
Forensic Analysis of the Stolen VA Database

timothy posted more than 8 years ago | from the overconfidence-perhaps dept.


An anonymous reader writes "As you have probably heard, the FBI has recovered the stolen Veteran's Administration laptop. The FBI even said "A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen." This article looks at what the FBI forensic lab is doing to determine the sensitive information hasn't been accessed and how the thieves might have covered their tracks — thereby rendering the forensic results useless."


144 comments


Wow, the FBI discovered MAC times. (5, Insightful)

base3 (539820) | more than 8 years ago | (#15651696)

But someone taking an image copy of the disk wouldn't touch the MAC times. There is no way they can be certain those data weren't copied, though I'm sure their announcement will help mollify the millions of current and former servicemen and women whose vitals are subject to misuse. And as a bonus, I'll bet this breach will be used as an example of something pervasive "trusted" computing could have prevented.
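An added example, not from base3's post or the linked article: the MAC-time triage an examiner would run over a read-only copy of the drive, and the limit of it. The loss date, the directory layout and the sample files are constructed here. The code makes the point base3 makes: a file timestamp later than the loss is evidence of post-theft activity, while the absence of one proves nothing, because a raw image (dd, partimage, Ghost) reads the device underneath the filesystem and never updates these fields. The second check, ctime later than both mtime and atime, is a Linux detail (utime() can set M and A, but the kernel stamps ctime with the current clock when it does) and flags rolled-back timestamps rather than old data.

```python
import os
import tempfile
from datetime import datetime, timezone

# Assumed (constructed) loss date: the moment the laptop left the owner's custody.
LOSS_DATE = datetime(2006, 5, 3, 0, 0, tzinfo=timezone.utc)
ONE_DAY = 86400.0


def mac_times(path):
    """(mtime, atime, ctime) of one path as POSIX seconds. lstat: never follow
    symlinks on evidence. On Linux st_ctime is inode change time, not creation."""
    st = os.lstat(path)
    return st.st_mtime, st.st_atime, st.st_ctime


def timeline(root):
    """One (timestamp, field, relative path) event per MAC field of every regular
    file under root, oldest first; the usual first view of a seized filesystem."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            m, a, c = mac_times(full)
            events.extend([(m, "M", rel), (a, "A", rel), (c, "C", rel)])
    return sorted(events)


def activity_after(root, cutoff=LOSS_DATE):
    """Files whose mtime or atime is later than cutoff. Non-empty: somebody used
    the filesystem after the loss. Empty: nothing learned, because a raw read of
    the device leaves every one of these fields exactly as it was."""
    limit = cutoff.timestamp()
    return sorted({rel for t, field, rel in timeline(root)
                   if field in ("M", "A") and t > limit})


def backdated(root, slack=ONE_DAY):
    """Files whose ctime is well after both mtime and atime: the signature of a
    timestamp that was set with utime(), not of a file that is genuinely old."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            m, a, c = mac_times(full)
            if c - max(m, a) > slack:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Constructed evidence tree: a database file given pre-theft M/A times with
    utime (so its ctime is 'now' and trips backdated()), and a note written now."""
    root = tempfile.mkdtemp(prefix="va_evidence_")
    os.makedirs(os.path.join(root, "db"))
    os.makedirs(os.path.join(root, "tmp"))
    db = os.path.join(root, "db", "veterans.mdb")
    with open(db, "wb") as f:
        f.write(b"constructed sample, not real records\n")
    old = datetime(2006, 4, 28, 17, 30, tzinfo=timezone.utc).timestamp()
    os.utime(db, (old, old))          # atime and mtime back to April 2006
    with open(os.path.join(root, "tmp", "notes.txt"), "w") as f:
        f.write("opened on the finder's machine\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for t, field, rel in timeline(root):
        print(datetime.fromtimestamp(t, tz=timezone.utc).isoformat(), field, rel)
    print("activity after loss:", activity_after(root))
    print("timestamps that look rolled back:", backdated(root))
```

Run it against a mounted read-only image rather than the live drive; on the real evidence the examiner would also record the mount options, since a filesystem mounted without noatime would itself rewrite the A field of every file opened.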

Re:Wow, the FBI discovered MAC times. (2, Interesting)

Anonymous Coward | more than 8 years ago | (#15651770)

But someone taking an image copy of the disk wouldn't touch the MAC times. There is no way they can be certain those data weren't copied, though I'm sure their announcement will help mollify the millions of current and former servicemen and women whose vitals are subject to misuse.

Well, if you'd RTFA then you would have known that they combine it with physical evidence (fingerprints on the drive itself, as well as on areas such as the CD eject button and whatever keys you use to get to the BIOS setup on that laptop). True, you can't be 100% sure that the thieves were aware of this and removed any fingerprints (though that in and of itself could provide a clue). That's when you take a look at who you think stole it and where/how you recovered it.

So your flippant comment, while amusing at first blush, is yet another example of /. populist spewing from the mouth and provides no true "insight", but will get modded up anyway by the unwashed hordes.

Re:Wow, the FBI discovered MAC times. (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#15651834)

You're an idiot. You don't have to open the case to image the drive. And if you can't figure out how to wipe off buttons, you're an even bigger idiot.

Re:Wow, the FBI discovered MAC times. (1)

LocalH (28506) | more than 8 years ago | (#15651917)

Or if you can't figure out how to prevent the fingerprints from getting on the machine in the first place. It's not that difficult.

Re:Wow, the FBI discovered MAC times. (0)

Anonymous Coward | more than 8 years ago | (#15651849)

Translation -- I'm bummed I couldn't grab the karma for my troll ID with the idea first.

Re:Wow, the FBI discovered MAC times. (2, Interesting)

Khyber (864651) | more than 8 years ago | (#15652548)

The fact that I can wear gloves and never once touch the hard drive physically yet copy it without leaving a trace except for maybe the last access time leaves practically NO EVIDENCE - no DNA, maybe the MAC address of where the information was being sent (if that exists, but it's useless if it was put on another hard drive, then copied over after decryption to another drive and the middle-transfer drive destroyed,) but the original post is still pretty much 100% accurate - I've done plenty of consumer-untraceable data recovery/transfer/copying (note I said consumer and not government, please,) and nobody's yet been able to tell what's happened to their data - even when I did it on my machine with them watching me and with them being computer users far better (i.e. Linux-versed to a degree where I'm sure they could create their own OS/API layer) than I will ever be, admittedly.

Re:Wow, the FBI discovered MAC times. (0)

Anonymous Coward | more than 8 years ago | (#15651773)

Yes, really tough to boot into INSERT (knoppix-based with partimage and USB support) and copy the drive image to an external usb drive. I think the FBI is totally blowing smoke on this one.

Re:Wow, the FBI discovered MAC times. (3, Insightful)

Cromac (610264) | more than 8 years ago | (#15653226)

Yes, really tough to boot into INSERT (knoppix-based with partimage and USB support) and copy the drive image to an external usb drive.

How clever of you to parrot back what was in the article. He said if they made a bit by bit copy of the disk there would be no way to tell if it had actually been accessed. They might be able to show it has been compromised, they can't prove it hasn't.

I think the FBI is totally blowing smoke on this one.

Why would you say that? If you'd actually read the article you'd know this isn't about what the FBI did or didn't do at all. It's nothing but speculation from someone who says he's a forensic specialist at Zone Labs.

From the article:

As a former Computer Forensic Specialist, I wanted to explain what's probably going on with this laptop now that the FBI has the system and is forensically examining it.

The post was not written by the FBI, by an FBI agent or by anyone associated with the FBI. The only thing the post says about what the FBI has done is quote a vague press release:

A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen. A thorough forensic examination is underway, and the results will be shared as soon as possible. The investigation is ongoing.

Re:Wow, the FBI discovered MAC times. (2, Insightful)

HikingStick (878216) | more than 8 years ago | (#15651783)

What frightens me most is that they surmise that making a bit copy would be unlikely, difficult, or technically complex (I've read the government's view on this from numerous sources). My six year old can do it. This is like assigning nearsighted guards to the top of a town's wall without corrective lenses: "yeah, sure, there are people out there--or are they animals? or maybe bushes?--either way they don't look threatening."

Re:Wow, the FBI discovered MAC times. (0)

Anonymous Coward | more than 8 years ago | (#15652012)

What frightens me most is that they surmise that making a bit copy would be unlikely, difficult, or technically compex (I've read the government's view on this from numerous sources)

Why would you assume that when the very first thing they do is to make a bitwise copy of the drive? Funny how people are quick to believe items fed by the govt when they wish to ("hey Martha look, dem gobment folks aint smart enuff to think dat bidwise copyin is possibul") but dismiss anything that makes them actually look like they know what they are doing (well, of course one would often be correct to take this approach, but man, open your eyes and look at the evidence, these guys know full well the level of effort).

Re:Wow, the FBI discovered MAC times. (1)

HikingStick (878216) | more than 8 years ago | (#15652150)

Perhaps it's their spin doctors then. I've read numerous feeds and interviews that have FBI folks stating that (to the effect of) making a bit-copy is technically difficult and unlikely. All I'm stating is that making such a copy is not difficult for a would-be attacker, and would be the preferred method if they planned for the laptop to be "found" after a period of absence.

No offense, but let them do their job (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15651983)

While there is certainly "no way to be certain" that the data hadn't been compromised or copied, there is some rational thought that can be applied here, especially rational thought devoid of sarcastic and disrespectful post titles like your own.

First, since they're checking out a laptop, likely a government one no less, the chances of

(a) the typical thief going in, opening the case, removing the HD, using a write-blocker to protect a bit-by-bit cloning, and then having a method to return it to authorities is essentially nil. So, if this is a case of your casual identity thief accessing the data, I sincerely doubt you'll find the laptop devoid of physical evidence indicating unauthorized access.

That being said, what if this was some elaborate operation by more professional thieves designed to steal the data?

(b)They would have scoped out their target and have had a fool-proof plan to steal the laptop, data, and make it appear to be a random theft. They would have used gloves and taken the laptop to a sterile environment immediately. They would have done many clever things that are beyond this post. And you know what? The FBI main computer forensic laboratory might be able to figure it out anyway.

In the case of (b), the scary, worst case scenario...what if encryption had been utilized? A key, perhaps, either software (password) based, or hardware (dongle, smart card, biometric) based, would be used, correct? Well, guess what? It would have stopped the thief that didn't know what he was doing, and consequently would have left tracks, and it would only prolong the amount of surveillance needed by the expert thieves to snag the laptop and the key.

Heck, if they were really good, they could have done the imaging of the drive on the spot. Write blockers and a second laptop are both very portable, as are wearing gloves. In every case except for biometrics (and even that can be duplicated -- sensors found on laptops and/or thumb drives are typically very unsophisticated and unable to stop the "gummy finger" trick), the key would have been in the house or on the person, and can be learned passively without tipping off the employee.

Finally, as an aside, the blog (a former computer forensics specialist) suggested the FBI would be looking at MAC times, not the FBI itself. The FBI simply stated that a thorough and detailed analysis would be conducted.

Also, for what it's worth, I'm also a computer forensics specialist, and believe me, MAC times aren't the end-all-be-all of my digital/professional world. A machine has many stories it can tell, and by default, tends to record more information about what you've done than you realize.

Re:No offense, but let them do their job (3, Insightful)

base3 (539820) | more than 8 years ago | (#15652087)

I understand what you're saying, but if I were the one testifying before Congress, I would have to say the data must be assumed compromised. Given that the machine was fenced, there were a number of people who had an opportunity to obtain the data and then put the machine back into the pawn circuit so that it looked like a ham-handed theft. I agree that the initial theft was a crime of opportunity, but wouldn't rule out a sophisticated grab of the data.


As far as the encryption hypothesis, given the PR fallout they were expecting by the way this event was "managed," I can be fairly certain that if the data had been encrypted the public would never have heard about the laptop theft.

Always done by the FEDs.. (0)

Anonymous Coward | more than 8 years ago | (#15652115)

...the very first thing they do when performing a cyberforensics analysis on any computer disk they get, is to make a clone copy themselves while employing a hardware write-blocker [nist.gov] connected to the source drive, and then performing their examinations upon the copy, not the original.
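An added example, not the FBI's procedure and not code from anyone in this thread: what "clone behind a write-blocker, then examine the copy" amounts to in software. The write-blocker is hardware and is assumed to sit in front of the device; this script does the software half, opening the source strictly read-only, hashing the bytes as they stream past (as dd piped through sha256sum would), zero-filling any block the device refuses to read the way dd conv=noerror,sync does, and re-hashing the finished image so the examiner can show the copy matches the source. The device node is stood in for by a constructed file.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 1 << 20   # 1 MiB reads, like dd bs=1M


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, block_size=BLOCK_SIZE):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(src, img, block_size=BLOCK_SIZE):
    """Raw copy of src into img. src is opened O_RDONLY; a block the device will
    not read is replaced by zeros and its byte offset recorded, so the image keeps
    its geometry and the examiner knows which regions are padding, not data."""
    h = hashlib.sha256()
    bad_offsets = []
    offset = 0
    fd = os.open(src, os.O_RDONLY)
    try:
        with open(img, "wb") as out:
            while True:
                try:
                    chunk = os.read(fd, block_size)
                except OSError:                      # EIO on a bad sector
                    bad_offsets.append(offset)
                    chunk = b"\x00" * block_size
                    os.lseek(fd, offset + block_size, os.SEEK_SET)
                if not chunk:
                    break
                out.write(chunk)
                h.update(chunk)
                offset += len(chunk)
    finally:
        os.close(fd)
    return {"bytes": offset, "source_sha256": h.hexdigest(), "bad_offsets": bad_offsets}


def acquire_and_verify(src, img):
    """The chain-of-custody record: source hash taken during the read, image hash
    taken afterwards from the file actually written, and the source's own mtime
    and ctime before and after, to show the raw read did not alter the evidence."""
    before = os.stat(src)
    report = acquire(src, img)
    after = os.stat(src)
    report["image_sha256"] = sha256_file(img)
    report["verified"] = report["image_sha256"] == report["source_sha256"]
    report["source_untouched"] = (before.st_mtime_ns == after.st_mtime_ns
                                  and before.st_ctime_ns == after.st_ctime_ns)
    return report


# Constructed stand-in for the drive: three full 1 MiB blocks plus a 256-byte
# tail, so the copy loop exercises both full and short reads.
SAMPLE_DEVICE = bytes(range(256)) * 12289


def demo():
    """Write the constructed device to a temp file, image it, return the report."""
    tmpdir = tempfile.mkdtemp(prefix="va_acq_")
    src = os.path.join(tmpdir, "sda")      # hypothetical device node, here a plain file
    img = os.path.join(tmpdir, "sda.dd")
    with open(src, "wb") as f:
        f.write(SAMPLE_DEVICE)
    return acquire_and_verify(src, img)


if __name__ == "__main__":
    r = demo()
    print(f"{r['bytes']} bytes, verified={r['verified']}, "
          f"source_untouched={r['source_untouched']}, bad blocks={r['bad_offsets']}")
    print("sha256:", r["image_sha256"])
```

The same two hashes are what the thief's copy would also leave unchanged, which is the thread's point: an identical source hash before and after tells you the evidence was preserved, not that nobody else read it first.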

Correct, useless (2, Interesting)

Anonymous Coward | more than 8 years ago | (#15651698)

Yeah, especially if they had done what I would have done: boot from CD and copy files out the ethernet port to another HD.

Re:Correct, useless (4, Interesting)

Homology (639438) | more than 8 years ago | (#15651924)

> Yeah, especially if they had done what I would have done: boot from CD and copy files out the ethernet port to another HD.

What most forget (i.e. don't know) is that a modern IDE drive collects a lot of information (number of recycles, hours used, errors, bla bla), at least if S.M.A.R.T is enabled. I'm sure that this information is helpful.

In any case, booting from CD and copying files from the hard disk may very well leave traces that this might have happened, contrary to what people believe.

Re:Correct, useless (0)

Anonymous Coward | more than 8 years ago | (#15652464)

Well duh, then take the platters out of the drive and put it in another drive.

Point is, since the drive was gone for so long, you don't know what someone could have done.

Say what? (1)

tetromino (807969) | more than 8 years ago | (#15652554)

What most forget (i.e. don't know) is that a modern IDE drive collects a lot of information (number of recycles, hours used, errors, bla bla), at least if S.M.A.R.T is enabled.

Indeed, SMART collects information about the number of powercycles. However, unless the VA employees kept a record of the number of times they powercycled their machines, this information is pretty much useless for forensics.

In any case, booting from CD and copying files from the hard disk may very well leave traces that this might have happened, contrary to what people believe.

Say what? Just do dd if=/dev/hda of=/mnt/nfs/stolen-hard-drive.diskimg Since dd will be reading the raw bytes of the hard drive, it's not going to modify any filesystem data structures. The only way dd will leave any traces is if the hard drive has a flash-memory cache -- but at the moment, hard drives with a flash-memory cache are extremely rare and expensive, and it is extraordinarily unlikely that the VA laptop was equipped with one.

Re: Say what? (2, Interesting)

Burpmaster (598437) | more than 8 years ago | (#15653010)

Indeed, SMART collects information about the number of powercycles. However, unless the VA employees kept a record of the number of times they powercycled their machines, this information is pretty much useless for forensics.

The system event log in Windows keeps track of every startup/shutdown. If the system is relatively new and has never had its OS reinstalled, you can expect this information to match (or be off by one in a predictable way) unless the hard drive has been started without booting the OS. You'd have to question the owner of the laptop about anything he's done that might start the drive without booting the OS.

And if there's a SMART daemon on the system, you might have a log of those statistics, made on a regular basis. You could then figure out if the hard drive has been started without the SMART statistics being logged by the daemon.

Just do dd if=/dev/hda of=/mnt/nfs/stolen-hard-drive.diskimg Since dd will be reading the raw bytes of the hard drive, it's not going to modify any filesystem data structures.

That's not truly "raw" access to the hard drive. It's the logical data of the disk, not the physical data, and you are still going through the drive's logic. You won't modify the filesystem, but the SMART data will still be updated. And to respond to the GP, it doesn't matter if you disable SMART in the BIOS, because all that setting does is control whether the BIOS checks the SMART status of drives and warns you of a failure before booting. There's a separate tool to enable/disable SMART on the drive itself, but you'd still bump up the power cycle by the time you've started the system in order to use the tool. And you'd have to turn SMART back on at the end.

Re: Say what? (1)

AK Marc (707885) | more than 8 years ago | (#15653054)

The system event log in Windows keeps track of every startup/shutdown. If the system is relatively new and has never had its OS reinstalled, you can expect this information to match (or be off by one in a predictable way) unless the hard drive has been started without booting the OS. You'd have to question the owner of the laptop about anything he's done that might start the drive without booting the OS.

The event log is, by default, 512kb (or is it kB?) and loops after that. The total boots is likely lost, since the file wouldn't be complete. But, even if it was, I know I couldn't tell you the number of times I've, say, hit the power button (starting up the hard drive) then deciding I didn't really want to bother with it then and powering down during POST before Windows starts. Or the few times I go into the BIOS. There are a number of legitimate reasons for the numbers not to match, and I would suspect that a place so careless with their data certainly wouldn't be tracking them.

Re: Say what? (0)

Anonymous Coward | more than 8 years ago | (#15653574)

In any case, there are simply too many variables involved to the point where an expert witness could *never* stand in the witness box and state "I put my reputation on..."

Smart is not helpful, as the drive would have been tested by the manufacturer, then imaged by the laptop vendor, then imaged by VA as part of their standard install process.

Analysis of the screws is also not useful, as the article states that the drive was separate from the laptop, therefore - it was removed...

We will never know. What is clear is that the data is compromised by virtue of the fact that it was uncontrolled. It is actually now a policy problem that no amount of forensics will help with.

Re:Correct, useless (0)

Anonymous Coward | more than 8 years ago | (#15652634)

So, you keep an accurate, current record of your SMART data at all times, just in case your laptop is stolen and you need to check the number of times the drive has been power-cycled?

Unless you have valid data at n-1 moments before theft, comparison now is worthless; HDD's don't have clocks for timestamping the SMART data, y'know...

Victims have to assume it was accessed (3, Insightful)

eln (21727) | more than 8 years ago | (#15651706)

The data was unaccounted for for a fairly significant period of time. Anyone whose data was on that laptop still has to assume the data was accessed, and take appropriate steps to protect themselves from identity theft.

Even if the data really wasn't accessed, the fact that it was unaccounted for (even that it was taken to someone's house) is inexcusable. Just because the VA managed to dodge a bullet this time doesn't mean they're in the clear on this.

Re:Victims have to assume it was accessed (1)

JWtW (875602) | more than 8 years ago | (#15652477)

"Anyone whose data was on that laptop..."

But that's the question, isn't it? How does one know if their information was on that disc? I received my letter, from the VA, informing me of the possible exposure in about two weeks after first hearing about it on the news. My Dad, also a veteran, has yet to receive his. The last paragraph reads as follows:

In accordance with current policy, the Internal Revenue Service has agreed to forward this letter because we do not have current addresses for all affected individuals. The IRS has not disclosed your address or any other tax information to us.

So, by the use of "affected individuals" can one assume that if you didn't get a letter, so kindly forwarded by the IRS, that you're in the clear, or should the fact that tens of millions of veterans and dependants may have been exposed prevail, and you should beware no matter what?

By the way, if you didn't receive your letter, and you prefer to err on the side of caution, they did say that "...the VA has teamed up with the Federal Trade Commission and has a Web site [firstgov.gov] ...

Re:Victims have to assume it was accessed (1)

nwbvt (768631) | more than 8 years ago | (#15652966)

"Anyone whose data was on that laptop still have to assume the data was accessed, and take appropriate steps to protect themselves from identity theft."

Which is the exact same thing people who did not have data on the computer should do. There are a lot of easier ways to steal someone's identity out there. This is hardly an unique case.

Re:Victims have to assume it was accessed (1)

BobSutan (467781) | more than 8 years ago | (#15653032)

Agreed. Contact the credit agency of your choice to put a fraud watch on your file. The agency you contact will notify the other two for you.

Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013

TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

It's also a good idea to call 1-888-5OPTOUT to prevent banks, insurance companies, and those pesky fakers (remember the ChoicePoint fiasco) from getting ahold of your credit report. All 3 agencies use that same number for the opt out process. That should significantly cut down on those pre-approved credit card offers you get in the mail that can be stolen and used in your name as well.

And for the Active Duty members in the crowd that happen to be TDY, you should consider getting an Active Duty military alert placed in your name in addition to a fraud alert. You can never be too safe when it comes to preventing ID theft. However, no matter what you do there's still no guarantee you won't fall victim to the random oddity that can occur (such as a bartender swiping your card # and going nuts on Amazon).

For more info on how to minimize the risks of ID theft, or how to recover from it, check out the FTC's website at www.ftc.gov/idtheft

Worst Case Scenario (4, Informative)

neonprimetime (528653) | more than 8 years ago | (#15651709)

I really like the "worst-case scenario" that article posts ...

Worst case scenario: The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only (no modifications to the file system) on another computer, access the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop -- and this is why I mentioned what the FBI might look for during the physical examination -- marks on the screws or fingerprints on the internal hard drive casing.

Re:Worst Case Scenario (0)

Anonymous Coward | more than 8 years ago | (#15651722)

As another poster pointed out, they wouldn't need to have opened the case to have taken a bit-for-bit image of the drive.

Re:Worst Case Scenario (5, Informative)

fireduck (197000) | more than 8 years ago | (#15651844)

The worst case scenario is quite likely, given that the hard drive was found separate from the computer, as described here [msnbc.com] :
Both the laptop and hard drive ended up for sale at a black market just north of Washington D.C., near a subway station outside the Beltway near Wheaton. We're talking about the kind of market that is literally run out of the back of a truck, one official said. Fortunately, a buyer purchased both components at this black market, keeping the missing hardware together.

Re:Worst Case Scenario (1)

fm6 (162816) | more than 8 years ago | (#15651902)

If the thieves were that well-prepared, it presupposes some complex conspiracy of the sort you only see in movies. Like, "ELINT from the VA indicates that Subject X will take his laptop home this weekend. Field operatives are directed to acquire the laptop. IT Intelligence will download the database, being careful to not leave any signs that the database was actually accessed. We will then return the laptop for the reward, so the entire operation will have the appearance of a casual theft."

The FBI has to be thorough, of course, since this case affects so many people. But it should be obvious by now that the thieves were just looking for stuff they could fence for a few dollars. That's what almost all laptop thefts are about, not stealing data. Indeed, the more professional thieves always wipe the drives right away, since that's evidence that they're holding stolen property.

Of course, this might change now that laptops with sensitive data have been in the news so much lately.

The hard drive was removed... (1)

WebHostingGuy (825421) | more than 8 years ago | (#15652061)

As quoted here (http://redtape.msnbc.com/2006/07/what_happened_t. html) it appears the laptop and hard drive were for sale separately. That means the hard drive had been removed from the computer. The buyer states he bought both items at the same time and he (the buyer) probably put both back together. That means the hard drive was out of the laptop for some time.

It was an external harddrive (1)

bhmit1 (2270) | more than 8 years ago | (#15652351)

It was an external harddrive that they were searching for, and presumably found, separate from the laptop:

http://www.wtop.com/?sid=813030&nid=25 [wtop.com]

Re:Worst Case Scenario (1)

scdeimos (632778) | more than 8 years ago | (#15652418)

I've got a better worst-case scenario: Thief boots laptop up with a Ghost CD and images the hard disk across a network or to an external drive connected by USB or FireWire, leaving no trace that the contents have been read since none of the a-times (assuming they're even turned on) have changed on the original filesystem.

The hard drive they're worried about in this case is actually an external USB drive (from memory), but you could do the same with that.

Translation... (5, Funny)

Frosty Piss (770223) | more than 8 years ago | (#15651720)

FTA:

As with any physical evidence, looking for material containing DNA is standard procedure.

Translation: it was used to surf porn...

Highly Secret FBI Technique (5, Funny)

SvetBeard (922070) | more than 8 years ago | (#15651721)

Click "Start." Select "Documents." Look for VA-Confidential-ID-Info-DO-NOT-STEAL.xls. It's not there! We're Golden!

Easy cheesy (4, Insightful)

MooseTick (895855) | more than 8 years ago | (#15651724)

It is trivial to copy the contents from a hard drive and leave NO sign that the data was read. There would be NO way to forensically determine whether the data had been compromised. You could do a best guess, but that would only be a guess.

Re:Easy cheesy (1)

Homology (639438) | more than 8 years ago | (#15652024)

> It is trivial to copy the contents from a hard drive and leave NO sign that the data was read.

So you claim, but if S.M.A.R.T is enabled, then for sure you have left traces that the hard disk has at least been booted.

Re:Easy cheesy (1)

base3 (539820) | more than 8 years ago | (#15652159)

But when? The times logged by smart are aggregates (e.g. time under load) and aren't pegged to an external clock.

Re:Easy cheesy (1)

Homology (639438) | more than 8 years ago | (#15652269)

> But when? The times logged by smart are aggregates (e.g. time under load) and aren't pegged to an external clock.

I objected to the statement that no trace was left that the hard disk had been accessed when booting from a CD. If the user kept logs it should be possible to determine that the hard disk has been accessed, though you probably cannot conclude that it has not.

Re:Easy cheesy (1)

base3 (539820) | more than 8 years ago | (#15652334)

Ah--so if Windows (which I assume it was running, they'd have probably hung the poor guy if he had been running Linux) logs the S.M.A.R.T. times, they could be compared. Thanks.

Re:Easy cheesy (3, Informative)

dattaway (3088) | more than 8 years ago | (#15652071)

Actually you can determine if the hard drive was copied. If you look into the hdparm utilities, you can access a drive's runtime, last smartcheck time, and other statistics. This information can be logged by a paranoid host operating system to check for unaccounted time.

Unfortunately, I doubt anyone at Microsoft has ever thought of this nor even bothered to patent something so "novel."
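An added example, not from dattaway's post or from the Homology/Burpmaster exchange further up the thread, and not a tool either of them describes: the comparison those posts sketch, assuming a host that logged the drive's S.M.A.R.T. counters at its last clean shutdown (dattaway's "paranoid host", via smartctl or hdparm) and an OS boot/shutdown log (Burpmaster's Windows event log; 6005 and 6006 are the real Event Log service started/stopped IDs). The smartctl output, the baseline record and the event records are all constructed. Unexplained power cycles are the signal, but, as AK Marc and the anonymous poster above note, a trip into the BIOS or a power-up aborted during POST is a legitimate cycle and the drive keeps no clock, so the report carries tolerances and an hours figure rather than a verdict.

```python
import re
from datetime import datetime

# Constructed `smartctl -A /dev/sda` output as it looked when the drive came back.
SMARTCTL_NOW = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   098   098   000    Old_age   Always       -       1912
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       1507
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       1104
"""

# Constructed baseline: the same counters, logged by the host at its last clean
# shutdown before the theft (assumed 2006-04-30).
BASELINE = {"Power_On_Hours": 1498, "Power_Cycle_Count": 1101}

# Constructed OS event-log extract since the baseline: (timestamp, event id).
# 6005 = Event Log service started (a boot), 6006 = stopped (a clean shutdown).
EVENTS = [
    ("2006-05-01T08:00:00", 6005),
    ("2006-05-01T10:00:00", 6006),
    ("2006-05-02T09:00:00", 6005),
    ("2006-05-02T10:30:00", 6006),
]

# ID, name, flag, then VALUE WORST THRESH TYPE UPDATED WHEN_FAILED, then raw value.
_ATTR = re.compile(r"^\s*(\d+)\s+(\S+)\s+0x[0-9A-Fa-f]{4}(?:\s+\S+){6}\s+(\d+)\s*$")


def parse_smart_attributes(text):
    """Attribute name -> raw value for each attribute row of smartctl -A output.
    Rows whose raw value carries annotations (temperature min/max etc.) are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = _ATTR.match(line)
        if m:
            attrs[m.group(2)] = int(m.group(3))
    return attrs


def os_accounted(events):
    """Boots and powered-on hours the OS itself can vouch for: one boot per 6005,
    and the hours between each 6005 and the 6006 that follows it."""
    boots, hours, started = 0, 0.0, None
    for stamp, event_id in events:
        t = datetime.fromisoformat(stamp)
        if event_id == 6005:
            boots += 1
            started = t
        elif event_id == 6006 and started is not None:
            hours += (t - started).total_seconds() / 3600.0
            started = None
    return boots, hours


def unaccounted_drive_time(current, baseline, events,
                           cycle_tolerance=1, hour_tolerance=0.5):
    """Power cycles and hours the drive counted that no OS boot explains. A cycle
    with no OS start is the drive powered by the BIOS, a live CD or another machine.
    Raw Power_On_Hours is assumed to be in hours; some vendors report minutes."""
    boots, hours = os_accounted(events)
    cycles = current["Power_Cycle_Count"] - baseline["Power_Cycle_Count"] - boots
    unexplained_hours = current["Power_On_Hours"] - baseline["Power_On_Hours"] - hours
    return {
        "os_boots": boots,
        "os_hours": hours,
        "unexplained_cycles": cycles,
        "unexplained_hours": round(unexplained_hours, 2),
        # one stray cycle is a BIOS visit; hours of spin time with no OS is not
        "suspicious": cycles > cycle_tolerance or unexplained_hours > hour_tolerance,
    }


def report():
    return unaccounted_drive_time(parse_smart_attributes(SMARTCTL_NOW), BASELINE, EVENTS)


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With these constructed numbers the cycle count alone stays inside tolerance (one stray cycle), but the drive spun for five and a half hours that no Windows session accounts for, which is exactly the live-CD imaging signature the thread is arguing about. Without the logged baseline none of this arithmetic is possible, which is the anonymous poster's objection.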

Re:Easy cheesy (1)

Khyber (864651) | more than 8 years ago | (#15652592)

If you look into the hdparm utilities, you can access a drive's runtime, last smartcheck time, and other statistics.

Not if the drive isn't S.M.A.R.T. capable - which I've found many drives that claim to be so but are really not capable of that capability. In fact - my drive claims to have S.M.A.R.T. yet every tool I run to check on it doesn't say it's compatible - yet my main OS drive is. Makes me a little suspicious that other companies around the world might be falsely selling hardware - e.g. the Dragonwhatever chip that was just some illegally rebadged low-end consumer processor.

I'm no conspiracy theorist - but in true reality, this smells like other countries making hardware under specifications that do not match ours - and therefore may pose a security risk to us. Yea - I know, far-fetched. Damned far-fetched. But think about it. The greatest threat/companion to us right now truly is China - they hold the majority of our worldwide currency, and they produce a damned-good percentage of our products. If they withdrew, and took our money with them, and left us our debt - we'd be in some DEEP shit. We'd be 3rd-world classification without any warning.

Re:Easy cheesy (1)

Khyber (864651) | more than 8 years ago | (#15652636)

Mod me down for my poor HTML $k1ll$.

Re:Easy cheesy (3, Interesting)

HiThere (15173) | more than 8 years ago | (#15653141)

I'm no conspiracy theorist - but in true reality, this smells like other countries making hardware under specifications that do not match ours - and therefore may pose a security risk to us. Yea - I know, far-fetched. Damned far-fetched. But think about it. The greatest threat/companion to us right now truly is China - they hold the majority of our worldwide currency, and they produce a damned-good percentage of our products. If they withdrew, and took our money with them, and left us our debt - we'd be in some DEEP shit. We'd be 3rd-world classification without any warning.

Try it this way: Many companies, in this country and others, cut corners where they don't think it will show. One of the things they do is claim to be compliant with standards that they haven't actually done the hard parts of being compliant with. ...

Actually, sometimes it isn't that "innocent", like the non-compliant CDs, but frequently it's done without malice, but only greed as a driver.

Re:Easy cheesy (1)

ScrewMaster (602015) | more than 8 years ago | (#15653329)

True enough, and when you try to market to a country like the U.S. that has multiple standards with which you must comply for even a simple electronic device, the requisite testing and verification can get very expensive and time-consuming. And if you fail testing, you have to go back to your production line and fix the problem. Domestic manufacturers are, presumably, less likely to cheat because if they get caught they are immediately subject to prosecution, but if you're a vendor in China or Malaysia or wherever, whose products are remarketed and repackaged and sold under multiple brand names ... well. Odds are you aren't all that concerned about standards compliance from the get-go, because you'll never be held accountable anyway.

Is this just some guy's blog entry? (3, Informative)

IANAAC (692242) | more than 8 years ago | (#15651747)

Because nowhere in his blog does he say that this is really what the FBI is doing, as the summary suggests.

While it's nice a forensic specialist can lend some insight, it's misleading to suggest this is what the FBI is actually doing.

trust (3, Interesting)

Lord Ender (156273) | more than 8 years ago | (#15651760)

Sure, the filestamp could be "last accessed: before this thing was stolen."

But there is no way they can be sure the drive was not removed, imaged (dd if=/dev/hdc1 of=SSNDBimage), then put back.

Now, if they can do something like looking at the scratches in the IDE pins in the HD, to see how many times it has been plugged in to something, I would be seriously impressed. That would be unprecedented in forensics, as far as I know.

Re:trust (1)

tftp (111690) | more than 8 years ago | (#15651798)

Now, if they can do something like looking at the scratches in the IDE pins in the HD, to see how many times it has been plugged in to something, I would be seriously impressed.

Ok, imagine that I tell you that the connector was installed three times, and there are seven small scratches on the sides of the HDD. What will you conclude from that? You do not know how many there were before the system was stolen.

Re:trust (1)

jonbryce (703250) | more than 8 years ago | (#15651957)

It tells you that this line of enquiry is inconclusive.

If it had been exactly as fitted in the factory with no movements since, then it would be reasonably safe to conclude that it didn't happen.

Re:trust (1)

ptbarnett (159784) | more than 8 years ago | (#15651810)

Now, if they can do something like looking at the scratches in the IDE pins in the HD, to see how many times it has been plugged in to something, I would be seriously impressed. That would be unprecedented in forensics, as far as I know.

But it still wouldn't prove the data hasn't been copied, because there's no need to remove the drive at all.

Boot the laptop from CD (using DamnSmallLinux, Knoppix, or any similar distribution), copy the drive image to another system over the network, and shutdown.

Re:trust (1)

Lord Ender (156273) | more than 8 years ago | (#15652266)

You're right! You win the thought experiment. There really is NO WAY anyone could possibly show that the data has not been stolen.

Paranoia (2, Informative)

dreddnott (555950) | more than 8 years ago | (#15651765)

The first two times I clicked on the Read More... link, I got the ol' 404 "Nothing to see here, move along" message.

I think my tinfoil hat is on a bit too tight.

Regarding the article links, especially the second link, hopefully the FBI can show the other departments a thing or two about computer security.

At the recycling company I work at, we get dozens of hard drives full of data every day. An unscrupulous person could make a great deal of money off of just thrift store-level personal data, but you rarely see that kind of thing getting done. The typical thief is uneducated, particularly about the mystical inner workings of a computer, but I suspect that is about to change in the New Era of identity theft. I have almost no doubt that a typical thief jacked that laptop to look at MySpace in the park or some other ridiculously pedestrian abuse of hardware...

Obligatory conspiracy theory... (2, Insightful)

Chabil Ha' (875116) | more than 8 years ago | (#15651779)

What if the whole examination is a hoax? Or the real results covered up? What do they stand to gain??? The government (and for that fact humanity) has an ego problem of not wanting to admit mistakes because a mistake of this magnitude merits a major change. If the information is found to have been accessed/copied/etc., you have insane public outcry. If the results come back negative, you still have people grumble about it, but the status quo doesn't have to change.

Lapse of security? (2, Interesting)

Anonymous Coward | more than 8 years ago | (#15651785)

What I want to know is why they kept a highly sensitive database on a laptop, rather than on a server. After all, servers are much harder to carry out of the building than a laptop is.

Re:Lapse of security? (1)

elessar12 (952713) | more than 8 years ago | (#15652225)

That is something that bothered me all along. Granted the government has our information in databases, but why can that information be copied locally at any point in time? Shouldn't there be a guard against copying sensitive data to removable drives, laptops, etc? Couldn't this person work on the data at work or over a vpn instead of locally on his laptop?? I should get a job with the VA, seems like a cakewalk for IT. My company post SOX doesn't even allow IPODs because you can potentially copy client data to them. That's if you know how to export from the database to a file in the first place.

So in short, it's a bit of a gamble. But not much. (5, Insightful)

ScentCone (795499) | more than 8 years ago | (#15651793)

The thrust of his comments are this: if we're dealing with casual laptop thieves (as the circumstances of the house burglary suggest), then the usual built-in flags and dates that the O/S uses will tell the tale. If we're dealing with someone clever enough to do what they (the forensics lab) likely did, they'd have removed the drive and used other equipment to make a passive bit-for-bit copy, and then re-installed the drive... and he's suggesting that it would be fairly hard to do that without leaving some tell-tale signs inside the case (tool marks, DNA, mechanical changes to connectors, etc).

A response to his blog entry suggests that someone might have booted the machine with another external O/S and copied the data that way (with the drive in read-only mode, as seen from the other O/S). I presume we're talking knoppix, etc. There'd be very little to find on the machine, if that were the case.

So the gamble comes down to this: are we dealing with very advanced spooky thieves that happened to know this guy would have that data on his machine, and were staking out his house to catch the laptop there unguarded, and then faked a very pedestrian looking robbery, and clean-roomed the machine, and then turned it into the FBI?

Or, did Mr. Occam come along, rob the house, grab the laptop and other portable goodies from the house (which happened), and then later realize that the machine wasn't exactly fenceable (especially with US Government Property markings on it, etc), and he either passed it off to someone else or made arrangements for indirect involvement in turning it into the Baltimore FBI office for a shot at the $50k reward money?

The second scenario seems a lot more likely, since in the first, an operation that polished usually has other ways to get the data, and even if laying hands on the laptop WAS the only way to get the data, they could have done so in place in a matter of minutes (since the guy they would have to have been casing was already gone from the house), and left the laptop right where it is, thus making the stolen data much more valuable (since its theft would have not been broadcast to the world).

Re:So in short, it's a bit of a gamble. But not mu (3, Insightful)

tftp (111690) | more than 8 years ago | (#15651903)

A combination of your scenarios is even more likely:

  1. A common burglar enters the house and takes anything that looks valuable.
  2. That burglar then reads in newspapers what exactly he has in his hands.
  3. That burglar then sells the laptop, as is, to identity thieves; from that point on, he is out of the picture.
  4. The ID thief boots from a Ghost CD, and copies the contents of the drive to another computer.
  5. The ID thief returns the laptop, so that he can maximize the value of the data, and stop the investigation.
  6. The FBI concludes that the computer was not booted up for ages, and the data is safe. There will be no discernible fingerprints on the computer (of the owner, or of the thieves); that is not unusual.

Re:So in short, it's a bit of a gamble. But not mu (3, Insightful)

ScentCone (795499) | more than 8 years ago | (#15651943)

Interesting. I think, believe it or not, that the hardest part for your average burglar is this:

That burglar then sells the laptop, as is, to identity thieves

Because most break-ins are committed by very low-brow thieves. Most are looking for quick cash to fuel a drug habit, or by kids trying to lay hands on gear they want but can't buy (game consoles, DVDs, etc). Tracking down a connection to a big-ticket ID-theft person/ring is well outside the normal criminal relations of your average B&E punk. Not saying impossible, just not likely. Most of them would be scared to death once they heard what they had, and would have either chucked it in the river or (my guess), looked for a way to say "uh... a guy I know stole this... can I have the fifty large, now, in small bills?"

Re:So in short, it's a bit of a gamble. But not mu (4, Insightful)

tftp (111690) | more than 8 years ago | (#15652047)

That assumes that the criminal world is somehow deficient and can't find its specialists with both hands and a mirror. But we usually know people who are like us. If you work with computers, you have friends and acquaintances of similar sort. When I was in the computer contracting business I could have linked you with tens, if not hundreds, of people who specialize in this and that.

If someone works as a thief, he knows other thieves, and he surely knows people who buy stolen stuff. The laptop could go through several hands before it landed with an ID thief, and there is a reason for that - each layer of resellers would try to maximize the value of the item. Even the stupidest thief would be smart enough to sell the laptop with valuable data for $500 instead of selling it as a generic notebook for $50.

Such a long chain of custody can explain, actually, why the laptop was out of sight for so long. Each owner would need several days to make a few phone calls or meetings before a deal is made and money changes hands. The last owner would need an hour at most, and once the data is copied and verified there is no reason to hold onto the hardware.

Re:So in short, it's a bit of a gamble. But not mu (1)

Dun Malg (230075) | more than 8 years ago | (#15652750)

But we usually know people who are like us. If you work with computers, you have friends and acquaintances of similar sort. When I was in computer contracting business I could have linked you with tens, if not hundreds, of people who specialize in this and that.
There's one critical difference between you and your legit computer contracting pals and the "criminal underground". Legit operators benefit by getting their name out there and "networking", whereas criminals that do that generally end up nicked. The chain of people between your average housebreaking junkie and the sort of identity theft ring that would pay for such a database is unlikely to be particularly communicative, if it even exists at all. You speak as if "breaking the law" is some sort of common bond that gets people talking with each other. Criminals generally benefit from secrecy. You never know if the guy you're talking to is gonna get nabbed the next day for something stupid and decide to rat you out.

Besides, what identity theft ring operator in his right mind would return the item by any means, risking further exposure? It's not like the feds were going to issue 26.5 million new SS numbers if the laptop wasn't recovered.

Re:So in short, it's a bit of a gamble. But not mu (1)

fishybell (516991) | more than 8 years ago | (#15652761)

Let me tell you something about the real world.

First off, assuming that "If someone works as a thief, he knows other thieves" is a very, very large assumption. Most thieves are either opportunistic (unattended laptop = free laptop!) and/or desperate (laptop = food/drugs/alcohol). Most criminals don't have some sort of underground organisation where they can all go to and chat about tactics and such. The thief will (hopefully) know who buys stolen goods, but of course any one will buy stolen goods if you don't let on that it's stolen.

Second off, 50 large != $50.

Lastly, there likely was at most three people in the "chain of custody." The person who did the actual theft (drug addict looking for easy money), the buyer/seller (bought used goods, sells out of back of pickup truck), and the person who turned in the data. The first and second people could very well be the same person, but not terribly likely. Now if any of these three people had indeed been an ID thief then you must assume that that person was a very, very bright ID thief. Not only had he recovered the data without leaving any forensic evidence, but he also turned in the laptop to the FBI so that everyone assumes that the data was not stolen.

I may be a bit naive, but that's a lot of assumptions to take about a stolen laptop. Laptops get stolen all the time, but they don't usually contain information of hundreds of thousands of veterans, so why would a thief (or even an ID thief) assume they would to the point of not touching the hard drive at all. If any person had truly been an ID thief, wouldn't it be safe to assume that before the news of the stolen laptop even hit the shelves they would have already looked for data, probably while not being as careful? A truly industrious ID thief would just buy hard drives off of eBay and recover data from them. Nobody is looking for them, and hardly anyone seems capable of thoroughly cleaning them before sale.

Re:So in short, it's a bit of a gamble. But not mu (2, Informative)

misterhypno (978442) | more than 8 years ago | (#15652506)

"Most thefts are done by low-brow thieves." Of a US government laptop. From a US government employee. Somehow, the whole idea of "inside job" seems to be echoing through the halls somewhere and no one in slashdotland is seemingly listening.

Ghosted CD bootup, copied in read-only mode on another system - piece of cake to most hackers and almost any high school kid who knows anything about system ops - and that's a LOT of them.

But as far as the original perp goes, to be honest, I would doubt that the perp is a low-brow thief. More likely, the thief, if there WAS a thief, was someone on the inside at the VA, who knew EXACTLY what he, or she, was doing and what he, or she, was taking, and for exactly what purposes.

With that many identities on the drive, the cash value of the data alone is astronomical. And for someone on the GSA payscale, that's a LOT of incentive to pull an inside job. Look for people who quit the VA in the next year or so and seem to hit it big at a casino or playing the ponies. Watch their accounts and their spending habits. Outgo will NOT equal income for someone - or several someones. And THAT will be your pool of "most likely to have copped the laptop" people.

But, by then, the damage will have been done to a large number of the people whose information was stolen anyway.

Once again, the government proves that its security measures are far behind those of the real world's.

Lee Darrow, C.H.

Re:So in short, it's a bit of a gamble. But not mu (1)

Ira_Gaines (890529) | more than 8 years ago | (#15653206)

But as far as the original perp goes, to be honest, I would doubt that the perp is a low-brow thief. More likely, the thief, if there WAS a thief, was someone on the inside at the VA, who knew EXACTLY what he, or she, was doing and what he, or she, was taking, and for exactly what purposes.

I assumed all along that it was an "inside job" in one form or another. And if you assume that the guy who worked for the VA was in on it all along, you have to assume that the accomplices would have researched exactly what needed to be done to steal the data and cover their tracks.

Re:So in short, it's a bit of a gamble. But not mu (2, Interesting)

sphealey (2855) | more than 8 years ago | (#15652222)

According to one history of the 1991 Gulf War that I read, a British planning officer in London lost his portable computer (they weren't laptops then) with quite a bit of critical information on it. The London police let it be known among their contacts that it would _really_ be best if it were to be returned no-questions-asked, and it was dropped off at a police station within a day.

In a similar case in one city I was living in, 4 people in two years tried to get their spouse murdered by hanging out at a bar known to be frequented by hardened criminals and striking up a bargain with a willing thug (don't ask me why we had so many of those cases in that burg!). In all 4 cases the thug went right to the police and got fitted out for a wire. As one of them said in an interview, "I am a professional burglar but that doesn't mean I don't have standards".

So maybe the guy who stole it decided it was best not to have the entire FBI and US Army on his tail and turned it back in.

sPh

Good news, everybody! (1)

The_REAL_DZA (731082) | more than 8 years ago | (#15651993)

The second scenario seems a lot more likely...they could have done so in place in a matter of minutes...and left the laptop right where it is, thus making the stolen data much more valuable (since its theft would have not been broadcast to the world).

"It has been broadcast to the world that the data was not accessed, so our carefully-made copy (and the several dozen copies we've since made of that copy, etc.) is now back at peak value!"

Re:So in short, it's a bit of a gamble. But not mu (2, Insightful)

denoir (960304) | more than 8 years ago | (#15652091)

Not to mention that had the data been the target, that computer would have never been returned. It would have been degaussed, torched and thrown into a lake or something similar. ..unless of course they were really sneaky and made sure that they left no forensic evidence (physical or virtual) and returned it for the FBI to conclude that the data had not been accessed..

Silly thieves .... don't they know ? (1)

Dale549 (680107) | more than 8 years ago | (#15651796)

from TFA: " The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only"..
But why bother removing the drive ? Wouldn't it be simpler just to boot up a Knoppix CD , mount as read-only, and have your way with the laptop ?

Re:Silly thieves .... don't they know ? (3, Funny)

eln (21727) | more than 8 years ago | (#15651863)

Maybe, but having your way with the laptop would surely leave some DNA evidence.

This deserves a funny or two! (0)

Anonymous Coward | more than 8 years ago | (#15651911)

lol, good one.

here's the conclusion we want, now come to it (4, Insightful)

frovingslosh (582462) | more than 8 years ago | (#15651824)

I doubt very much that the "experts" that the FBI has looking into this are so lame that they don't realize that a Live CD like Knoppix or any of the hundreds of others could have been used to make a copy of the data without changing the "last accessed dates". Heck, that is likely what they are doing themselves when they made the forensic copy of the data that they examined. It seems much more likely that they have been told what result it would be in their best interest to come to, and barring any extremely obvious indications otherwise, we will be told what the government wants to tell us.

Re:here's the conclusion we want, now come to it (1)

rhizome (115711) | more than 8 years ago | (#15652276)

Exactly. The first thing I thought about when this story first started wending its way around was that they were only checking access times. I guess they needed to get some good news out there quick so as not to piss off the veterans.

Well (1)

Sv-Manowar (772313) | more than 8 years ago | (#15651850)

What worries me is the way that they seem to think that by it not being accessed then it is all OK, if anything I think it not being touched is much worse as it indicates that it has been replicated or transferred in order for those who took it to work on it without leaving a bread-trail for the authorities to follow them by. Of course no forensic evidence will be of use, if they were smart enough to copy and not disturb the database itself then they will not have been in physical contact with the laptop for very long and they will have most definitely worn gloves and other protective equipment. It's a shame to see the ever-alert cybercrimes department not realising what is the obvious course of action for these thieves.

Re:Well (1)

Dun Malg (230075) | more than 8 years ago | (#15652796)

What worries me is the way that they seem to think that by it not being accessed then it is all OK, if anything I think it not being touched is much worse as it indicates that it has been replicated or transferred in order for those who took it to work on it without leaving a bread-trail for the authorities to follow them by. Of course no forensic evidence will be of use, if they were smart enough to copy and not disturb the database itself then they will not have been in physical contact with the laptop for very long and they will have most definitely worn gloves and other protective equipment. It's a shame to see the ever-alert cybercrimes department not realising what is the obvious course of action for these thieves.

What worries me is that there are people of voting age out there who think a thief sophisticated enough to not leave any trace of access would be stupid enough to risk allowing the laptop to be found at all, rather than concealing any potential evidence an easier and more effective way, e.g. duct taping it to a cinder block and dropping it in the Potomac.

Does it Matter? (1)

spykemail (983593) | more than 8 years ago | (#15651865)

Ultimately, does it really matter if it was accessed or not? Given the sensitive nature of the data and assuming the FBI cannot publicly prove that the data was not accessed shouldn't everyone assume that it was and act accordingly?

Lessons learned (1)

ch-chuck (9622) | more than 8 years ago | (#15651880)

So the best cyber-crime technique is:

1) Obtain notebook containing sensitive data
2) Wearing rubber gloves, carefully remove disk drive. Do not scratch case or otherwise mar screws.
3) Image disk drive.
4) Reassemble and allow notebook to be recovered.
5) Enjoy politicians spinning and shouting that the data has not been read.

Re:Lessons learned (0)

Anonymous Coward | more than 8 years ago | (#15652050)

With a bootable Linux cd, you don't even need to remove the drive. Boot up and use a combination of dd and ssh to stream the drive contents to a remote machine. Hell, save $$$ on rubber gloves by using a boot cd that has a known root password and ssh auto-started - do the work remotely. Just make sure you don't use your thumb on the eject button.

Imagine being the dumb SOB who stole it. (0)

Anonymous Coward | more than 8 years ago | (#15651891)

How many laptops (other than those owned by the rich and powerful) get dusted for prints by anal-retentive crime lab people after they're stolen?

So should we look for... (1)

Capt James McCarthy (860294) | more than 8 years ago | (#15651968)

A web site advertising "find information on any VA for only $29.99"

atime (1)

Richard W.M. Jones (591125) | more than 8 years ago | (#15651997)

Obviously they wouldn't be looking at 'last' and the atime fields .. no that would be far too simple.

Rich.

Not Impossible (1)

Effugas (2378) | more than 8 years ago | (#15652046)

There's more storage in a hard drive than just what exists on the disc.

S.M.A.R.T. is an obscure, but very useful logging mechanism.

Re:Not Impossible (1)

base3 (539820) | more than 8 years ago | (#15652117)

I'm not sure how much use the S.M.A.R.T. attributes would be, unless the hard disk had a built-in clock. Now spare sectors, on the other hand . . .

Re:Not Impossible (1)

jafiwam (310805) | more than 8 years ago | (#15652431)

S.M.A.R.T. is something that can be disabled in the BIOS, no?

All one would need is the existing IDE controller (if it can talk to a non-smart drive) or a different controller that can...

And the knowledge to boot to BIOS first to make the setting change (and boot from a CD).

Not really all that hard to imagine.

Granted, the complexity of doing the task goes up with each step, further reducing the probability that someone has the data as the number of people that know, and have a motive for that shrinks.

They also get an easier time catching the people and finding out exactly what happened to the laptop with that.

Though, considering the hard drive was out of the case, someone was interested in the contents and it wasn't just plunked on a counter and sold as "used".

Not that I do that stuff, MY first act would be to wipe then shred the drive with a bootable CD and put a copy of WindowsXP all warezed and trojaned to heck on it, then wipe the drive again (this time not so well). Just to make them think the data wasn't pulled off of it in any meaningful way, and that the laptop was simply reused as "used".

Unless S.M.A.R.T. was specifically designed to retain data for forensic analysis later (It is not) then counting on its use for that purpose shouldn't be done.
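The point Effugas raises (the drive keeps its own counters) and base3's objection (no clock, so the raw numbers say nothing on their own) can both be shown with a small defender-side check. This is an added example, not code from the thread or from smartmontools: it parses the attribute table that `smartctl -A` prints and compares the drive's monotonic counters with a baseline recorded when the machine was issued. Both tables below are constructed sample output, and the attribute names and values are ordinary ones chosen for the demo, not readings from any real drive.

```python
"""Added example (not code from the thread or from smartmontools).

Parses the attribute table printed by 'smartctl -A' and compares the
drive's monotonic counters against a baseline recorded earlier. SMART
carries no clock, so all this can say is whether the drive was powered
and spun up between the two readings; without a baseline the numbers
mean nothing, which is the objection raised in the thread. Both readings
below are constructed sample output.
"""
import re

# Constructed: attribute table as recorded when the laptop was issued.
BASELINE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   020    Old_age   Always       -       407
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   098   098   000    Old_age   Always       -       1843
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       312
194 Temperature_Celsius     0x0022   037   045   000    Old_age   Always       -       37 (Min/Max 21/45)
"""

# Constructed: the same table as read after the laptop came back.
RECOVERED = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   020    Old_age   Always       -       409
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   098   098   000    Old_age   Always       -       1845
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       314
194 Temperature_Celsius     0x0022   040   045   000    Old_age   Always       -       29 (Min/Max 21/45)
"""

# One attribute row: id, name, flag, value, worst, thresh, type, updated, when_failed, raw
_ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+0x[0-9a-fA-F]+\s+"
    r"(?P<value>\d+)\s+(?P<worst>\d+)\s+(?P<thresh>\d+)\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<raw>\d+)"
)

# Counters that only ever go up while the drive is in use.
COUNTERS = ("Power_On_Hours", "Power_Cycle_Count", "Start_Stop_Count")


def parse_smart_attributes(text):
    """Return {attribute_name: {...}} for every attribute row in the table."""
    attrs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header, banner and blank lines
        attrs[m.group("name")] = {
            "id": int(m.group("id")),
            "value": int(m.group("value")),
            "worst": int(m.group("worst")),
            "thresh": int(m.group("thresh")),
            "raw": int(m.group("raw")),  # leading integer only; "(Min/Max ...)" is dropped
        }
    return attrs


def counter_deltas(baseline, current, names=COUNTERS):
    """{name: (before, after)} for counters present in both readings that changed."""
    deltas = {}
    for n in names:
        if n in baseline and n in current:
            b, c = baseline[n]["raw"], current[n]["raw"]
            if b != c:
                deltas[n] = (b, c)
    return deltas


def assess(baseline_text, current_text):
    """Verdict from the two readings; 'inconclusive' when there is nothing to compare."""
    base = parse_smart_attributes(baseline_text)
    cur = parse_smart_attributes(current_text)
    if not base or not cur:
        return "inconclusive", {}
    deltas = counter_deltas(base, cur)
    for n, (b, c) in deltas.items():
        if c < b:
            # A monotonic counter went backwards: not the same drive, or the data is not trustworthy.
            return "suspicious", deltas
    return ("powered_since_baseline" if deltas else "no_power_cycles_seen"), deltas


if __name__ == "__main__":
    verdict, moved = assess(BASELINE, RECOVERED)
    print(verdict)
    for n, (b, c) in moved.items():
        print(f"  {n}: {b} -> {c}")
```

The only verdict this can give is "the drive was powered on and spun up some number of times since the baseline", which is why recording the counters at deployment matters: without that earlier reading there is nothing to compare against, which is exactly the objection raised above.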

Re:Not Impossible (1)

nairb774 (728193) | more than 8 years ago | (#15652446)

Let's not forget about ATA security specs. (http://www.dataclinic.co.uk/password-protected-hard-drive.htm) This would help a whole lot of things.

Bitwise copy is possible, but extremely unlikely (4, Insightful)

TheFlyingGoat (161967) | more than 8 years ago | (#15652099)

ScentCone's comment hits it on the head, but I'll take it a bit further. Even though it is pretty simple to set a drive to read-only or make a bitwise copy of it, you'd have to ask WHY someone would do that. If the person that stole the laptop was actually out to steal sensitive data, they would do so and then destroy the laptop instead of risking having it tracked back to them.

So, if they were smart psychic criminals that knew the data was on the laptop, they'd not worry about covering their tracks the hard way... they'd just destroy the laptop once they had the data. After all, the data would be worth far more than the laptop itself.

If it was a criminal that just stole a bunch of high tech gear from the house, which is far more likely, then if the FBI really is using these methods, then the data wasn't accessed.

Just more tinfoil hat comments dominating the responses, though. In any case, EVERYONE, not just people whose data might have been compromised, should check their credit reports regularly and pay close attention to their financial information.

Re:Bitwise copy is possible, but extremely unlikel (1)

iminplaya (723125) | more than 8 years ago | (#15652385)

In any case, EVERYONE, not just people whose data might have been compromised, should check their credit reports regularly and pay close attention to their financial information.

They should also demand that the finance institutions find better ways to secure the info...without causing undue inconvenience to the customer. They are the people that are leaving the door wide open for this kind of problem. Data privacy laws are as worthless as an EULA and will always be virtually impossible to enforce worldwide. Plus, turning info into contraband will just make it more profitable to abuse and will actually increase the probability of your data being used against you. Vote with your wallet and burn your credit cards until they fix the problem. We, the customer, are cutting them way too much slack. Stop believing the lies. The problem is solvable, or at least controllable. Make data security their problem, and then it will be fixed.

Re:Bitwise copy is possible, but extremely unlikel (1)

Khyber (864651) | more than 8 years ago | (#15652719)

So while you put in a comment about tinfoil-hat responses to this problem mocking them, your own response warrants one in return? C'mon, hypocrite. Welcome to the new millennium - cracker/hackers/n00bs are dominating the black market and all you can offer is a simple explanation. You must not have a clue of what the new generation of homo sapiens can do. If I could program in BASIC on a TI 99/4A and create a blocky person then at age FIVE, then I'm quite sure someone today could do the same thing, plus more, at the age I'm at now. Don't delude yourself, nor anyone else, please. Human intelligence is a very random variable in factoring what will happen today or in the future - let's hope yours is up to par, as well as hope mine is as well.

It wasn't just a laptop that was stolen (0)

Anonymous Coward | more than 8 years ago | (#15652113)

In testimony to Congress, it was stated that it was a laptop AND an external hard drive. Just because the laptop may not have been accessed either directly or by floppy/CD bootable operating system (Knoppix or Barts PE disks come to mind), doesn't mean that the external hard drive wasn't accessed also.

my day job (2, Interesting)

mashmorgan (615200) | more than 8 years ago | (#15652238)

Do this kind of stuff in my day job, normally contracted as an expert witness to the UK court system. The software we all use is Encase. It takes a snapshot of the HD, does stuff like MD5 etc across all files. The main thing is the last_accessed date of files (presumably it's Windows). The image can be "browsed" by the date.. eg one can see someone's "mind" as they surf various web sites at various hours of the day from years ago sometimes. The only snag would be if the user moved the date of the BIOS clock backwards.. but there again the "cache" and "page" files order would be a bit strange. Pretty mundane stuff that would take about a day; 8 hours to "clone/image" the disk, 50 mins to verify the disk and be in a position to analyse, then 10 seconds to get the last accessed date of a set of files.
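The workflow this post describes (image the disk, verify the copy by hash, then read the last-accessed dates off the copy) can be shown at small scale in a few dozen lines. The following is an added example, not code from the post, from EnCase or from any FBI procedure: it builds a throwaway directory tree with constructed files and timestamps, records each file's access and modification times, hashes every file, sorts them into a timeline and flags anything read after a cutoff date. The evidence tree, file names, `CUTOFF` date and all timestamps are constructed for the demo. The same check is blind to a raw copy made with `dd` or from a read-only mount, as several comments in this thread point out, so a clean timeline is necessary but not sufficient.

```python
"""Added example (not code from the post, EnCase, or any FBI procedure).

A tiny version of the workflow described above: record each file's
MAC times, hash every file, lay them out as a timeline sorted by
last-accessed time, and flag anything read after a 'stolen on' cutoff.
The evidence tree, the cutoff date and all timestamps are constructed
here so the script runs offline.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed cutoff for the demo; not the real date of any theft.
CUTOFF = datetime(2006, 5, 1, tzinfo=timezone.utc)


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_sample_tree(root, cutoff):
    """Constructed evidence tree: two files last read before the cutoff, one after."""
    before = (cutoff - timedelta(days=10)).timestamp()
    after = (cutoff + timedelta(days=3)).timestamp()
    # relative path -> (content, atime, mtime); all constructed
    spec = {
        "db/benefits.mdb": (b"\x01" * 4096, before, before),
        "docs/readme.txt": (b"nothing to see here\n", before, before),
        "cache/index.dat": (b"\x00" * 512, after, before),  # read after the cutoff
    }
    for rel, (data, atime, mtime) in spec.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (atime, mtime))  # stamp known times onto the file
    return root


def build_timeline(root):
    """Stat every file, then hash it, then sort by last-accessed time.

    Order matters: reading a file through a read-write filesystem can bump
    its atime, which is exactly the evidence being measured. An examiner
    avoids this by working on a read-only image; here we simply take the
    stat() snapshot before touching any bytes.
    """
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rows.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "atime": datetime.fromtimestamp(st.st_atime, timezone.utc),
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
            })
    for row in rows:
        row["sha256"] = sha256_file(os.path.join(root, row["path"]))
    rows.sort(key=lambda r: r["atime"])
    return rows


def accessed_after(timeline, cutoff):
    """Paths whose last-accessed time is later than the cutoff."""
    return sorted(r["path"] for r in timeline if r["atime"] > cutoff)


def verify_copy(src, dst):
    """The examiner's first step: the working copy must hash identically to the source."""
    return sha256_file(src) == sha256_file(dst)


def demo():
    """Build the constructed tree, run the checks and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = make_sample_tree(os.path.join(tmp, "evidence"), CUTOFF)
        timeline = build_timeline(root)
        flagged = accessed_after(timeline, CUTOFF)
        src = os.path.join(root, "db", "benefits.mdb")
        dst = os.path.join(tmp, "benefits.img")
        with open(src, "rb") as s, open(dst, "wb") as d:
            d.write(s.read())  # byte-for-byte copy of one file
        return {"files": len(timeline), "flagged": flagged,
                "copy_verified": verify_copy(src, dst)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what the byte-for-byte copy at the end of `demo()` does not do: it never changes the recorded timestamps of the source file, which is the whole reason an atime-only review cannot rule out an image having been taken.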

Data recovery experts (0)

Anonymous Coward | more than 8 years ago | (#15652263)

I wonder, would they [kuert-group.com] have left traces?

DRM. (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15652287)

We have music that is DRM'ed by many people, why can't companies have their data DRM'ed.
What is the hold up? Why do we see DRM on silly things like music, yet hardly anyone uses it in the workplace to protect data.

BUT... (1)

hurfy (735314) | more than 8 years ago | (#15652341)

I thought this was an external HD.

I can't find a specific reference at the moment tho, everything simply says 'Laptop and HD', but you don't usually use 'and' for built-in components.

Even the forensics article assumes an internal drive :O

Am i getting prematurely senile or did everyone miss something here?

Does it make any difference?

And can one tell if True Image has been run on a USB drive to copy?

dont use the filesystem to read it (0, Redundant)

sl4shd0rk (755837) | more than 8 years ago | (#15652413)

use dump or dd. Access times won't be affected.

If they are that good... (1)

Kaenneth (82978) | more than 8 years ago | (#15652482)

If a sophisticated technical person wanted to steal the data in the first place, I'd think they would have copied the data and put the laptop back exactly as it was; once it's known the data was stolen, it's a lot less useful.

While it may have been stolen by a 'low brow' (as another poster put it), then sold to someone with skill; why would they sell the laptop again with possible fingerprints, hairs, skin flakes, and such that could ID them, as well as allow someone else to copy the data, reducing its usefulness?

No really skilled master criminal hacker would be famous for it, no one would even know they exist.

Another niche for Apple! (1)

Ythan (525808) | more than 8 years ago | (#15652819)

In other news, the Veterans Affairs Department is switching to MacBooks to ensure that all fingerprints are permanently captured and recorded.

No mention of battery analysis (1)

zenst (558964) | more than 8 years ago | (#15652907)

An analysis of the battery would at basic show amount of battery power left and from full charge and natural decay a level could be worked out. Though a lot of batteries now count the number of times charged and probably the date and time as well.

I'm sure they could even work out the last time the battery even saw a charge or use. Heck sure capacitors on the laptop mobo that would hold a slight charge for a while.

I also didn't see any mention of measuring the magnetic field strength upon the drive head of disc itself as another way to determine when last used.

If somebody wanted this data they would have removed the hard drive and copied it using some bit copying software of choice and then popped it back without even powering up the laptop.

The solution isn't better more secure laptops, it's a working thin-client with no data stored locally period. WIMAX/WIFI - all doable and TBH employees with that kind of data shouldn't be working in unauthorised zones the data isn't allowed and a thin client gives you that. Also won't need any hard drive and would probably get something very small compact and light that has great battery life.

But glad they got it back, I'm going with the some thief saw heart on this one and leave the rest to the conspiracy theorists. That said I would hope that monitoring of potential use of such data would still be maintained.

pissed (1)

theaddkid.com (983011) | more than 8 years ago | (#15652953)

Well, it almost makes me feel better that they got it back, cause they sent me some letter about how my name is on that list... oh wait, I am still pissed, never mind.

What can they really prove? (1)

Zero__Kelvin (151819) | more than 8 years ago | (#15652959)

"The first step is take a bit-for-bit image of the hard drive. This technique makes an exact copy of the data on the laptop so the forensic examiner is reviewing a copy of the stolen disk, not the actual disk itself."
It's a good thing that a criminal intent on stealing the database couldn't do the same thing .. er .. ah .. nevermind.

They cannot ever prove unequivocally that the database is not owned. Even if they see activity that shows lots of amateur activity, and no database accesses made, they have proved absolutely nothing.

What makes them think a smart data thief wouldn't make the bit-for-bit copy and then go back later and make it look like it was an amateur job? They could even let some patsy get his fingerprints all over it before returning it. There is never even any need to remove the hard drive even if it is internal. (Ever heard of booting from a live CD, FBI "experts"?)

My guess is that the FBI experts couldn't possibly be so ignorant as to not know all of this, and this is merely damage control.

Don't worry folks ... nothing to see here ... mystery solved ... no data leaked ... move along now!!!!

Re:What can they really prove? (0)

Anonymous Coward | more than 8 years ago | (#15653299)

TFA mentions that it's just the guy's opinion on what's probably being done, not a statement from the FBI. The FBI will probably be trying several of these tricks to determine if it's been accessed. Maybe they'll issue a statement saying something like "We do not believe that the sensitive data was accessed" or something, which will be mostly PR spin because they know there will be no 100% sure way of proving that it wasn't accessed. But they can prove it if the drive was accessed, which is what they're probably trying to do.

So yeah, blame the guy who wrote the article, not the FBI. There are probably some capable intelligent people there, if the management lets them work.
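The MAC-time check this thread keeps circling (the dd post above and the "they can prove it if the drive was accessed" reply), as an added example that is not code from the article or any commenter: walk a read-only mounted image and report files whose timestamps fall inside the theft window. The mount path, the window dates and the two sample files are constructed stand-ins; as the dd post says, a block-level copy of the unmounted drive reads nothing through the filesystem, so an empty result does not prove the data was never copied.

```python
import os
import tempfile
from datetime import datetime, timezone

# Constructed theft window (an assumption, not dates from the article).
THEFT_WINDOW = (datetime(2006, 5, 3, tzinfo=timezone.utc).timestamp(),
                datetime(2006, 6, 30, tzinfo=timezone.utc).timestamp())

def files_touched_in_window(root, start, end):
    """Walk a read-only mounted image at `root` and return {relpath: fields}
    for every file whose atime, mtime or ctime lies in [start, end].
    Only metadata is read, so the triage itself does not disturb the times.
    Caveat: a raw block-level copy (dd of the unmounted drive) never opens a
    file through the filesystem and leaves no atime change, so an empty
    result rules out sloppy browsing, not a careful image."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            fields = [label for label, ts in (("atime", st.st_atime),
                                              ("mtime", st.st_mtime),
                                              ("ctime", st.st_ctime))
                      if start <= ts <= end]
            if fields:
                hits[os.path.relpath(path, root)] = fields
    return hits

def build_demo_image():
    """Constructed stand-in for the mounted image: one file with atime and
    mtime set inside the window, one set well before it. ctime cannot be set
    from userspace, so both files keep a ctime of 'now' (outside the window)."""
    root = tempfile.mkdtemp(prefix="image_")
    inside = datetime(2006, 5, 10, tzinfo=timezone.utc).timestamp()
    before = datetime(2006, 4, 1, tzinfo=timezone.utc).timestamp()
    for name, ts in (("veterans.mdb", inside), ("readme.txt", before)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.utime(path, (ts, ts))  # sets (atime, mtime); ctime becomes now
    return root

def run_demo():
    """Build the constructed image and triage it against THEFT_WINDOW."""
    return files_touched_in_window(build_demo_image(), *THEFT_WINDOW)

if __name__ == "__main__":
    for path, fields in run_demo().items():
        print(f"{path}: {', '.join(fields)} inside theft window")
```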

Feel Safer? (-1, Troll)

Doc Ruby (173196) | more than 8 years ago | (#15652989)

Which is scarier: the FBI knows they can't really tell whether someone wore gloves and imaged the drive, but is lying to us to pretend they're protecting us, or they actually believe their own BS?

Wow, the FBI thinks I'm a K00L Hacker DooD! (1)

smchris (464899) | more than 8 years ago | (#15653624)

Where do I apply for a job!!!!

The laptop thieves really know what they are doing.

As per my comment last week, I routinely boot Knoppix to run PartImage backups of several machines to a USB drive. True, I've only removed one laptop hard drive and, dang, the idea of wearing gloves didn't even come to mind at the time.

I don't know. I guess it's easy to make light of one's competence but people catch up, you know? Is it still really that esoteric to know that you can boot from removable media and ghost a drive? I was doing that back when I was booting DriveImage from a floppy to back up the 1996 P100 laptop to Zip disks I should think.

Basically, all we are getting here are more technically detailed restatements of hope that the thief or thieves were _prooooobably_ not too bright.