US INTERESTING COMMENTS ABOUT ABILITY TO DETERMINE WHETHER OR NOT A STOLEN COMPUTER HAS BEEN ACCESSED BY THIEFhttp://www.rant-central.com/article.php?story=20060914170634681

Acute Clue Deficit Syndrome

Thursday, September 14 2006 @ 05:06 CDT
Contributed by: Roy

Back in May, the Department of Veterans Affairs lost track of some data on 26 million or so veterans. The VA sent me a (form) letter apologizing and cautioning me to watch my identity details and credit report for signs of nefarious behavior.

Today, I got a second letter. It says the laptop and hard drive were found (yeah, we know), and the FBI is confident that the personal data were never accessed. How can they know that with such certainty?

They can't.

Operating systems often leave traces when they access files, but that assumes that the operating system installed on the machine in question is used to "access the data". Yep, if the thief is good enough to get XP booted on that li'l bugger, any looking around he does will leave marks. So the good data thief makes an untraceable copy with nothing more than a live Linux CD, a spacious USB external hard disc and a single command.

dd if=/dev/hda of=/mnt/sda1/chump_dump.img bs=1M

OK, you have to format the USB drive as ext2 or some filesystem that handles really large files, but you get the drift here, right? No specialized black-magic tools or lab coats necessary. Just burn a copy of your favorite live-CD distro and away you go!

Whenever one of these Data Loss "victims" makes the claim that the data were retrieved "unaccessed", they're simply trying to cover their liabilities.