  • FBI Says Data on VA Laptop Not Accessed


    Would any of the forensics experts out there care to comment on the
    claims in this story?
    http://tinyurl.com/m43cw
    The FBI, in a statement from its Baltimore field office, said a
    preliminary review of the equipment by its computer forensic teams
    "has determined that the data base remains intact and has not been
    accessed since it was stolen." More tests were planned, however.
    Regards,
    Brian
    Full-Disclosure - We believe in it.
    Charter:
    Hosted and sponsored by Secunia - http://secunia.com/
  • No.1 | | 968 bytes | |

    Yo Brian!

    Thu, 29 Jun 2006, Brian Eaton wrote:

    > The FBI, in a statement from its Baltimore field office, said a
    > preliminary review of the equipment by its computer forensic teams
    > "has determined that the data base remains intact and has not been
    > accessed since it was stolen." More tests were planned, however.

    Funny. If someone popped the drive out and did a dd on it there would
    be no trace left behind. They should know that since that is standard
    forensic procedure as well as good black hat procedure.

    RGDS
    GARY
    --
    Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
    gem (AT) rellim (DOT) com Tel:+1(541)382-8588


  • No.2 | | 1014 bytes | |

    Thursday 29 June 2006 15:05, Brian Eaton wrote:
    > Would any of the forensics experts out there care to comment on the
    > claims in this story?

    The story is written for John Q Public. The claims, of course, are as
    meaningless from a forensics standpoint as they are useful from a
    political standpoint.

    The safe assumption is that their statement was based on the file access
    timestamps having not been updated (or even that the last person to
    log in was the person from whom the laptop was stolen). If you like,
    you can therefore conclude that the data was not accessed by a complete
    idiot. The proper way of taking the data has the happy side effect of
    leaving essentially no evidence.

    Jeremy

    > The FBI, in a statement from its Baltimore field office, said a
    > preliminary review of the equipment by its computer forensic teams
    > "has determined that the data base remains intact and has not been
    > accessed since it was stolen." More tests were planned, however.
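Jeremy's point above is that a preliminary review usually amounts to checking whether any file timestamps moved after the theft, and that this only rules out a clumsy reader. The Python script below is an added example, not part of the thread, that implements that check as a small mactime-style timeline: it lists every atime/mtime/ctime under a directory that is newer than a cutoff (the reported time of the theft). The directory layout, file names and cutoff are constructed for the demo. The point it makes is the one Jeremy makes: an empty timeline is not evidence, because a read-only mount, a `noatime` filesystem or a sector-level copy records nothing at all.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    when: float   # POSIX timestamp
    kind: str     # "atime", "mtime" or "ctime"
    path: str     # path relative to the examined root


def timeline_after(root, cutoff_ts):
    """Collect every access/modify/change timestamp under root that is newer
    than cutoff_ts, sorted by time.  Only timestamps the filesystem actually
    recorded can show up here: a read-only mount, a noatime mount or a
    raw dd copy of the disk leaves no event at all."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            rel = os.path.relpath(path, root)
            for kind, ts in (("atime", st.st_atime),
                             ("mtime", st.st_mtime),
                             ("ctime", st.st_ctime)):
                if ts > cutoff_ts:
                    events.append(Event(ts, kind, rel))
    return sorted(events, key=lambda e: (e.when, e.path, e.kind))


def format_timeline(events):
    """Render events one per line in UTC, oldest first."""
    lines = []
    for e in events:
        stamp = datetime.fromtimestamp(e.when, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{stamp} UTC  {e.kind:<5} {e.path}")
    return "\n".join(lines)


def build_demo_tree(root, cutoff_ts):
    """Constructed sample tree: three files, all backdated to before the cutoff,
    then one of them is "read" after the cutoff the way a normal atime-updating
    open would record it (the names are made up)."""
    for name in ("db/veterans.mdb", "db/index.dat", "notes.txt"):
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        # atime a week before the cutoff, mtime a month before it
        os.utime(path, (cutoff_ts - 7 * 86400, cutoff_ts - 30 * 86400))
    touched = os.path.join(root, "db/veterans.mdb")
    os.utime(touched, (cutoff_ts + 2 * 3600, cutoff_ts - 30 * 86400))


def demo():
    """Run the check on the constructed tree; returns (events, cutoff_ts)."""
    # Cutoff slightly in the future so the ctime set at creation stays below it.
    cutoff_ts = time.time() + 600
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root, cutoff_ts)
        events = timeline_after(root, cutoff_ts)
    return events, cutoff_ts


if __name__ == "__main__":
    evs, _cutoff = demo()
    print(format_timeline(evs) or "no timestamp newer than cutoff (which proves nothing)")
```

Run against the constructed tree it prints a single `atime` line for the database file. Delete that one `os.utime` call and the output is empty, which is exactly what a dd image or a read-only mount of the disk would also produce; the check can confirm access, never exclude it.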
  • No.3 | | 1549 bytes | |

    Thu, 29 Jun 2006 15:24:03 PDT, "Gary E. Miller" said:
    > Thu, 29 Jun 2006, Brian Eaton wrote:
    >
    > > The FBI, in a statement from its Baltimore field office, said a
    > > preliminary review of the equipment by its computer forensic teams
    > > "has determined that the data base remains intact and has not been
    > > accessed since it was stolen." More tests were planned, however.
    >
    > Funny. If someone popped the drive out and did a dd on it there would
    > be no trace left behind. They should know that since that is standard
    > forensic procedure as well as good black hat procedure.

    If the info had been on the hard drive, you could check the various screws
    and connectors for any tool marks indicating that the drive had been removed.
    Barring any such tool marks, and any forensic evidence the machine had been
    powered on (easy to check if it booted into Windows off the hard drive, a
    bit more challenging if it was booted off a Knoppix CD or similar).

    However, previous reports said the data was on a CD in the drive at the time,
    and *that* is going to be a bitch forensically - if the guy didn't leave
    his thumbprint on the CD Eject button, there's not really *any* way to be
    sure if the CD was pulled, copied, and replaced.

  • No.4 | | 674 bytes | |

    There appears to be no mention in the article as to whether the data was
    encrypted or not. Kind of a critical omission. This is something the public
    would understand.

    Government laptops probably have a boot screen with an "official" badge or
    logo at the beginning; this alerts you to the prize you have obtained. Then you
    find files >10 GB and you then know you have something really good.

    mike

    Brian Eaton wrote:
    > Would any of the forensics experts out there care to comment on the
    > claims in this story?
    >
    > http://tinyurl.com/m43cw

  • No.5 | | 969 bytes | |

    Yo Valdis!

    Thu, 29 Jun 2006, Valdis.Kletnieks (AT) vt (DOT) edu wrote:

    > If the info had been on the hard drive, you could check the various screws
    > and connectors for any tool marks indicating that the drive had been removed.

    My laptop drives snap out with a little plastic latch. No screws. Sure
    the drive is screwed in the caddy, but I can cable up to the drive
    still in the caddy. You could never tell.

    Maybe boot to a live CD on a USB thumb drive and dd the HD and the CD
    out the USB to a spare drive.

    RGDS
    GARY
    --
    Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
    gem (AT) rellim (DOT) com Tel:+1(541)382-8588

  • No.6 | | 1987 bytes | |

    6/29/06, Brian Eaton <eaton.lists (AT) gmail (DOT) com> wrote:
    > Would any of the forensics experts out there care to comment on the
    > claims in this story?
    >
    > http://tinyurl.com/m43cw

    Good question. I addressed this question at the link
    below, I won't reprint the whole article here, but this
    is something to consider:

    While it's good they got the *hardware* back, recovering the laptop
    itself doesn't mean the data wasn't stolen.

    Speaking to this concern, another report stated this:

    The FBI, in a statement from its Baltimore field office, said:
    A preliminary review of the equipment by computer forensic teams
    determined that the database remains intact and has not been accessed
    since it was stolen. A thorough forensic examination is underway, and
    the results will be shared as soon as possible. The investigation is
    ongoing.

    As a former Computer Forensic Specialist, I wanted to explain what's
    probably going on with this laptop now that the FBI has the system and
    is forensically examining it. This explanation assumes the data was
    present on the hard drive (not a CD-ROM or other storage medium).

    Worst case scenario:
    The laptop thieves really know what they are doing. They remove the
    hard drive from the laptop, and mount it read-only (no modifications to
    the file system) on another computer, access the sensitive data and
    re-insert the hard drive into the stolen laptop. This is the same process
    the forensic examiner would use to prevent the examination from modifying
    the data contained on the laptop -- and this is why I mentioned
    what the FBI might look for during the physical examination -- marks on
    the screws or finger prints on the internal hard drive casing (which gloves
    would obviously prevent).

  • No.7 | | 999 bytes | |

    6/29/06, Valdis.Kletnieks (AT) vt (DOT) edu <Valdis.Kletnieks (AT) vt (DOT) edu> wrote:
    > However, previous reports said the data was on a CD in the drive at the time,
    > and *that* is going to be a bitch forensically - if the guy didn't leave
    > his thumbprint on the CD Eject button, there's not really *any* way to be
    > sure if the CD was pulled, copied, and replaced.

    The Washington Post says the data was unencrypted on an external hard drive.

    http://tinyurl.com/ooo2k

    It sounds like if someone wanted the data and took it the obvious way,
    they would have left some evidence. But clearly someone knew exactly
    what they had. They might have decided to copy the data on the sly,
    and then claimed the reward as a bonus.

    You'd have to be a real jerk to sell the personal info of 20 million vets.

    Regards,
    Brian

  • No.8 | | 1002 bytes | |

    Cardoso wrote:
    > I don't think they can detect some highly advanced techniques like using
    > Partition Magic to mirror the disk
    > --

    As long as they didn't know the exact amount of hours the HDD was
    running before it got stolen, I don't see any way to determine if the
    data was copied away by some sector-by-sector copy tool like Ghost or
    True Image. AFAIK you can see very clearly how many hours a drive has
    run so far. If that data was the same as before the laptop was stolen, then
    the disk didn't run. If the data differs, the drive did run.
    I am not sure if one could alter that data.
    On the other hand I don't think that anyone knows that data all the
    time, so they couldn't have known the running time of the disk, unless
    they knew the HDD was about to be stolen.

    (pardon my bad english)

    Michael

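Michael's suggestion above is the one defender-side check in this thread that a raw sector copy cannot dodge: the drive has to be powered and spun to be read, and its SMART counters record that. The Python script below is an added example, not part of the thread, showing how that comparison would be done if an inventory baseline of the drive's SMART attributes had been recorded before the loss. It parses text in the column layout that `smartctl -A` prints, keeps only the counters that move when the drive is powered or spun (not gauges such as temperature), and reports which of them advanced between the baseline and the recovered drive. Both attribute tables and every number in them are constructed for the demo; no real drive was involved.

```python
import re

# Constructed sample in the column layout of `smartctl -A` (all values made up).
BASELINE_SMART = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       412
  9 Power_On_Hours          0x0032   098   098   000    Old_age   Always       -       1842
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       311
194 Temperature_Celsius     0x0022   035   048   000    Old_age   Always       -       35
"""

# Same drive as read after recovery (constructed): powered up twice, but for
# less than a full hour in total, so Power_On_Hours did not tick.
RECOVERED_SMART = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       414
  9 Power_On_Hours          0x0032   098   098   000    Old_age   Always       -       1842
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       313
194 Temperature_Celsius     0x0022   031   048   000    Old_age   Always       -       31
"""

# Counters that only advance when the drive is powered or spun up.  Gauges such
# as temperature change on their own and are deliberately left out.
WATCHED = ("Power_On_Hours", "Power_Cycle_Count", "Start_Stop_Count")

# id, name, then seven fixed columns (FLAG..WHEN_FAILED), then the raw value.
_ATTR = re.compile(r"^\s*(\d+)\s+(\S+)\s+(?:\S+\s+){7}(\d+)")


def parse_smart(text):
    """Map attribute name -> integer RAW_VALUE.  Raw values like '1842h+30m'
    or '1842 (24 38 0)' keep only their leading integer; the header line and
    anything that is not an attribute row are ignored."""
    attrs = {}
    for line in text.splitlines():
        m = _ATTR.match(line)
        if m:
            attrs[m.group(2)] = int(m.group(3))
    return attrs


def compare_counters(baseline, recovered, watched=WATCHED):
    """Return (name, before, after) for every watched counter that differs.
    Counters absent from either table are skipped, not reported as changes."""
    changed = []
    for name in watched:
        before, after = baseline.get(name), recovered.get(name)
        if before is None or after is None:
            continue
        if after != before:
            changed.append((name, before, after))
    return changed


def assess(changed):
    """One-line verdict.  Any advance means the disk was powered after the
    baseline was taken.  No advance is weak evidence only: the baseline has to
    predate the loss, a short session can hide inside one Power_On_Hours tick,
    and the counters say nothing about a CD or an external drive."""
    if not changed:
        return "no change: drive apparently not powered since baseline (weak evidence)"
    detail = ", ".join(f"{name} {before}->{after}" for name, before, after in changed)
    return "drive was powered after baseline: " + detail


if __name__ == "__main__":
    findings = compare_counters(parse_smart(BASELINE_SMART), parse_smart(RECOVERED_SMART))
    print(assess(findings))
```

On the constructed tables the verdict reads `drive was powered after baseline: Power_Cycle_Count 311->313, Start_Stop_Count 412->414`; Power_On_Hours alone would have shown nothing, which is why the cycle and start/stop counters are watched as well. The practical consequence for an asset owner is the one Michael draws: the comparison is only possible if the counters were recorded while the machine was still in inventory.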
  • No.9 | | 878 bytes | |

    >The FBI, in a statement from its Baltimore field office, said a
    >preliminary review of the equipment by its computer forensic teams
    >"has determined that the data base remains intact and has not been
    >accessed since it was stolen." More tests were planned, however.


    Didn't the original "wanted" notice for this hardware specifically
    mention an external (USB) drive?

    Gee 'mount -t ntfs -o ro /dev/sda1 /mnt/goodies'

    How are their "forensic" people going to determine if *that* happened?

    Their argument about "a real crook wouldn't return the hardware"
    well, why not? $50,000 to buy that fancy ID printer off eBay to get
    yourself started.

    /mike.

  • No.10 | | 1471 bytes | |

    I don't think they can detect some highly advanced techniques like using
    Partition Magic to mirror the disk

    Fri, 30 Jun 2006 10:07:46 -0400
    Michael Holstein <michael.holstein (AT) csuohio (DOT) edu> wrote:

    MH> > The FBI, in a statement from its Baltimore field office, said a
    MH> > preliminary review of the equipment by its computer forensic teams
    MH> > "has determined that the data base remains intact and has not been
    MH> > accessed since it was stolen." More tests were planned, however.
    MH>
    MH> Didn't the original "wanted" notice for this hardware specifically
    MH> mention an external (USB) drive?
    MH>
    MH> Gee 'mount -t ntfs -o ro /dev/sda1 /mnt/goodies'
    MH>
    MH> How are their "forensic" people going to determine if *that* happened?
    MH>
    MH> Their argument about "a real crook wouldn't return the hardware"
    MH> well, why not? $50,000 to buy that fancy ID printer off eBay to get
    MH> yourself started.
    MH>
    MH> /mike.

    year(now) + 1 is the year of Linux!
    Cardoso <cardoso (AT) pobox (DOT) com> - SkypeIn: (11) 3711-2466 / (41) 3941-5299
    digital life: http://www.contraditorium.com personal site and blog: http://www.carloscardoso.com

