BreachExchange mailing list archives

Re: (article) "We recovered the laptop!" ... so what?

From: "Max Hozven" <mhozven () tealeaf com>
Date: Sun, 11 Feb 2007 22:27:33 -0800

Or boot up on a Symantec Ghost boot disk, then blast the data over to a
network drive or a connected USB drive.

-Max

-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of sawaba
Sent: Sunday, February 11, 2007 9:09 PM
To: blitz
Cc: dataloss () attrition org
Subject: Re: [Dataloss] (article) "We recovered the laptop!" ... so
what?

You don't even have to mess with mirroring it. You can create a Linux
boot 
disk, specifically set up with scripts that search for juicy data, and 
then upload them to your server over Wi-Fi. On a fairly new laptop, you 
should have data (if there's any data to be had) within 30 minutes.
You'll 
be done in an hour or two unless there is a huge amount of data you want

to grab.

And because you are mounting the Fat32 or NTFS volume read-only, no
dates 
(or any other data for that matter) are changed. Ta-da, look ma, noone 
touched it.

--Sawaba

On Sat, 10 Feb 2007, blitz wrote:

How much trouble to set the date and time before the copy as well? and

then

back?
Love USB 2.0....
As you and I know, mirroring the drive makes no changes  to it. I

think

they're blowing smoke out their posterior porthole, HOPING it wasn't 
accessed. Sure the screws weren't tampered with....right...ever seen a

nylon

screwdriver? Ive got a toolbox with perhaps a dozen, regular, Phillips

and

Roberts.

At 00:15 2/10/2007, you wrote:

Wow, I've done my share of forensic investigations, and for the FBI

to

make this kind of claim is more than a little embarrassing. I

remember

reading the story when it originally came out, rolling my eyes, and

moving

on.

Now that I take a closer look, it seems even more ridiculous, in part
thanks to their official press release:
http://www.fbi.gov/pressrel/pressrel06/laptop071306.htm

--snip

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in 570 incidents over
7 years.


_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in 570 incidents over 7 years.

Current thread:

Re: (article) "We recovered the laptop!" ... so what? Max Hozven (Feb 12)
- Re: (article) "We recovered the laptop!" ... so what? B.K. DeLong (Feb 12)
- <Possible follow-ups>
- Re: (article) "We recovered the laptop!" ... so what? Herve Roggero (Feb 12)
  - Re: (article) "We recovered the laptop!" ... so what? Al Mac (Feb 12)
  - Re: (article) "We recovered the laptop!" ... so what? blitz (Feb 13)
    - Re: (article) "We recovered the laptop!" ... so what? Herve Roggero (Feb 13)
    - Re: (article) "We recovered the laptop!" ... so what? Adam Shostack (Feb 13)
    - Message not available
    - Re: (article) "We recovered the laptop!" ... so what? Adam Shostack (Feb 16)
    - Re: (article) "We recovered the laptop!" ... so what? B.K. DeLong (Feb 16)
    - Re: (article) "We recovered the laptop!" ... so what? sawaba (Feb 16)
    - Re: (article) "We recovered the laptop!" ... so what? Adam Shostack (Feb 17)

(Thread continues...)