Forensic Analysis of the Stolen VA Database 144
An anonymous reader writes "As you have probably heard, the FBI has recovered the stolen Veteran's Administration laptop. The FBI even said "A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen." This article looks at what the FBI forensic lab is doing to determine the sensitive information hasn't been accessed and how the thieves might have covered their tracks — thereby rendering the forensic results useless."
Wow, the FBI discovered MAC times. (Score:5, Insightful)
Victims have to assume it was accessed (Score:4, Insightful)
Even if the data really wasn't accessed, the fact that it was unaccounted for (even that it was taken to someone's house) is inexcusable. Just because the VA managed to dodge a bullet this time doesn't mean they're in the clear on this.
Easy cheesy (Score:5, Insightful)
Obligatory conspiracy theory... (Score:3, Insightful)
Re:Wow, the FBI discovered MAC times. (Score:3, Insightful)
So in short, it's a bit of a gamble. But not much. (Score:5, Insightful)
A response to his blog entry suggests that someone might have booted the machine with another external O/S and copied the data that way (with the drive in read-only mode, as seen from the other O/S). I presume we're talking knoppix, etc. There'd be very little to find on the machine, if that were the case.
So the gamble comes down to this: are we dealing with very advanced spooky thieves that happened to know this guy would have that data on his machine, and were staking out his house to catch the laptop there unguarded, and then faked a very pedestrian looking robbery, and clean-roomed the machine, and then turned it into the FBI?
Or, did Mr. Occam come along, rob the house, grab the laptop and other portable goodies from the house (which happened), and then later realize that the machine wasn't exactly fenceable (especially with US Government Property markings on it, etc), and he either passed it off to someone else or made arrangements for indirect involvement in turning it into the Baltimore FBI office for a shot at the $50k reward money?
The second scenario seems a lot more likely, since in the first, an operation that polished usually has other ways to get the data, and even if laying hands on the laptop WAS the only way to get the data, they could have done so in place in a matter of minutes (since the guy they would have to have been casing was already gone from the house), and left the laptop right where it is, thus making the stolen data much more valuable (since its theft would have not been broadcast to the world).
here's the conclusion we want, now come to it (Score:5, Insightful)
Re:So in short, it's a bit of a gamble. But not mu (Score:4, Insightful)
Re:So in short, it's a bit of a gamble. But not mu (Score:4, Insightful)
That burglar then sells the laptop, as is, to identity thieves
Because most break-ins are committed by very low-brow thieves. Most are looking for quick cash to fuel a drug habit, or by kids trying to lay hands on gear they want but can't buy (game consoles, DVDs, etc). Tracking down a connection to a big-ticket ID-theft person/ring is well outside the normal criminal relations of your average B&E punk. Not saying impossible, just not likely. Most of them would be scared to death once they heard what they had, and would have either chucked it in the river or (my guess), looked for a way to say "uh... a guy I know stole this... can I have the fifty large, now, in small bills?"
No offense, but let them do their job (Score:1, Insightful)
First, since they're checking out a laptop, likely a government one no less, the chances of
(a) the typical thief going in, opening the case, removing the HD, using a write-blocker to protect a bit-by-bit cloning, and then having a method to return it to authorities is essentially nil. So, if this is a case of your casual identity thief accessing the data, I sincerely doubt you'll find the laptop devoid of physical evidence indicating unauthorized access.
That being said, what if this was some elaborate operation by more professional thieves designed to steal the data?
(b)They would have scoped out their target and have had a fool-proof plan to steal the laptop, data, and make it appear to be a random theft. They would have used gloves and taken the laptop to a sterile environment immediately. They would have done many clever things that are beyond this post. And you know what? The FBI main computer forensic laboratory might be able to figure it out anyway.
In the case of (b), the scary, worst case scenario...what if encryption had been utilized? A key, perhaps, either software (password) based, or hardware (dongle, smart card, biometric) based, would be used, correct? Well, guess what? It would have stopped the thief that didn't know what he was doing, and consequently would have left tracks, and it would only prolong the amount of surveillance needed by the expert thieves to snag the laptop and the key.
Heck, if they were really good, they could have done the imaging of the drive on the spot. Write blockers and a second laptop are both very portable, as are wearing gloves. In every case except for biometrics (and even that can be duplicated -- sensors found on laptops and/or thumb drives are typically very unsophisticated and unable to stop the "gummy finger" trick), the key would have been in the house or on the person, and can be learned passively without tipping off the employee.
Finally, as an aside, the blog (a former computer forensics specialist) suggested the FBI would be looking at MAC times, not the FBI itself. The FBI simply stated that a thorough and detailed analysis would be conducted.
Also, for what it's worth, I'm also a computer forensics specialist, and believe me, MAC times aren't the end-all-be-all of my digital/professional world. A machine has many stories it can tell, and by default, tends to record more information about what you've done than you realize.
Re:So in short, it's a bit of a gamble. But not mu (Score:5, Insightful)
If someone works as a thief, he knows other thieves, and he surely knows people who buy stolen stuff. The laptop could go through several hands before it landed with an ID thief, and there is a reason for that - each layer of resellers would try to maximize the value of the item. Even the stupidest thief would be smart enough to sell the laptop with valuable data for $500 instead of selling it as a generic notebook for $50.
Such a long chain of custody can explain, actually, why the laptop was out of sight for so long. Each owner would need several days to make a few phone calls or meetings before a deal is made and money changes hands. The last owner would need an hour at most, and once the data is copied and verified there is no reason to hold onto the hardware.
Re:No offense, but let them do their job (Score:3, Insightful)
As far as the encryption hypothesis, given the PR fallout they were expecting by the way this event was "managed," I can be fairly certain that if the data had been encrypted the public would never have heard about the laptop theft.
Re:So in short, it's a bit of a gamble. But not mu (Score:2, Insightful)
Bitwise copy is possible, but extremely unlikely (Score:5, Insightful)
So, if they were smart psychic criminals that knew the data was on the laptop, they'd not worry about covering their tracks the hard way... they'd just destroy the laptop once they had the data. After all, the data would be worth far more than the laptop itself.
If it was a criminal that just stole a bunch of high tech gear from the house, which is far more likely, then if the FBI really is using these methods, then the data wasn't accessed.
Just more tinfoil hat comments dominating the responses, though. In any case, EVERYONE, not just people whose data might have been compromised, should check their credit reports regularly and pay close attention to their financial information.
DRM. (Score:1, Insightful)
What is the hold up? Why do we see DRM on silly things like music, yet hardly anyone uses it in the workplace to protect data?
Re:Wow, the FBI discovered MAC times. (Score:4, Insightful)
How clever of you to parrot back what was in the article. He said if they made a bit-by-bit copy of the disk there would be no way to tell if it had actually been accessed. They might be able to show it has been compromised; they can't prove it hasn't.
I think the FBI is totally blowing smoke on this one.
Why would you say that? If you'd actually read the article you'd know this isn't about what the FBI did or didn't do at all. It's nothing but speculation from someone who says he's a forensic specialist at Zone Labs.
From the article:
The post was not written by the FBI, by an FBI agent or by anyone associated with the FBI. The only thing the post says about what the FBI has done is quote a vague press release.
Re: Say what? (Score:3, Insightful)
As I said, the SMART setting in the BIOS changes nothing useful. It just reports the current status (good/bad) of the drive while booting, nothing more. And by the time you've used the tool to turn SMART off on the drive, it has already spun up and logged a power-on.
It's worth the effort to try to account for all power cycles, because unlike checking access times, if you get the expected result here, you have a reasonable guarantee that the data wasn't accessed while the laptop was missing. The amount of effort and expertise required to cover this up is far, far greater than what's required to preserve the old access times. Without creating evidence of tampering, you have to either insert new startup/shutdown entries into the Windows event log at believable times from before the laptop was stolen (hard), or you'd have to change the SMART data on the drive (very hard).
The only real problem with power cycle accounting is that it does not give a very conclusive result if the expected and actual cycles don't match, because there might be an authorized power cycle that was unaccounted for. In short, to the question "was this data accessed?" checking the access times will either give you a conclusive "yes" answer, or "undetermined", while power cycle accounting will either give you a reasonably certain "no" or "undetermined." Both forensic tests are worth doing.
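The two tests described in this comment and in the earlier "bit by bit copy" reply (access times can only produce a conclusive "yes", power-cycle accounting can only produce a reasonably certain "no") can be written down as a small examiner's script. The following is an added example, not code from the thread or from the FBI: the event-log lines, access times, theft window and SMART count are all constructed sample data, and the script assumes, to stay short, that the logged Windows boot events (Event ID 6005, written at every boot) account for the drive's entire power-on history apart from the examiner's own spin-up during imaging.

```python
from datetime import datetime

# Constructed sample of Windows System event log entries as "timestamp,event_id".
# Event ID 6005 ("The Event log service was started") is written at every boot,
# 6006 ("The Event log service was stopped") at a clean shutdown.
SAMPLE_EVENT_LOG = """\
2006-04-28T08:02:11,6005
2006-04-28T17:31:40,6006
2006-05-01T07:55:03,6005
2006-05-01T18:10:22,6006
"""

# Constructed sample of file access times recovered from the disk image, "path,atime".
SAMPLE_ATIMES = """\
C:/data/veterans.mdb,2006-05-01T09:14:05
C:/Windows/system32/ntoskrnl.exe,2006-05-01T07:55:10
"""

# Constructed theft window (not the real case dates): the laptop was missing from
# the evening of 2006-05-01 until it was handed to investigators.
THEFT_START = datetime(2006, 5, 1, 20, 0)
RECOVERY = datetime(2006, 6, 29, 12, 0)


def parse_event_log(text):
    """Return a list of (datetime, event_id) from the sample log format."""
    entries = []
    for line in text.strip().splitlines():
        ts, event_id = line.split(",")
        entries.append((datetime.fromisoformat(ts), int(event_id)))
    return entries


def parse_atimes(text):
    """Return a list of (path, datetime) from the sample atime listing."""
    atimes = []
    for line in text.strip().splitlines():
        path, ts = line.rsplit(",", 1)
        atimes.append((path, datetime.fromisoformat(ts)))
    return atimes


def access_time_verdict(atimes, start, end):
    """Access-time check: conclusive "yes" if any file was read inside the
    theft window, otherwise "undetermined" (an image taken through a write
    blocker never touches atimes, so a clean result proves nothing)."""
    if any(start <= atime <= end for _path, atime in atimes):
        return "yes"
    return "undetermined"


def power_cycle_verdict(entries, smart_power_cycle_count, start, end, examiner_cycles=1):
    """Power-cycle accounting: "no" only when every power-on the drive counted
    (SMART attribute 12, Power_Cycle_Count) is explained by a logged Windows
    boot or by the examiner's own imaging; otherwise "undetermined", because an
    unlogged cycle may be an external-media boot or an authorised cycle nobody
    recorded, so it is never promoted to a "yes"."""
    logged_boots = [ts for ts, event_id in entries if event_id == 6005]
    if any(start <= ts <= end for ts in logged_boots):
        return "undetermined"   # Windows itself was booted while the laptop was missing
    expected = len(logged_boots) + examiner_cycles
    if smart_power_cycle_count != expected:
        return "undetermined"   # power-ons the event log cannot account for
    return "no"


def run_checks(event_log_text, atimes_text, smart_power_cycle_count,
               start=THEFT_START, end=RECOVERY, examiner_cycles=1):
    """Run both tests: the access-time check can only say "yes", the
    power-cycle check can only say "no"; together they narrow the answer."""
    entries = parse_event_log(event_log_text)
    atimes = parse_atimes(atimes_text)
    return {
        "access_times": access_time_verdict(atimes, start, end),
        "power_cycles": power_cycle_verdict(entries, smart_power_cycle_count,
                                            start, end, examiner_cycles),
    }


if __name__ == "__main__":
    # Constructed SMART Power_Cycle_Count read from the drive: two logged boots
    # plus the examiner's single spin-up during imaging.
    print(run_checks(SAMPLE_EVENT_LOG, SAMPLE_ATIMES, smart_power_cycle_count=3))
```

With the sample data the access-time test returns "undetermined" (no atime falls inside the window, which is exactly what a write-blocked clone would leave behind) while the power-cycle test returns "no", because the SMART count of 3 is fully explained by the two logged boots plus the examiner's imaging. Raise the SMART count by one, or add a 6005 entry dated inside the window, and the second test drops to "undetermined"; it never claims "yes", matching the commenter's point that a mismatch might just be an unrecorded authorised power cycle.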