Re: [Full-disclosure] FBI Says Data on VA Laptop Not Accessed



On 6/29/06, Brian Eaton <eaton.lists@xxxxxxxxx> wrote:
> Would any of the forensics experts out there care to comment on the
> claims in this story?
>
> http://tinyurl.com/m43cw

Good question. I addressed this question at the link
below. I won't reprint the whole article here, but this
is something to consider:

http://blog.zonelabs.com/blog/2006/06/forensics_looki.html

While it's good they got the *hardware* back, recovering the laptop
itself doesn't mean the data wasn't stolen.

Speaking to this concern, another report stated this:

The FBI, in a statement from its Baltimore field office, said:
A preliminary review of the equipment by computer forensic teams
determined that the database remains intact and has not been accessed
since it was stolen. A thorough forensic examination is underway, and
the results will be shared as soon as possible. The investigation is
ongoing.

As a former Computer Forensic Specialist, I wanted to explain what's
probably going on with this laptop now that the FBI has the system and
is forensically examining it. This explanation assumes the data was
present on the hard drive (not a CD-Rom or other storage medium).

...

Worst case scenario:
The laptop thieves really know what they are doing. They remove the
hard drive from the laptop, and mount it read-only (no modifications to
the file system) on another computer, access the sensitive data and
re-insert the hard drive into the stolen laptop. This is the same process
the forensic examiner would use to prevent the examination from modifying
the data contained on the laptop -- and this is why I mentioned
what the FBI might look for during the physical examination -- marks on
the screws or fingerprints on the internal hard drive casing (which gloves
would obviously prevent).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
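
Added example, not part of the original post or the linked article: a timestamp triage of the kind a "not accessed since it was stolen" finding could rest on, run against a read-only copy of the evidence. The cutoff date, file names and helper names are constructed for illustration. A drive read through a read-only mount, as in the worst case above, updates none of these timestamps, so an empty result is not proof that the data was never read.

```python
import os
import tempfile
from datetime import datetime, timezone

DEFAULT_FIELDS = ("st_atime", "st_mtime", "st_ctime")

def touched_after(root, cutoff, fields=DEFAULT_FIELDS):
    """Map each file under root to the timestamp fields later than cutoff."""
    cutoff_ts = cutoff.timestamp()
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            late = [f for f in fields if getattr(st, f) > cutoff_ts]
            if late:
                hits[os.path.relpath(path, root)] = late
    return hits

def demo():
    """Constructed sample tree: one file untouched, one read after the cutoff."""
    utc = timezone.utc
    cutoff = datetime(2006, 6, 1, tzinfo=utc)            # constructed cutoff
    before = datetime(2006, 5, 1, tzinfo=utc).timestamp()
    after = datetime(2006, 6, 15, tzinfo=utc).timestamp()
    with tempfile.TemporaryDirectory() as root:
        samples = (("db.dat", before, before),            # atime, mtime
                   ("notes.txt", after, before))
        for name, atime, mtime in samples:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.utime(path, (atime, mtime))
        # st_ctime cannot be set from user space, so the demo checks only
        # the two fields it controls; the default also includes st_ctime.
        return touched_after(root, cutoff, fields=("st_atime", "st_mtime"))

if __name__ == "__main__":
    for path, late in demo().items():
        print(path, late)
```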


