Forensic Analysis of the Stolen VA Database

An anonymous reader writes "As you have probably heard, the FBI has recovered the stolen Veteran's Administration laptop. The FBI even said 'A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen.' This article looks at what the FBI forensic lab is doing to determine the sensitive information hasn't been accessed and how the thieves might have covered their tracks — thereby rendering the forensic results useless."
  • Worst Case Scenario (Score:5, Informative)

    by neonprimetime ( 528653 ) on Monday July 03, 2006 @03:14PM (#15651709)
    I really like the "worst-case scenario" that article posts ...

    Worst case scenario: The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only (no modifications to the file system) on another computer, access the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop -- and this is why I mentioned what the FBI might look for during the physical examination -- marks on the screws or finger prints on the internal hard drive casing.
  • by IANAAC ( 692242 ) on Monday July 03, 2006 @03:19PM (#15651747)
    Because nowhere in his blog does he say that this is really what the FBI is doing, as the summary suggests.

    While it's nice a forensic specialist can lend some insight, it's misleading to suggest this is what the FBI is actually doing.

  • Paranoia (Score:1, Informative)

    by dreddnott ( 555950 ) <dreddnott@yahoo.com> on Monday July 03, 2006 @03:21PM (#15651765) Homepage
    The first two times I clicked on the Read More... link, I got the ol' 404 "Nothing to see here, move along" message.

    I think my tinfoil hat is on a bit too tight.

    Regarding the article links, especially the second link, hopefully the FBI can show the other departments a thing or two about computer security.

    At the recycling company I work at, we get dozens of hard drives full of data every day. An unscrupulous person could make a great deal of money off of just thrift store-level personal data, but you rarely see that kind of thing getting done. The typical thief is uneducated, particularly about the mystical inner workings of a computer, but I suspect that is about to change in the New Era of identity theft. I have almost no doubt that a typical thief jacked that laptop to look at MySpace in the park or some other ridiculously pedestrian abuse of hardware...
  • by fireduck ( 197000 ) on Monday July 03, 2006 @03:31PM (#15651844)
    The worst case scenario is quite likely, given that the hard drive was found separate from the computer, as described here [msnbc.com]:
    Both the laptop and hard drive ended up for sale at a black market just north of Washington D.C., near a subway station outside the Beltway near Wheaton. We're talking about the kind of market that is literally run out of the back of a truck, one official said. Fortunately, a buyer purchased both components at this black market, keeping the missing hardware together.
  • Re:Easy cheesy (Score:4, Informative)

    by dattaway ( 3088 ) on Monday July 03, 2006 @03:59PM (#15652071) Homepage Journal
    Actually you can determine if the hard drive was copied. If you look into the hdparm utilities, you can access a drive's runtime, last smartcheck time, and other statistics. This information can be logged by a paranoid host operating system to check for unaccounted time.

    Unfortunately, I doubt anyone at Microsoft has ever thought of this nor even bothered to patent something so "novel."
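    As an added illustration of the logging idea in the comment above (example code written for this page, not from the commenter, the article, or the FBI), the Python below parses two `smartctl -A` attribute tables and compares the growth in Power_On_Hours (SMART attribute 9) and Power_Cycle_Count (attribute 12) against the runtime and power cycles the host itself recorded. The attribute-table layout is smartctl's real output format; the two sample tables are constructed, and the idea that the host logs a baseline at every clean shutdown and keeps its own uptime and boot counters is the assumption the check rests on.

```python
import re

# Constructed sample `smartctl -A` attribute tables; not captured from a real drive.
# SMART_BASELINE is what the host logged at its last clean shutdown before the theft;
# SMART_CURRENT is read from the same drive after it was recovered.
SMART_BASELINE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4210
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       812
"""
SMART_CURRENT = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4217h+12m+05.331s
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       815
"""

POWER_ON_HOURS = 9      # SMART attribute IDs as reported by smartctl
POWER_CYCLE_COUNT = 12


def parse_smart_attributes(text):
    """Return {attribute_id: raw_value} from a `smartctl -A` attribute table.

    Some firmware reports the hours raw value as e.g. '4217h+12m+05.331s';
    only the leading integer (whole hours) is kept.
    """
    attrs = {}
    for line in text.splitlines():
        parts = line.split()
        # Attribute rows have 10 whitespace-separated columns and start with the ID.
        if len(parts) < 10 or not parts[0].isdigit():
            continue  # header, blank line, or other smartctl chatter
        raw = re.match(r"\d+", parts[9])
        if raw:
            attrs[int(parts[0])] = int(raw.group())
    return attrs


def audit(baseline, current, host_hours, host_cycles,
          hour_tolerance=1, cycle_tolerance=0):
    """Compare the drive's own counter growth with what the host can account for.

    host_hours / host_cycles: powered-on hours and power cycles the host logged
    (assumed to exist) between taking the baseline and reading the current values.
    Attribute 9 is hour-granular, so one hour of slack is allowed by default.
    A counter that went backwards means it was reset or the drive was swapped,
    which is suspicious on its own.
    """
    drive_hours = current[POWER_ON_HOURS] - baseline[POWER_ON_HOURS]
    drive_cycles = current[POWER_CYCLE_COUNT] - baseline[POWER_CYCLE_COUNT]
    counter_reset = drive_hours < 0 or drive_cycles < 0
    unaccounted_hours = drive_hours - host_hours
    unaccounted_cycles = drive_cycles - host_cycles
    suspicious = (counter_reset
                  or unaccounted_hours > hour_tolerance
                  or unaccounted_cycles > cycle_tolerance)
    return {
        "drive_hours": drive_hours,
        "drive_cycles": drive_cycles,
        "unaccounted_hours": unaccounted_hours,
        "unaccounted_cycles": unaccounted_cycles,
        "counter_reset": counter_reset,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    before = parse_smart_attributes(SMART_BASELINE)
    after = parse_smart_attributes(SMART_CURRENT)
    # Host says it ran the drive for 2 hours across 1 power cycle since the baseline.
    print(audit(before, after, host_hours=2, host_cycles=1))
```

    Two caveats for anyone tempted to rely on this: the counters only show that the drive was powered, not that any file was read, and a drive imaged behind a hardware write blocker still spins up and increments both attributes, so this catches exactly the "mount it read-only elsewhere" case the worst-case scenario describes. On the other hand the counters live in the drive's own firmware, so a vendor tool can reset them and a swapped drive defeats the comparison entirely; the baseline log should therefore also record the drive serial number from `smartctl -i`.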
  • by misterhypno ( 978442 ) on Monday July 03, 2006 @05:22PM (#15652506)
    "Most thefts are done by low-brow thieves." Of a US government laptop. From a US government employee. Somehow, the whole idea of "inside job" seems to be echoing through the halls somewhere and no one in slashdotland is seemingly listening.

    Ghosted CD bootup, copied in read-only mode on another system - piece of cake to most hackers and almost any high school kid who knows anything about system ops - and that's a LOT of them.

    But as far as the original perp goes, to be honest, I would doubt that the perp is a low-brow thief. More likely, the thief, if there WAS a thief, was someone on the inside at the VA, who knew EXACTLY what he, or she, was doing and what he, or she, was taking, and for exactly what purposes.

    With that many identities on the drive, the cash value of the data alone is astronomical. And for someone on the GSA payscale, that's a LOT of incentive to pull an inside job. Look for people who quit the VA in the next year or so and seem to hit it big at a casino or playing the ponies. Watch their accounts and their spending habits. Outgo will NOT equal income for someone - or several someones. And THAT will be your pool of "most likely to have copped the laptop" people.

    But, by then, the damage will have been done to a large number of the people whose information was stolen anyway.

    Once again, the government proves that its security measures are far behind those of the real world's.

    Lee Darrow, C.H.
  • by Zemran ( 3101 ) on Monday July 03, 2006 @08:23PM (#15653626) Homepage Journal
    When I was doing forensic work it was a legal requirement that there was no change whatsoever to the data on the disk when we imaged. It was not a complicated task and the instructions can be found on the internet. Although I do not imagine that the average thief would do this I think it is stupid in the extreme to assume that it has not been done.
  • by Jack Johnson ( 836341 ) on Tuesday July 04, 2006 @01:37AM (#15654764)
    The HDD in question was external. I grew up in and still frequent the area in which they say the equipment was recovered. I seriously doubt anyone was doing back-of-truck sales there. More likely, it wound up in one of the 3 pawn shops in the recovery area or the guy who stole it in the first place is only a few degrees separated from those who turned it in. Aspen Hill, where the VA worker is said to live, is deceptively rotten (I lived there for 2.5 years) and I seriously doubt anyone burglarizing a home in that area would have the slightest interest in the data.