Forensic Analysis of the Stolen VA Database

An anonymous reader writes "As you have probably heard, the FBI has recovered the stolen Veteran's Administration laptop. The FBI even said 'A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen.' This article looks at what the FBI forensic lab is doing to determine the sensitive information hasn't been accessed and how the thieves might have covered their tracks — thereby rendering the forensic results useless."
  • by base3 ( 539820 ) on Monday July 03, 2006 @03:13PM (#15651696)
    But someone taking an image copy of the disk wouldn't touch the MAC times. There is no way they can be certain those data weren't copied, though I'm sure their announcement will help mollify the millions of current and former servicemen and women whose vitals are subject to misuse. And as a bonus, I'll bet this breach will be used as an example of something pervasive "trusted" computing could have prevented.
  • by eln ( 21727 ) on Monday July 03, 2006 @03:14PM (#15651706)
    The data was unaccounted for for a fairly significant period of time. Anyone whose data was on that laptop still has to assume the data was accessed, and take appropriate steps to protect themselves from identity theft.

    Even if the data really wasn't accessed, the fact that it was unaccounted for (even that it was taken to someone's house) is inexcusable. Just because the VA managed to dodge a bullet this time doesn't mean they're in the clear on this.
  • Easy cheesy (Score:5, Insightful)

    by MooseTick ( 895855 ) on Monday July 03, 2006 @03:16PM (#15651724) Homepage
    It is trivial to copy the contents from a hard drive and leave NO sign that the data was read. There would be NO way to forensically determine whether the data had been compromised. You could do a best guess, but that would only be a guess.
  • by Chabil Ha' ( 875116 ) on Monday July 03, 2006 @03:24PM (#15651779)
    What if the whole examination is a hoax? Or the real results covered up? What do they stand to gain??? The government (and for that fact humanity) has an ego problem of not wanting to admit mistakes because a mistake of this magnitude merits a major change. If the information is found to have been accessed/copied/etc., you have insane public outcry. If the results come back negative, you still have people grumble about it, but the status quo doesn't have to change.
  • by HikingStick ( 878216 ) <z01riemer AT hotmail DOT com> on Monday July 03, 2006 @03:24PM (#15651783)
    What frightens me most is that they surmise that making a bit copy would be unlikely, difficult, or technically complex (I've read the government's view on this from numerous sources). My six year old can do it. This is like assigning nearsighted guards to the top of a town's wall without corrective lenses: "yeah, sure, there are people out there--or are they animals? or maybe bushes?--either way they don't look threatening."
  • by ScentCone ( 795499 ) on Monday July 03, 2006 @03:26PM (#15651793)
    The thrust of his comments is this: if we're dealing with casual laptop thieves (as the circumstances of the house burglary suggest), then the usual built-in flags and dates that the O/S uses will tell the tale. If we're dealing with someone clever enough to do what they (the forensics lab) likely did, they'd have removed the drive and used other equipment to make a passive bit-for-bit copy, and then re-installed the drive... and he's suggesting that it would be fairly hard to do that without leaving some tell-tale signs inside the case (tool marks, DNA, mechanical changes to connectors, etc).

    A response to his blog entry suggests that someone might have booted the machine with another external O/S and copied the data that way (with the drive in read-only mode, as seen from the other O/S). I presume we're talking knoppix, etc. There'd be very little to find on the machine, if that were the case.

    So the gamble comes down to this: are we dealing with very advanced spooky thieves that happened to know this guy would have that data on his machine, and were staking out his house to catch the laptop there unguarded, and then faked a very pedestrian looking robbery, and clean-roomed the machine, and then turned it in to the FBI?

    Or, did Mr. Occam come along, rob the house, grab the laptop and other portable goodies from the house (which happened), and then later realize that the machine wasn't exactly fenceable (especially with US Government Property markings on it, etc), and he either passed it off to someone else or made arrangements for indirect involvement in turning it in to the Baltimore FBI office for a shot at the $50k reward money?

    The second scenario seems a lot more likely, since in the first, an operation that polished usually has other ways to get the data, and even if laying hands on the laptop WAS the only way to get the data, they could have done so in place in a matter of minutes (since the guy they would have to have been casing was already gone from the house), and left the laptop right where it was, thus making the stolen data much more valuable (since its theft would have not been broadcast to the world).
  • by frovingslosh ( 582462 ) on Monday July 03, 2006 @03:29PM (#15651824)
    I doubt very much that the "experts" that the FBI has looking into this are so lame that they don't realize that a Live CD like Knoppix or any of the hundreds of others could have been used to make a copy of the data without changing the "last accessed dates". Heck, that is likely what they did themselves when they made the forensic copy of the data that they examined. It seems much more likely that they have been told what result it would be in their best interest to come to, and barring any extremely obvious indications otherwise, we will be told what the government wants to tell us.
  • by tftp ( 111690 ) on Monday July 03, 2006 @03:36PM (#15651903) Homepage
    A combination of your scenarios is even more likely:

    1. A common burglar enters the house and takes anything that looks valuable.
    2. That burglar then reads in newspapers what exactly he has in his hands.
    3. That burglar then sells the laptop, as is, to identity thieves; from that point on, he is out of the picture.
    4. The ID thief boots from a Ghost CD, and copies the contents of the drive to another computer.
    5. The ID thief returns the laptop, so that he can maximize the value of the data, and stop the investigation.
    6. The FBI concludes that the computer was not booted up for ages, and the data is safe. There will be no discernible fingerprints on the computer (of the owner, or of the thieves); that is not unusual.
  • by ScentCone ( 795499 ) on Monday July 03, 2006 @03:43PM (#15651943)
    Interesting. I think, believe it or not, that the hardest part for your average burglar is this:

    That burglar then sells the laptop, as is, to identity thieves

    Because most break-ins are committed by very low-brow thieves. Most are looking for quick cash to fuel a drug habit, or by kids trying to lay hands on gear they want but can't buy (game consoles, DVDs, etc). Tracking down a connection to a big-ticket ID-theft person/ring is well outside the normal criminal relations of your average B&E punk. Not saying impossible, just not likely. Most of them would be scared to death once they heard what they had, and would have either chucked it in the river or (my guess), looked for a way to say "uh... a guy I know stole this... can I have the fifty large, now, in small bills?"
  • by Anonymous Coward on Monday July 03, 2006 @03:49PM (#15651983)
    While there is certainly "no way to be certain" that the data hadn't been compromised or copied, there is some rational thought that can be applied here, especially rational thought devoid of sarcastic and disrespectful post titles like your own.

    First, since they're checking out a laptop, likely a government one no less, the chances of

    (a) the typical thief going in, opening the case, removing the HD, using a write-blocker to protect a bit-by-bit cloning, and then having a method to return it to authorities is essentially nil. So, if this is a case of your casual identity thief accessing the data, I sincerely doubt you'll find the laptop devoid of physical evidence indicating unauthorized access.

    That being said, what if this was some elaborate operation by more professional thieves designed to steal the data?

    (b) They would have scoped out their target and have had a fool-proof plan to steal the laptop, data, and make it appear to be a random theft. They would have used gloves and taken the laptop to a sterile environment immediately. They would have done many clever things that are beyond this post. And you know what? The FBI main computer forensic laboratory might be able to figure it out anyway.

    In the case of (b), the scary, worst case scenario...what if encryption had been utilized? A key, perhaps, either software (password) based, or hardware (dongle, smart card, biometric) based, would be used, correct? Well, guess what? It would have stopped the thief that didn't know what he was doing, and consequently would have left tracks, and it would only prolong the amount of surveillance needed by the expert thieves to snag the laptop and the key.

    Heck, if they were really good, they could have done the imaging of the drive on the spot. Write blockers and a second laptop are both very portable, as is wearing gloves. In every case except for biometrics (and even that can be duplicated -- sensors found on laptops and/or thumb drives are typically very unsophisticated and unable to stop the "gummy finger" trick), the key would have been in the house or on the person, and can be learned passively without tipping off the employee.

    Finally, as an aside, the blog (a former computer forensics specialist) suggested the FBI would be looking at MAC times, not the FBI itself. The FBI simply stated that a thorough and detailed analysis would be conducted.

    Also, for what it's worth, I'm also a computer forensics specialist, and believe me, MAC times aren't the end-all-be-all of my digital/professional world. A machine has many stories it can tell, and by default, tends to record more information about what you've done than you realize.
  • by tftp ( 111690 ) on Monday July 03, 2006 @03:56PM (#15652047) Homepage
    That assumes that the criminal world is somehow deficient and can't find its specialists with both hands and a mirror. But we usually know people who are like us. If you work with computers, you have friends and acquaintances of similar sort. When I was in the computer contracting business I could have linked you with tens, if not hundreds, of people who specialize in this and that.

    If someone works as a thief, he knows other thieves, and he surely knows people who buy stolen stuff. The laptop could go through several hands before it landed with an ID thief, and there is a reason for that - each layer of resellers would try to maximize the value of the item. Even the stupidest thief would be smart enough to sell the laptop with valuable data for $500 instead of selling it as a generic notebook for $50.

    Such a long chain of custody can explain, actually, why the laptop was out of sight for so long. Each owner would need several days to make a few phone calls or meetings before a deal is made and money changes hands. The last owner would need an hour at most, and once the data is copied and verified there is no reason to hold onto the hardware.

  • by base3 ( 539820 ) on Monday July 03, 2006 @04:01PM (#15652087)
    I understand what you're saying, but if I were the one testifying before Congress, I would have to say the data must be assumed compromised. Given that the machine was fenced, there were a number of people who had an opportunity to obtain the data and then put the machine back into the pawn circuit so that it looked like a ham-handed theft. I agree that the initial theft was a crime of opportunity, but wouldn't rule out a sophisticated grab of the data.


    As far as the encryption hypothesis, given the PR fallout they were expecting by the way this event was "managed," I can be fairly certian that if the data had been encrypted the public would never have heard about the laptop theft.

  • by denoir ( 960304 ) on Monday July 03, 2006 @04:02PM (#15652091)
    Not to mention that had the data been the target, that computer would have never been returned. It would have been degaussed, torched and thrown into a lake or something similar. ...unless of course they were really sneaky and made sure that they left no forensic evidence (physical or virtual) and returned it for the FBI to conclude that the data had not been accessed...
  • by TheFlyingGoat ( 161967 ) on Monday July 03, 2006 @04:03PM (#15652099) Homepage Journal
    ScentCone's comment hits it on the head, but I'll take it a bit further. Even though it is pretty simple to set a drive to read-only or make a bitwise copy of it, you'd have to ask WHY someone would do that. If the person that stole the laptop was actually out to steal sensitive data, they would do so and then destroy the laptop instead of risking having it tracked back to them.

    So, if they were smart psychic criminals that knew the data was on the laptop, they'd not worry about covering their tracks the hard way... they'd just destroy the laptop once they had the data. After all, the data would be worth far more than the laptop itself.

    If it was a criminal that just stole a bunch of high tech gear from the house, which is far more likely, then, if the FBI really is using these methods, the data wasn't accessed.

    Just more tinfoil hat comments dominating the responses, though. In any case, EVERYONE, not just people whose data might have been compromised, should check their credit reports regularly and pay close attention to their financial information.
  • DRM. (Score:1, Insightful)

    by Anonymous Coward on Monday July 03, 2006 @04:40PM (#15652287)
    We have music that is DRM'ed by many people, why can't companies have their data DRM'ed.
    What is the hold up? Why do we see DRM on silly things like music, yet hardly anyone uses it in the workplace to protect data.
  • by Cromac ( 610264 ) on Monday July 03, 2006 @07:19PM (#15653226)
    Yes, really tough to boot into INSERT (knoppix-based with partimage and USB support) and copy the drive image to an external usb drive.

    How clever of you to parrot back what was in the article. He said if they made a bit by bit copy of the disk there would be no way to tell if it had actually been accessed. They might be able to show it has been compromised, they can't prove it hasn't.

    I think the FBI is totally blowing smoke on this one.

    Why would you say that? If you'd actually read the article you'd know this isn't about what the FBI did or didn't do at all. It's nothing but speculation from someone who says he's a forensic specialist at Zone labs.

    From the article:

    As a former Computer Forensic Specialist, I wanted to explain what's probably going on with this laptop now that the FBI has the system and is forensically examining it.
    The post was not written by the FBI, by an FBI agent or by anyone associated with the FBI. The only thing the post says about what the FBI has done is quote a vague press release.
    A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen. A thorough forensic examination is underway, and the results will be shared as soon as possible. The investigation is ongoing.
  • Re: Say what? (Score:3, Insightful)

    by Burpmaster ( 598437 ) on Tuesday July 04, 2006 @11:27AM (#15656271)

    As I said, the SMART setting in the BIOS changes nothing useful. It just reports the current status (good/bad) of the drive while booting, nothing more. And by the time you've used the tool to turn SMART off on the drive, it has already spun up and logged a power-on.

    It's worth the effort to try to account for all power cycles, because unlike checking access times, if you get the expected result here, you have a reasonable guarantee that the data wasn't accessed while the laptop was missing. The amount of effort and expertise required to cover this up is far, far greater than what's required to preserve the old access times. Without creating evidence of tampering, you have to either insert new startup/shutdown entries into the Windows event log at believable times from before the laptop was stolen (hard), or you'd have to change the SMART data on the drive (very hard).

    The only real problem with power cycle accounting is that it does not give a very conclusive result if the expected and actual cycles don't match, because there might be an authorized power cycle that was unaccounted for. In short, to the question "was this data accessed?" checking the access times will either give you a conclusive "yes" answer, or "undetermined", while power cycle accounting will either give you a reasonably certain "no" or "undetermined." Both forensic tests are worth doing.
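The two tests Burpmaster contrasts, written out as an added example (not code from the thread, nor any FBI procedure): an access-time check that can only answer "yes" or "undetermined", and power-cycle accounting that reconciles the drive's SMART Power_Cycle_Count against the boots the Windows event log records and can only answer "no" or "undetermined". The SMART output, event-log export, access times, theft window and baseline reading are all constructed sample data.

```python
"""Access-time check versus power-cycle accounting, as contrasted above.
Constructed example; every value below is made up, not evidence from the case."""
from datetime import datetime

# Constructed SMART attribute table in the layout smartctl -A prints;
# attribute 12 (Power_Cycle_Count) is the drive's own count of power-ons.
SMART_OUTPUT = """\
ID# ATTRIBUTE_NAME     FLAG   VALUE WORST THRESH TYPE    UPDATED WHEN_FAILED RAW_VALUE
 12 Power_Cycle_Count  0x0032 099   099   000    Old_age Always  -           421
"""
# Constructed event-log export, "<date> <time> <event id>"; 6005 is the
# Windows "event log service started" record, i.e. one OS boot.
EVENT_LOG = """\
2006-04-28 07:55:10 6005
2006-04-28 18:02:41 6006
2006-05-01 08:10:03 6005
2006-05-01 17:40:12 6006
"""
# Constructed file-system access times and theft window (placeholder dates).
ACCESS_TIMES = {"C:/data/veterans.mdb": datetime(2006, 5, 1, 16, 20)}
STOLEN_AT, RECOVERED_AT = datetime(2006, 5, 3), datetime(2006, 6, 29)
BASELINE_AT = datetime(2006, 4, 28)   # when the baseline SMART count was read

def smart_power_cycles(text):
    """Raw Power_Cycle_Count from smartctl-style attribute output."""
    for fields in (line.split() for line in text.splitlines()):
        if fields and fields[0] == "12":
            return int(fields[-1])
    raise ValueError("no Power_Cycle_Count attribute")

def logged_boots(text):
    """Timestamps of every logged boot (event id 6005)."""
    return [datetime.fromisoformat(f"{d} {t}")
            for d, t, eid in (ln.split() for ln in text.splitlines()) if eid == "6005"]

def access_time_check(atimes, stolen_at, recovered_at):
    """An access time inside the theft window proves a read; none proves nothing,
    since an image taken through a write blocker or a read-only live CD never updates it."""
    hits = [p for p, t in atimes.items() if stolen_at <= t <= recovered_at]
    return ("yes" if hits else "undetermined"), hits

def power_cycle_check(smart_now, baseline_cycles, baseline_at, boots, stolen_at, recovered_at):
    """Each SMART power-on since the baseline must match a logged OS boot before the
    theft.  A surplus cycle is a power-on the OS never recorded (a live-CD image looks
    like this) but may also be an unlogged authorised one, hence only "undetermined"."""
    since = [b for b in boots if b >= baseline_at]
    if any(stolen_at <= b <= recovered_at for b in since):
        return "yes", 0                       # the OS itself logged a boot while stolen
    unexplained = (smart_now - baseline_cycles) - len(since)
    if unexplained < 0:
        raise ValueError("more boots logged than SMART cycles; check the baseline")
    return ("no" if unexplained == 0 else "undetermined"), unexplained
```

The baseline is the weak point in practice: without a SMART reading from a known-good date, a lifetime counter cannot be reconciled against an event log that only goes back to the OS install.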
