Security Basics mailing list archives

Re: structuring the stolen laptop problem


From: krymson () gmail com
Date: 21 Jan 2008 19:39:43 -0000

I'll try to get an answer in first so I can cover the easy stuff. =) Let's assume the h4x0r knows this device has 
sensitive information on it, and wants to get at it. Let's also assume the h4x0r doesn't care if he is stealthy or not. 
We will also assume the h4x0r is after only the data on the laptop, and not going to use things like temporary files, 
caches, secrets, or OS passwords to expand his attacks to other systems and apps (shared passwords anyone? social 
engineering targets? you visit your daughter's myspace page whom I can use as an asset?)


If turned on and password protected (hibernating):
- turn it off.

Ok, seriously, unless: you know that the system will refresh its IP, you know the network it is on, or you know it will 
attach to open wireless networks...just turn it off. If you know any of the above, feel free to put it on a 
non-internet-connected network and scan/probe to your heart's content. You might find an unpatched vuln that you can 
get inside, or open shares. Fine, you might make a few token attempts at guessing the password to unhibernate the 
laptop, but you're shooting in the dark, most likely. You could check out the domain/username, however, and file that 
away for future reference.


If turned off (in no particular order):
- Attempt to boot it up and see if there is a BIOS password or disk/encryption password. If so, narrow the research 
down to resetting the BIOS on that model laptop or default passwords/hacking the disk/encryption protection. Good luck!

- If the system boots into something like a Windows logon prompt, see if you can get it on a non-internet-connected 
network with a DHCP server, and see if it grabs an IP. Start probing!

- Boot into a LiveCD of your choice, mount the drive, and attempt to read it.

- Mount the drive in another system and attempt to read it.

- Once you can read the drive, attempt to reset the admin password or just export all the files you want. Feel free to 
examine empty space for deleted but non-overwritten files.

From here, you're down to localized encryption, obfuscated files and weird file types that don't open easily unless 
you have the proprietary apps for them, and so on. Research as needed.

If you do run into passwords on files or encryption passwords, you can rig up some brute forcing mechanisms and hope 
the passwords are relatively weak. You might want to assume the following:

a) The sensitive data may be valid for many, many years (think SSN or medical histories, or even bank and credit 
accounts)
b) The attacker is motivated enough to wait years for cracking to occur (think government espionage)

This means even if you lost a laptop that is encrypted, if you use poor passwords, a motivated attacker may still get 
in months after the incident, or longer.



Ahh the attacker/defender conundrum! The attacker has a lot of things he/she will need to be good at to get into a 
secured laptop. But even a terrible attacker may know the one trick that your laptop is vulnerable to. It's quite the 
situation, which is why we do as much as we can about securing the laptop, and make sure as little data as possible is 
on such devices.




<- snip ->
Hi experts,

I am doing an overview of protection of laptops.

The scenario is as follows:

1. laptop with sensitive information is stolen

2. the laptop is either hibernating or turned off when brought to the super hacker.

3. the super hacker does this for a living, and uses a structured approach to get the sensitive information from the 
laptops that are given to him

I need to create a report that is very similar to the super hacker's in order to find possible vulnerabilities I can 
concentrate my research on.

I would be very grateful for any input, such as links, tricks, or previous work, as well as any ideas you might come up with.
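The reply above makes the point that an encrypted laptop is only as safe as its password against an attacker who is willing to wait years (assumptions a and b). The script below is an added example, not code from the post or from its author, that turns that reasoning into a defender's risk estimate: for a few constructed password policies it computes the keyspace, the entropy in bits, and the expected time to guess the password at an assumed offline guess rate, with and without a slow key derivation function in front of the disk key, and reports whether each policy outlasts the attacker's patience. The policies, the raw guess rate of 10^9 per second, the KDF iteration counts and the 10-year patience window are all illustration assumptions; the "expected" time is the usual half-keyspace average for uniform guessing.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Constructed password policies: (label, alphabet size, length).
# Illustration assumptions, not figures from the mailing list post.
POLICIES = [
    ("4-digit PIN", 10, 4),
    ("8 lowercase letters", 26, 8),
    ("8 mixed-case + digits", 62, 8),
    ("16 printable ASCII", 95, 16),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords the policy allows."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits: log2 of the keyspace (uniformly random choice assumed)."""
    return length * math.log2(alphabet_size)


def effective_guess_rate(raw_rate: float, kdf_iterations: int) -> float:
    """Guesses per second once the disk encryption's key derivation function
    forces kdf_iterations hash rounds per candidate password.
    Assumes one hash round costs 1/raw_rate seconds (an assumption)."""
    return raw_rate / kdf_iterations


def expected_years_to_crack(alphabet_size: int, length: int,
                            guesses_per_second: float) -> float:
    """Expected time to hit the right password when guessing uniformly:
    on average half the keyspace has to be tried."""
    seconds = keyspace(alphabet_size, length) / 2 / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def outlasts_attacker(alphabet_size: int, length: int,
                      guesses_per_second: float, patience_years: float) -> bool:
    """True if the expected crack time exceeds how long the data stays
    valuable or how long the attacker is willing to keep cracking."""
    return expected_years_to_crack(alphabet_size, length,
                                   guesses_per_second) > patience_years


def risk_table(raw_rate: float = 1e9, kdf_iterations: int = 1,
               patience_years: float = 10) -> list:
    """One row per policy: bits of entropy, expected years to crack, and
    whether the policy survives the given attacker patience."""
    rate = effective_guess_rate(raw_rate, kdf_iterations)
    rows = []
    for label, n, k in POLICIES:
        rows.append({
            "policy": label,
            "bits": round(entropy_bits(n, k), 1),
            "years": expected_years_to_crack(n, k, rate),
            "safe": outlasts_attacker(n, k, rate, patience_years),
        })
    return rows


if __name__ == "__main__":
    # Compare a bare password check against one behind a 100,000-round KDF.
    for kdf in (1, 100_000):
        print(f"--- KDF rounds per guess: {kdf} ---")
        for row in risk_table(kdf_iterations=kdf):
            print(f"{row['policy']:<24} {row['bits']:>6} bits  "
                  f"{row['years']:>12.3g} years  safe={row['safe']}")
```

Two things the table makes visible that the prose only states: a short password falls within seconds or hours at any realistic guess rate, so a slow KDF buys only a few orders of magnitude and cannot rescue it, whereas a long random passphrase stays out of reach for longer than the data is worth even with no KDF at all. The patience window is the parameter to set from the data's lifetime (SSNs, medical histories), not from how long the incident response takes.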

