BreachExchange mailing list archives

Re: (article) "We recovered the laptop!" ... so what?


From: sawaba <sawaba () forced attrition org>
Date: Sat, 10 Feb 2007 00:15:09 -0500 (EST)

Wow, I've done my share of forensic investigations, and for the FBI to 
make this kind of claim is more than a little embarrassing. I remember 
reading the story when it originally came out, rolling my eyes, and moving 
on.

Now that I take a closer look, it seems even more ridiculous, in part 
thanks to their official press release: 
http://www.fbi.gov/pressrel/pressrel06/laptop071306.htm

Maybe I just haven't thought "deeply" enough about it, or the FBI has some 
special "tamper detection" device that they've kept secret. Otherwise, 
there is no middle ground. Either there was evidence that the drive was 
accessed after being stolen, or you just DON'T KNOW. There is no "highly 
confident" it was not compromised when it was gone for days, weeks or 
months.

It is simply too easy to copy a drive or investigate it while mounted 
read-only. Now, if they said that they believed it wasn't accessed based 
solely on investigative facts, it might have been plausible. But 
they didn't. They asked IBM for some magic pixie dust, sprinkled it on the 
laptop, and decided to say that the forensic examination helped give 
confidence that nothing was accessed.

I could go on and on, but this lays it out pretty well:
http://blog.zonelabs.com/blog/2006/06/forensics_looki.html

--Sawaba

P.S. - His "Worst Case Scenario" is quite likely if the criminals had any 
clue and knew how to use Google. The materials needed would have cost them 
nothing (or next to nothing if they bought latex gloves).


On Thu, 8 Feb 2007, lyger wrote:


http://attrition.org/dataloss/forensics.html

Wed Feb 07 21:55:51 EDT 2007
Jericho and Lyger

 In May of 2006, the United States Department of Veterans Affairs publicly
disclosed the fact that "Personal data on about 26.5 million U.S. military
veterans was stolen from the residence of a Department of Veterans Affairs
data analyst who improperly took the material home", prompting a mass
concern that the information, if in the wrong hands, could have led to
multiple cases of identity theft. At the very least, the fear that even a
government entity could have let such sensitive data fall into the wrong
hands led many to wonder about the data security of less protected
sources. The additional fact that the breach wasn't disclosed for almost
three weeks after the theft did little to initially ease those fears.

Weeks later, the stolen laptop and hard drive were recovered from the back
of a truck at a black market sale and sent to the United States Federal
Bureau of Investigation for analysis. At the end of June 2006, the FBI
issued a declaration that "the personal data on the hardware was not
accessed by thieves" to which VA Secretary R. James Nicholson stated "This
is a reason to be optimistic. It's a very positive note in this entire
tragic event." The question that needs to be asked, however, is how could
they be absolutely sure that the data wasn't accessed? Simply because the
FBI said so?

[...]
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in 562 incidents over 7 years.


_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in 566 incidents over 7 years.


