As mentioned in this post, the laptop containing Veteran’s Administration data was recovered. While it’s good they got the *hardware* back, recovering the laptop itself doesn’t mean the data wasn’t stolen.
Speaking to this concern, another report stated this:
FBI Says Data on VA Laptop Not Accessed

The FBI, in a statement from its Baltimore field office, review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen. A thorough forensic examination is underway, and the results will be shared as soon as possible. The investigation is ongoing.
As a former Computer Forensic Specialist, I wanted to explain what’s probably going on with this laptop now that the FBI has the system and is forensically examining it. This explanation assumes the data was present on the hard drive (not on a CD-ROM or other storage medium).
As with any physical evidence, looking for latent fingerprints or material containing DNA is standard procedure. Next, the investigator will attempt to determine if anyone removed the physical hard drive from the computer (looking at the screws, prints on the hard drive casing inside the system). It’s possible they even have some exotic voltage measuring tools that can accurately determine how long a capacitor has been without power.
The first step is taking a bit-for-bit image of the hard drive. This technique makes an exact copy of the data on the laptop so the forensic examiner is reviewing a copy of the stolen disk, not the actual disk itself. Next, the investigator will want to determine the last date and time the system was powered up and booted. This is fairly simple.
To determine if the Veteran’s sensitive information was accessed (as mentioned in the news article quoted above), there are a couple of possible options, each with specific drawbacks.
Using file system access times (a-times):
The common PC file systems have various properties that can be used to gather forensic evidence. These properties are often called MAC-times (Modify, Access, Change). One of these properties is the "access time" of each file on the system. An access time is updated whenever a file is opened for reading (and by various other operations). If you open a previously created document (or even just browse to the directory the file is located in), it will update the a-time. Running a search tool that looks for a specific file on your system could update (and thereby overwrite) all the previous a-times on your system. Since it’s so easy to erase or lose the a-time data, it is considered highly volatile.
MAC time data looks like this:
Based on the example above, if the investigator found a-time information that was *after* possession of the laptop was lost, that would indicate someone accessed the laptop during the stolen time-period.
The FBI would look at the a-times on the system in question and see if the times coincide with the times and dates the laptop was in possession of the VA employee. If the a-time was after the employee lost possession of the laptop, that would indicate someone other than the VA employee was accessing those files.
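The following is an added example of the a-time check described above; it is not code from the original post or from the FBI. It reads MAC times with os.lstat (which reads inode metadata without opening the file, so the examination itself does not touch a-times), sorts them into a timeline, and flags every file whose a-time is later than an assumed loss-of-possession timestamp. The file names, timestamps and the loss-of-possession time are all constructed for the demo. Note that on Windows this evidence can be absent by design: NTFS last-access updates can be turned off (and are off by default on Vista and later), which is the Dan Farmer caveat quoted below.

```python
"""Added example (not from the original post): build a MAC-time timeline
with os.lstat and flag files whose access time (a-time) falls after the
moment the laptop left its owner's possession. Every path and timestamp
here is constructed for demonstration."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed assumption: the moment the owner lost possession of the laptop.
LOST_AT = datetime(2006, 5, 1, 0, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class MacRecord:
    path: str
    mtime: datetime  # Modify: file contents last written
    atime: datetime  # Access: file last opened/read (the volatile one)
    ctime: datetime  # Change: metadata last changed on Unix (creation time on Windows)


def _utc(ts: float) -> datetime:
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def collect_mac_times(root: str) -> list[MacRecord]:
    """Walk a tree (ideally a read-only mounted image) and record MAC times.

    os.lstat only reads inode metadata; it never opens the file, so the
    collection itself does not update a-times the way a content-searching
    tool (which opens each file) would."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            records.append(MacRecord(
                path=os.path.relpath(full, root),
                mtime=_utc(st.st_mtime),
                atime=_utc(st.st_atime),
                ctime=_utc(st.st_ctime),
            ))
    # Timeline order: oldest access first.
    return sorted(records, key=lambda r: r.atime)


def flag_access_after(records: list[MacRecord], lost_at: datetime) -> list[str]:
    """Return the paths whose a-time is later than the loss-of-possession time.

    A hit means *something* opened the file after the owner lost the laptop;
    it does not by itself say who, because a-times can be altered or lost."""
    return [r.path for r in records if r.atime > lost_at]


def build_demo_tree() -> str:
    """Construct a sample tree with explicit a-/m-times set via os.utime.
    (Constructed values; ctime cannot be set and will simply be 'now'.)"""
    root = tempfile.mkdtemp(prefix="mac_demo_")
    stamps = {  # name: (mtime, atime) in UTC, constructed
        "veterans.mdb": ("2006-04-20T14:00:00", "2006-05-10T03:15:00"),  # read after loss
        "notes.txt": ("2006-04-28T09:00:00", "2006-04-28T09:30:00"),
        "readme.doc": ("2006-01-05T11:00:00", "2006-04-30T16:45:00"),
    }
    for name, (m, a) in stamps.items():
        full = os.path.join(root, name)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
        mtime = datetime.fromisoformat(m).replace(tzinfo=timezone.utc).timestamp()
        atime = datetime.fromisoformat(a).replace(tzinfo=timezone.utc).timestamp()
        os.utime(full, (atime, mtime))  # os.utime takes (atime, mtime)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    timeline = collect_mac_times(demo_root)
    for rec in timeline:
        print(f"{rec.atime:%Y-%m-%d %H:%M} UTC  {rec.path}")
    print("accessed after loss of possession:", flag_access_after(timeline, LOST_AT))
```

Run it as a script to print the timeline; only veterans.mdb is flagged, because its a-time is the only one later than LOST_AT. On a real case the tree would be the bit-for-bit image mounted read-only, never the original disk, and any hit would still need the independent corroboration the next section calls for.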
How reliable are file system MAC times?
In a paper I co-wrote a long while back, we added this caveat regarding file system MAC times:
Timestamp analysis can provide valuable clues as to what the intruder may have been doing or what files were affected. However, because timestamps can be altered, their implications must be considered carefully (even cautiously). Where possible, attempt to gather evidence that independently supports the story that your timestamps are telling you.
There is also this from Dan Farmer in Doctor Dobb’s Journal:
And while NTFS is hampered in that atimes are not always updated when a file is accessed (Microsoft, please change this, or at least make it an option for administrators!)…
[there is no indication if the laptop was using NTFS or another file system at this time]
Worst case scenario:
The laptop thieves really know what they are doing. They remove the hard drive from the laptop, mount it read-only (no modifications to the file system) on another computer, access the sensitive data, and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop — and this is why I mentioned what the FBI might look for during the physical examination — marks on the screws or fingerprints on the internal hard drive casing.
I’ll post more updates as this investigation continues.
The VA disclosed two more data breaches and the Chief Security Officer (CSO) has resigned.