June 29, 2006 at 9:16 PM ET
How can the FBI be sure that vets are out of the woods? After two months of fretting, will all 26.5 million veterans believe their data -- missing for two months -- never fell into the wrong hands?
By now you've probably heard that the Veterans Administration on Thursday announced it had found our country's most famous lost laptop computer. When combined with a companion portable hard drive, the missing hardware stored more than 26 million Social Security numbers and caused about two months worth of embarrassment for the federal government. But the prodigal hardware made its way to the FBI's Baltimore office on Wednesday. And that wasn't the only good news. Forensics tests produced the best possible results; the data had not been accessed, the FBI said.
For two months, veterans and current GIs were told to be extra vigilant about their credit reports. Now, are we to believe it was all just a false alarm? Are vets to believe their data is safe and sound? How can FBI computer forensics experts really be sure no one copied the data?
To answer that, I talked with Scott Larson, who spent 13 years as supervisor of the Computer Intrusion Squad at the FBI's Washington, D.C., field office. Now he's a consultant with the computer security analyst firm Stroz Friedberg.
The FBI has yet to release details of its forensic work in this case, but the process follows a standard pattern. Larson said that with the proper tests, the agency could be close to 100 percent certain the vets' data was safe. But he did leave the door open for a high-tech data heist that even the FBI couldn't detect.
Take an image
When the wayward hardware returned, Larson said, the agency would immediately take an "image," a bit-for-bit copy, of each hard drive involved, with the original write-protected so that the examination itself leaves no new traces. That lets agents examine the data without ever touching the original. Agents would then start looking, in places ordinary users never see, for digital footprints.
"In the system registry there is some information that is stored that normally users can't get access to," he said.
For example, agents would find the last time the laptop was "booted," or turned on. They'd also examine the metadata attached to the database file containing the personal information: its created date, modified date and last accessed date. Merely opening a file to read it can update its last accessed date, so if all of those dates predate the last time the computer was in the VA's possession, that's a good sign.
But it's not proof the information is safe. A clever criminal could set the computer's clock back before touching the file, so that any new time stamps would still appear to predate the theft. So agents also would need to look for evidence of attempts to change the computer's clock.
System logs and the registry also would show whether a USB drive had been plugged in and the data copied to it, or whether it had been written to a CD or DVD.
The experts also would look for signs that the file had been moved, or that log files had been deleted, by examining "unallocated space," the parts of the drive not currently assigned to any file, where the contents of deleted files linger until they are overwritten.
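The time-stamp part of that examination, as an added example in Python and not the FBI's or Stroz Friedberg's tooling: it walks a mounted image, collects each file's access, modification and change times, and flags anything later than the last moment the hardware was in legitimate custody. It also applies two checks for a manipulated clock that the paragraphs above describe only in prose: a time stamp later than the examiner's own clock, and, on POSIX filesystems, a modification time later than the inode change time (any change, including a forged mtime, moves ctime to the clock's then-current value, so mtime ahead of ctime means the clock lied). The sample file records, the custody cutoff date and the examination date are all constructed for the example and are not from the case.

```python
"""Timestamp triage for a recovered drive (added example, not FBI tooling)."""
from __future__ import annotations

import os
import tempfile
import time
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class FileTimes:
    path: str
    atime: float  # last access
    mtime: float  # last content modification
    ctime: float  # POSIX: last inode/metadata change; Windows: creation time


def collect_times(root: str) -> list[FileTimes]:
    """Stat every regular file under root without following symlinks.

    A real examination runs this over a read-only mounted forensic image,
    never over the original drive: reading a file can itself update atime.
    """
    records: list[FileTimes] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            records.append(FileTimes(p, st.st_atime, st.st_mtime, st.st_ctime))
    return records


def triage(records: list[FileTimes], cutoff: float, now: float | None = None) -> dict[str, list[str]]:
    """Classify files relative to the moment the hardware left legitimate custody.

    touched_after_cutoff: any stamp later than the cutoff, so the file was
        created, modified or merely opened while the hardware was missing.
    future: a stamp later than the examiner's clock, so the machine's clock
        was wrong or had been moved.
    mtime_after_ctime: on POSIX every change, including a forged mtime, sets
        ctime to the clock's current value, so mtime > ctime means mtime was
        written as a time later than the clock then read: a timestomping tell.
    """
    now = time.time() if now is None else now
    out: dict[str, list[str]] = {"touched_after_cutoff": [], "future": [], "mtime_after_ctime": []}
    for r in records:
        stamps = (r.atime, r.mtime, r.ctime)
        if any(t > cutoff for t in stamps):
            out["touched_after_cutoff"].append(r.path)
        if any(t > now for t in stamps):
            out["future"].append(r.path)
        if r.mtime > r.ctime + 1:  # one second of slack for coarse-grained filesystems
            out["mtime_after_ctime"].append(r.path)
    return out


def _ts(iso: str) -> float:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()


# Constructed sample; none of these paths, dates or files come from the case.
CUTOFF = _ts("2006-05-01T00:00:00")     # assumed: last moment the VA had the hardware
EXAM_TIME = _ts("2006-06-28T12:00:00")  # assumed: when the examiner imaged the drive
SAMPLE = [
    FileTimes("/vol/vets.mdb", _ts("2006-04-28T09:00:00"), _ts("2006-04-20T17:30:00"), _ts("2006-04-20T17:30:00")),
    FileTimes("/vol/Documents/notes.txt", _ts("2006-05-15T20:14:00"), _ts("2006-04-11T08:00:00"), _ts("2006-04-11T08:00:00")),
    FileTimes("/vol/copy.tmp", _ts("2006-04-22T10:00:00"), _ts("2010-01-01T00:00:00"), _ts("2006-04-22T10:00:00")),
]


def run_sample() -> dict[str, list[str]]:
    """Triage the constructed sample as of the assumed exam date."""
    return triage(SAMPLE, CUTOFF, EXAM_TIME)


def demo_live_scan() -> tuple[int, dict[str, list[str]]]:
    """Scratch run: two files written now, a cutoff ten seconds ahead, nothing flagged."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("a.txt", "b.txt"):
            with open(os.path.join(d, name), "w") as fh:
                fh.write("x")
        records = collect_times(d)
        ahead = time.time() + 10
        return len(records), triage(records, cutoff=ahead, now=ahead)


if __name__ == "__main__":
    for category, paths in run_sample().items():
        print(f"{category}: {paths}")
```

In the sample, the database file is clean, the notes file was opened two weeks after the cutoff, and the temporary file carries a modification time in 2010 that is both ahead of the examiner's clock and ahead of its own ctime. A clean result from this script is only as good as the assumptions behind it: the operating system has to be updating last-access times at all, and an attacker who imaged the drive with his own write-blocker, as Larson notes below, leaves none of these traces.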
But what if...?
If the laptop and the hard drive passed all those tests, it would be likely that the common house burglar suspected of taking the laptop hadn't accessed the files. But it's not possible to say that a craftier criminal, perhaps someone who bought the stolen equipment, didn't. After all, for two months we've all been discussing how valuable the data on that laptop is.
"It would be a very sophisticated crime," Larson said of that possibility. "They could use the same tools that FBI used to copy the hard drive, and the FBI would never know."
When applying his "gumshoe" logic, however, Larson said he thought that was highly unlikely.
"The investigator in me says 'no.' Somebody would have to go to great lengths to return it, a lot of trouble," he said. He thought such a criminal would be much more likely to destroy the hardware than leave open the possibility it could get back into the FBI's hands.
A true conspiracy theorist might conjure up this scenario: A smart criminal would realize the data would be more valuable if the victims believed that data was safe, as they'd be less vigilant. So returning the laptop would buy identity thieves extra time to turn the stolen information into money.
But that is fairly far-fetched. After all, such criminals have already had two months to print up fake driving licenses and credit cards. What would another few weeks get them?
Larson said he is "close to 100 percent confident" the data hasn't been accessed, "given the FBI's clean bill of health."
But that's not 100 percent, meaning vets who've received warning letters from the Veterans Administration would be smart to keep watching their credit reports for some time.