From: security curmudgeon (jericho attrition.org)
Date: Wed Jan 28 2009 - 01:20:19 CST
I realize Dave proclaimed the thread dead, but..
: Living in Madison and working in IT Security, I do know that Madison
: Police Department has a unit that conducts IT forensics on electronic
: devices. They have the appropriate staff, resources and training to make
: such determinations. Additionally they have state and university
: resources at their availability with more than adequate training and
: experience in IT forensics. I am aware of this because I have had the
: opportunity to observe and work with them on other IT Security related
: issues.
The media invariably uses terminology like this. Law enforcement or
companies suffering breaches speak in absolutes. The simple fact is, a
smart criminal that wants to remove data from a computer w/o leaving a
trace, can do so. Years ago we (the heathens running datalossdb)
speculated that as criminals began to understand the value of such
information, the more likely we would see 'odd' crimes where a computer
was stolen and then miraculously found days or a week later, with no
visible signs of damage or data access. What better way to potentially
steal tens of thousands of dollars worth of information (much more
valuable than a few hundred from pawning the laptop), and not raise any
suspicion for weeks or months (if ever)?
In this story, the laptop is stolen and then magically appears, no harm
done! What criminals, even the dumb ones, don't pawn / hide / destroy
stolen property? They may have a top notch forensics team, but I doubt
they have developed cutting-edge technology that allows them to say with
certainty, if data was or was not accessed.
With regards to 'forensic certainty', this has been covered before:
http://attrition.org/security/rants/forensics.html
"We recovered the laptop!" ... so what?
Wed Feb 07 21:55:51 EDT 2007
Jericho and Lyger
: I hope this addresses your questions regarding the professionalism of
: the Madison Police Department. Please remember that this is a public
: forum and casting such doubts is not beneficial for those who are
: working towards solutions in preventing data loss. As a CISSP I hope
: that you are supportive of your colleagues in these efforts.
I'm sure the Madison Police Department does a good job, within the limits
of their technical expertise and resources available. The officer who ends
up being a PR flack though, probably does not share the integrity of the
forensic examiners. The PR flack's job is citizen assurance. All is well!
Last, if being a CISSP means you blindly accept media articles and
'support colleagues' without question, renounce your certification
immediately. Even CISSPs are entitled to their very own thoughts once in a
while.
- jericho
_______________________________________________
Dataloss Mailing List (dataloss datalossdb.org)