable goodies from the house (which happened), and then later realize that the machine wasn't exactly fenceable (especially with US Government Property markings on it, etc), and he either passed it off to someone else or made arrangements for indirect involvement in turning it into the Baltimore FBI office for a shot at the $50k reward money?

    The second scenario seems a lot more likely, since in the first, an operation that polished usually has other ways to get the data, and even if laying hands on the laptop WAS the only way to get the data, they could have done so in place in a matter of minutes (since the guy the would have to have been casing was already gone from the house), and left the laptop right where it is, thus making the stolen data much more valuable (since its theft would have not been broadcast to the world).
    • by tftp (111690) on Monday July 03, 2006 @03:36PM (#15651903) Homepage
      A combination of your scenarios is even more likely:

      1. A common burglar enters the house and takes anything that looks valuable.
      2. That burglar then reads in newspapers what exactly he has in his hands.
      3. That burglar then sells the laptop, as is, to identity thieves; from that point on, he is out of the picture.
      4. The ID thief boots from a Ghost CD, and copies the contents of the drive to another computer.
      5. The ID thief returns the laptop, so that he can maximize the value of the data, and stop the investigation.
      6. The FBI concludes that the computer was not booted up for ages, and the data is safe. There will be no discernible fingerprints on the computer (of the owner, or of the thieves,) that is not unusual.
      • by ScentCone (795499) on Monday July 03, 2006 @03:43PM (#15651943)
        Interesting. I think, believe it or not, that the hardest part for your average burglar is this:

        That burglar then sells the laptop, as is, to identity thieves

        Because most break-ins are committed by very low-brow thieves. Most are looking for quick cash to fuel a drug habit, or by kids trying to lay hands on gear they want but can't buy (game consoles, DVDs, etc). Tracking down a connection to a big-ticket ID-theft person/ring is well outside the normal criminal relations of your average B&E punk. Not saying impossible, just not likely. Most of them would be scared to death once they heard what they had, and would have either chucked it in the river or (my guess), looked for a way to say "uh... I guy I know stole this... can I have the fifty large, now, in small bills?"
        • by tftp (111690) on Monday July 03, 2006 @03:56PM (#15652047) Homepage
          That assumes that criminal world is somehow deficient and can't find its specialists with both hands and a mirror. But we usually know people who are like us. If you work with computers, you have friends and acquaintances of similar sort. When I was in computer contracting business I could have linked you with tens, if not hundreds, of people who specialize in this and that.

          If someone works as a thief, he knows other thieves, and he surely knows people who buy stolen stuff. The laptop could go through several hands before he landed with an ID thief, and there is a reason for that - each layer of resellers would try to maximize the value of the item. Even a stupidest thief would be smart enough to sell the laptop with valuable data for $500 instead of selling it as a generic notebook for $50.

          Such a long chain of custody can explain, actually, why the laptop was out of sight for so long. Each owner would need several days to make a few phone calls or meetings before a deal is made and money changes hands. The last owner would need an hour at most, and once the data is copied and verified there is no reason to hold onto the hardware.

          • But we usually know people who are like us. If you work with computers, you have friends and acquaintances of similar sort. When I was in computer contracting business I could have linked you with tens, if not hundreds, of people who specialize in this and that.

            There's one critical difference between you and your legit computer contracting pals and the "criminal underground". Legit operators benefit by getting their name out there and "networking", whereas criminals that do that generally end up nicked. T

          • Let me tell you something about the real world.

            First off, assuming that "If someone works as a thief, he knows other thieves" is a very, very large assumption. Most thieves are either opportunistic (unnattended laptop = free laptop!) and/or desperate (laptop = food/drugs/alcohol). Most criminals don't have some sort of underground orgonisation where they can all go to and chat about tactics and such. The thief will (hopefully) know who buys stolen goods, but of course any one will buy stolen goods if you

          • Ok, so I looked into this back when it happened. I even read the police report.

            What was stolen (sometime in the afternoon, while the VA researcher was probably golfing) from the home was a laptop, an external hard-drive (assuming USB, heck might be firewire), and "some change". Now aside from the interesting question of why would you only take that, and not the CD-ROMs with even more VA data, that were laying nearby. Or, why would a petty, common thief not take more stuff? This was a 3pm-ish burglery
            • It's an old thread now, but why not to add a few comments? Not that any of us are very familiar with the criminal world, but everyone is a top specialist in things that he does not understand :-)

              Now aside from the interesting question of why would you only take that, and not the CD-ROMs with even more VA data, that were laying nearby.

              Because the lowly thief had no clue who the laptop belongs to, and the idea that CDs may be far more valuable than the computer probably never visited his mind (I admit th

        • "Most thefts are done by low-brow thieves." Of a US givernment laptop. From a US government employee. Somehow, the whole idea of "inside job" seems to be echoing through the halls somewhere and no one in slashdotland is seemingly listening.

          Ghosted CD bootup, copied in read-only mode on another system - piece of cake to most hackers and almost any high school kid who knows anything about system ops - and that's a LOT of them.

          But as far as the original perp goes, to be honest, I would doubt that the perp
        • because most break-ins are committed by very low-brow thieves. Most are looking for quick cash to fuel a drug habit, or by kids trying to lay hands on gear they want but can't buy (game consoles, DVDs, etc).

          The drugs thing is largely a myth. They are just bad people, they steal to buy petrol and clothing as well; they just don't care. But they do know other people who are smarter, case in point: kids break into my office an steal a couple of laptops. They notice the server racks and two weeks later we are

      • According to one history of the 1991 Gulf War that I read, a British planning officer in London lost his portable computer (they weren't laptops then) with quite a bit of critical information on it. The London police let it be known among their contacts that it would _really_ be best if it were to be returned no-questions-asked, and it was dropped off at a police station within a day.

        In a similar case in one city I was living in, 4 people in two years tried to get their spouse murdered by hanging out at a
    • The second scenario seems a lot more likely...they could have done so in place in a matter of minutes...and left the laptop right where it is, thus making the stolen data much more valuable (since its theft would have not been broadcast to the world).

      "It has been broadcast to the world that the data was not accessed, so our carefully-made copy (and the several dozen copies we've since made of that copy, etc.) is now back at peak value!"

    • Not to mention that had the data been the target, that computer would have never been returned. It would have been degaussed, torched and thrown into a lake or something similar. ..unless of course they were really sneaky and made sure that they left no forensic evidence (physical or virtual) and returned it for the FBI to conclude that the data had not been accessed..
  • by frovingslosh (582462) on Monday July 03, 2006 @03:29PM (#15651824)
    I doubt very much that the "experts" that the FBI has looking into this are so lame that they don't realize that a Live CD like Knoppix or any of the hundreds of others couldn't have been used to make a copy of the data without changing the "last accessed dates". Heck, that is likely what they are doing themselves when they made the forensic copy of the data that they examined. It seems much more likely that they have been told what result it would be in their best interest to come to, and baring any extremely obvious indications otherwise, we will be told what the government wants to tell us.
  • What worries me is the way that they seem to think that by it not being accessed then it is all OK, if anything I think it not being touched is much worse as it indicates that it has been replicated or transferred in order for those who took it to work on it without leaving a bread-trail for the authorities to follow them by. Of course no forensic evidence will be of use, if they were smart enough to copy and not disturb the database itself then they will not have been in physical contact with the laptop fo
    • What worries me is the way that they seem to think that by it not being accessed then it is all OK, if anything I think it not being touched is much worse as it indicates that it has been replicated or transferred in order for those who took it to work on it without leaving a bread-trail for the authorities to follow them by. Of course no forensic evidence will be of use, if they were smart enough to copy and not disturb the database itself then they will not have been in physical contact with the laptop fo

  • Ultimately, does it really matter if it was accessed or not? Given the sensitive nature of the data and assuming the FBI cannot publicly prove that the data was not accessed shouldn't everyone assume that it was and act accordingly?
  • So the best cyber-crime technique is:

    1) Obtain notebook containing sensitive data
    2) Wearing rubber gloves, carefully remove disk drive. Do not scratch case
    or otherwise mar screws.
    3) Image disk drive.
    4) Reassemble and allow notebook to be recovered.
    5) Enjoy politicians spinning and shouting that the data has not been read.

  • A web site advertizing "find information on any VA for only $29.99"
  • Obviously they wouldn't be looking at 'last' and the atime fields .. no that would be far too simple.

    Rich.

  • There's more storage in a hard drive than just what exists on the disc.

    S.M.A.R.T. is an obscure, but very useful logging mechanism.
    • I'm not sure how much use the S.M.A.R.T. attributes would be, unless the hard disk had a built-in clock. Now spare sectors, on the other hand . . .
    • S.M.A.R.T. is something that can be disabled in the BIOS, no?

      All one would need is the existing IDE controller (if it can talk to a non-smart drive) or a different controller that can...

      And the knowledge to boot to BIOS first to make the setting change (and boot from a CD).

      Not really all that hard to imagine.

      Granted, the complexity of doing the task goes up with each step, further reducing the probability that someone has the data as the number of people that know, and have a motive for that shrinks.

      They al
    • Let's not forget about ATA security specs. (http://www.dataclinic.co.uk/password-protected-ha rd-drive.htm) This would help a whole lot of things.
  • by TheFlyingGoat (161967) on Monday July 03, 2006 @04:03PM (#15652099) Homepage Journal
    ScentCone's comment hits it on the head, but I'll take it a bit further. Even though it is pretty simple to set a drive to read-only or make a bitwise copy of it, you'd have to ask WHY someone would do that. If the person that stole the laptop was actually out to steal sensitive data, they would do so and then destroy the laptop instead of risking having it tracked back to them.

    So, if they were smart psychic criminals that knew the data was on the laptop, they'd not worry about covering their tracks the hard way... they'd just destroy the laptop once they had the data. After all, the data would be worth far more than the laptop itself.

    If it was a criminal that just stole a bunch of high tech gear from the house, which is far more likely, then if the FBI really is using these methods, then the data wasn't accessed.

    Just more tinfoil hat comments dominating the responses, though. In any case, EVERYONE, not just people whos data might have been compromised, should check their credit reports regularily and pay close attention to their financial information.
    • In any case, EVERYONE, not just people whos data might have been compromised, should check their credit reports regularily and pay close attention to their financial information.

      They should also demand That the finance institutions find better ways to secure the info...without causing undue incovenience to the customer. They are the people that are leaving the door wide open for this kind of problem. Data privacy laws are as worthless as an EULA and will always be virtually impossible to enforce worldwide.
    • So while you put in a comment about tinfoil-hat responses to this problem mocking them, your own response warrants one in return? C'mon, hypocrite. Welcome to the new millenium - cracker/hackers/n00bs are dominating the black market and all you can offer is a simple explanation. You must not have a clue of what the new generation of homo sapiens can do. If I could program in BASIC on a TI 99/4A and create a blocky person then at age FIVE, then I'm quite sure someone today could do the same thing, plus more,
      • In your blind rage, you seemed to have forgotten how to comprehend English. Not once did I say that it wasn't possible for criminals to do the things that the tinfoil hat crowd (read: you) worry about, I said that in this case it's extremely unlikely. I even provided some basic supporting logic that you failed to comprehend.

        Before ranting about random bullshit, how about making sure you understand what someone is saying first. I'm also curious how my comment warrants a tinfoil hat. Am I somehow generati
  • my day job (Score:2, Interesting)

    by mashmorgan (615200)
    Do this kind of stuff in my day job, normally contracted as an expert witness to the UK court system. The software we all use is Encase. It taks a snaphost of the HD, does stuff like MD% etc across all files. The main thing is the last_accessed date of files (presumably its Windows). The image can be "browsed" by the date.. eg one can see someones "mind" as they surf various web sites at various hours of the day from years ago sometimes. The only snag would be if the user moved the date of the BIOS clock
    • I sure hope what you're describing is completely different from the procedure that would be necessary to determine if the data in the stolen laptop was compromised.

      Or are you saying that professional forensics workers assume that hard discs can only be mounted by the installed OS, and therefore *any* access can be traced by the files' atimes?

      If so, AIEEEEEE!
  • DRM. (Score:1, Insightful)

    by Anonymous Coward
    We have music that is DRM'ed by many people, why can't companies have their data DRM'ed.
    What is the hold up? Why do we see DRM on silly things like music, yet hardly anyone uses it in the workplace to protect data.
  • by hurfy (735314)
    I thought this was an external HD.

    I can't find a specific reference at the moment tho, everything simply says 'Laptop and HD', but you don't usually use 'and' for built-in components.

    Even the forensics article assumes an internal drive :O

    Am i getting prematurely senile or did everyone miss something here?

    Does it make any diference?

    And can one tell if True Image has been run on a USB drive to copy?
  • use dump or dd. Access times wont be affected.
  • If a sophisticated technical person wanted to steal the data in the first place, I'd think they would have copied the data and put the laptop back exactly as it was; once it's known the data was stolen, it's a lot less useful.

    While it may have been stolen by a 'low brow' (as another posted put it), then sold to someone with skill; why would they they sell the laptop again with possible fingerprints, hairs, skin flakes, and such that could ID them, as well as allow someone else to copy the data, reducing it'
  • An anysysis of the battery would at basic show amount of battery power left and from full charge and natural decay a level could be worked out. Though alot of betteries now count the number of times charged and probably the date and time as well.

    I'm sure they could even work out the last time the battery even saw a charge or use. Heck sure capacitors on the laptop mobo that would hold a slight charge for a while.

    I also didn;t see any mention of measuring the magnetic feild strength upon the drive head of
  • "The first step is take a bit-for-bit image of the hard drive. This technique makes an exact copy of the data on the laptop so the forensic examiner is reviewing a copy of the stolen disk, not the actual disk itself."

    It's a good thing that a criminal intent on stealing the database couldn't do the same thing .. er .. ah .. nevermind.

    They cannot ever prove unequivocally that the database is not owned. Even if they see activity that show lot's of amateur activity, and no database accesses made, they have pr

    • What makes them think a smart data theif wouldn't make the bit for bit copy and then go back later and make it look like it was an amateur job?

      They can never be sure. One problem, though: if it were a smart thief, would the drive have ever been recovered at all?

      This drive should have disappeared forever. If you want to outsmart the FBI, you don't copy the drive and give it to them for analysis. Instead, you just completely deny them the opportunity for analysis.

      • "if it were a smart thief, would the drive have ever been recovered at all?"
        ABSOLUTELY!!! The data is most valuable if they can convince the world it has never been stolen. Re-read my initial post. I allude to this, but don't quite state it explicitly. A TRULY smart data thief will leave the victim believing his data has never been compromised.
  • Where do I apply for a job!!!!

    The laptop thieves really know what they are doing.

    As per my comment last week that I routinely boot Knoppix to run PartImage backups of several machines to a USB drive. True, I've only removed one laptop hard drive and, dang, the idea of wearing gloves didn't even come to mind at the time.

    I don't know. I guess it's easy to make light of one's competence but people catch up, you know? Is it still really that esoteric to know that you can boot from removable media and ghost a
  • Occam's Razor (Score:2, Interesting)

    by tomandlu (977230)

    Okay, it's "possible" that the data was stolen, but highly unlikely.

    AFAIK we need the original crooks to either be experts AND know that they didn't want to change access times*, etc. (bare in mind that they don't initially know that there's valuable stuff on the HD) OR to not turn on the PC, but instead sell it directly to identity thieves who know what they are doing. These guys then take the risk of reselling the item in the hope that it's recovered, but that their actions are not noticed, in the hope

Swap read error. You lose your mind.

Working...