After forensic analysis of the previously stolen VA laptop, the FBI has
claimed it has determined that the database remains intact and has not
been accessed since it was stolen. This
is a very interesting statement; questions of how the FBI would be able to
determine this have started to be asked.
While reading an article on Slashdot I found this interesting
discussion of the possible steps which the FBI would have taken to analyse the laptop and data.
Physical examination: checking the casing for fingerprints, screws for signs of use and even the hard disk for signs of removal (fingerprints).
Examination of the file access times (a-times): if these were dated after the laptop was stolen, the data has been accessed.
The problem is, neither of these methods can be called
reliable. If the laptop was stolen by
professional fraudsters, specifically for the purpose of identity theft, they
would be well prepared. Physical
examination can easily be cheated, latex gloves and plastic screwdrivers being
the tools of choice. However, there is a
method of stealing the data without opening up the computer, or even booting
from the hard disk (therefore meaning a-times will not be altered at all): by
simply booting from a Linux live CD like Knoppix, the internal hard disk can be
mounted as read only and then an exact copy made to either a removable disk or
network share. The duplicate disk could
then be used to access information and the laptop returned to the authorities.
The first thing the FBI will do is make a 1:1 duplicate of
the disk so that investigative work does not have any effect on the
original. I really don't know why they think a professional data thief would do any different.
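
The a-time examination described above can be sketched as follows. This is an added example, not code from the Slashdot discussion or from any FBI procedure; the cutoff date, file names and the `ACCESSED`/`INCONCLUSIVE` labels are constructed for illustration. It reports files whose access time is later than the theft date, and treats an empty result as inconclusive, since a disk that was only ever mounted read-only and copied would look identical.

```python
import os
import tempfile
from datetime import datetime, timezone

DAY = 86400  # seconds

def files_accessed_after(root, cutoff):
    """Return sorted relative paths under root whose atime is later than cutoff."""
    cutoff_ts = cutoff.timestamp()
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the sweep
            if st.st_atime > cutoff_ts:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def assess(root, cutoff):
    """Later a-times show access; their absence shows nothing either way."""
    hits = files_accessed_after(root, cutoff)
    return ("ACCESSED", hits) if hits else ("INCONCLUSIVE", [])

def build_sample_tree(root, cutoff):
    """Constructed sample: one file last read before the cutoff, one after it."""
    cutoff_ts = cutoff.timestamp()
    samples = {"records.db": cutoff_ts - 30 * DAY, "notes.txt": cutoff_ts + 2 * DAY}
    for name, atime in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        # Set (atime, mtime) explicitly; mtime stays before the cutoff.
        os.utime(path, (atime, cutoff_ts - 60 * DAY))

if __name__ == "__main__":
    # Placeholder theft date; the real examination would use the actual one.
    cutoff = datetime(2001, 1, 1, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, cutoff)
        print(assess(root, cutoff))
```

In a real examination the sweep would run against a read-only mount of the duplicate image, so that the check itself does not update any access times.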