A Forensic Analysis of the Lost Veteran’s Administration Laptop

Use Netsparker


An interesting speculative post on the forensics techniques that would most likely be used by the FBI during the investigation of the recovered Veteran’s Administration laptop.

Most of them are pretty straight forwards if you have any kind of experience with digital forensics and data recovery (disaster recovery, incident response etc.)

As a former Computer Forensic Specialist, I wanted to explain what’s probably going on with this laptop now that the FBI has the system and is forensically examining it. This explanation assumes the data was present on the hard drive (not a CD-Rom or other storage medium).

The two main areas cover physical examination and digital examination, physical would be looking for fingerprints and looking for evidence of tampering (screw heads, case scratches etc.).

A little discussion on MAC times and so on, if anyone is interested in this area, I might elaborate later.

As I said in the previous article, there isn’t much they can do if someone knew what they were doing.

The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only (no modifications to the file system) on another computer, access the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop — and this is why I mentioned what the FBI might look for during the physical examination — marks on the screws or finger prints on the internal hard drive casing.

Indeed.

Source: Zonelabs

Posted in: Countermeasures, Forensics

, , ,


Latest Posts:


Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.


5 Responses to A Forensic Analysis of the Lost Veteran’s Administration Laptop

  1. Pedro Pinheiro July 6, 2006 at 11:20 pm #

    What kind of traces would booting with a linux live CD leave…? As I understand (unless you delete/change files) when such live CDs mount an existing partition, they don’t write anything on it. Am I wrong?

  2. Darknet July 7, 2006 at 4:30 am #

    Pedro: You are right to a degree, it depends on the level of detail you go to. The thing is many of the modern bootable CD’s mount any FAT32/NTFS partitions they find read/write which would leave last accessed information for any files you copied off. Also there is informations stored on the IDE channels, last accessed, last booted etc.

  3. bj July 10, 2006 at 4:40 am #

    well; the real thing to do (if you were the bad guy) is to do a raw copy of the entire drive (dd / logicube) of the hard drive, then to do all your analysis on that….. that way you dont leave traces on the original drive (and not on the hardware if u use logicube or something equivalent).

  4. Pedro Pinheiro July 10, 2006 at 1:57 pm #

    And would it be possible to design a live CD that wouldn’t leave ANY traces? Such as reading first the IDE info and reflashing afterwards, and not writing anything on the disk? It would be an interesting alternative to opening the laptop to remove the disk (impossible not to leave any traces, imagine doing it on an iBook!).

  5. Joe July 26, 2006 at 1:55 am #

    usually they copy the hddd contents over and play with thise ones as the originals are evidnece in court. all processes are logged so that any results are re obtainalbe from another copy.