Re: [Dataloss] follow-up: Stolen city laptop recovered; workers' personal data not accessed

From: Ray, Scott (Scott.RayCCA-US.com)
Date: Tue Jan 27 2009 - 16:37:49 CST


Ferdie,

This is untrue. I am shamelessly quoting hackaday.com here:

"Full drive encryption stores the key in RAM while the computer is
powered on. The RAM's stored data doesn't immediately disappear when
powered off, but fades over time"

Anyone can basically power down a system and boot it from a USB drive
and then make a copy of RAM. So much for disk encryption.

You can mitigate disk encryption hacks by doing several things, but
fully thwarting it ... not unless there is a change in hardware design
at the root.

-----Original Message-----
From: dataloss-bouncesdatalossdb.org
[mailto:dataloss-bouncesdatalossdb.org] On Behalf Of Ferdie Mazon
Sent: Tuesday, January 27, 2009 4:05 PM
To: datalossdatalossdb.org
Subject: Re: [Dataloss] follow-up: Stolen city laptop recovered;workers'
personal data not accessed

"There is no indication the data had been abused" is a true statement.
"The data had not been accessed" is not a true statement because it is
not possible to know.

A $99 Whole Disk Encryption product could have averted the whole
situation. Unless, of course, the laptop had a Post-It with the
encryption password.

-----Original Message-----
From: dataloss-bouncesdatalossdb.org
[mailto:dataloss-bouncesdatalossdb.org] On Behalf Of DAIL, WILLARD A
Sent: Tuesday, January 27, 2009 10:27 AM
To: datalossdatalossdb.org
Subject: Re: [Dataloss] follow-up: Stolen city laptop recovered;workers'
personal data not accessed

Doesn't risk management play into this as well though? Yes, true, one
could argue the likelihood of any number of possibilities, both probable
and remote. However, if a suspect is a known common thief, the laptop
is recovered, no malware is found to be installed on the system, then
most likely the device was stolen to be sold as a piece of hardware.
Perhaps one cannot argue beyond a reasonable doubt as to what happened,
but I personally would have no problem stating there is no indication
the data had been abused.
 
The law of parsimony does come into play for some of this (in my
opinion).

________________________________

From: dataloss-bouncesdatalossdb.org on behalf of Chris Walsh
Sent: Tue 1/27/2009 11:09 AM
To: datalossdatalossdb.org
Subject: Re: [Dataloss] follow-up: Stolen city laptop recovered;workers'
personal data not accessed

The general point, which has been made many times on this list, is that
it is not possible -- even with the greatest of forensic skills -- to
make a technical determination that the information was not accessed.
It just cannot be done, period. Ironically, if it were not possible to
copy the data in a manner that didn't alter the disk, the police
themselves would be unable to gather evidence, since by the very act of
doing so they would be changing it!

Now, this may be sloppy reporting, and certainly the laws of physics
apply to the police, so this is in no way a criticism of them. It's
just the way it is. Had the report said "Based on the circumstances of
the case, their knowledge of local crime patterns, and results of
forensic examination of the laptop, police are nearly certain the data
was not accessed following the theft", I think there would be much less
questioning. Such press reports are rare, unfortunately.

On Tue, Jan 27, 2009 at 8:37 AM, Stefan Wahe <smwahewisc.edu> wrote:

        Living in Madison and working in IT Security, I do know that
Madison Police Department has a unit that conducts IT forensics on
electronic devices. They have the appropriate staff, resources and
training to make such determinations. Additionally they have state and
university resources at their availability with more than adequate
training and experience in IT forensics. I am aware of this because I
have had the opportunity to observe and work with them on other IT
Security related issues.

_______________________________________________
Dataloss Mailing List (datalossdatalossdb.org)

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml