Slashdot Mirror


Forensic Analysis of the Stolen VA Database

An anonymous reader writes "As you have probably heard, the FBI has recovered the stolen Veterans Administration laptop. The FBI even said "A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen." This article looks at what the FBI forensic lab is doing to determine the sensitive information hasn't been accessed and how the thieves might have covered their tracks — thereby rendering the forensic results useless."

22 of 144 comments

  1. Wow, the FBI discovered MAC times. by base3 · · Score: 5, Insightful

    But someone taking an image copy of the disk wouldn't touch the MAC times. There is no way they can be certain those data weren't copied, though I'm sure their announcement will help mollify the millions of current and former servicemen and women whose vitals are subject to misuse. And as a bonus, I'll bet this breach will be used as an example of something pervasive "trusted" computing could have prevented.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    1. Re:Wow, the FBI discovered MAC times. by Cromac · · Score: 3, Insightful
      > Yes, really tough to boot into INSERT (knoppix-based with partimage and USB support) and copy the drive image to an external usb drive.

      How clever of you to parrot back what was in the article. He said if they made a bit by bit copy of the disk there would be no way to tell if it had actually been accessed. They might be able to show it has been compromised, they can't prove it hasn't.

      > I think the FBI is totally blowing smoke on this one.

      Why would you say that? If you'd actually read the article you'd know this isn't about what the FBI did or didn't do at all. It's nothing but speculation from someone who says he's a forensic specialist at Zone Labs.

      From the article:

      > As a former Computer Forensic Specialist, I wanted to explain what's probably going on with this laptop now that the FBI has the system and is forensically examining it.

      The post was not written by the FBI, by an FBI agent or by anyone associated with the FBI. The only thing the post says about what the FBI has done is quote a vague press release.

      > A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen. A thorough forensic examination is underway, and the results will be shared as soon as possible. The investigation is ongoing.
    2. Re:Wow, the FBI discovered MAC times. by Zemran · · Score: 3, Informative

      When I was doing forensic work it was a legal requirement that there was no change whatsoever to the data on the disk when we imaged. It was not a complicated task and the instructions can be found on the internet. Although I do not imagine that the average thief would do this I think it is stupid in the extreme to assume that it has not been done.

      --
      I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  2. Victims have to assume it was accessed by eln · · Score: 3, Insightful

    The data was unaccounted for for a fairly significant period of time. Anyone whose data was on that laptop still has to assume the data was accessed, and take appropriate steps to protect themselves from identity theft.

    Even if the data really wasn't accessed, the fact that it was unaccounted for (even that it was taken to someone's house) is inexcusable. Just because the VA managed to dodge a bullet this time doesn't mean they're in the clear on this.

  3. Worst Case Scenario by neonprimetime · · Score: 4, Informative

    I really like the "worst-case scenario" that article posts ...

    > Worst case scenario: The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only (no modifications to the file system) on another computer, access the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop -- and this is why I mentioned what the FBI might look for during the physical examination -- marks on the screws or fingerprints on the internal hard drive casing.

    1. Re:Worst Case Scenario by fireduck · · Score: 5, Informative
      The worst case scenario is quite likely, given that the hard drive was found separate from the computer, as described here:

      > Both the laptop and hard drive ended up for sale at a black market just north of Washington D.C., near a subway station outside the Beltway near Wheaton. We're talking about the kind of market that is literally run out of the back of a truck, one official said. Fortunately, a buyer purchased both components at this black market, keeping the missing hardware together.
  4. Translation... by Frosty+Piss · · Score: 5, Funny
    FTA:

    > As with any physical evidence, looking for material containing DNA is standard procedure.

    Translation: it was used to surf porn...

    --
    If you want news from today, you have to come back tomorrow.
  5. Highly Secret FBI Technique by SvetBeard · · Score: 5, Funny

    Click "Start." Select "Documents." Look for VA-Confidential-ID-Info-DO-NOT-STEAL.xls. It's not there! We're Golden!

  6. Easy cheesy by MooseTick · · Score: 4, Insightful

    It is trivial to copy the contents from a hard drive and leave NO sign that the data was read. There would be NO way to forensically determine whether the data had been compromised. You could do a best guess, but that would only be a guess.

    1. Re:Easy cheesy by dattaway · · Score: 3, Informative

      Actually you can determine if the hard drive was copied. If you look into the hdparm utilities, you can access a drive's runtime, last smartcheck time, and other statistics. This information can be logged by a paranoid host operating system to check for unaccounted time.

      Unfortunately, I doubt anyone at Microsoft has ever thought of this nor even bothered to patent something so "novel."

    2. Re:Easy cheesy by HiThere · · Score: 3, Interesting

      > I'm no conspiracy theorist - but in true reality, this smells like other countries making hardware under specifications that do not match ours - and therefore may pose a security risk to us. Yea - I know, far-fetched. Damned far-fetched. But think about it. The greatest threat/companion to us right now truly is China - they hold the majority of our worldwide currency, and they produce a damned-good percentage of our products. If they withdrew, and took our money with them, and left us our debt - we'd be in some DEEP shit. We'd be 3rd-world classification without any warning.

      Try it this way: Many companies, in this country and others, cut corners where they don't think it will show. One of the things they do is claim to be compliant with standards that they haven't actually done the hard parts of being compliant with. ...

      Actually, sometimes it isn't that "innocent", like the non-compliant CDs, but frequently it's done without malice, but only greed as a driver.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  7. Is this just some guy's blog entry? by IANAAC · · Score: 3, Informative
    Because nowhere in his blog does he say that this is really what the FBI is doing, as the summary suggests.

    While it's nice a forensic specialist can lend some insight, it's misleading to suggest this is what the FBI is actually doing.

  8. trust by Lord+Ender · · Score: 3, Interesting

    Sure, the filestamp could be "last accessed: before this thing was stolen."

    But there is no way they can be sure the drive was not removed, imaged (dd if=/dev/hdc1 of=SSNDBimage), then put back.

    Now, if they can do something like looking at the scratches in the IDE pins in the HD, to see how many times it has been plugged in to something, I would be seriously impressed. That would be unprecedented in forensics, as far as I know.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  9. So in short, it's a bit of a gamble. But not much. by ScentCone · · Score: 5, Insightful

    The thrust of his comments is this: if we're dealing with casual laptop thieves (as the circumstances of the house burglary suggest), then the usual built-in flags and dates that the O/S uses will tell the tale. If we're dealing with someone clever enough to do what they (the forensics lab) likely did, they'd have removed the drive and used other equipment to make a passive bit-for-bit copy, and then re-installed the drive... and he's suggesting that it would be fairly hard to do that without leaving some tell-tale signs inside the case (tool marks, DNA, mechanical changes to connectors, etc).

    A response to his blog entry suggests that someone might have booted the machine with another external O/S and copied the data that way (with the drive in read-only mode, as seen from the other O/S). I presume we're talking knoppix, etc. There'd be very little to find on the machine, if that were the case.

    So the gamble comes down to this: are we dealing with very advanced spooky thieves that happened to know this guy would have that data on his machine, and were staking out his house to catch the laptop there unguarded, and then faked a very pedestrian looking robbery, and clean-roomed the machine, and then turned it in to the FBI?

    Or, did Mr. Occam come along, rob the house, grab the laptop and other portable goodies from the house (which happened), and then later realize that the machine wasn't exactly fenceable (especially with US Government Property markings on it, etc), and he either passed it off to someone else or made arrangements for indirect involvement in turning it in to the Baltimore FBI office for a shot at the $50k reward money?

    The second scenario seems a lot more likely, since in the first, an operation that polished usually has other ways to get the data, and even if laying hands on the laptop WAS the only way to get the data, they could have done so in place in a matter of minutes (since the guy they would have to have been casing was already gone from the house), and left the laptop right where it is, thus making the stolen data much more valuable (since its theft would have not been broadcast to the world).

    --
    Don't disappoint your bird dog. Go to the range.
  10. here's the conclusion we want, now come to it by frovingslosh · · Score: 4, Insightful

    I doubt very much that the "experts" that the FBI has looking into this are so lame that they don't realize that a Live CD like Knoppix or any of the hundreds of others could have been used to make a copy of the data without changing the "last accessed dates". Heck, that is likely what they did themselves when they made the forensic copy of the data that they examined. It seems much more likely that they have been told what result it would be in their best interest to come to, and barring any extremely obvious indications otherwise, we will be told what the government wants to tell us.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  11. Re:Silly thieves .... don' they know ? by eln · · Score: 3, Funny

    Maybe, but having your way with the laptop would surely leave some DNA evidence.

  12. Re:So in short, it's a bit of a gamble. But not mu by tftp · · Score: 3, Insightful
    A combination of your scenarios is even more likely:

    1. A common burglar enters the house and takes anything that looks valuable.
    2. That burglar then reads in newspapers what exactly he has in his hands.
    3. That burglar then sells the laptop, as is, to identity thieves; from that point on, he is out of the picture.
    4. The ID thief boots from a Ghost CD, and copies the contents of the drive to another computer.
    5. The ID thief returns the laptop, so that he can maximize the value of the data, and stop the investigation.
    6. The FBI concludes that the computer was not booted up for ages, and the data is safe. There will be no discernible fingerprints on the computer (of the owner or of the thieves); that is not unusual.
  13. Re:Correct, useless by Homology · · Score: 4, Interesting

    > Yeah, especially if they had done what I would have done: boot from CD and copy files out the ethernet port to another HD.

    What most forget (i.e. don't know) is that a modern IDE drive collects a lot of information (number of recycles, hours used, errors, bla bla), at least if S.M.A.R.T is enabled. I'm sure that this information is helpful.

    In any case, booting from CD and copying files from the hard disk may very well leave traces that this might have happened, contrary to what people believe.

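    The S.M.A.R.T. counters that dattaway and Homology point to can be put to defensive use only if the owner has a baseline to compare against. The following is an added example, not code from the article or from any poster here: it assumes the owner kept an earlier snapshot of `smartctl -A` output plus host uptime logs, and the snapshot text and numbers below are constructed.

```python
import re

# Constructed `smartctl -A` style output: the baseline snapshot taken while the
# drive was still in the owner's custody, and one read from the recovered drive.
BASELINE_SMART = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   089   089   000    Old_age   Always       -       8352
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       1201
194 Temperature_Celsius     0x0022   031   045   000    Old_age   Always       -       31 (Min/Max 20/45)
"""
RECOVERED_SMART = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   089   089   000    Old_age   Always       -       8359
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       1204
194 Temperature_Celsius     0x0022   029   045   000    Old_age   Always       -       29 (Min/Max 20/45)
"""
# Hours and boots the host's own logs (uptime, boot records) account for between
# the two snapshots (constructed values).
HOST_LOGGED_HOURS = 4
HOST_LOGGED_BOOTS = 1

# One attribute row: id, name, flag, value, worst, thresh, type, updated,
# when_failed, then the raw value, of which only the leading integer is taken
# (so "31 (Min/Max 20/45)" parses as 31).
ATTR_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+\S+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\d+)")


def parse_smart(text):
    """Return {attribute_name: raw_value} from smartctl -A style output."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(2)] = int(m.group(3))
    return attrs


def unaccounted_activity(baseline, recovered, logged_hours, logged_boots):
    """Drive activity between two snapshots that the host's own logs do not explain.

    A drive spun up on another machine, or behind a write blocker, still
    accumulates power-on hours and power cycles even though no file system
    timestamp changes, which is why these counters can raise suspicion when
    MAC times cannot. A zero result does not prove the data was never read.
    """
    b, r = parse_smart(baseline), parse_smart(recovered)
    hours = r["Power_On_Hours"] - b["Power_On_Hours"]
    cycles = r["Power_Cycle_Count"] - b["Power_Cycle_Count"]
    return {"unaccounted_hours": max(0, hours - logged_hours),
            "unaccounted_cycles": max(0, cycles - logged_boots)}


def suspicious(baseline, recovered, logged_hours, logged_boots):
    """True when either counter moved more than the host can account for."""
    return any(unaccounted_activity(baseline, recovered,
                                    logged_hours, logged_boots).values())
```

    Counters in the hundreds or thousands of hours drift slowly, so the check is only as good as how recently the baseline was taken.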
  14. Re:So in short, it's a bit of a gamble. But not mu by ScentCone · · Score: 3, Insightful

    Interesting. I think, believe it or not, that the hardest part for your average burglar is this:

    > That burglar then sells the laptop, as is, to identity thieves

    Because most break-ins are committed by very low-brow thieves. Most are looking for quick cash to fuel a drug habit, or by kids trying to lay hands on gear they want but can't buy (game consoles, DVDs, etc). Tracking down a connection to a big-ticket ID-theft person/ring is well outside the normal criminal relations of your average B&E punk. Not saying impossible, just not likely. Most of them would be scared to death once they heard what they had, and would have either chucked it in the river or (my guess), looked for a way to say "uh... a guy I know stole this... can I have the fifty large, now, in small bills?"

    --
    Don't disappoint your bird dog. Go to the range.
  15. Re:So in short, it's a bit of a gamble. But not mu by tftp · · Score: 4, Insightful
    That assumes that the criminal world is somehow deficient and can't find its specialists with both hands and a mirror. But we usually know people who are like us. If you work with computers, you have friends and acquaintances of similar sort. When I was in the computer contracting business I could have linked you with tens, if not hundreds, of people who specialize in this and that.

    If someone works as a thief, he knows other thieves, and he surely knows people who buy stolen stuff. The laptop could go through several hands before it landed with an ID thief, and there is a reason for that - each layer of resellers would try to maximize the value of the item. Even the stupidest thief would be smart enough to sell the laptop with valuable data for $500 instead of selling it as a generic notebook for $50.

    Such a long chain of custody can explain, actually, why the laptop was out of sight for so long. Each owner would need several days to make a few phone calls or meetings before a deal is made and money changes hands. The last owner would need an hour at most, and once the data is copied and verified there is no reason to hold onto the hardware.

  16. Re:No offense, but let them do their job by base3 · · Score: 3, Insightful
    I understand what you're saying, but if I were the one testifying before Congress, I would have to say the data must be assumed compromised. Given that the machine was fenced, there were a number of people who had an opportunity to obtain the data and then put the machine back into the pawn circuit so that it looked like a ham-handed theft. I agree that the initial theft was a crime of opportunity, but wouldn't rule out a sophisticated grab of the data.

    As far as the encryption hypothesis, given the PR fallout they were expecting by the way this event was "managed," I can be fairly certain that if the data had been encrypted the public would never have heard about the laptop theft.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  17. Bitwise copy is possible, but extremely unlikely by TheFlyingGoat · · Score: 4, Insightful

    ScentCone's comment hits it on the head, but I'll take it a bit further. Even though it is pretty simple to set a drive to read-only or make a bitwise copy of it, you'd have to ask WHY someone would do that. If the person that stole the laptop was actually out to steal sensitive data, they would do so and then destroy the laptop instead of risking having it tracked back to them.

    So, if they were smart psychic criminals that knew the data was on the laptop, they'd not worry about covering their tracks the hard way... they'd just destroy the laptop once they had the data. After all, the data would be worth far more than the laptop itself.

    If it was a criminal that just stole a bunch of high tech gear from the house, which is far more likely, and if the FBI really is using these methods, then the data wasn't accessed.

    Just more tinfoil hat comments dominating the responses, though. In any case, EVERYONE, not just people whose data might have been compromised, should check their credit reports regularly and pay close attention to their financial information.

    --
    You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill