Slashdot Mirror


Forensic Analysis of the Stolen VA Database

An anonymous reader writes "As you have probably heard, the FBI has recovered the stolen Veterans Administration laptop. The FBI even said 'A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen.' This article looks at what the FBI forensic lab is doing to determine that the sensitive information hasn't been accessed, and how the thieves might have covered their tracks, thereby rendering the forensic results useless."

5 of 144 comments

  1. Worst Case Scenario by neonprimetime · Score: 4, Informative

    I really like the "worst-case scenario" that article posts ...

    Worst case scenario: The laptop thieves really know what they are doing. They remove the hard drive from the laptop, mount it read-only (no modifications to the file system) on another computer, access the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop -- and this is why I mentioned what the FBI might look for during the physical examination -- marks on the screws or fingerprints on the internal hard drive casing.

    1. Re:Worst Case Scenario by fireduck · Score: 5, Informative
      The worst case scenario is quite likely, given that the hard drive was found separate from the computer, as described here:
      Both the laptop and hard drive ended up for sale at a black market just north of Washington D.C., near a subway station outside the Beltway near Wheaton. We're talking about the kind of market that is literally run out of the back of a truck, one official said. Fortunately, a buyer purchased both components at this black market, keeping the missing hardware together.
  2. Is this just some guy's blog entry? by IANAAC · Score: 3, Informative
    Because nowhere in his blog does he say that this is really what the FBI is doing, as the summary suggests.

    While it's nice a forensic specialist can lend some insight, it's misleading to suggest this is what the FBI is actually doing.

  3. Re:Easy cheesy by dattaway · Score: 3, Informative

    Actually, you can determine if the hard drive was copied. If you look into the hdparm utilities, you can access a drive's runtime, last SMART check time, and other statistics. This information can be logged by a paranoid host operating system to check for unaccounted time.

    Unfortunately, I doubt anyone at Microsoft has ever thought of this nor even bothered to patent something so "novel."

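The check dattaway describes above, as an added example that is not from the thread or any project: a host records the drive's own SMART counters (Power_On_Hours, Power_Cycle_Count) at every boot and shutdown; if the counters advance while the host was switched off, the drive was powered up somewhere else, for instance in another machine for read-only imaging. The `smartctl -A` output, the snapshot history and the hour tolerance below are all constructed for the example; the parser reads the real `smartctl` attribute-table layout, but no disk is touched.

```python
"""Detect drive runtime the host OS never observed.

Idea (from the thread): a read-only mount on another machine leaves the
file system untouched, but the drive's own firmware still counts power-on
hours and power cycles. Log those counters at boot and shutdown and any
gap between "shutdown" and the next "boot" is unaccounted use.
All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample of `smartctl -A` output; RAW_VALUE is the last column.
SAMPLE_SMART_OUTPUT = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       1213
  9 Power_On_Hours          0x0032   096   096   000    Old_age   Always       -       3128
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       1187
"""

# One attribute row: id, name, flag, value, worst, thresh, type, updated, when_failed, raw
ATTR_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\d+)"
)


def parse_smart_attributes(text: str) -> dict:
    """Return {attribute_name: raw_value} from smartctl -A style text."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(2)] = int(m.group(3))
    return attrs


@dataclass(frozen=True)
class Snapshot:
    event: str            # "boot" or "shutdown", as recorded by the host
    power_on_hours: int   # SMART attribute 9 at that moment
    power_cycles: int     # SMART attribute 12 at that moment


def snapshot_from_smart(event: str, smart_text: str) -> Snapshot:
    """Build a snapshot from live (here: constructed) smartctl output."""
    attrs = parse_smart_attributes(smart_text)
    return Snapshot(event, attrs["Power_On_Hours"], attrs["Power_Cycle_Count"])


def find_unaccounted_use(history: list, hours_tolerance: int = 1) -> list:
    """Return (shutdown, boot, gained_hours, gained_cycles) for each off-period
    in which the drive's counters moved more than the host can account for.

    A normal off-period gains at most `hours_tolerance` hours (the hour
    counter may tick between the shutdown snapshot and actual power-off)
    and exactly one power cycle (the boot that took the next snapshot)."""
    findings = []
    for prev, cur in zip(history, history[1:]):
        if prev.event != "shutdown" or cur.event != "boot":
            continue
        gained_hours = cur.power_on_hours - prev.power_on_hours
        gained_cycles = cur.power_cycles - prev.power_cycles
        if gained_hours > hours_tolerance or gained_cycles > 1:
            findings.append((prev, cur, gained_hours, gained_cycles))
    return findings


# Constructed history: two clean sessions, then a boot whose counters show
# the drive ran 108 hours and was cycled 6 times while the host was off.
SAMPLE_HISTORY = [
    Snapshot("boot", 3000, 1180),
    Snapshot("shutdown", 3008, 1180),
    Snapshot("boot", 3008, 1181),          # +0 h, +1 cycle: normal
    Snapshot("shutdown", 3020, 1181),
    snapshot_from_smart("boot", SAMPLE_SMART_OUTPUT),  # 3128 h, 1187 cycles
]

if __name__ == "__main__":
    for prev, cur, hours, cycles in find_unaccounted_use(SAMPLE_HISTORY):
        print(f"unaccounted use: +{hours} h, +{cycles} power cycles "
              f"between {prev.power_on_hours} h and {cur.power_on_hours} h")
```

The counters live in the drive's firmware, so this only tells you the drive was powered somewhere the host did not see; it says nothing about what was read, and it needs the host to have been logging before the theft. It is still worth more than file-system timestamps, because a read-only mount defeats those but cannot stop the drive counting its own hours.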
  4. Re:Wow, the FBI discovered MAC times. by Zemran · Score: 3, Informative

    When I was doing forensic work it was a legal requirement that there was no change whatsoever to the data on the disk when we imaged. It was not a complicated task and the instructions can be found on the internet. Although I do not imagine that the average thief would do this, I think it is stupid in the extreme to assume that it has not been done.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.