Data on stolen VA Laptop not accessed?

After forensic analysis of the previously stolen VA Laptop,

the FBI

claimed it has “determined that the data base remains intact and has not

been accessed since it was stolen”.  This

is a very interesting statement; questions of how the FBI would be able to

determine this have started to be asked. 

While reading an article on Slashdot I found this interesting

discussion of the possible steps which the FBI would have taken to analyse

the Laptop and data.


  1. Physical

    examination – Checking the casing for fingerprints, screws for signs of

    use and even the hard disk for signs of removal (fingerprints).
  2. Digital

    examination – This would focus on the file access times (a-times), if

    these were dated after the laptop was stolen, the data has been accessed.


The problem is, neither of these method can be called

reliable.  If the Laptop was stolen by

professional fraudsters, specifically for the purpose of identity theft, they

would be well prepared.  Physical

examination can easily be cheated, latex gloves and plastic screwdrivers being

the tools of choice.  However, there is a

method of stealing the data without opening up the computer, or even booting

from the hard disk (therefore meaning a-times will not be altered at all)—by

simply booting from a Linux live CD like Knoppix, the internal hard disk can be

mounted as read only and then an exact copy made to either a removable disk or

network share.  The duplicate disk could

then be used to access information and the Laptop returned to the


The first thing the FBI will do is make a 1:1 duplicate of

the disk so that investigative work does not have any effect on the

original.  I really don’t know why they

think a professional data thief would do any different.