
Forensic Analysis of the Stolen VA Database

An anonymous reader writes "As you have probably heard, the FBI has recovered the stolen Veteran's Administration laptop. The FBI even said "A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen." This article looks at what the FBI forensic lab is doing to determine the sensitive information hasn't been accessed and how the thieves might have covered their tracks — thereby rendering the forensic results useless."

11 of 144 comments

  1. Correct, useless by Anonymous Coward · · Score: 2, Interesting

    Yeah, especially if they had done what I would have done: boot from CD and copy files out the ethernet port to another HD.

    1. Re:Correct, useless by Homology · · Score: 4, Interesting

      > Yeah, especially if they had done what I would have done: boot from CD and copy files out the ethernet port to another HD.

      What most forget (i.e. don't know) is that a modern IDE drive collects a lot of
      information (number of recycles, hours used, errors, bla bla), at least
      if S.M.A.R.T is enabled. I'm sure that this information is helpful.

      In any case, booting from CD and copying files from the harddisk may very well
      leave traces that this might have happened, contrary to what people believe.

  2. trust by Lord+Ender · · Score: 3, Interesting

    Sure, the filestamp could be "last accessed: before this thing was stolen."

    But there is no way they can be sure the drive was not removed, imaged (dd if=/dev/hdc1 of=SSNDBimage), then put back.

    Now, if they can do something like looking at the scratches in the IDE pins in the HD, to see how many times it has been plugged in to something, I would be seriously impressed. That would be unprecedented in forensics, as far as I know.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.

  3. Re:Wow, the FBI discovered MAC times. by Anonymous Coward · · Score: 2, Interesting

    > But someone taking an image copy of the disk wouldn't touch the MAC times. There is no way they can be certain those data weren't copied, though I'm sure their announcement will help mollify the millions of current and former servicemen and women whose vitals are subject to misuse.

    Well, if you'd RTFA then you would have known that they combine it with physical evidence (finger prints on the drive itself, as well as on areas such as the cd eject button and whatever keys you use to get to the bios setup on that laptop). True, you can't be 100% sure that the thieves were aware of this and removed any fingerprints (though that in and of itself could provide a clue). That's when you take a look at who you think stole it and where/how you recovered it.

    So your flippant comment, while amusing at first blush, is yet another example of /. populist spewing from the mouth and provides no true "insight", but will get modd'ed up anyway by the unwashed hordes.

  4. Lapse of security? by Anonymous Coward · · Score: 2, Interesting

    What I want to know is why they kept a highly sensitive database on a laptop, rather than on a server. After all, servers are much harder to carry out of the building than a laptop is.

  5. Re:So in short, it's a bit of a gamble. But not mu by sphealey · · Score: 2, Interesting

    According to one history of the 1991 Gulf War that I read, a British planning officer in London lost his portable computer (they weren't laptops then) with quite a bit of critical information on it. The London police let it be known among their contacts that it would _really_ be best if it were to be returned no-questions-asked, and it was dropped off at a police station within a day.

    In a similar case in one city I was living in, 4 people in two years tried to get their spouse murdered by hanging out at a bar known to be frequented by hardened criminals and striking up a bargain with a willing thug (don't ask me why we had so many of those cases in that burg!). In all 4 cases the thug went right to the police and got fitted out for a wire. As one of them said in an interview, "I am a professional burglar but that doesn't mean I don't have standards".

    So maybe the guy who stole it decided it was best not to have the entire FBI and US Army on his tail and turned it back in.

    sPh

  6. my day job by mashmorgan · · Score: 2, Interesting

    Do this kind of stuff in my day job, normally contracted as an expert witness to the UK court system. The software we all use is Encase. It takes a snapshot of the HD, does stuff like MD5 etc across all files. The main thing is the last_accessed date of files (presumably it's Windows). The image can be "browsed" by the date.. eg one can see someone's "mind" as they surf various web sites at various hours of the day from years ago sometimes. The only snag would be if the user moved the date of the BIOS clock backwards.. but there again the "cache" and "page" files order would be a bit strange. Pretty mundane stuff that would take about a day; 8 hours to "clone/image" the disk, 50 mins to verify the disk and be in a position to analyse. then 10 seconds to get the last accessed date of a set of files.

  7. Re:Wow, the FBI discovered MAC times. by Khyber · · Score: 2, Interesting

    The fact that I can wear gloves and never once touch the hard-drive physically yet copy it without leaving a trace except for maybe the last access time leaves practically NO EVIDENCE - no DNA, maybe the MAC address of where the information was being sent (if that exists, but it's useless if it was put on another harddrive, then copied over after decryption to another drive and the middle-transfer drive destroyed,) but the original post is still pretty much 100% accurate - I've done plenty of consumer-untraceable data recovery/transfer/copying (note I said consumer and not government, please,) and nobody's yet been able to tell what's happened to their data - even when I did it on my machine with them watching me and with them being computer users far better (I.E. Linux-versed to a degree where I'm sure they could create their own OS/API layer) than I will ever be, admittedly.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

  8. Re: Say what? by Burpmaster · · Score: 2, Interesting

    Indeed, SMART collects information about the number of power cycles. However, unless the VA employees kept a record of the number of times they power-cycled their machines, this information is pretty much useless for forensics.

    The system event log in Windows keeps track of every startup/shutdown. If the system is relatively new and has never had its OS reinstalled, you can expect this information to match (or be off by one in a predictable way) unless the hard drive has been started without booting the OS. You'd have to question the owner of the laptop about anything he's done that might start the drive without booting the OS.

    And if there's a SMART daemon on the system, you might have a log of those statistics, made on a regular basis. You could then figure out if the hard drive has been started without the SMART statistics being logged by the daemon.

    > Just do dd if=/dev/hda of=/mnt/nfs/stolen-hard-drive.diskimg Since dd will be reading the raw bytes of the hard drive, it's not going to modify any filesystem data structures.

    That's not truly "raw" access to the hard drive. It's the logical data of the disk, not the physical data, and you are still going through the drive's logic. You won't modify the filesystem, but the SMART data will still be updated. And to respond to the GP, it doesn't matter if you disable SMART in the BIOS, because all that setting does is control whether the BIOS checks the SMART status of drives and warns you of a failure before booting. There's a separate tool to enable/disable SMART on the drive itself, but you'd still bump up the power cycle by the time you've started the system in order to use the tool. And you'd have to turn SMART back on at the end.
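The cross-check Burpmaster describes (SMART power-cycle counter versus the OS's own boot record, plus a periodic SMART daemon log) can be scripted. The following is an added example, not code from the original thread or from any forensic product. Everything it reads is constructed inline: a `smartctl -A`-style attribute table, a handful of simplified Windows system-log lines (event ID 6005, "The Event log service was started", marks a boot), and a list of periodic power-cycle samples as a SMART daemon might have logged them. Attribute IDs 9 (Power_On_Hours) and 12 (Power_Cycle_Count) are the standard ATA SMART attribute numbers; the exact line formats are assumptions made for the example.

```python
"""Compare a drive's SMART power-cycle count with the OS boot record.

If the drive reports more power cycles than the OS ever booted (beyond a small
expected offset), the drive was started without the OS, e.g. from a boot CD or in
another machine. A periodic daemon log lets you narrow down when that happened.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: attribute table in the style of `smartctl -A` output.
SMARTCTL_OUTPUT = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   098   098   000    Old_age   Always       -       1874
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       9
"""

# Constructed sample: simplified system event log export. 6005 = event log
# service started (one per boot), 6006 = stopped (one per clean shutdown).
EVENT_LOG_LINES = [
    "2006-04-24T08:02:11 EventID=6005 Source=EventLog The Event log service was started.",
    "2006-04-24T17:40:03 EventID=6006 Source=EventLog The Event log service was stopped.",
    "2006-04-25T08:05:40 EventID=6005 Source=EventLog The Event log service was started.",
    "2006-04-25T18:01:12 EventID=6006 Source=EventLog The Event log service was stopped.",
    "2006-04-26T07:58:09 EventID=6005 Source=EventLog The Event log service was started.",
    "2006-04-27T08:11:50 EventID=6005 Source=EventLog The Event log service was started.",
    "2006-04-28T08:00:27 EventID=6005 Source=EventLog The Event log service was started.",
    "2006-04-28T16:22:44 EventID=7036 Source=Service Control Manager Some service entered the running state.",
    "2006-05-01T09:14:03 EventID=6005 Source=EventLog The Event log service was started.",
]

# Constructed sample: (timestamp, Power_Cycle_Count) as logged by a SMART daemon
# each time the OS was up. The daemon only runs inside the OS, so consecutive
# samples should differ by at most one cycle.
SMARTD_SAMPLES: List[Tuple[str, int]] = [
    ("2006-04-24T08:03", 3),
    ("2006-04-25T08:06", 4),
    ("2006-04-25T12:06", 4),   # same session sampled again: no new cycle
    ("2006-04-27T08:12", 7),   # jumped by 3 since the last logged sample
    ("2006-04-28T08:01", 8),
]

# One attribute row: ID, name, flag, value, worst, thresh, type, updated, when_failed, raw.
ATTR_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\d+)\s*$",
    re.MULTILINE,
)
EVENT_ID_RE = re.compile(r"EventID=(\d+)\b")

POWER_ON_HOURS = 9
POWER_CYCLE_COUNT = 12


def parse_smart_attributes(text: str) -> Dict[int, int]:
    """Map SMART attribute ID -> raw value for every attribute row in the table."""
    return {int(m.group(1)): int(m.group(3)) for m in ATTR_RE.finditer(text)}


def count_os_boots(lines: List[str], boot_event_id: int = 6005) -> int:
    """Count boot events (one 6005 per boot) in the exported event log."""
    return sum(1 for line in lines
               for m in [EVENT_ID_RE.search(line)]
               if m and int(m.group(1)) == boot_event_id)


def unexplained_power_cycles(smart_cycles: int, os_boots: int) -> int:
    """Cycles the drive saw that the OS did not: the number to explain away."""
    return smart_cycles - os_boots


def is_suspicious(excess: int, tolerance: int = 1) -> bool:
    """A fixed offset (e.g. the forensic imaging itself) is expected; more is not."""
    return excess > tolerance


def unlogged_cycles(samples: List[Tuple[str, int]]) -> List[Tuple[str, str, int]]:
    """Find gaps between consecutive daemon samples where the counter jumped by
    more than one, i.e. the drive was powered on without the daemon logging it.
    Returns (previous_sample_time, next_sample_time, cycles_not_logged)."""
    gaps = []
    for (prev_ts, prev_count), (ts, count) in zip(samples, samples[1:]):
        missing = count - prev_count - 1
        if missing > 0:
            gaps.append((prev_ts, ts, missing))
    return gaps


def assess(smart_text: str, event_lines: List[str], daemon_samples) -> Dict[str, object]:
    """Run all three checks and return a summary suitable for a report."""
    attrs = parse_smart_attributes(smart_text)
    boots = count_os_boots(event_lines)
    excess = unexplained_power_cycles(attrs[POWER_CYCLE_COUNT], boots)
    return {
        "power_on_hours": attrs[POWER_ON_HOURS],
        "smart_power_cycles": attrs[POWER_CYCLE_COUNT],
        "os_boots": boots,
        "unexplained_cycles": excess,
        "suspicious": is_suspicious(excess),
        "unlogged_windows": unlogged_cycles(daemon_samples),
    }


if __name__ == "__main__":
    for key, value in assess(SMARTCTL_OUTPUT, EVENT_LOG_LINES, SMARTD_SAMPLES).items():
        print(f"{key}: {value}")
```

On the constructed data the drive reports 9 power cycles against 6 OS boots, and the daemon log shows two cycles that happened between the 25 April and 27 April samples with nothing logged, which is exactly the signature of a drive started from a boot CD or in another machine. As the comment notes, the tolerance is the weak point: you still have to account for every legitimate off-OS power-on (including the examiner's own imaging) by asking the owner.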

  9. Re:Easy cheesy by HiThere · · Score: 3, Interesting

    > I'm no conspiracy theorist - but in true reality, this smells like other countries making hardware under specifications that do not match ours - and therefore may pose a security risk to us. Yea - I know, far-fetched. Damned far-fetched. But think about it. The greatest threat/companion to us right now truly is China - they hold the majority of our worldwide currency, and they produce a damned-good percentage of our products. If they withdrew, and took our money with them, and left us our debt - we'd be in some DEEP shit. We'd be 3rd-world classification without any warning.

    Try it this way: Many companies, in this country and others, cut corners where they don't think it will show. One of the things they do is claim to be compliant with standards that they haven't actually done the hard parts of being compliant with. ...

    Actually, sometimes it isn't that "innocent", like the non-compliant CDs, but frequently it's done without malice, but only greed as a driver.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.

  10. Occam's Razor by tomandlu · · Score: 2, Interesting

    Okay, it's "possible" that the data was stolen, but highly unlikely.

    AFAIK we need the original crooks to either be experts AND know that they didn't want to change access times*, etc. (bear in mind that they don't initially know that there's valuable stuff on the HD) OR to not turn on the PC, but instead sell it directly to identity thieves who know what they are doing. These guys then take the risk of reselling the item in the hope that it's recovered, but that their actions are not noticed, in the hope of fooling the FBI.

    IMHO the chain of events that ends up with the PC recovered and no dodgy access times is just so unlikely as to be reasonably discounted. Occam's razor indeed. Tin hats off.

    * BTW it seems safe to assume that, unless the PC was never turned on during the entire time it was missing, that the access times of some files were changed.
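The last-accessed timeline that mashmorgan's comment describes (image, hash every file, then read off which files were touched after a cutoff) and the reasoning in this comment about access times both come down to the same check. Below is an added example of that check, not code from the original thread, Encase, or any other product. It builds a small constructed directory of files with known timestamps, records each file's stat data before reading it (reading a file on a live, read-write mount can itself bump the access time, which is why real work is done on a read-only image), hashes each file with MD5, and flags files accessed after the theft cutoff or carrying a timestamp in the future, the kind of oddity the comment's "BIOS clock moved backwards" remark points at. Two caveats a practitioner would add: a copied-off image (dd) never updates these times, and many systems do not maintain last-access time at all (NTFS has it disabled by default since Windows Vista; Linux commonly mounts with relatime), so a clean atime is never proof of non-access.

```python
"""Inventory a directory tree as a forensic examiner would: stat first, hash
second, then flag files accessed after a cutoff or carrying impossible times."""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Entry:
    path: str
    size: int
    md5: str
    atime: float
    mtime: float
    flags: List[str] = field(default_factory=list)


def md5_of(path: str, chunk: int = 65536) -> str:
    """Hash the file in chunks so large images do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root: str, cutoff: float, now: Optional[float] = None) -> List[Entry]:
    """Walk `root`; for each file record timestamps, size, hash and anomaly flags.

    `cutoff` is the moment the device left legitimate custody (epoch seconds).
    """
    now = time.time() if now is None else now
    entries: List[Entry] = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            st = os.stat(full)          # capture times BEFORE opening the file
            flags = []
            if st.st_atime > cutoff:
                flags.append("accessed_after_cutoff")
            if st.st_atime > now or st.st_mtime > now:
                flags.append("timestamp_in_future")   # clock tampering or bad BIOS clock
            entries.append(Entry(
                path=os.path.relpath(full, root),
                size=st.st_size,
                md5=md5_of(full),        # hashing reads the file, hence stat() first
                atime=st.st_atime,
                mtime=st.st_mtime,
                flags=flags,
            ))
    return entries


def build_sample_tree(root: str, theft_time: float, now: float) -> None:
    """Constructed sample data: three files with deliberately chosen timestamps."""
    day = 86400
    samples = {
        # name: (contents, atime, mtime)
        "untouched.db": (b"constructed record 1\n", theft_time - day, theft_time - 2 * day),
        "opened.db": (b"constructed record 2\n", theft_time + 3600, theft_time - 3 * day),
        "clock_weird.txt": (b"constructed note\n", now + 10 * day, theft_time - day),
    }
    for name, (data, atime, mtime) in samples.items():
        full = os.path.join(root, name)
        with open(full, "wb") as fh:
            fh.write(data)
        os.utime(full, (atime, mtime))  # set access and modification times explicitly


def run_demo() -> Dict[str, List[str]]:
    """Create the constructed tree in a temp dir and return path -> flags."""
    theft_time = 1_146_000_000.0       # constructed cutoff (late April 2006, UTC)
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, theft_time, now)
        return {e.path: e.flags for e in inventory(root, theft_time, now)}


if __name__ == "__main__":
    for path, flags in run_demo().items():
        print(f"{path}: {flags or 'clean'}")
```

`run_demo()` reports `opened.db` as accessed after the cutoff and `clock_weird.txt` as both accessed after the cutoff and stamped in the future, while `untouched.db` carries no flag. In practice the interesting output is the set of files whose access time postdates the theft, cross-checked against the ordering of cache and page files that the comment mentions, because a single access time is easy to explain away and a whole inconsistent timeline is not.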