From: Dennis Dow (dennis mybesteducation.com)
Date: Tue Jan 27 2009 - 10:55:38 CST
To clarify what a forensic examination can and cannot suggest about data
loss. When data are copied from a hard drive using the OS running on
the hard drive, an examiner can identify a number of indicators that the
data were copied. If the same drive is connected as a slave drive
running under another operating system there may be no indicators that
the data were copied or viewed. If the drive is copied using a write
blocker or drive duplicator, there will be no indicators that the data
were copied. It is reasonable to believe that the average thief
wouldn't know to take these unusual measures. I would contend that it's
unreasonable to exclude the possibility, however, since not all thieves
are average.
As to the issue as to why the laptop was abandoned on a bus and not
pawned, I can only guess. Since there will be more investigation, it
seems wise to wait for additional information.
Dennis Dow, CISSP, CCE
Seahorse Security LLC
Stefan Wahe wrote:
> Living in Madison and working in IT Security, I do know that Madison
> Police Department has a unit that conducts IT forensics on electronic
> devices. They have the appropriate staff, resources and training to
> make such determinations. Additionally they have state and university
> resources at their availability with more than adequate training and
> experience in IT forensics. I am aware of this because I have had the
> opportunity to observe and work with them on other IT Security related
> issues.
>
> I hope this addresses your questions regarding the professionalism of
> the Madison Police Department. Please remember that this is a public
> forum and casting such doubts is not beneficial for those who are
> working towards solutions in preventing data loss. As a CISSP I hope
> that you are supportive of your colleagues in these efforts.
>
> My question is if the thief was interested in stealing sensitive
> information off the device, would they then leave the device on city
> bus? What is their motivation in that action?
>
> Stefan Wahe
> _________________________________
> Stefan Wahe
> University of Wisconsin - Madison
> DoIT Applications and Information Security
> smwahe wisc.edu
_______________________________________________
Dataloss Mailing List (dataloss datalossdb.org)