Forensic Analysis of the Stolen VA Database
An anonymous reader writes "As you have probably heard, the FBI has recovered the stolen Veteran's Administration laptop. The FBI even said "A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen." This article looks at what the FBI forensic lab is doing to determine the sensitive information hasn't been accessed and how the thieves might have covered their tracks — thereby rendering the forensic results useless."
But someone taking an image copy of the disk wouldn't touch the MAC times. There is no way they can be certain those data weren't copied, though I'm sure their announcement will help mollify the millions of current and former servicemen and women whose vitals are subject to misuse. And as a bonus, I'll bet this breach will be used as an example of something pervasive "trusted" computing could have prevented.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Yeah, especially if they had done what I would have done: boot from CD and copy files out the ethernet port to another HD.
The data was unaccounted for for a fairly significant period of time. Anyone whose data was on that laptop still have to assume the data was accessed, and take appropriate steps to protect themselves from identity theft.
Even if the data really wasn't accessed, the fact that it was unaccounted for (even that it was taken to someone's house) is inexcusable. Just because the VA managed to dodge a bullet this time doesn't mean they're in the clear on this.
I really like the "worst-case scenario" that article posts ...
Worst case scenario: The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only (no modifications to the file system) on another computer, access the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop -- and this is why I mentioned what the FBI might look for during the physical examination -- marks on the screws or finger prints on the internal hard drive casing.
As with any physical evidence, looking for material containing DNA is standard procedure.
Translation: it was used to surf porn...
If you want news from today, you have to come back tomorrow.
Click "Start." Select "Documents." Look for VA-Confidential-ID-Info-DO-NOT-STEAL.xls. It's not there! We're Golden!
It is trivial to copy the contents from a hard drive and leave NO sign that the data was read. There would be NO way to forensically determine whether the data had been compromised. You could do a best guess, but that would only be a guess.
Ninjas don't carry tic tacs
While it's nice a forensic specialist can lend some insight, it's misleading to suggest this is what the FBI is actually doing.
Sure, the filestamp could be "last accessed: before this thing was stolen."
But there is no way they can be sure the drive was not removed, imaged (dd if=/dev/hdc1 of=SSNDBimage), then put back.
Now, if they can do something like looking at the scratches in the IDE pins in the HD, to see how many times it has been plugged in to something, I would be seriously impressed. That would be unprecedented in forensics, as far as I know.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
The first two times I clicked on the Read More... link, I got the ol' 404 "Nothing to see here, move along" message.
I think my tinfoil hat is on a bit too tight.
Regarding the article links, especially the second link, hopefully the FBI can show the other departments a thing or two about computer security.
At the recycling company I work at, we get dozens of hard drives full of data every day. An unscrupulous person could make a great deal of money off of just thrift store-level personal data, but you rarely see that kind of thing getting done. The typical thief is uneducated, particularly about the mystical inner workings of a computer, but I suspect that is about to change in the New Era of identity theft. I have almost no doubt that a typical thief jacked that laptop to look at MySpace in the park or some other ridiculously pedestrian abuse of hardware...
I may make you feel, but I can't make you think.
What if the whole examination is a hoax? Or the real results covered up? What do they stand to gain??? The government (and for that fact humanity) has an ego problem of not wanting to admit mistakes because a mistake of this magnitude merits a major change. If the information is found to have been accessed/copied/etc., you have insane public outcry. If the results come back negative, you still have people grumble about it, but the status quo doesn't have to change.
We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
What I want to know is why they kept a highly sensitive database on a laptop, rather than on a server. After all, servers are much harder to carry out of the building than a laptop is.
The thrust of his comments is this: if we're dealing with casual laptop thieves (as the circumstances of the house burglary suggest), then the usual built-in flags and dates that the O/S uses will tell the tale. If we're dealing with someone clever enough to do what they (the forensics lab) likely did, they'd have removed the drive and used other equipment to make a passive bit-for-bit copy, and then re-installed the drive... and he's suggesting that it would be fairly hard to do that without leaving some tell-tale signs inside the case (tool marks, DNA, mechanical changes to connectors, etc).
A response to his blog entry suggests that someone might have booted the machine with another external O/S and copied the data that way (with the drive in read-only mode, as seen from the other O/S). I presume we're talking knoppix, etc. There'd be very little to find on the machine, if that were the case.
So the gamble comes down to this: are we dealing with very advanced spooky thieves that happened to know this guy would have that data on his machine, and were staking out his house to catch the laptop there unguarded, and then faked a very pedestrian looking robbery, and clean-roomed the machine, and then turned it into the FBI?
Or, did Mr. Occam come along, rob the house, grab the laptop and other portable goodies from the house (which happened), and then later realize that the machine wasn't exactly fenceable (especially with US Government Property markings on it, etc), and he either passed it off to someone else or made arrangements for indirect involvement in turning it into the Baltimore FBI office for a shot at the $50k reward money?
The second scenario seems a lot more likely, since in the first, an operation that polished usually has other ways to get the data, and even if laying hands on the laptop WAS the only way to get the data, they could have done so in place in a matter of minutes (since the guy the would have to have been casing was already gone from the house), and left the laptop right where it is, thus making the stolen data much more valuable (since its theft would have not been broadcast to the world).
Don't disappoint your bird dog. Go to the range.
from TFA: " The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only"..
But why bother removing the drive? Wouldn't it be simpler just to boot up a Knoppix CD, mount as read-only, and have your way with the laptop?
I doubt very much that the "experts" that the FBI has looking into this are so lame that they don't realize that a Live CD like Knoppix or any of the hundreds of others could have been used to make a copy of the data without changing the "last accessed dates". Heck, that is likely what they are doing themselves when they made the forensic copy of the data that they examined. It seems much more likely that they have been told what result it would be in their best interest to come to, and barring any extremely obvious indications otherwise, we will be told what the government wants to tell us.
I'm an American. I love this country and the freedoms that we used to have.
What worries me is the way that they seem to think that by it not being accessed then it is all OK, if anything I think it not being touched is much worse as it indicates that it has been replicated or transferred in order for those who took it to work on it without leaving a bread-trail for the authorities to follow them by. Of course no forensic evidence will be of use, if they were smart enough to copy and not disturb the database itself then they will not have been in physical contact with the laptop for very long and they will have most definitely worn gloves and other protective equipment. It's a shame to see the ever-alert cybercrimes department not realising what is the obvious course of action for these thieves.
Business Voyeur
Ultimately, does it really matter if it was accessed or not? Given the sensitive nature of the data and assuming the FBI cannot publicly prove that the data was not accessed shouldn't everyone assume that it was and act accordingly?
Haiku for you!
So the best cyber-crime technique is:
1) Obtain notebook containing sensitive data
2) Wearing rubber gloves, carefully remove disk drive. Do not scratch case or otherwise mar screws.
3) Image disk drive.
4) Reassemble and allow notebook to be recovered.
5) Enjoy politicians spinning and shouting that the data has not been read.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
How many laptops (other than those owned by the rich and powerful) get dusted for prints by anal-retentive crime lab people after they're stolen?
lol, good one.
Interesting. I think, believe it or not, that the hardest part for your average burglar is this:
That burglar then sells the laptop, as is, to identity thieves
Because most break-ins are committed by very low-brow thieves. Most are looking for quick cash to fuel a drug habit, or by kids trying to lay hands on gear they want but can't buy (game consoles, DVDs, etc). Tracking down a connection to a big-ticket ID-theft person/ring is well outside the normal criminal relations of your average B&E punk. Not saying impossible, just not likely. Most of them would be scared to death once they heard what they had, and would have either chucked it in the river or (my guess), looked for a way to say "uh... a guy I know stole this... can I have the fifty large, now, in small bills?"
Don't disappoint your bird dog. Go to the range.
A web site advertising "find information on any VA for only $29.99"
There are no loopholes. It's either legal or it's not.
While there is certainly "no way to be certain" that the data hadn't been compromised or copied, there is some rational thought that can be applied here, especially rational thought devoid of sarcastic and disrespectful post titles like your own.
First, since they're checking out a laptop, likely a government one no less, the chances of
(a) the typical thief going in, opening the case, removing the HD, using a write-blocker to protect a bit-by-bit cloning, and then having a method to return it to authorities is essentially nil. So, if this is a case of your casual identity thief accessing the data, I sincerely doubt you'll find the laptop devoid of physical evidence indicating unauthorized access.
That being said, what if this was some elaborate operation by more professional thieves designed to steal the data?
(b) They would have scoped out their target and have had a fool-proof plan to steal the laptop, data, and make it appear to be a random theft. They would have used gloves and taken the laptop to a sterile environment immediately. They would have done many clever things that are beyond this post. And you know what? The FBI main computer forensic laboratory might be able to figure it out anyway.
In the case of (b), the scary, worst case scenario...what if encryption had been utilized? A key, perhaps, either software (password) based, or hardware (dongle, smart card, biometric) based, would be used, correct? Well, guess what? It would have stopped the thief that didn't know what he was doing, and consequently would have left tracks, and it would only prolong the amount of surveillance needed by the expert thieves to snag the laptop and the key.
Heck, if they were really good, they could have done the imaging of the drive on the spot. Write blockers and a second laptop are both very portable, as are wearing gloves. In every case except for biometrics (and even that can be duplicated -- sensors found on laptops and/or thumb drives are typically very unsophisticated and unable to stop the "gummy finger" trick), the key would have been in the house or on the person, and can be learned passively without tipping off the employee.
Finally, as an aside, the blog (a former computer forensics specialist) suggested the FBI would be looking at MAC times, not the FBI itself. The FBI simply stated that a thorough and detailed analysis would be conducted.
Also, for what it's worth, I'm also a computer forensics specialist, and believe me, MAC times aren't the end-all-be-all of my digital/professional world. A machine has many stories it can tell, and by default, tends to record more information about what you've done than you realize.
"It has been broadcast to the world that the data was not accessed, so our carefully-made copy (and the several dozen copies we've since made of that copy, etc.) is now back at peak value!"
This space intentionally left (almost) blank.
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
There's more storage in a hard drive than just what exists on the disc.
S.M.A.R.T. is an obscure, but very useful logging mechanism.
If someone works as a thief, he knows other thieves, and he surely knows people who buy stolen stuff. The laptop could go through several hands before it landed with an ID thief, and there is a reason for that - each layer of resellers would try to maximize the value of the item. Even the stupidest thief would be smart enough to sell the laptop with valuable data for $500 instead of selling it as a generic notebook for $50.
Such a long chain of custody can explain, actually, why the laptop was out of sight for so long. Each owner would need several days to make a few phone calls or meetings before a deal is made and money changes hands. The last owner would need an hour at most, and once the data is copied and verified there is no reason to hold onto the hardware.
As quoted here (http://redtape.msnbc.com/2006/07/what_happened_t. html) it appears the laptop and hard drive were for sale separately. That means the hard drive had been removed from the computer. The buyer states he bought both items at the same time and he (the buyer) probably put both back together. That means the hard drive was out of the laptop for some time.
Quality Hosting e3 Servers
Not to mention that had the data been the target, that computer would have never been returned. It would have been degaussed, torched and thrown into a lake or something similar. ..unless of course they were really sneaky and made sure that they left no forensic evidence (physical or virtual) and returned it for the FBI to conclude that the data had not been accessed..
ScentCone's comment hits it on the head, but I'll take it a bit further. Even though it is pretty simple to set a drive to read-only or make a bitwise copy of it, you'd have to ask WHY someone would do that. If the person that stole the laptop was actually out to steal sensitive data, they would do so and then destroy the laptop instead of risking having it tracked back to them.
So, if they were smart psychic criminals that knew the data was on the laptop, they'd not worry about covering their tracks the hard way... they'd just destroy the laptop once they had the data. After all, the data would be worth far more than the laptop itself.
If it was a criminal that just stole a bunch of high tech gear from the house, which is far more likely, then if the FBI really is using these methods, then the data wasn't accessed.
Just more tinfoil hat comments dominating the responses, though. In any case, EVERYONE, not just people whose data might have been compromised, should check their credit reports regularly and pay close attention to their financial information.
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
In testimony to Congress, it was stated that it was a laptop AND an external hard drive. Just because the laptop may not have been accessed either directly or by floppy/CD bootable operating system (Knoppix or Barts PE disks come to mind), doesn't mean that the external hard drive wasn't accessed also.
...the very first thing they do when performing a cyberforensics analysis on any computer disk they get, is to make a clone copy themselves while employing a hardware write-blocker connected to the source drive, and then performing their examinations upon the copy, not the original.
According to one history of the 1991 Gulf War that I read, a British planning officer in London lost his portable computer (they weren't laptops then) with quite a bit of critical information on it. The London police let it be known among their contacts that it would _really_ be best if it were to be returned no-questions-asked, and it was dropped off at a police station within a day.
In a similar case in one city I was living in, 4 people in two years tried to get their spouse murdered by hanging out at a bar known to be frequented by hardened criminals and striking up a bargain with a willing thug (don't ask me why we had so many of those cases in that burg!). In all 4 cases the thug went right to the police and got fitted out for a wire. As one of them said in an interview, "I am a professional burgler but that doesn't mean I don't have standards".
So maybe the guy who stole it decided it was best not to have the entire FBI and US Army on his tail and turned it back in.
sPh
Do this kind of stuff in my day job, normally contracted as an expert witness to the UK court system. The software we all use is Encase. It takes a snapshot of the HD, does stuff like MD5 etc across all files. The main thing is the last_accessed date of files (presumably it's Windows). The image can be "browsed" by the date.. eg one can see someone's "mind" as they surf various web sites at various hours of the day from years ago sometimes. The only snag would be if the user moved the date of the BIOS clock backwards.. but there again the "cache" and "page" files order would be a bit strange. Pretty mundane stuff that would take about a day; 8 hours to "clone/image" the disk, 50 mins to verify the disk and be in a position to analyse, then 10 seconds to get the last accessed date of a set of files.
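Several posts above turn on the same point: what a file's last-accessed time can and cannot show once a drive has been imaged with dd or read through a read-only mount. The following is an added example (not code from any commenter, from EnCase, or from the forensic blog the story links to) showing how an examiner builds the MAC-time timeline the Encase poster describes and picks out files touched after a cutoff, plus the caveat that the atime column is only meaningful if the filesystem was updating it at all. The file names, timestamps, theft date and /proc/mounts lines are all constructed; the mount-option check assumes the Linux /proc/mounts format.

```python
"""Build a MAC-time timeline the way an examiner would, then flag when the
last-access column is not trustworthy. Added example; the files, timestamps and
mount lines are all constructed."""
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Entry:
    path: str     # relative to the examined root
    atime: float  # last access (read)
    mtime: float  # last content modification
    ctime: float  # last inode/metadata change (not "creation" on POSIX)


def mac_timeline(root):
    """Walk `root` and return entries sorted by last-access time, newest first.
    os.lstat() only reads the inode, so building the timeline does not itself
    update any atime; an examiner would still work from a write-blocked image."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entries.append(Entry(os.path.relpath(full, root),
                                 st.st_atime, st.st_mtime, st.st_ctime))
    return sorted(entries, key=lambda e: e.atime, reverse=True)


def accessed_after(entries, cutoff):
    """Paths whose atime is later than `cutoff` (for example the theft date)."""
    return [e.path for e in entries if e.atime > cutoff]


def atime_evidence_reliable(mount_line):
    """Given one /proc/mounts line, say whether ordinary reads update atime.
    `noatime` never updates it; `relatime` (the Linux default since 2.6.30) only
    updates it when it is older than mtime/ctime or more than a day old, so a
    fresh read of a file that was read before leaves no trace. Reads made through
    the raw device or a read-only mount bypass atime entirely, whatever the options."""
    opts = mount_line.split()[3].split(",")   # field 3 is the option list
    if "noatime" in opts:
        return False
    if "strictatime" in opts:
        return True
    return "relatime" not in opts


def build_sample_tree():
    """Constructed sample: three files whose atimes straddle a made-up theft date."""
    root = tempfile.mkdtemp(prefix="va_sample_")
    theft = time.mktime((2006, 5, 3, 0, 0, 0, 0, 0, -1))  # constructed cutoff
    day = 86400
    sample = (("va_db.mdb", theft - 2 * day),    # last read before the theft
              ("notes.txt", theft + 5 * day),    # read after the theft
              ("readme.txt", theft - 30 * day))
    for name, atime in sample:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.utime(path, (atime, theft - 40 * day))  # (atime, mtime)
    return root, theft


if __name__ == "__main__":
    root, theft = build_sample_tree()
    timeline = mac_timeline(root)
    for e in timeline:
        print(f"{time.strftime('%Y-%m-%d', time.localtime(e.atime))}  {e.path}")
    print("accessed after theft:", accessed_after(timeline, theft))
    print("atime reliable on rw,relatime?",
          atime_evidence_reliable("/dev/sda1 / ext4 rw,relatime 0 0"))
```

The timeline answers "which files carry an access time later than the theft", which is the strongest claim MAC times support; an empty result is not evidence of non-access, since a raw-device copy or a read-only mount never touches atime, and on a relatime or noatime mount even a normal read usually leaves it unchanged.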
I wonder, would they have left traces?
We have music that is DRM'ed by many people, why can't companies have their data DRM'ed.
What is the hold up? Why do we see DRM on silly things like music, yet hardly anyone uses it in the workplace to protect data.
I thought this was an external HD.
:O
I can't find a specific reference at the moment though, everything simply says 'Laptop and HD', but you don't usually use 'and' for built-in components.
Even the forensics article assumes an internal drive
Am I getting prematurely senile or did everyone miss something here?
Does it make any difference?
And can one tell if True Image has been run on a USB drive to copy?
It was an external harddrive that they were searching for, and presumably found, separate from the laptop:
http://www.wtop.com/?sid=813030&nid=25
In any case, EVERYONE, not just people whose data might have been compromised, should check their credit reports regularly and pay close attention to their financial information.
They should also demand that the finance institutions find better ways to secure the info...without causing undue inconvenience to the customer. They are the people that are leaving the door wide open for this kind of problem. Data privacy laws are as worthless as an EULA and will always be virtually impossible to enforce worldwide. Plus, turning info into contraband will just make it more profitable to abuse and will actually increase the probability of your data being used against you. Vote with your wallet and burn your credit cards until they fix the problem. We, the customer, are cutting them way too much slack. Stop believing the lies. The problem is solvable, or at least controllable. Make data security their problem, and then it will be fixed.
What?
use dump or dd. Access times wont be affected.
Join the Slashcott! Feb 10 thru Feb 17!
If a sophisticated technical person wanted to steal the data in the first place, I'd think they would have copied the data and put the laptop back exactly as it was; once it's known the data was stolen, it's a lot less useful.
While it may have been stolen by a 'low brow' (as another poster put it), then sold to someone with skill; why would they sell the laptop again with possible fingerprints, hairs, skin flakes, and such that could ID them, as well as allow someone else to copy the data, reducing its usefulness?
No really skilled master criminal hacker would be famous for it, no one would even know they exist.
"Most thefts are done by low-brow thieves." Of a US government laptop. From a US government employee. Somehow, the whole idea of "inside job" seems to be echoing through the halls somewhere and no one in slashdotland is seemingly listening.
Ghosted CD bootup, copied in read-only mode on another system - piece of cake to most hackers and almost any high school kid who knows anything about system ops - and that's a LOT of them.
But as far as the original perp goes, to be honest, I would doubt that the perp is a low-brow thief. More likely, the thief, if there WAS a thief, was someone on the inside at the VA, who knew EXACTLY what he, or she, was doing and what he, or she, was taking, and for exactly what purposes.
With that many identities on the drive, the cash value of the data alone is astronomical. And for someone on the GSA payscale, that's a LOT of incentive to pull an inside job. Look for people who quit the VA in the next year or so and seem to hit it big at a casino or playing the ponies. Watch their accounts and their spending habits. Outgo will NOT equal income for someone - or several someones. And THAT will be your pool of "most likely to have copped the laptop" people.
But, by then, the damage will have been done to a large number of the people whose information was stolen anyway.
Once again, the government proves that its security measures are far behind those of the real world's.
Lee Darrow, C.H.
Indeed, SMART collects information about the number of powercycles. However, unless the VA employees kept a record of the number of times they powercycled their machines, this information is pretty much useless for forensics.
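The two posts above disagree on whether S.M.A.R.T. counters are useful, and the second one names the real condition: they only say something when there is a recorded baseline to compare against. As an added example (not from either commenter and not part of smartmontools), this parses the attribute table in the layout `smartctl -A` prints for ATA drives, diffs it against counters recorded at asset inventory, and subtracts the power cycles the owner's log and the lab's own imaging already account for. The smartctl output, the baseline values and the "accounted for" count are all constructed; how a vendor packs RAW_VALUE varies, so treat the raw columns as indicative rather than exact.

```python
"""Compare S.M.A.R.T. counters against a recorded baseline. Added example; the
smartctl output below is constructed, not captured from any real drive."""
import re

# Constructed sample in the layout `smartctl -A` uses for ATA drives:
# ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
SAMPLE_SMART_OUTPUT = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   098   098   000    Old_age   Always       -       1836
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       415
192 Power-Off_Retract_Count 0x0032   100   100   000    Old_age   Always       -       112
"""

# Constructed baseline: the same counters as recorded when the asset was inventoried.
BASELINE = {
    "Power_On_Hours": 1830,
    "Power_Cycle_Count": 412,
    "Power-Off_Retract_Count": 111,
}

# One attribute row: id, name, flag, value, worst, thresh, type, updated, when_failed, raw
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\d+)"
)


def parse_smart_attributes(text):
    """Return {attribute_name: raw_value} for each attribute row in smartctl -A output.
    Header and blank lines do not start with a numeric ID and are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            attrs[m.group(2)] = int(m.group(3))
    return attrs


def compare_to_baseline(baseline, current):
    """Increase in each baseline counter; None when the drive no longer reports it."""
    return {
        name: (current[name] - value) if name in current else None
        for name, value in baseline.items()
    }


def unexplained_power_cycles(deltas, cycles_accounted_for):
    """Power cycles beyond what the owner's usage log and the lab's own imaging
    explain. A write-blocker still spins the drive up, so an examiner records the
    counters before imaging and counts that power-up as accounted for."""
    delta = deltas.get("Power_Cycle_Count")
    if delta is None:
        return None
    return max(delta - cycles_accounted_for, 0)


if __name__ == "__main__":
    current = parse_smart_attributes(SAMPLE_SMART_OUTPUT)
    deltas = compare_to_baseline(BASELINE, current)
    print("counter deltas since inventory:", deltas)
    # Constructed: owner logged one boot after inventory, lab imaging added one more.
    print("unexplained power cycles:", unexplained_power_cycles(deltas, 2))
```

A non-zero result is a lead, not proof: it cannot distinguish the owner forgetting to log a boot from a stranger powering the drive in a USB enclosure, and a zero result says nothing about a drive that was read without being disconnected. Without the inventory baseline the comparison is impossible, which is exactly the point the second post makes.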
Say what? Just do dd if=/dev/hda of=/mnt/nfs/stolen-hard-drive.diskimg Since dd will be reading the raw bytes of the hard drive, it's not going to modify any filesystem data structures. The only way dd will leave any traces is if the hard drive has a flash-memory cache -- but at the moment, hard drives with a flash-memory cache are extremely rare and expensive, and it is extraordinarily unlikely that the VA laptop was equipped with one.
So while you put in a comment about tinfoil-hat responses to this problem mocking them, your own response warrants one in return? C'mon, hypocrite. Welcome to the new millennium - cracker/hackers/n00bs are dominating the black market and all you can offer is a simple explanation. You must not have a clue of what the new generation of homo sapiens can do. If I could program in BASIC on a TI 99/4A and create a blocky person then at age FIVE, then I'm quite sure someone today could do the same thing, plus more, at the age I'm at now. Don't delude yourself, nor anyone else, please. Human intelligence is a very random variable in factoring what will happen today or in the future - let's hope yours is up to par, as well as hope mine is as well.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Besides, what identity theft ring operator in his right mind would return the item by any means, risking further exposure? It's not like the feds were going to issue 26.5 million new SS numbers if the laptop wasn't recovered.
If a job's not worth doing, it's not worth doing right.
First off, assuming that "If someone works as a thief, he knows other thieves" is a very, very large assumption. Most thieves are either opportunistic (unattended laptop = free laptop!) and/or desperate (laptop = food/drugs/alcohol). Most criminals don't have some sort of underground organisation where they can all go to and chat about tactics and such. The thief will (hopefully) know who buys stolen goods, but of course anyone will buy stolen goods if you don't let on that it's stolen.
Second off, 50 large != $50.
Lastly, there likely was at most three people in the "chain of custody." The person who did the actual theft (drug addict looking for easy money), the buyer/seller (bought used goods, sells out of back of pickup truck), and the person who turned in the data. The first and second people could very well be the same person, but not terribly likely. Now if any of these three people had indeed been an ID thief then you must assume that that person was a very, very bright ID thief. Not only had he recovered the data without leaving any forensic evidence, but he also turned in the laptop to the FBI so that everyone assumes that the data was not stolen.
I may be a bit naive, but that's a lot of assumptions to take about a stolen laptop. Laptops get stolen all the time, but they don't usually contain information of hundreds of thousands of veterans, so why would a thief (or even an ID thief) assume they would to the point of not touching the hard drive at all. If any person had truly been an ID thief, wouldn't it be safe to assume that before the news of the stolen laptop even hit the shelves they would have already looked for data, probably while not being as careful? A truly industrious ID thief would just buy hard drives off of eBay and recover data from them. Nobody is looking for them, and hardly anyone seems capable of thoroughly cleaning them before sale.
><));>
In other news, the Veterans Affairs Department is switching to MacBooks to ensure that all fingerprints are permanently captured and recorded.
An analysis of the battery would at a basic level show the amount of battery power left, and from full charge and natural decay a level could be worked out. Though a lot of batteries now count the number of times charged and probably the date and time as well.
I'm sure they could even work out the last time the battery even saw a charge or use. Heck, I'm sure there are capacitors on the laptop mobo that would hold a slight charge for a while.
I also didn't see any mention of measuring the magnetic field strength upon the drive head of the disc itself as another way to determine when it was last used.
If somebody wanted this data they would have removed the hard drive and copied it using some bit copying software of choice and then popped it back without even powering up the laptop.
The solution isn't better, more secure laptops, it's a working thin client with no data stored locally, period. WIMAX/WIFI - all doable, and TBH employees with that kind of data shouldn't be working in unauthorised zones the data isn't allowed in, and a thin client gives you that. Also it won't need any hard drive and would probably get something very small, compact and light that has great battery life.
But glad they got it back. I'm going with "some thief saw heart" on this one and leave the rest to the conspiracy theorists. That said I would hope that monitoring of potential use of such data would still be maintained.
Well it almost makes me feel better that they got it back cause they sent me some letter about how my name is on that list oh wait I am still pissed never mind.
TheADDkid.com
They cannot ever prove unequivocally that the database is not owned. Even if they see activity that shows lots of amateur activity, and no database accesses made, they have proved absolutely nothing.
What makes them think a smart data thief wouldn't make the bit-for-bit copy and then go back later and make it look like it was an amateur job? They could even let some patsy get his fingerprints all over it before returning it. There is never even any need to remove the hard drive even if it is internal (ever heard of booting from a live CD, FBI "experts"?)
My guess is that the FBI experts couldn't possibly be so ignorant as to not know all of this, and this is merely damage control.
Don't worry folks
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
But as far as the original perp goes, to be honest, I would doubt that the perp is a low-brow thief. More likely, the thief, if there WAS a thief, was someone on the inside at the VA, who knew EXACTLY what he, or she, was doing and what he, or she, was taking, and for exactly what purposes. I assumed all along that it was an "inside job" in one form or another. And if you assume that the guy who worked for the VA was in on it all along, you have to assume that the accomplices would have researched exactly what needed to be done to steal the data and cover their tracks.
Where do I apply for a job!!!!
The laptop thieves really know what they are doing.
As per my comment last week that I routinely boot Knoppix to run PartImage backups of several machines to a USB drive. True, I've only removed one laptop hard drive and, dang, the idea of wearing gloves didn't even come to mind at the time.
I don't know. I guess it's easy to make light of one's competence but people catch up, you know? Is it still really that esoteric to know that you can boot from removable media and ghost a drive? I was doing that back when I was booting DriveImage from a floppy to back up the 1996 P100 laptop to Zip disks I should think.
Basically, all we are getting here are more technically detailed restatements of hope that the thief or thieves were _prooooobably_ not too bright.
From "TFA":
Speaking to this concern, another report stated this:
I must have misconstrued the statement "FBI Says Data on VA Laptop Not Accessed" as meaning that The FBI claims the data on the laptop was not accessed. Silly me 8^}
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
From my understanding of low-brow burglar types, if they've been around for a while, they no longer go straight to the consumer market with the goods. Generally, they will have a ready fence, who pays far less than street value, and who in turn sells at street values, but through distribution channels, and not directly. This fence also tends to be a little smarter than the average bear (likely doesn't steal or do drugs himself) and is better situated to both a) understand the value of "odd" goods like this lappy, and b) can figure out how to maximise return on such goods.
This might sound elaborate, but this is how it really works.
How do you find out what to cover when you steal a laptop & don't want anyone knowing you actually accessed the data ?
Steal one, make a stink, give it back.
Disgruntled employees are bound to open their mouths sooner or later.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
ID Theft = Thanks for our service on behalf of a grateful nation.
Lets not forget the fact it may not have even been actually found.
I was one of the people hit with this and got my letter from the VA. So it was a glimmer of good news the computer was recovered. On the other hand the hard drive was out of it. They recovered the hard drive at the same time and place ... but the hard drive was out of the machine. Not a good sign. Explainable ... but ....
... Had permission to take this data off site.
.. er .. had?
Thanks VA dot GOV. My service to my country just keeps paying dividends over thirty years later.
And the guy who had his computer lifted
So what does FED GOV do to help us out.... Well they recommend we check our credit reports.
I've got a novel idea. How about the VA take a snapshot of all those credit reports like right god damn now and then monitor them, reporting any significant variance to the potential victims as such things may be detected. No, that would be proactive and taking responsibility for the screw up. Over time they might even be able to ascertain if the data was actually compromised or not. Of course paying lip service is the cheaper and easier road; on the other hand, who wants the Veterans Administration harboring any more data than they already have?
The content of the letter was nothing more than what was either written or broadcast weeks earlier and regurgitating old news in some official VA mass mailing appears to be their actionable limit. The VA is not accepting responsibility for their screw up although they advise all veterans whose account information may have been breached take responsibility for it. But the possibly affected did get a letter at least so the VA did manage to extend an olive branch even if it was in the form of a reach around.
Promising to look into possible measures as may be applicable now that the horse has left the barn is not accepting responsibility nor dealing with the problem they created. They are promising to look into the possibility of exercising due diligence at some point in the future and assure us that they will be getting right on that.
Thanks Fuckers
So, no... the internal drive was not necessarily removed.
I'm mostly impressed that they didn't just secure such data in the first place. 1. Encrypt 2. Backup 3. Profit! (Default) Surely that wouldn't make any headlines though, and WHO KNOWS what we'd be discussing then?
"Or, did Mr. Occam come along, rob the house, grab the laptop and other portable goodies from the house (which happened), and then later realize that the machine wasn't exactly fenceable (especially with US Government Property markings on it, etc), and he either passed it off to someone else or made arrangements for indirect involvement in turning it into the Baltimore FBI office for a shot at the $50k reward money?"
Wait, they know the last name of the guy who stole it?
In your blind rage, you seem to have forgotten how to comprehend English. Not once did I say that it wasn't possible for criminals to do the things that the tinfoil hat crowd (read: you) worry about; I said that in this case it's extremely unlikely. I even provided some basic supporting logic that you failed to comprehend.
Before ranting about random bullshit, how about making sure you understand what someone is saying first. I'm also curious how my comment warrants a tinfoil hat. Am I somehow generating a conspiracy theory without even knowing it? The only thing that remotely relates to conspiracy theories is the comment about credit reports, but then your comment would just be asinine, since credit problems as a result of identity theft are a proven fact, not the stuff of tinfoil hats.
I guess I should put on a tinfoil hat because I wear a seatbelt too.
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
"and he's suggesting that it would be fairly hard to do that without leaving some tell-tale signs inside the case (tool marks, DNA, mechanical changes to connectors, etc)."
Not true! A LiveCD and an external USB hard drive will do the trick nicely... alternatively, you can just use a LiveCD and the NIC to clone the drive with netcat. If you want to leave zero physical traces then boot the notebook over the network with the built-in wifi and then clone the drive with netcat; remember to always wear gloves and to first put the notebook in a clean sealed clear plastic bag that you can type through... I'm just getting warmed up, there are many other variations I can think of that will defeat his logic... You must assume the data is compromised!
The drugs thing is largely a myth. They are just bad people; they steal to buy petrol and clothing as well; they just don't care. But they do know other people who are smarter. Case in point: kids break into my office and steal a couple of laptops. They notice the server racks and two weeks later we are hit by professionals who cleared us out. And somehow managed to shift large amounts of obscure hardware. You don't see a lot of Sun on the black market.
I'm sure I could make a few phone calls right now to the correct people and find a purchaser for such data as was on this laptop. Six degrees of separation etc.
Okay, it's "possible" that the data was stolen, but highly unlikely.
AFAIK we need the original crooks to either be experts AND know that they didn't want to change access times*, etc. (bear in mind that they don't initially know that there's valuable stuff on the HD) OR to not turn on the PC, but instead sell it directly to identity thieves who know what they are doing. These guys then take the risk of reselling the item in the hope that it's recovered, but that their actions are not noticed, in the hope of fooling the FBI.
IMHO the chain of events that ends up with the PC recovered and no dodgy access times is just so unlikely as to be reasonably discounted. Occam's razor indeed. Tin hats off.
* BTW it seems safe to assume that, unless the PC was never turned on during the entire time it was missing, the access times of some files were changed.
The "last smartcheck time" and other time variables on hard drives are just measured in total runtime minutes. Though the OS could warn the user if it was discovered on startup that the hard drive had been running for a long time since the last shutdown, that could just mean that someone powered on the computer and entered the BIOS setup since the last shutdown.
What someone could have done, and the article doesn't mention, is booting the laptop from a CD like Auditor, mounting a network volume and then doing a copy of the laptop's hard drive with "dd if=/dev/hda of=/mnt/nfs/GovVolume.img".
As long as you're using protection (gloves), that leaves absolutely no trace whatsoever.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
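What the MAC-time check debated above actually looks at, as an added example that is not from any poster in this thread: a small Python triage of a filesystem timeline that flags files touched after the loss date, and why an empty result proves nothing, since a read-only mount or a block-level image never updates those timestamps. It assumes The Sleuth Kit body-file layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds) for the constructed records and uses a constructed loss date.

```python
"""Triage a filesystem timeline for activity after a known loss date.

Added example, not from the thread. The records below are constructed and
mimic The Sleuth Kit "body" format as written by `fls -m` (assumed layout:
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds).
"""

# Constructed sample: four files from an imaged laptop. Two of them carry
# timestamps later than the (constructed) date the machine went missing.
BODY_FILE = """\
0|/Windows/System32/ntoskrnl.exe|17|r/rrwxrwxrwx|0|0|2183040|1146400000|1098000000|1098000000|1098000000
0|/Users/va/data/veterans.mdb|41|r/rrwxrwxrwx|0|0|1073741824|1147000000|1145000000|1145000000|1145000000
0|/Users/va/data/notes.txt|42|r/rrwxrwxrwx|0|0|2048|1146000000|1146000000|1146000000|1146000000
0|/pagefile.sys|9|r/rrwxrwxrwx|0|0|536870912|1147100000|1147100000|1147100000|1147100000
"""
THEFT_EPOCH = 1146614400  # constructed placeholder: 2006-05-03 00:00:00 UTC


def parse_body(text):
    """Yield (name, atime, mtime, ctime, crtime) from body-file lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        yield f[1], int(f[7]), int(f[8]), int(f[9]), int(f[10])


def touched_after(text, cutoff):
    """Names of files with any MAC/birth timestamp later than `cutoff`.

    A hit is positive evidence of post-loss activity. An empty result is
    NOT proof of no access: a read-only mount or a block-level copy of the
    disk (dd over NFS, netcat) reads the blocks without updating any of
    these timestamps, so the timeline stays identical to the pre-loss one.
    """
    return sorted({name for name, *ts in parse_body(text) if max(ts) > cutoff})


def atime_looks_disabled(text):
    """Heuristic caveat: if every atime equals its mtime, access times are
    probably not being maintained (noatime or similar), so a lack of atime
    hits carries no weight at all."""
    rows = list(parse_body(text))
    return bool(rows) and all(a == m for _, a, m, _, _ in rows)
```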
Ok, so I looked into this back when it happened. I even read the police report.
What was stolen (sometime in the afternoon, while the VA researcher was probably golfing) from the home was a laptop, an external hard drive (assuming USB, heck might be firewire), and "some change". Now, aside from the interesting question of why you would only take that, and not the CD-ROMs with even more VA data that were lying nearby: why would a petty, common thief not take more stuff? This was a 3pm-ish burglary on a quiet street in a crime-ridden D.C./Virginia area.
I'm glad the forensics guys know the laptop was not taken apart, but how hard is it to dump the external hard drive data? Sure, if you are dumb and use WindowsXP or something, there will be a last-access time (assuming NTFS). But wouldn't a data thief use some other means? And why not destroy the disks after you make a copy? If it was idiot thieves that didn't know what they had, odds are they did boot it up and mess around. Heck, they probably traced its MAC address to find it. (That would be a more interesting article.) But sadly it talks about laptop forensics and doesn't mean anything. What if someone accessed the data? Can you prove no one copied the external hard drive?
I have trouble believing a burglar would hold on to a laptop for a month, and then sell it. Or if they did immediately pawn it, how did both the laptop and hard drive end up back together in the police's possession?
If you want to leave zero physical traces then boot the notebook over the network with the built-in wifi and then clone the drive with netcat, remember to always wear gloves and to first put the notebook in a clean sealed clear plastic bag that you can type through
I do understand this. My (second) point was that anyone that sophisticated would have done just that, in a matter of minutes, probably doing it to the laptop right where it sat... and walked back out of the house without there being any sign of the data having been stolen. A truly sleek inside job would have been far more graceful than what we saw happen, which is why I'm guessing it was more likely to be exactly what it appeared to be (a clumsy theft by a non-tech-savvy burglar and then a transparent reach for the reward money when the heat came on).
Don't disappoint your bird dog. Go to the range.