Re: (article) "We recovered the laptop!" ... so what?

["B.K. DeLong" <bkdelong () pobox com>]

We should come up with a canned response to send spokespeople anytime
they're quoted in an article as saying the laptop was recovered and
"it appeared none of the data was affected".

On 2/12/07, Max Hozven <mhozven () tealeaf com> wrote:
> Or boot up on a Symantec Ghost boot disk, then blast the data over to a
> network drive or a connected USB drive.
>
> -Max
>
> -----Original Message-----
> From: dataloss-bounces () attrition org
> [mailto:dataloss-bounces () attrition org] On Behalf Of sawaba
> Sent: Sunday, February 11, 2007 9:09 PM
> To: blitz
> Cc: dataloss () attrition org
> Subject: Re: [Dataloss] (article) "We recovered the laptop!" ... so
> what?
>
> You don't even have to mess with mirroring it. You can create a Linux
> boot
> disk, specifically set up with scripts that search for juicy data, and
> then upload them to your server over Wi-Fi. On a fairly new laptop, you
> should have data (if there's any data to be had) within 30 minutes.
> You'll
> be done in an hour or two unless there is a huge amount of data you want
>
> to grab.
>
> And because you are mounting the Fat32 or NTFS volume read-only, no
> dates
> (or any other data for that matter) are changed. Ta-da, look ma, noone
> touched it.
>
> --Sawaba
>
> On Sat, 10 Feb 2007, blitz wrote:
>
> > How much trouble to set the date and time before the copy as well? and
> then
> > back?
> > Love USB 2.0....
> > As you and I know, mirroring the drive makes no changes  to it. I
> think
> > they're blowing smoke out their posterior porthole, HOPING it wasn't
> > accessed. Sure the screws weren't tampered with....right...ever seen a
> nylon
> > screwdriver? Ive got a toolbox with perhaps a dozen, regular, Phillips
> and
> > Roberts.
> >
> > At 00:15 2/10/2007, you wrote:
> > > Wow, I've done my share of forensic investigations, and for the FBI
> to
> > > make this kind of claim is more than a little embarrassing. I
> remember
> > > reading the story when it originally came out, rolling my eyes, and
> moving
> > > on.
> > >
> > > Now that I take a closer look, it seems even more ridiculous, in part
> > > thanks to their official press release:
> > > http://www.fbi.gov/pressrel/pressrel06/laptop071306.htm
> > --snip
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
> Tracking more than 146 million compromised records in 570 incidents over
> 7 years.
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
> Tracking more than 146 million compromised records in 570 incidents over 7 years.


-- 
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in 570 incidents over 7 years.