An interesting speculative post on the forensics techniques that would most likely be used by the FBI during the investigation of the recovered Veteran’s Administration laptop.

Most of them are pretty straight forwards if you have any kind of experience with digital forensics and data recovery (disaster recovery, incident response etc.)

As a former Computer Forensic Specialist, I wanted to explain what’s probably going on with this laptop now that the FBI has the system and is forensically examining it. This explanation assumes the data was present on the hard drive (not a CD-Rom or other storage medium).

The two main areas cover physical examination and digital examination, physical would be looking for fingerprints and looking for evidence of tampering (screw heads, case scratches etc.).

A little discussion on MAC times and so on, if anyone is interested in this area, I might elaborate later.

As I said in the previous article, there isn’t much they can do if someone knew what they were doing.

The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only (no modifications to the file system) on another computer, access the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop — and this is why I mentioned what the FBI might look for during the physical examination — marks on the screws or finger prints on the internal hard drive casing.

Indeed.

Source: Zonelabs

Ah, so finally they got it back, from a street corner of all places.

Let’s hope they shall be a little more careful in the future yah?

The missing laptop and hard drive that contained veterans’ personal information has been found, Veterans Administration Chief Jim Nicholson announced Thursday.

The announcement came at the beginning of a hearing before the House Veterans’ Affairs Committee hearing.

“It was confirmed to me by the deputy attorney general that law enforcement has in their possession the … laptop and hard drive,” Nicholson said in a statement at the hearing. “The serial numbers match.”

Of course the FBI will roll out it’s forensics experts to testify the data has not been accessed, but let’s face it, how hard is it to mount the drive read only and clone it?

Not very right..

Experts were conducting forensic tests on the laptop and hard drive, Nicholson said. It was not immediately clear if the data on the equipment had been copied or compromised, but Nicholson said “there is reason to be optimistic.”

He did not say how the equipment was recovered, on where it’s been during the past two months. The equipment was found Wednesday; Nicholson said he wasn’t aware of any arrests made in connection with the incident.

An FBI spokesman said the laptop computer was recovered “in the area,” but could not provide more specific information. Forensics tests showed “the sensitive files were not accessed,” according to special agent in charge Bill Chase.

We’ll look at the forensics techniques in more depth later.

Source: MSNBC