[Dataloss] (article) "We recovered the laptop!" ... so what?
sawaba
sawaba at forced.attrition.org
Mon Feb 12 00:08:49 EST 2007
You don't even have to mess with mirroring it. You can create a Linux boot
disk, specifically set up with scripts that search for juicy data, and
then upload them to your server over Wi-Fi. On a fairly new laptop, you
should have data (if there's any data to be had) within 30 minutes. You'll
be done in an hour or two unless there is a huge amount of data you want
to grab.
And because you are mounting the Fat32 or NTFS volume read-only, no dates
(or any other data for that matter) are changed. Ta-da, look ma, noone
touched it.
--Sawaba
On Sat, 10 Feb 2007, blitz wrote:
> How much trouble to set the date and time before the copy as well? and then
> back?
> Love USB 2.0....
> As you and I know, mirroring the drive makes no changes to it. I think
> they're blowing smoke out their posterior porthole, HOPING it wasn't
> accessed. Sure the screws weren't tampered with....right...ever seen a nylon
> screwdriver? Ive got a toolbox with perhaps a dozen, regular, Phillips and
> Roberts.
>
> At 00:15 2/10/2007, you wrote:
>> Wow, I've done my share of forensic investigations, and for the FBI to
>> make this kind of claim is more than a little embarrassing. I remember
>> reading the story when it originally came out, rolling my eyes, and moving
>> on.
>>
>> Now that I take a closer look, it seems even more ridiculous, in part
>> thanks to their official press release:
>> http://www.fbi.gov/pressrel/pressrel06/laptop071306.htm
> --snip
More information about the Dataloss
mailing list