Security Adviser | Roger A. Grimes

June 29, 2006

How can anyone be sure stolen VA laptop data wasn't taken?

There are dozens of ways to take any computer's data without modifying a single forensic bit on the original hard drive.

News sources today are announcing that the VA's stolen laptop (with millions of identity records) has been recovered.

Most sources report that the VA and its forensic experts are claiming the data was not touched or extracted. I hope this is an oversimplification, because there are dozens of ways the data could have been read or copied while leaving the original data untouched. How?

Here are two easy ways:
1. Boot from any device except the hard drive (e.g. floppy disk, CD-ROM, DVD, USB device, etc.). Use an NTFS-compatible version of Linux (e.g. Knoppix, Backtrack, Nubuntu, etc.) and steal away.
2. Ghost the hard drive and manipulate the copy.

I can come up with a dozen ways in a few minutes.

Every computer forensics professional is required by the job to be able to access other people's hard drives and data without modifying a single original bit. So, while common thieves wouldn't know how, there are probably tens of thousands of computer professionals who do.

So, I'm hoping the VA and the news sources are oversimplifying the case. A better statement would have been, "We have found no evidence to indicate the data was read or copied," not "After examining the evidence we are SURE the data was not copied or read."

These are two very different statements.

Posted by Roger Grimes on June 29, 2006 01:45 PM


COMMENTS




You are correct that it's very common to "image" hard drives. Corporations do it all the time to clone computers or make exact backup copies. As you mention, there are also several customized Linux distributions available as bootable CD ISOs that can do the same thing. Or simply take the whole thing to your local Geek Squad and ask them to do it. Or heck, just ask the neighbor kid. It's that easy.

But I do think the FBI was correct that the data was never accessed. A true FBI forensics expert would have done much more than check Windows file dates. They would have carefully looked at other evidence as well. Like whether the hard drive had been removed. Whether the computer was set to boot from a CD. The charge state of the battery and whether a power supply was with the laptop. Dust on the laptop compared to where it was stored. Fingerprints on the CD eject button. Along with questioning the thief and analyzing the motivations and sophistication of the criminal. Etc. Etc. To believe that all they did was look at Windows file dates is not giving the FBI much credit.

But the problem of large companies and government agencies loosing our personal data has not become a DAILY occurrence. See the Non-Encrypted Hall of Shame for the daily update http://www.nist.org/nist_plugins/content/content.php?content.54

Posted by: John Herron at NIST.org at June 29, 2006 08:06 PM

Until I hear different, I bet the FBI's expert didn't say, "The hard drive was not accessed." I bet they did say, "There is no evidence the hard drive was accessed." I'm not blaming the FBI for poor analysis. I bet they did a super professional job. I'm just guessing that someone else mis-quoted them to put a more positive spin on it.

I'll say it again. You cannot prove the data wasn't accessed. You can only prove the data was accessed if done by the regular method. Fingerprints can be erased. Hard drives can be removed and replaced without any clues being left behind. Odds are that none of this occurred, but in the world of forensics and legal testimony, you can only testify to the evidence found or not found, and you can form opinions. But it is not a fact the data was not accessed, even if the thief says he didn't. Facts are facts and can't be changed.

And again, you can't prove that data isn't lost on a daily basis. You can only report on the lost or stolen data that is reported to yourself, your company, the media, or some other public list. Since only 13 states require lost or stolen data to be reported, I'm sure the vast majority of stolen or lost data goes unreported. And even if it really isn't a daily basis, lost or stolen data is 1/3rd of all U.S. adults in this year alone. With a number this big, does it really matter whether it is daily or weekly?

Posted by: Roger A. Grimes at June 30, 2006 03:37 AM

In response to Mr. Herron...

- I didn't read anywhere that Mr. Grimes was suggesting the FBI was relying on Windows file dates to determine whether data was accessed.
- Not sure how one can tell forensically when (point in time) a hard drive is removed.
- One changes BIOS to boot from a CD. One can easily change it back when done.
- Charge state of the battery - how will they know what it was when it was stolen so they can compare it to what it was when they recovered it?
- Dust on the laptop - again, how do they know anything about dust at the point when it was stolen?
- Questioning the thief - they don't know who stole it.

Posted by: Bob at June 30, 2006 07:21 AM

There's no way anyone (even the FBI) can definitively say data contained on the laptop or the external hard drive was not compromised. They can't undo what's been done. Just fess-up, change your policies and procedures and do better from now on.

Posted by: Bob at June 30, 2006 07:34 AM

"To believe that all they did was look at Windows file dates is not giving the FBI much credit."

Umm; this is the agency that doesn't have Email for all its staffers??

I'm half-kidding; if they farmed it out to a top specialist (we can only hope...), they would have performed those additional examinations...

Posted by: Spectator at June 30, 2006 10:58 AM

All great technical comments had we been dealing with a sophisticated criminal mind. The laptop was stolen by someone who cared less about the information and more about the immediate cash they could get by selling the hardware to their local fence. Really smart information thieves wouldn't have taken the laptop - they would have imaged it in place. Why set off the alarm when you could have sold the information long before anyone knew data had been compromised - much less where it came from?

In response to Bob - try to keep your comments from being personal attacks (e.g. spelling of 'loosing'). It's not very professional. The purpose of a post should be to stimulate debate - not to conduct an ad hominem personal attack.

Posted by: Morgan Wright at July 3, 2006 03:46 PM

An analysis of the OS logs and fingerprints on the cables could _help_ tell if someone imaged it; but what if they booted onto a diagnostic CD? (or if the CMOS supported it, USB memory stick...) And then they backed up the data over the network jack??

There is some mention above about checking the battery charge - it is unlikely you would have a baseline for that. As for fingerprints on the eject button - for all we know, they could have been wiped.

Maybe there were some supplemental clues (maybe not even technical in nature...) that indicated that was not likely.

Fact is, we really won't know until some months have passed. If the info has been pilfered, you will be able to trace separate incidents of theft back and see the correlation of their source data. Unless the guy(s) are going to be very careful and just pick a few prestigious and hard-to-trace marks. But generally, greediness dictates that _most_ criminals do not do that...

Posted by: Spectator at July 3, 2006 11:04 PM

It's back to basics: You can not prove that something did not occur, you can only prove that something did occur. The absence of evidence does not prove that something did not happen.

I believe this is a case of OSI layer 8 (where 8=politics, 9=religion) trumps the lower 7.

-Bob-

Posted by: Bob Hodges at July 5, 2006 04:43 PM

Agreed!

You can only ascribe a hand-waving probability to it; ultimately a copy of the stolen data could nonetheless be sitting safely in someone's den.

People want the "illusion of control"; they want to live life like it's a Sherlock Holmes novel. But one has to be humble and admit there are things we may never know; and we fall back to probabilities and suppositions to cope with it all...

Posted by: Spectator at July 6, 2006 11:37 AM
