Slashdot Mirror


Forensic Analysis of the Stolen VA Database

An anonymous reader writes "As you have probably heard, the FBI has recovered the stolen Veteran's Administration laptop. The FBI even said "A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen." This article looks at what the FBI forensic lab is doing to determine the sensitive information hasn't been accessed and how the thieves might have covered their tracks — thereby rendering the forensic results useless."

11 of 144 comments

  1. Wow, the FBI discovered MAC times. by base3 · · Score: 5, Insightful

    But someone taking an image copy of the disk wouldn't touch the MAC times. There is no way they can be certain those data weren't copied, though I'm sure their announcement will help mollify the millions of current and former servicemen and women whose vitals are subject to misuse. And as a bonus, I'll bet this breach will be used as an example of something pervasive "trusted" computing could have prevented.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
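
As an added example (not part of the thread, and not the FBI's procedure), here is the MAC-time check the comment refers to, together with its limit, in Python: it walks a directory tree, flags files whose modification, access or inode-change time falls after a cut-off date, and then shows that someone who reads a file and restores its atime and mtime afterwards defeats two of the three timestamps, while an image taken from a read-only mount touches none of them. The cut-off date, file names and contents are constructed for the demonstration; because ctime cannot be set from user space, every constructed file will show a ctime after the cut-off, which is itself the point.

```python
"""MAC-time audit of a directory tree, with the limits the comment describes.

Added example, not from the thread. The cut-off date, file names and file
contents are constructed for the demonstration.
"""
import os
import tempfile
from datetime import datetime, timezone

# Assumed cut-off: the day the laptop was reported missing (hypothetical date).
THEFT_TIME = int(datetime(2006, 5, 3, tzinfo=timezone.utc).timestamp())


def mac_times(path):
    """Return the M (modify), A (access) and C (inode change) times as ints."""
    st = os.stat(path, follow_symlinks=False)
    return {"mtime": int(st.st_mtime), "atime": int(st.st_atime),
            "ctime": int(st.st_ctime)}


def audit(root, cutoff):
    """Map each file under root to the names of its timestamps later than cutoff.

    Files with no late timestamp are omitted. An empty result means only that
    nothing *recorded* happened after the cutoff, not that nothing was read.
    """
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            late = sorted(k for k, v in mac_times(full).items() if v > cutoff)
            if late:
                flagged[os.path.relpath(full, root)] = late
    return flagged


def read_then_restore(path):
    """Read a file, then put its original atime and mtime back.

    This is the 'cover your tracks' move. It works for atime and mtime, but the
    kernel sets ctime to the current clock on every utime() call and user space
    cannot set ctime directly, so the restore itself leaves a tell.
    """
    before = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))
    return data


def build_sample(root):
    """Constructed sample: three files whose atime/mtime are set explicitly."""
    long_before = THEFT_TIME - 30 * 86400
    after = THEFT_TIME + 2 * 86400
    # (name, atime, mtime): untouched, read after theft, edited after theft.
    for name, atime, mtime in [("va_records.mdb", long_before, long_before),
                               ("notes.txt", after, long_before),
                               ("memo.doc", after, after)]:
        full = os.path.join(root, name)
        with open(full, "wb") as f:
            f.write(b"constructed sample data\n")
        os.utime(full, (atime, mtime))   # the kernel also bumps ctime to "now"


def run_demo():
    """Build the sample, audit it, then show what read_then_restore leaves."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        flagged = audit(root, THEFT_TIME)
        target = os.path.join(root, "va_records.mdb")
        original = mac_times(target)
        read_then_restore(target)
        restored = mac_times(target)
        return flagged, original, restored


if __name__ == "__main__":
    flagged, original, restored = run_demo()
    for path, late in flagged.items():
        print(f"{path}: {', '.join(late)} after cut-off")
    print("after read_then_restore:", original, "->", restored)
```

In the run, `va_records.mdb` is flagged only on ctime, `notes.txt` on atime and ctime, and `memo.doc` on all three; after `read_then_restore` the atime and mtime of `va_records.mdb` are back where they were while its ctime has moved forward again. A thief who images the drive from another machine with the partition mounted read-only (or behind a write blocker) produces none of these changes, which is why the comment calls the announcement a mollifier rather than proof.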
  2. Worst Case Scenario by neonprimetime · · Score: 4, Informative

    I really like the "worst-case scenario" that article posts ...

    Worst case scenario: The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only (no modifications to the file system) on another computer, access the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop -- and this is why I mentioned what the FBI might look for during the physical examination -- marks on the screws or fingerprints on the internal hard drive casing.

    1. Re:Worst Case Scenario by fireduck · · Score: 5, Informative
      The worst case scenario is quite likely, given that the hard drive was found separate from the computer, as described here:
      Both the laptop and hard drive ended up for sale at a black market just north of Washington D.C., near a subway station outside the Beltway near Wheaton. We're talking about the kind of market that is literally run out of the back of a truck, one official said. Fortunately, a buyer purchased both components at this black market, keeping the missing hardware together.
  3. Translation... by Frosty+Piss · · Score: 5, Funny
    FTA:

    As with any physical evidence, looking for material containing DNA is standard procedure.

    Translation: it was used to surf porn...

    --
    If you want news from today, you have to come back tomorrow.
  4. Highly Secret FBI Technique by SvetBeard · · Score: 5, Funny

    Click "Start." Select "Documents." Look for VA-Confidential-ID-Info-DO-NOT-STEAL.xls. It's not there! We're Golden!

  5. Easy cheesy by MooseTick · · Score: 4, Insightful

    It is trivial to copy the contents from a hard drive and leave NO sign that the data was read. There would be NO way to forensically determine whether the data had been compromised. You could do a best guess, but that would only be a guess.

  6. So in short, it's a bit of a gamble. But not much. by ScentCone · · Score: 5, Insightful

    The thrust of his comments is this: if we're dealing with casual laptop thieves (as the circumstances of the house burglary suggest), then the usual built-in flags and dates that the O/S uses will tell the tale. If we're dealing with someone clever enough to do what they (the forensics lab) likely did, they'd have removed the drive and used other equipment to make a passive bit-for-bit copy, and then re-installed the drive... and he's suggesting that it would be fairly hard to do that without leaving some tell-tale signs inside the case (tool marks, DNA, mechanical changes to connectors, etc).

    A response to his blog entry suggests that someone might have booted the machine with another external O/S and copied the data that way (with the drive in read-only mode, as seen from the other O/S). I presume we're talking knoppix, etc. There'd be very little to find on the machine, if that were the case.

    So the gamble comes down to this: are we dealing with very advanced spooky thieves that happened to know this guy would have that data on his machine, and were staking out his house to catch the laptop there unguarded, and then faked a very pedestrian looking robbery, and clean-roomed the machine, and then turned it in to the FBI?

    Or, did Mr. Occam come along, rob the house, grab the laptop and other portable goodies from the house (which happened), and then later realize that the machine wasn't exactly fenceable (especially with US Government Property markings on it, etc), and he either passed it off to someone else or made arrangements for indirect involvement in turning it in to the Baltimore FBI office for a shot at the $50k reward money?

    The second scenario seems a lot more likely, since in the first, an operation that polished usually has other ways to get the data, and even if laying hands on the laptop WAS the only way to get the data, they could have done so in place in a matter of minutes (since the guy they would have to have been casing was already gone from the house), and left the laptop right where it was, thus making the stolen data much more valuable (since its theft would not have been broadcast to the world).

    --
    Don't disappoint your bird dog. Go to the range.
  7. here's the conclusion we want, now come to it by frovingslosh · · Score: 4, Insightful

    I doubt very much that the "experts" that the FBI has looking into this are so lame that they don't realize that a Live CD like Knoppix or any of the hundreds of others could have been used to make a copy of the data without changing the "last accessed dates". Heck, that is likely what they did themselves when they made the forensic copy of the data that they examined. It seems much more likely that they have been told what result it would be in their best interest to come to, and barring any extremely obvious indications otherwise, we will be told what the government wants to tell us.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  8. Re:Correct, useless by Homology · · Score: 4, Interesting

    > Yeah, especially if they had done what I would have done: boot from CD and copy files out the ethernet port to another HD.

    What most forget (i.e. don't know) is that a modern IDE drive collects a lot of information (number of recycles, hours used, errors, bla bla), at least if S.M.A.R.T. is enabled. I'm sure that this information is helpful.

    In any case, booting from CD and copying files from the hard disk may very well leave traces that this might have happened, contrary to what people believe.
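
An added example (not from the thread) of what the S.M.A.R.T. comparison the comment alludes to looks like in practice: a parser for the attribute table printed by `smartctl -A`, run over two constructed snapshots, one assumed to come from an inventory pass before the theft and one taken by the examiner at the drive's first spin-up after recovery. The growth in Power_On_Hours and Power_Cycle_Count puts a floor under how long the drive ran, and how many times it was powered, while it was missing, whether or not any file system timestamp moved. Both snapshots and all the numbers are constructed; the existence of a pre-theft baseline is an assumption, not something the thread states.

```python
"""Compare S.M.A.R.T. usage counters from two smartctl -A snapshots.

Added example, not from the thread. Both snapshots below are constructed in
the layout smartctl -A prints; the values are invented for the demonstration.
The 'baseline' is assumed to come from an inventory pass before the theft,
which is an assumption about the agency, not something the thread states.
"""
import re

BASELINE_SMART = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   051    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   094   094   000    Old_age   Always       -       4821
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       1203
194 Temperature_Celsius     0x0022   066   055   000    Old_age   Always       -       34 (Min/Max 21/45)
"""

RECOVERED_SMART = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   051    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   094   094   000    Old_age   Always       -       4823
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       1207
194 Temperature_Celsius     0x0022   066   055   000    Old_age   Always       -       31 (Min/Max 21/45)
"""

USAGE_COUNTERS = ("Power_On_Hours", "Power_Cycle_Count")


def parse_smart_attributes(text):
    """Return {attribute_name: leading integer of RAW_VALUE} from smartctl -A text.

    Only lines that start with a numeric attribute ID are data rows. RAW_VALUE is
    the tenth column; some drives append extra tokens (e.g. min/max temperature),
    so only the leading integer is kept.
    """
    attrs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        match = re.match(r"\d+", parts[9])
        attrs[parts[1]] = int(match.group()) if match else None
    return attrs


def usage_delta(baseline_text, recovered_text, counters=USAGE_COUNTERS):
    """Growth of each usage counter between the two snapshots."""
    base = parse_smart_attributes(baseline_text)
    recovered = parse_smart_attributes(recovered_text)
    return {name: recovered[name] - base[name]
            for name in counters if name in base and name in recovered}


def interpret(delta, examiner_cycles=1):
    """Subtract the examiner's own power-ups and summarise what the drive saw.

    The counters are maintained by the drive firmware, so they move even when the
    disk sits behind a write blocker or is mounted read-only; what they cannot
    say is which files, if any, were read. examiner_cycles is how many times the
    examiner powered the drive before recording the snapshot (ideally 1).
    """
    cycles = delta.get("Power_Cycle_Count", 0) - examiner_cycles
    hours = delta.get("Power_On_Hours", 0)
    if cycles <= 0 and hours <= 0:
        return "no power-on activity beyond the examiner's own"
    return f"powered up {cycles} time(s) and ran about {hours} hour(s) while missing"


if __name__ == "__main__":
    d = usage_delta(BASELINE_SMART, RECOVERED_SMART)
    print(d)
    print(interpret(d))
```

With the constructed snapshots the drive shows two extra power-on hours and four extra power cycles, three of them unexplained once the examiner's own spin-up is subtracted. That is the trace the comment is talking about: a Live CD boot that copies files without touching the file system still runs the drive, and the drive counts it. The counters only have hour granularity and say nothing about which sectors were read, so a short read-only copy can hide inside the rounding; they are a floor, not an access log.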

  9. Re:So in short, it's a bit of a gamble. But not mu by tftp · · Score: 4, Insightful
    That assumes that criminal world is somehow deficient and can't find its specialists with both hands and a mirror. But we usually know people who are like us. If you work with computers, you have friends and acquaintances of similar sort. When I was in computer contracting business I could have linked you with tens, if not hundreds, of people who specialize in this and that.

    If someone works as a thief, he knows other thieves, and he surely knows people who buy stolen stuff. The laptop could go through several hands before it landed with an ID thief, and there is a reason for that - each layer of resellers would try to maximize the value of the item. Even the stupidest thief would be smart enough to sell the laptop with valuable data for $500 instead of selling it as a generic notebook for $50.

    Such a long chain of custody can explain, actually, why the laptop was out of sight for so long. Each owner would need several days to make a few phone calls or meetings before a deal is made and money changes hands. The last owner would need an hour at most, and once the data is copied and verified there is no reason to hold onto the hardware.

  10. Bitwise copy is possible, but extremely unlikely by TheFlyingGoat · · Score: 4, Insightful

    ScentCone's comment hits it on the head, but I'll take it a bit further. Even though it is pretty simple to set a drive to read-only or make a bitwise copy of it, you'd have to ask WHY someone would do that. If the person that stole the laptop was actually out to steal sensitive data, they would do so and then destroy the laptop instead of risking having it tracked back to them.

    So, if they were smart psychic criminals that knew the data was on the laptop, they'd not worry about covering their tracks the hard way... they'd just destroy the laptop once they had the data. After all, the data would be worth far more than the laptop itself.

    If it was a criminal that just stole a bunch of high tech gear from the house, which is far more likely, then, if the FBI really is using these methods, the data wasn't accessed.

    Just more tinfoil hat comments dominating the responses, though. In any case, EVERYONE, not just people whose data might have been compromised, should check their credit reports regularly and pay close attention to their financial information.

    --
    You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill