Forensic Analysis of the Stolen VA Database
An anonymous reader writes "As you have probably heard, the FBI has recovered the stolen Veteran's Administration laptop. The FBI even said "A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen." This article looks at what the FBI forensic lab is doing to determine the sensitive information hasn't been accessed and how the thieves might have covered their tracks — thereby rendering the forensic results useless."
But someone taking an image copy of the disk wouldn't touch the MAC times. There is no way they can be certain those data weren't copied, though I'm sure their announcement will help mollify the millions of current and former servicemen and women whose vitals are subject to misuse. And as a bonus, I'll bet this breach will be used as an example of something pervasive "trusted" computing could have prevented.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Yeah, especially if they had done what I would have done: boot from CD and copy files out the ethernet port to another HD.
The data was unaccounted for for a fairly significant period of time. Anyone whose data was on that laptop still has to assume the data was accessed, and take appropriate steps to protect themselves from identity theft.
Even if the data really wasn't accessed, the fact that it was unaccounted for (even that it was taken to someone's house) is inexcusable. Just because the VA managed to dodge a bullet this time doesn't mean they're in the clear on this.
I really like the "worst-case scenario" that article posts ...
Worst case scenario: The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only (no modifications to the file system) on another computer, access the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop -- and this is why I mentioned what the FBI might look for during the physical examination -- marks on the screws or fingerprints on the internal hard drive casing.
As with any physical evidence, looking for material containing DNA is standard procedure.
Translation: it was used to surf porn...
If you want news from today, you have to come back tomorrow.
Click "Start." Select "Documents." Look for VA-Confidential-ID-Info-DO-NOT-STEAL.xls. It's not there! We're Golden!
It is trivial to copy the contents from a hard drive and leave NO sign that the data was read. There would be NO way to forensically determine whether the data had been compromised. You could do a best guess, but that would only be a guess.
Ninjas don't carry tic tacs
While it's nice a forensic specialist can lend some insight, it's misleading to suggest this is what the FBI is actually doing.
Sure, the filestamp could be "last accessed: before this thing was stolen."
But there is no way they can be sure the drive was not removed, imaged (dd if=/dev/hdc1 of=SSNDBimage), then put back.
Now, if they can do something like looking at the scratches in the IDE pins in the HD, to see how many times it has been plugged in to something, I would be seriously impressed. That would be unprecedented in forensics, as far as I know.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
What if the whole examination is a hoax? Or the real results covered up? What do they stand to gain??? The government (and for that matter humanity) has an ego problem of not wanting to admit mistakes because a mistake of this magnitude merits a major change. If the information is found to have been accessed/copied/etc., you have insane public outcry. If the results come back negative, you still have people grumble about it, but the status quo doesn't have to change.
We're all hypocrites. We all have hidden parts; it's the contrast between them that makes us more a hypocrite than others.
What I want to know is why they kept a highly sensitive database on a laptop, rather than on a server. After all, servers are much harder to carry out of the building than a laptop is.
The thrust of his comments is this: if we're dealing with casual laptop thieves (as the circumstances of the house burglary suggest), then the usual built-in flags and dates that the O/S uses will tell the tale. If we're dealing with someone clever enough to do what they (the forensics lab) likely did, they'd have removed the drive and used other equipment to make a passive bit-for-bit copy, and then re-installed the drive... and he's suggesting that it would be fairly hard to do that without leaving some tell-tale signs inside the case (tool marks, DNA, mechanical changes to connectors, etc).
A response to his blog entry suggests that someone might have booted the machine with another external O/S and copied the data that way (with the drive in read-only mode, as seen from the other O/S). I presume we're talking knoppix, etc. There'd be very little to find on the machine, if that were the case.
So the gamble comes down to this: are we dealing with very advanced spooky thieves that happened to know this guy would have that data on his machine, and were staking out his house to catch the laptop there unguarded, and then faked a very pedestrian looking robbery, and clean-roomed the machine, and then turned it into the FBI?
Or, did Mr. Occam come along, rob the house, grab the laptop and other portable goodies from the house (which happened), and then later realize that the machine wasn't exactly fenceable (especially with US Government Property markings on it, etc), and he either passed it off to someone else or made arrangements for indirect involvement in turning it into the Baltimore FBI office for a shot at the $50k reward money?
The second scenario seems a lot more likely, since in the first, an operation that polished usually has other ways to get the data, and even if laying hands on the laptop WAS the only way to get the data, they could have done so in place in a matter of minutes (since the guy they would have to have been casing was already gone from the house), and left the laptop right where it is, thus making the stolen data much more valuable (since its theft would have not been broadcast to the world).
Don't disappoint your bird dog. Go to the range.
I doubt very much that the "experts" that the FBI has looking into this are so lame that they don't realize that a Live CD like Knoppix or any of the hundreds of others could have been used to make a copy of the data without changing the "last accessed dates". Heck, that is likely what they did themselves when they made the forensic copy of the data that they examined. It seems much more likely that they have been told what result it would be in their best interest to come to, and barring any extremely obvious indications otherwise, we will be told what the government wants to tell us.
I'm an American. I love this country and the freedoms that we used to have.
Maybe, but having your way with the laptop would surely leave some DNA evidence.
Interesting. I think, believe it or not, that the hardest part for your average burglar is this:
That burglar then sells the laptop, as is, to identity thieves
Because most break-ins are committed by very low-brow thieves. Most are looking for quick cash to fuel a drug habit, or by kids trying to lay hands on gear they want but can't buy (game consoles, DVDs, etc). Tracking down a connection to a big-ticket ID-theft person/ring is well outside the normal criminal relations of your average B&E punk. Not saying impossible, just not likely. Most of them would be scared to death once they heard what they had, and would have either chucked it in the river or (my guess), looked for a way to say "uh... a guy I know stole this... can I have the fifty large, now, in small bills?"
If someone works as a thief, he knows other thieves, and he surely knows people who buy stolen stuff. The laptop could go through several hands before it landed with an ID thief, and there is a reason for that - each layer of resellers would try to maximize the value of the item. Even the stupidest thief would be smart enough to sell the laptop with valuable data for $500 instead of selling it as a generic notebook for $50.
Such a long chain of custody can explain, actually, why the laptop was out of sight for so long. Each owner would need several days to make a few phone calls or meetings before a deal is made and money changes hands. The last owner would need an hour at most, and once the data is copied and verified there is no reason to hold onto the hardware.
As far as the encryption hypothesis, given the PR fallout they were expecting by the way this event was "managed," I can be fairly certain that if the data had been encrypted the public would never have heard about the laptop theft.
Not to mention that had the data been the target, that computer would have never been returned. It would have been degaussed, torched and thrown into a lake or something similar... unless of course they were really sneaky and made sure that they left no forensic evidence (physical or virtual) and returned it for the FBI to conclude that the data had not been accessed.
ScentCone's comment hits it on the head, but I'll take it a bit further. Even though it is pretty simple to set a drive to read-only or make a bitwise copy of it, you'd have to ask WHY someone would do that. If the person that stole the laptop was actually out to steal sensitive data, they would do so and then destroy the laptop instead of risking having it tracked back to them.
So, if they were smart psychic criminals that knew the data was on the laptop, they'd not worry about covering their tracks the hard way... they'd just destroy the laptop once they had the data. After all, the data would be worth far more than the laptop itself.
If it was a criminal that just stole a bunch of high tech gear from the house, which is far more likely, then, if the FBI really is using these methods, the data wasn't accessed.
Just more tinfoil hat comments dominating the responses, though. In any case, EVERYONE, not just people whose data might have been compromised, should check their credit reports regularly and pay close attention to their financial information.
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
According to one history of the 1991 Gulf War that I read, a British planning officer in London lost his portable computer (they weren't laptops then) with quite a bit of critical information on it. The London police let it be known among their contacts that it would _really_ be best if it were to be returned no-questions-asked, and it was dropped off at a police station within a day.
In a similar case in one city I was living in, 4 people in two years tried to get their spouse murdered by hanging out at a bar known to be frequented by hardened criminals and striking up a bargain with a willing thug (don't ask me why we had so many of those cases in that burg!). In all 4 cases the thug went right to the police and got fitted out for a wire. As one of them said in an interview, "I am a professional burglar but that doesn't mean I don't have standards".
So maybe the guy who stole it decided it was best not to have the entire FBI and US Army on his tail and turned it back in.
sPh
I do this kind of stuff in my day job, normally contracted as an expert witness to the UK court system. The software we all use is Encase. It takes a snapshot of the HD, does stuff like MD5 etc. across all files. The main thing is the last_accessed date of files (presumably it's Windows). The image can be "browsed" by the date... e.g. one can see someone's "mind" as they surf various web sites at various hours of the day from years ago sometimes. The only snag would be if the user moved the date of the BIOS clock backwards... but there again the "cache" and "page" files order would be a bit strange. Pretty mundane stuff that would take about a day; 8 hours to "clone/image" the disk, 50 mins to verify the disk and be in a position to analyse, then 10 seconds to get the last accessed date of a set of files.
"Most thefts are done by low-brow thieves." Of a US government laptop. From a US government employee. Somehow, the whole idea of "inside job" seems to be echoing through the halls somewhere and no one in slashdotland is seemingly listening.
Ghosted CD bootup, copied in read-only mode on another system - piece of cake to most hackers and almost any high school kid who knows anything about system ops - and that's a LOT of them.
But as far as the original perp goes, to be honest, I would doubt that the perp is a low-brow thief. More likely, the thief, if there WAS a thief, was someone on the inside at the VA, who knew EXACTLY what he, or she, was doing and what he, or she, was taking, and for exactly what purposes.
With that many identities on the drive, the cash value of the data alone is astronomical. And for someone on the GSA payscale, that's a LOT of incentive to pull an inside job. Look for people who quit the VA in the next year or so and seem to hit it big at a casino or playing the ponies. Watch their accounts and their spending habits. Outgo will NOT equal income for someone - or several someones. And THAT will be your pool of "most likely to have copped the laptop" people.
But, by then, the damage will have been done to a large number of the people whose information was stolen anyway.
Once again, the government proves that its security measures are far behind those of the real world.
Lee Darrow, C.H.
The system event log in Windows keeps track of every startup/shutdown. If the system is relatively new and has never had its OS reinstalled, you can expect this information to match (or be off by one in a predictable way) unless the hard drive has been started without booting the OS. You'd have to question the owner of the laptop about anything he's done that might start the drive without booting the OS.
And if there's a SMART daemon on the system, you might have a log of those statistics, made on a regular basis. You could then figure out if the hard drive has been started without the SMART statistics being logged by the daemon.
That's not truly "raw" access to the hard drive. It's the logical data of the disk, not the physical data, and you are still going through the drive's logic. You won't modify the filesystem, but the SMART data will still be updated. And to respond to the GP, it doesn't matter if you disable SMART in the BIOS, because all that setting does is control whether the BIOS checks the SMART status of drives and warns you of a failure before booting. There's a separate tool to enable/disable SMART on the drive itself, but you'd still bump up the power cycle by the time you've started the system in order to use the tool. And you'd have to turn SMART back on at the end.
Okay, it's "possible" that the data was stolen, but highly unlikely.
AFAIK we need the original crooks to either be experts AND know that they didn't want to change access times*, etc. (bear in mind that they don't initially know that there's valuable stuff on the HD) OR to not turn on the PC, but instead sell it directly to identity thieves who know what they are doing. These guys then take the risk of reselling the item in the hope that it's recovered, but that their actions are not noticed, in the hope of fooling the FBI.
IMHO the chain of events that ends up with the PC recovered and no dodgy access times is just so unlikely as to be reasonably discounted. Occam's razor indeed. Tin hats off.
* BTW it seems safe to assume that, unless the PC was never turned on during the entire time it was missing, the access times of some files were changed.
As I said, the SMART setting in the BIOS changes nothing useful. It just reports the current status (good/bad) of the drive while booting, nothing more. And by the time you've used the tool to turn SMART off on the drive, it has already spun up and logged a power-on.
It's worth the effort to try to account for all power cycles, because unlike checking access times, if you get the expected result here, you have a reasonable guarantee that the data wasn't accessed while the laptop was missing. The amount of effort and expertise required to cover this up is far, far greater than what's required to preserve the old access times. Without creating evidence of tampering, you have to either insert new startup/shutdown entries into the Windows event log at believable times from before the laptop was stolen (hard), or you'd have to change the SMART data on the drive (very hard).
The only real problem with power cycle accounting is that it does not give a very conclusive result if the expected and actual cycles don't match, because there might be an authorized power cycle that was unaccounted for. In short, to the question "was this data accessed?" checking the access times will either give you a conclusive "yes" answer, or "undetermined", while power cycle accounting will either give you a reasonably certain "no" or "undetermined." Both forensic tests are worth doing.
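The two tests the comment above describes, written out as an added example that is not part of the thread: access-time checking (conclusive "yes" or "undetermined") and power-cycle accounting (reasonably certain "no" or "undetermined"). The Windows EventLog service start/stop entries (event IDs 6005/6006), the periodic SMART attribute 12 (Power_Cycle_Count) readings, the theft and recovery dates and the examiner's own spin-up of the drive are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample logs (not from the thread). Windows writes EventLog service
# start/stop entries (IDs 6005/6006) on every OS boot and clean shutdown.
EVENT_LOG = """\
2006-05-01T08:02:11 6005
2006-05-01T17:31:40 6006
2006-05-02T07:58:03 6005
2006-05-02T18:10:22 6006
2006-05-03T08:05:50 6005
"""
# Constructed readings a SMART daemon might log: attribute 12, Power_Cycle_Count.
SMART_LOG = """\
2006-05-01T08:05:00 12 Power_Cycle_Count 141
2006-05-02T08:00:00 12 Power_Cycle_Count 142
2006-05-03T08:10:00 12 Power_Cycle_Count 143
"""

def parse_boots(text):
    """Timestamps of OS boots (EventLog service start, ID 6005)."""
    rows = (line.split() for line in text.splitlines())
    return [datetime.fromisoformat(stamp) for stamp, eid in rows if eid == "6005"]

def parse_smart(text):
    """(timestamp, power_cycle_count) pairs from attribute-12 lines."""
    out = []
    for line in text.splitlines():
        stamp, attr, _name, value = line.split()
        if attr == "12":
            out.append((datetime.fromisoformat(stamp), int(value)))
    return out

def power_cycle_verdict(boots, readings, stolen, count_at_recovery, examiner_cycles):
    """'no' when the drive's counter is fully explained by logged boots plus the
    examiner's own spin-ups (reading SMART means powering the drive); any other
    value is 'undetermined', since an unlogged authorised power-on is indistinguishable."""
    last_time, last_count = max(r for r in readings if r[0] < stolen)
    boots_since_reading = sum(1 for b in boots if last_time < b < stolen)
    expected = last_count + boots_since_reading + examiner_cycles
    return "no" if count_at_recovery == expected else "undetermined"

def access_time_verdict(atimes, stolen, recovered):
    """'yes' when a last-accessed time falls in the missing window; an untouched
    atime proves nothing (read-only imaging leaves it alone), so else 'undetermined'."""
    return "yes" if any(stolen < t < recovered for t in atimes) else "undetermined"

def examine(event_log, smart_log, atimes, stolen_at, recovered_at, count_at_recovery, examiner_cycles=1):
    """Run both tests; every timestamp argument is an ISO-8601 string."""
    stolen, recovered = datetime.fromisoformat(stolen_at), datetime.fromisoformat(recovered_at)
    times = [datetime.fromisoformat(t) for t in atimes]
    return {
        "accessed_by_atime": access_time_verdict(times, stolen, recovered),
        "accessed_by_power_cycles": power_cycle_verdict(
            parse_boots(event_log), parse_smart(smart_log), stolen, count_at_recovery, examiner_cycles),
    }

if __name__ == "__main__":
    print(examine(EVENT_LOG, SMART_LOG, ["2006-05-02T09:14:00"],
                  "2006-05-03T14:00:00", "2006-06-29T00:00:00", count_at_recovery=144))
```

A match on the counter only rules out power-ons; a mismatch sends the examiner back to the owner to account for cycles the OS never logged, exactly the weakness the comment points out.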