As mentioned in this post, the laptop containing Veterans Administration data was recovered. While it’s good they got the *hardware* back, recovering the laptop itself does not establish that the data was never read or copied.
Speaking to this concern, another report stated this:
FBI Says Data on VA Laptop Not Accessed
The FBI, in a statement from its Baltimore field office, said:
A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen. A thorough forensic examination is underway, and the results will be shared as soon as possible. The investigation is ongoing.
As a former Computer Forensic Specialist, I wanted to explain what’s probably going on with this laptop now that the FBI has the system and is forensically examining it. This explanation assumes the data was present on the laptop’s hard drive (not on a CD-ROM or other storage medium).
Physical Examination:
As with any physical evidence, looking for latent fingerprints or material containing DNA is standard procedure. Next, the investigator will attempt to determine whether anyone removed the physical hard drive from the computer (tool marks on the screws, prints on the hard drive casing inside the system). It’s possible they even have some exotic voltage measuring tools that can estimate how long a capacitor has been without power.
Digital Examination:
The first step is taking a bit-for-bit image of the hard drive through a write blocker, then hashing the original and the image so the examiner can show that the copy is exact and that nothing done afterwards touched the evidence. Every later step is run against that copy, not the stolen disk itself. Next, the investigator will want to determine the last date and time the system was powered up and booted. This is fairly simple: the operating system’s own event logs and registry record each start-up and shutdown, with the caveat that those entries are only as trustworthy as the system clock that stamped them.
To determine whether the Veterans’ sensitive information was accessed (as the news article quoted above claims), there are a couple of possible options, each with specific drawbacks.
Using file system access times (a-times):
The common PC file systems keep several timestamps per file that can be used to gather forensic evidence. On Unix file systems these are called MAC times (Modify, Access, Change): the last write to the file’s contents, the last time it was read, and the last change to its metadata (inode). NTFS records a creation time in place of the inode change time. The property that matters here is the access time (a-time). An a-time is updated whenever a file is opened for reading (and by various other operations). If you open a previously created document it will update the a-time, and so can merely browsing to the directory the file is in if the file manager reads the files to build icons or previews. A content search that opens every file on the system (a recursive grep, or a desktop search that indexes file contents) will update, and in effect erase, all the previous a-times. Since it’s so easy to overwrite or lose, a-time data is considered highly volatile. Two NTFS caveats make a missing update even weaker as evidence: Windows may delay writing an updated a-time back to disk for up to an hour, and the NtfsDisableLastAccessUpdate registry value switches a-time updates off entirely.
MAC time data (one line per event: the timestamp, which of the M, A and C times it records with a dot for each that did not change, and the path) looks like this:
2004-03-21 19:20:36|.A.|/SUBJECT/usr/lib/crti.o
2004-03-21 19:20:36|.A.|/SUBJECT/usr/lib/crtn.o
2004-03-21 19:20:36|.A.|/SUBJECT/usr/lib/libgcc.a
2004-03-21 19:20:36|MAC|/SUBJECT/tmp/tsh3ll
In the example above, the three library files were read (.A.) at 19:20:36 and /tmp/tsh3ll had all three times set in the same second, which is what creating a new file looks like. If the investigator found a-times that fall *after* the laptop left the employee’s possession, that would indicate someone opened those files during the stolen period. The FBI would therefore compare the a-times on the files of interest with the dates and times the laptop is known to have been in the VA employee’s hands; an a-time inside that gap points to someone other than the employee. The converse does not follow: a-times that stop at the theft date show only that nothing updated them, not that nothing read the data, for the reasons covered under the worst case scenario below.
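To make the comparison concrete, here is an added example (my own illustration, not part of the original post and not any FBI procedure) that reads timeline lines in the format shown above, reports a-times that fall inside the period the laptop was missing, and also flags seconds in which many files were read at once, the pattern a recursive copy or a deliberate touch-everything sweep leaves behind. The theft window, the file paths and the timeline lines are constructed for the example.

```python
"""Added example, not from the original post: scan a mactime-style
timeline for a-times inside the theft window and for mass-access bursts.

Assumed line format (from the post's sample): 'YYYY-MM-DD HH:MM:SS|MAC|path'
where the middle field holds M, A and/or C for the timestamps the line
records and '.' for the ones it does not. Timeline lines, paths and the
theft window below are constructed for this example.
"""
from collections import Counter
from datetime import datetime

SAMPLE_TIMELINE = """\
2006-04-30 08:12:01|.A.|/SUBJECT/home/analyst/va_extract.mdb
2006-05-03 09:40:17|.A.|/SUBJECT/Program Files/Office/WINWORD.EXE
2006-05-03 09:40:18|.A.|/SUBJECT/home/analyst/va_extract.mdb
2006-05-03 09:40:18|.A.|/SUBJECT/home/analyst/notes.txt
2006-05-03 09:40:18|.A.|/SUBJECT/WINDOWS/system32/ntdll.dll
2006-05-03 09:40:18|.A.|/SUBJECT/WINDOWS/system32/kernel32.dll
2006-05-12 22:05:44|M.C|/SUBJECT/tmp/tsh3ll
"""

# Constructed window: the moment the owner lost the laptop and the moment
# it was back in official hands. Only a-times strictly inside it matter.
LOST_AT = datetime(2006, 5, 3, 0, 0, 0)
RECOVERED_AT = datetime(2006, 6, 29, 0, 0, 0)


def parse_timeline(text):
    """Yield (timestamp, flags, path) for each non-empty timeline line."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        when, flags, path = raw.split("|", 2)
        yield datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), flags, path


def accesses_in_window(text, lost_at, recovered_at):
    """Return (timestamp, path) for entries whose a-time falls in the window.

    An a-time here means the file was opened while the laptop was out of
    its owner's hands. The converse proves nothing: a read-only mount or a
    live-CD copy reads the data without touching any a-time.
    """
    return [(when, path)
            for when, flags, path in parse_timeline(text)
            if "A" in flags and lost_at < when <= recovered_at]


def mass_access_bursts(text, min_files=4):
    """Return a-time values shared by at least min_files timeline entries.

    Many unrelated files read in the same second is the fingerprint of a
    recursive sweep ('dir /s', 'find /', a copy of the whole tree), not of
    a person using the machine. It also catches a 'reset the clock and
    touch everything' cover-up: the dates would look old but the burst stays.
    """
    counts = Counter(when for when, flags, _ in parse_timeline(text)
                     if "A" in flags)
    return sorted(when for when, n in counts.items() if n >= min_files)


if __name__ == "__main__":
    for when, path in accesses_in_window(SAMPLE_TIMELINE, LOST_AT, RECOVERED_AT):
        print(f"{when}  opened during theft window: {path}")
    for when in mass_access_bursts(SAMPLE_TIMELINE):
        print(f"{when}  mass access burst (sweep or cover-up?)")
```

Run against a real timeline, the first function gives the list the FBI statement is really about; the second is the sanity check several readers raise further down, that a clock rolled back before a bulk read still leaves an unnatural cluster of identical a-times.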
How reliable are file system MAC times?
In a paper I co-wrote a long while back, we added this caveat regarding file system MAC times:
Timestamp analysis can provide valuable clues as to what the intruder may have been doing or what files were affected. However, because timestamps can be altered, their implications must be considered carefully (even cautiously). Where possible, attempt to gather evidence that independently supports the story that your timestamps are telling you.
There is also this from Dan Farmer in Doctor Dobb’s Journal:
And while NTFS is hampered in that atimes are not always updated when a file is accessed (Microsoft, please change this, or at least make it an option for administrators!)…
[there is no indication if the laptop was using NTFS or another file system at this time]
Worst case scenario:
The laptop thieves really know what they are doing. They remove the hard drive from the laptop, mount it read-only (no modifications to the file system) on another computer, copy the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner uses to keep the examination from modifying the data on the laptop, and it is why I mentioned what the FBI might look for during the physical examination: marks on the screws or fingerprints on the internal hard drive casing. Removing the drive is not even required. Booting the laptop from a live CD or USB stick and mounting the internal disk read-only (on Linux, with the noatime option as well) reads the data without writing a single byte to it, so no a-time, no log entry and no screw mark records the visit. That is the core limitation of this kind of examination: it can show that someone *did* access the data, but it can never prove that nobody did.
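For the read-only acquisition described above, here is an added example (my own, not the FBI’s procedure and not any tool’s code) of copying a disk or file without updating its a-time and hashing both source and image so the copy can be shown to be exact. It assumes Linux, where the O_NOATIME open flag suppresses a-time updates for that open (it requires owning the file or CAP_FOWNER; other platforms silently drop it), and it reads whatever path it is given; a real acquisition reads the block device through a hardware write blocker. The sample image that self_check builds is constructed.

```python
"""Added example, not from the original post: read-only acquisition of a
disk image with no a-time update, plus hash verification of the copy.

Assumes Linux for O_NOATIME (a per-open flag that stops the kernel updating
the access time; needs file ownership or CAP_FOWNER, absent elsewhere).
The source may be a block device such as /dev/sda or a plain file; a real
acquisition also puts a hardware write blocker in front of the device.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, the dd bs=1M equivalent


def open_without_atime(path):
    """Open path read-only, asking the kernel not to update its a-time."""
    flags = os.O_RDONLY | getattr(os, "O_NOATIME", 0)
    try:
        return os.open(path, flags)
    except PermissionError:
        # O_NOATIME is refused unless we own the file or hold CAP_FOWNER.
        # Fall back to a plain read; the a-time may then change.
        return os.open(path, os.O_RDONLY)


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_readonly(src_path, dst_path):
    """Copy src_path to dst_path and return (source_sha256, image_sha256).

    The source digest is computed from the bytes as they are read, the
    image digest from a second pass over the written file. They must be
    equal; a mismatch means the image is not faithful and must not be used.
    """
    src_hash = hashlib.sha256()
    fd = open_without_atime(src_path)
    try:
        with open(dst_path, "wb") as out:
            while True:
                block = os.read(fd, CHUNK)
                if not block:
                    break
                src_hash.update(block)
                out.write(block)
    finally:
        os.close(fd)
    return src_hash.hexdigest(), sha256_of_file(dst_path)


def self_check():
    """Build a constructed 1.25 MiB 'disk', image it, and report the digests."""
    data = bytes(range(256)) * 5120  # spans more than one CHUNK
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sda.raw")
        dst = os.path.join(d, "sda.dd")
        with open(src, "wb") as f:
            f.write(data)
        before = os.stat(src)
        src_digest, img_digest = image_readonly(src, dst)
        after = os.stat(src)
        return {
            "source": src_digest,
            "image": img_digest,
            "expected": hashlib.sha256(data).hexdigest(),
            "atime_unchanged": before.st_atime_ns == after.st_atime_ns,
        }


if __name__ == "__main__":
    for key, value in self_check().items():
        print(f"{key}: {value}")
```

The two digests are the examiner’s chain-of-custody evidence; the atime_unchanged flag is the thief’s view of the same operation, and on a Linux host with O_NOATIME honoured it stays true, which is exactly why a clean a-time record proves so little.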
I’ll post more updates as this investigation continues.
[UPDATE: 6/29]
The VA disclosed two more data breaches and the Chief Security Officer (CSO) has resigned.

Thursday, June 29, 2006
You probably heard that they found (somewhere) that stolen laptop with the tons of veterans’ personal data on it. Here’s a former computer forensics guy writing about what kind of evidence might have led them to the happy conclusion that the personal d…
What if the bad guys did this?
1. Boot the computer and log on the operating system
2. Access files, copy files, do whatever they want
3. Go to the BIOS and modify the date and time
4. Run a command like “find /” or “dir c: /s”, but accessing every file (even system and hidden files). They had now effectively changed all the a-times
5. Go to the BIOS and set the correct date and time
6. Hand the computer over to the FBI
It’s easy to do.
Or even better, do step 3 first.
The first time they boot, change the date and time in the bios to before the laptop was stolen. Access whatever they want. Set the date and time in the bios back to current. Then wouldn’t anything that was accessed look like it was the valid laptop owner? Plus no need to run any command that would update any files.
If you browse the files on any given computer for more than a few moments, you will realize that not all the files have the same access times.
Therefore, changing all of the a-times at once to the same date and time, even if that time were displayed as before the laptop was stolen, would be a sure indication of tampering and would alert authorities immediately.
“What if the bad guys did this?”
Why go to all that trouble? Boot the laptop from a Linux live CD, mount hda as read-only, then copy all the data to another machine over the network. No screws removed, no altered timestamps….
Hey, but they want to know if they accessed the files at all. Doing it your way of accessing every file at a previous date would be a sure giveaway that they have accessed the data and they are trying to hide the fact.
There was no need to remove the drive from the laptop to image it. Just use Knoppix or a similar Linux distribution to boot from CD and copy the drive image to another computer over the network.
a is correct. Low-level techniques to access individual files or even copy the entire disk would not leave a mark on the drive. Booting from a CD or USB drive would allow the computer to boot without accessing the hard drive, except for the boot sector. The drive could then be imaged and uploaded to who knows where.
In my experience and opinion, there is no way it can be known for sure that the records have not been leaked. If evidence is found that they have been, then that proves that. But if no evidence is found it could mean that there was no leak, or that the thieves simply know what they’re doing.
Stolen VA laptop – CheckPoints take on the forensic analysis
The Internet Security Zone Blog (a blog by CheckPoint/Zone Labs, the makers of Zone Alarm) take a look at how the FBI might be investigating the stolen and recovered VA laptop to determine whether it was accessed.
While the reports that the dat…
Sorry, I realized I’m slightly incorrect above…
The hard drive would not be accessed at all if you booted from a CD or USB key.
hi Pau Garcia/Erik,
If all the files and directories have changed their timestamps, would that FACT itself not give a clue to the investigators? The fact that all the file dates were touched would indicate that somebody did INDEED touch it and is also trying to cover up.
The investigators want to know if anybody accessed the system and if yes, which files.
If you’ve ever tried to do something like that, it takes more than 1 second to touch all the files in the system which means that all the files will NOT have the same timestamp.
It appears that the best way to do the *crime* is as the article suggested — remove hard drive and copy contents in read-only mode.
BR,
~A
Using the registry, I always turn off the A time file modifier. Using this trick you don’t even need to jump through hoops with the neat linux suggestion. Just copy the data and turn the A time file modifier back on.
“Using the registry, I always turn off the A time file modifier”
But by that time a number of system files would already have been touched, so the investigators would know the system had been booted. Using the linux tricks there would be no indication that the machine had even been powered on during the time it was missing
I agree with the Linux CD option, but how about Ghost with a sector-by-sector copy to another drive? Then put that drive in another system to evaluate the data. You can do this over USB and make it effectively an identical copy of the drive rather than copying files. This is quite scary because the thief could sit on the data for a year or so after the free credit checks expire and use the data to steal the identities of Vets. With the FBI saying the data looks like it wasn’t accessed, people will be lulled into thinking everything is ok. By that time leads are cold, attention is no longer focused on what was stolen. People have short memories I am afraid… There are only two possible options here for the type of thief: a two-bit criminal with no idea what he had, or a sophisticated thief that had his eyes on the particular data for a while and knew where to get it, and covered his/her tracks very well.
In regards to the booting from a Linux live CD. I am curious to know, what if:
1) They had an encrypted FS? Sure taking an image of it would be useful, but how much computing power would you need to crack it? A lot in fact.
2) What if the BIOS was locked and configured to boot from, and only from, the internal HD? Removing the HD would be the only option. Some notebook BIOSes are next to impossible to break into without the password. I had a friend who lost his; he had to physically modify his Thinkpad in an attempt to recover it (it worked).
Also, depending on the file system used, you would not have to even mount it as read-only; Linux mounting tools have a “noatime” option, which disables the a-time attribute of a file. I am not sure if Windows has this ability outside of using the registry.
Better yet, just pxe boot the unit over a private lan and copy the image.
> “These properties are often called MAC-times (Modify, Access, Change)”
Wouldn’t it make more sense if this stood for “Modify, Access, and Create”? …being that “modify” and “change” are synonymous and sometimes it is interesting to know a file’s birthday…
“They had an encrypted FS?”
You wouldn’t attack the EFS directly but rather go for the ‘easy target’ of pulling the SAM and brute forcing the user’s password.
“What if the BIOS was locked and configured to boot from, and only from the internal HD?”
This would be the biggest obstacle, and would require removing the drive from the machine. Surgical rubber gloves, plastic screwdrivers, jar of threadlock and patience should make it difficult to detect
If they used encrypted hard drives (with strong encryption) there wouldn’t be such a fuss about the whole story.
With 512 bit AES or Blowfish encryption and a strong password/authentication token the damage would have been just the lost $2000 for the laptop…
Response: “1) They had an encrypted FS? Sure taking an image of it would be useful, but how much computing power would you need to crack it? A lot in fact.”
With an encrypted FS, the computing power would have to be very large. The question is how many bits the encryption uses. 64-128 bit encryption would take months to crack on a large CPU-based system. If this individual knew what he had and did something with it, based on all the bad scenarios, that would give him the time he needs to crack the encryption.
ATA drives can be password protected. This means that if the drive is moved from one machine to another it would not matter. This would require the drive being “sent in” to a data recovery specialist to have the password removed. They would definitely want to know what is on the drive and I am sure all the companies that have the tools to do this are in with the gov. Here is some info to get you started: http://www.dataclinic.co.uk/password-protected-hard-drive.htm
Umm…If ANYONE will recall the original story….a VA laptop AND external hard drive was stolen.
My guess is that the database (given its size) was probably actually on the external drive.
That would mean that there would be no need to remove any screws, no fingerprints, just hook the drive up read-only…no evidence.
I would just take the HD out, make an image copy (I typically use Norton Ghost). Pop the original HD back in and just use that image.
@b: Wouldn’t it make more sense if this stood for “Modify, Access, and Create”?
The post is correct, the “Change time (ctime) is the time of last change of file status, such as permissions or ownership.” See: http://en.wikipedia.org/wiki/MAC_times
-QUOTE- Mario Lenz
“With an encrypted FS, the computing power would have to be very large. The question is how many bits the encryption uses. 64-128 bit encryption would take months to crack on a large CPU-based system. If this individual knew what he had and did something with it, based on all the bad scenarios, that would give him the time he needs to crack the encryption.”
-END QUOTE-
No no no…
By using dm-crypt, they could have encrypted the entire hard drive, and it wouldn’t be very slow (assuming you are not using this laptop as a server!). dm-crypt uses 256-bit AES to encrypt the data. This is the same level of encryption used on your bank’s website — and that data is far more available to hackers.
dm-crypt uses cipher-block chaining to encrypt the drive, so even with the key you need the whole drive (i think).
Your assessment that 128-bit encryption is easy to crack is ridiculous. 2^128 is a massive number. Here is an example:
Assume a computer today can test 65,550 keys per second, which is about right (that’s 2^16 roughly). If we took a million computers that are each 1,000 times faster than a computer today, it would still take 166,933,412,000,000,000 years to test all keys. That is longer than the existence of the universe. Now, this is all beside the point that 256-bit encryption is 128 orders of magnitude larger than a 128 bit key. Each order is TWICE the number of keys.
In short, NO. An encrypted file system can NOT be brute forced in a reasonable amount of time. The weaknesses in modern encryption are not due to brute force testing all possible keys… that is not practical. Rather, current encryption schemes are broken due to weaknesses in other areas (not enough bits in the key, weak password, weak IV, flawed encryption algorithm, etc).
The math in my numbers is here: http://www.google.com/search?hl=en&lr=&safe=off&c2coff=1&client=safari&rls=en&q=%28%28%282%5E128%29+%2F+%28%282%5E16%29*1%2C000%29%29+%2F+1%2C000%2C000+%29+%2F+%283600*24*360%29&btnG=Search
Interesting theories/ideas. But most of you aren’t taking into consideration the thief factor. Thieves don’t typically steal laptops for data. They steal them for the hardware to sell. Standard investigative techniques will be the best indicator of the reason for stealing the laptop. If a 49 year old drug addict stole the laptop, MAC times with supporting evidence will probably be sufficient. If a 49 year old computer expert with a history of identity theft stole the laptop, very different techniques would need to be used. Without more information on the thief you don’t know if you’re way over-thinking the issue.
But just for the conversation value, if the database was indeed on the external drive, it likely has a USB or firewire connection. Both of them, when connected to a windows machine, create a registry entry when connected identifying the drive. These registry keys include model and/or serial number information for the external drive and stay even after the drive is removed and the machine rebooted. Mac and Linux machines leave similar traces, though not as easily located. Unless of course the CD boot option was used, which is by far the best way to go. But, again, you would have to consider your thief.
I also haven’t seen anyone discuss an exam of the pagefile.sys file. Any database copy will surely be partially paged. Since most users don’t utilize the wipe pagefile at shutdown it can provide a wealth of information.
A couple comments about some previous comments:
Calling the ctime “Change” instead of “Create” makes more sense (on a unix fs) because it refers to when the _inode_ was _changed_ (create, link/unlink, mode change), not when the _data_ was _modified_.
With regards to encryption, cipher-block chaining doesn’t chain every block on the disk to the previous block (think about this for a second and you’ll realize it’s just not remotely practical), it chains the cipher’s blocks (128-bit in AES) together within a larger block on the disk (several kilobytes). Also, people have stated that brute-forcing even AES’s weakest key length is practically impossible, that might not be necessary, since encryption software generally uses a passphrase to generate the real key with a hash or another encryption. If they didn’t pick passphrases carefully, they may be vulnerable to dictionary attacks
Regarding the encryption brute-forcing theories and the millions of years it would take to break the code and the impossibility of doing so, let me remind you that that’s only a theory for the worst-case scenarios.
If you have a one-letter password it would take 26 attempts to brute force it, for sure. But if the password was C it would take only 3.
Encryption keys are either based on the user’s password, where a dictionary brute force can help, or they are random, in which case it could take 1 second or really millions of years.
And don’t forget there’s no unbreakable encryption – there are always flaws there to be discovered
This is a very interesting conversation, but I don’t see why anyone would go to the trouble of covering their tracks in this instance. It’s like stealing a car and trying to hide the fact that you used the radio. That they recovered the laptop at all and there was any data intact tells you a lot about the thief. Now, if they broke into an office to access the data and wanted to leave the hardware in place so nobody would be the wiser… then I can see this. But when somebody actually removed the equipment from the premises long enough for it to be noticed as missing? I don’t see that the thief would care.
Thank you for the more detailed forensic analysis. The one thing I was unsure of was if copying could be detected (through log and disk analysis) in the case of a hard drive being pulled and copied without recourse to booting the laptop. I know it’s difficult to judge what might have happened with the laptop since the details are being kept out of the news.
While I’m nearly certain there wasn’t encryption the list of things we don’t know is staggering. Primarily the OS and its set up (what version, what updates, what logging), also whether or not this machine had ever been serviced since the sale (had it been opened before – I think that would obscure some recent signs of entry), etc.
In this case we end up having to rely on what the FBI tells us. Which may be the truth or it may not – depending on the investigation and what they’re trying to find. It’s a mess that’s for sure. Anyhow, thanks for the insight. I’ve got to say that computer forensics is a fascinating subject.
I guess this page got slashdotted. The comments are inane.
Timestomp renders all file times useless in a forensic investigation, NTFS included. Nuff said.
http://www.metasploit.com/projects/antiforensics/
Why not copy all the data you want and dump the hard drive on the bottom of some lake along with the laptop encased on concrete. Why even return the computer? What’s the point of that?
I can assure you, when my EFS enabled laptop had a progressive drive failure, it was EASY to recover the encrypted files.
The only “secret” I needed was my login password – which could be cracked with L0pht or JtR. Then you in turn use the key files to decrypt the files.
MS have a KB article on it, and even a utility that prompts for your password and then imports the ‘old’ key, so you can decrypt your files on a different system.
Oh, and hey, just boot BackTrack on the laptop, and the only trace of access will be the hard drive SMART cold/warm start attributes, which no OS I know of actually utilises – which is a pity because that being recorded (securely, somehow) by the OS would give a neat flag “Warning – this system was cold/warm started, but the OS was not started.”
Again, there is a paper on SMART forensics and this kind of anti-forensic attack available through google
[the author notes that a copy of the disk can never have the same smart attributes, and this can be used as part of the crypto key to ensure that only the REAL disk, not a copy, can be used to successfully decrypt data, neat eh?]
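As an added illustration of the SMART point made in the comment above (my own example, not the commenter’s code and not smartctl’s real output), here is a comparison of two smartctl -A style attribute readings for the same drive. A drive keeps its own power-cycle and power-on-hours counters, so a live-CD boot or an out-of-machine imaging session that leaves the file system untouched still advances them. The check only helps if an earlier reading of the same drive exists (from monitoring or an inventory pass), which is the gap the comment complains about; both readings, the plain-integer raw values and the OS boot count are constructed.

```python
"""Added example, not the commenter's code and not real smartctl output:
compare two 'smartctl -A' style attribute tables for the same drive and
report power cycles the operating system never logged.

Both readings and the OS boot count are constructed. Column layout assumed
from smartctl: ID# NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW,
with plain integer raw values (some firmware prints hours as '2644h+33m').
"""

# Constructed reading taken before the theft (e.g. from routine monitoring).
BASELINE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   099   099   000    Old_age   Always       -       1188
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       2644
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       1201
"""

# Constructed reading taken from the recovered drive.
RECOVERED = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   099   099   000    Old_age   Always       -       1190
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       2649
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       1203
"""

# Constructed: boots of the installed OS that its event log shows between
# the two readings.
OS_BOOTS_LOGGED = 0


def parse_smart_attributes(text):
    """Map attribute name -> raw value for lines shaped like smartctl -A rows."""
    attrs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 10 and parts[0].isdigit():
            attrs[parts[1]] = int(parts[-1])
    return attrs


def drive_activity(baseline_text, current_text, os_boots_logged):
    """Return counter deltas and the drive power-ups the OS cannot account for.

    A positive 'unlogged_power_cycles' means the disk was spun up without
    the installed OS booting: a live CD, a USB enclosure, or another host.
    A copied image carries none of these counters, which is why they are
    worth reading from the physical drive before anything else is done.
    """
    before = parse_smart_attributes(baseline_text)
    after = parse_smart_attributes(current_text)
    cycles = after["Power_Cycle_Count"] - before["Power_Cycle_Count"]
    return {
        "power_cycles": cycles,
        "power_on_hours": after["Power_On_Hours"] - before["Power_On_Hours"],
        "unlogged_power_cycles": cycles - os_boots_logged,
    }


if __name__ == "__main__":
    print(drive_activity(BASELINE, RECOVERED, OS_BOOTS_LOGGED))
```

In the constructed readings the drive was powered up twice and ran for about five hours while the installed OS recorded no boot at all, which is consistent with the live-CD or external-enclosure copy the thread describes and is invisible to any file-system timestamp.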
This whole exercise is all about MONEY.
If the government can somehow ‘prove’ that the data wasn’t accessed — they don’t have to pay the $100 for each person to check and put a fraud watch on their credit records.
26 million people at $100 each is a pretty strong incentive to do whatever is necessary to avoid having to pay.
Boot the laptop with Knoppix. DD the entire hard-drive out to a network device.
Folks we’re missing the big legal picture.
You can’t (legally) document a negative. In other words, you can not with any degree of authority guarantee that the data was not accessed.
I’m inclined to think if someone was foolish enough to have such a database on their laptop, and careless enough to lose it that there wasn’t any extra ordinary measures in place to safe guard the data.
Even if it were, even if it were 128 bit encryption, an inexpensive parallel processing cluster could brute force that in well under a year. As others have noted, anyone realizing the data they happened upon would not be foolish enough to use it right away, they would wait a year for the free credit checks to expire.
A common thief would immediately turn on the laptop to see if it functioned then pawn it. This would be detected.
Someone who knew what they were taking would not.
Or, the laptop was never stolen to begin with.
If the FBI is indicating no access times were changed, it can only be one of the last two possibilities.
I think you’ll find the final announcement by the FBI to be very carefully worded, as in “It does not appear to have been accessed”. If the FBI proclaims that it definitely was not accessed, and thousands of vets become victims of identity theft – there goes the credibility of the FBI forensics team.
Either way, what a sad (and sadly avoidable) mess.
Who cares about the LAPTOP. It was the external hard-drive that contained the VA database records.
So, again, don’t need to worry about taking that thing apart. Can you ever really tell if someone plugged in a USB harddrive, booted with linux, mounted read-only, and copied the data?
Yosemite got close to the point. If the laptop was taken by standard Joe, it is likely to have been powered on and timestamps will attest to that. It is entirely possible that standard Joe has tried a good few login attempts which, if configured, will show up in the event logs. If there is evidence of this, but no time-stamping on the data, it is possible to elicit a nice warm fuzzy feeling that the data has not been accessed.
BUT, as was mentioned above, the data was almost certainly stored on the external HDD. I find it unbelievable, given all the press around this case, that SOMEONE (either Joe or his technically competent friend) would have /tried/ to access the database. Yes, with all the Linux tools (NTFSDos would do), it would be very possible to copy the data without detection.
So, let us assume that an external element has the data. This raises the question as to whether the data was encrypted or not. Encrypted data could be subject to a dictionary attack and may succumb fairly quickly. If the dictionary attack does not work it is likely to be a nice strong password. Excellent. So, did the VA insist that the contractor learn the password before leaving their premises or did the laptop leave with a post-it?
Now, put yourself in that contractor’s shoes. You’ve written down the password to all that data, you’ve had your laptop stolen. Are YOU going to admit to having the password go with it?
CSI: Laptop
The FBI recovered that laptop stolen from an employee of the Veterans Administration, and the agency says their computer forensics guys are certain that the sensitive data on the laptop hasn’t been compromised. How do they know?…
>This is a very interesting conversation, but I don’t see why anyone would go to the trouble of covering their tracks in this instance…
If the victim believes that the data wasn’t accessed/copied, then the victim won’t bother to protect it, or see if their credit is messed up.
It is in the interest of the administration to pretend that the data wasn’t accessed to draw attention away from bad data protection policies.
A smart thief would have done what is mentioned above, and in addition, they’d wait a year or more before using the data to engage in “identity theft.” After all, the administration made a big deal about providing only 1 year’s worth of credit watching.
Finally, given this administration’s record of lies about Iraq, did this laptop really get turned in? Or is it really still out there? Is this another case of Rumsfeld saying “we know where the WMD are located” while there are none?
Better yet. Think down to the levels of hardware here. Don’t you think with the size of hardware keystroke loggers and data miners that it’s possible they put security at the embedded hardware level? A single-board PC mounted elsewhere in the chassis that runs off battery power or runs pre-POST tasks like starting embedded heartbeat trackers in the NIC’s firmware and the BIOS (whenever connected to an ethernet port, sends out a beacon of IP, etc….), which is probably how they caught this guy.
Forensic analysis of the stolen laptop
The Internet Security Zone Blog published an interesting article about the FBI forensic analysis of the stolen veterans administration laptop that was recently recovered.
…