At the beginning of December, some bloggers revealed that a sensitive TSA document had been made public because someone at the TSA didn’t understand how to properly redact an electronic document.
Now, we are learning about a couple of other clumsy moves the TSA has made regarding technology.
On New Year’s Eve, the TSA dropped two subpoenas it had issued a few days earlier against a couple of Internet bloggers.
This article by Alison Grant from The Plain Dealer provides even more information about the initial subpoenas.
Now, there’s already plenty of flak flying back and forth in the blogosphere about whether the TSA’s actions were heavy-handed, if Frischling and Elliott’s civil rights were violated, and if the TSA is targeting bloggers to get back at them for the aforementioned embarrassment. And, just in case they ARE targeting bloggers, I’ll be leaving those topics alone.
What I DO want to talk about are a few details from the story that jumped out at me as a computer forensics examiner.
The story says that the TSA agents tried to image Frischling’s hard drive during their initial visit but were unable to do so.
Why couldn’t they manage to image the drive on their first visit? Either they had a problem with the imaging equipment or a problem with the laptop drive. If you’re going to be imaging computers in the field, you should have a backup for every device, so that should eliminate problems with the imaging equipment. And a simple laptop drive certainly shouldn’t present any major difficulties for even a beginner examiner.
The agents returned the next day and took his laptop with them for imaging.
Wow, sneaky.
If there was anything incriminating on the drive when the agents left on Tuesday, it certainly wasn’t there on Wednesday when they came back!
When his laptop was returned it had developed some technical problems. The TSA’s Deputy Drennan apparently acknowledges these technical issues and has promised his administration will help resolve them.
What are these guys using to duplicate the drive, a hammer and chisel?!?
Frischling lists several problems with his computer after it was returned to him, and the TSA not only doesn’t have any counter to this claim, it acknowledges the problems. This seriously calls into question the procedures and tools the examiners used as well as the validity of any evidence they might have recovered. A proper computer examination uses tools (hardware and software) and procedures that never alter the original evidence. If the original evidence is altered during the examination, defending any findings from that examination becomes difficult if not impossible.
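The usual way to show that an examination left the original untouched is a hash comparison. The sketch below is an added example, not taken from the story or from any agency's tooling: it hashes the source before and after imaging and checks the image against it. The file names and sample data are constructed, and a real acquisition would also put a hardware write blocker in front of the drive.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large drive never has to fit in memory


def sha256_of(path):
    """Hash a file or block device, opening it read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as src:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image):
    """Copy source to image and return the hashes an examiner would record."""
    before = sha256_of(source)            # state of the original before it is touched
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    after = sha256_of(source)             # state of the original once imaging is done
    image_hash = sha256_of(image)
    return {
        "source_before": before,
        "source_after": after,
        "image": image_hash,
        "source_unaltered": before == after,   # False means the process changed the evidence
        "image_matches": image_hash == before,  # False means the copy is not faithful
    }


def demo():
    """Image a constructed 'drive', then simulate a tool that writes to the original."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "evidence.bin")   # constructed stand-in for a drive
        with open(source, "wb") as f:
            f.write(b"constructed sample sector data\n" * 4096)
        report = acquire(source, os.path.join(work, "image.dd"))
        with open(source, "ab") as f:                 # a single stray byte written afterwards
            f.write(b"\x00")
        return report, sha256_of(source)


if __name__ == "__main__":
    print(demo())
```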
I’ve known many computer examiners who worked for government agencies and I can say this is absolutely NOT the norm. Most of the investigators I’ve known, both government and private sector, have been excellent, and these types of mistakes would be unthinkable for them or their agencies.
However, if these statements are true, they become just the most recent in a series of events that together paint a troubling picture of a TSA that is woefully out of touch with technology and simply not capable of taking on the crucial duties assigned to it.
Appointment of a permanent administrator for the TSA certainly seems like an important step towards addressing the situation; however, this appointment has been held up in the Senate since September.