Network World columnist Mich Kabay requested that the Norwich University Center for Advanced Computing and Digital Forensics perform a complete, unbiased investigation of the events leading up to the publication of the allegation that some Samsung computers contained a keylogger called StarLogger. I agreed to do that under the condition that Dr. Kabay and Samsung not be part of the investigation. In my view it is necessary to separate the facts of the issue so that they may be analyzed critically using appropriate technology. Both agreed, with minor exceptions that I will note in this report.
Before I start, it is important that readers understand why the Center in general, and I in particular, are qualified to conduct this investigation. The Center has, as its mandate, the responsibility for research and support for several advanced computing technologies, including digital forensics and investigations. Our tools are best-of-breed commercial tools, our environment is strictly controlled, and our security is maintained to avoid contamination. We conduct digital investigations routinely for Norwich University and such entities as the state of Vermont. My own background of nearly 50 years includes a PhD in digital investigation, the designations CISSP, CISM and FICAF, as well as decades of experience.
Samsung purchased two laptops from a retail location in New Jersey and flew them to Norwich University. They then conveyed the laptops personally to Dr. Kabay, who received them, and standard chain-of-custody procedures were followed. He confirmed that the manufacturer's security seal was still in place, added our own security seal over the factory seals without opening the sealed packages, logged the two computers by serial number into our system (which involves getting a chain-of-custody form signed) and locked the computers in our evidence locker. We retained the store's sales slip, which showed the two purchased computers by serial number.
When I returned to campus that evening after off-campus travel I confirmed that the security seals were still intact (we use a special tape that is nearly impossible to remove without visibly damaging the tape) and opened the first box. I recorded on a digital voice recorder the entire process of opening the box, removing the hard drive and taking forensic images using FTK Imager, current version, and appropriate write blocking. I locked the door to my forensic lab and left the program to complete. When it finished I performed the same task with the other computer. I then processed both images using FTK 3.2. The images are raw (dd) images, uncompressed. In neither case was the Samsung computer ever powered on.
Upon completing the case processing I checked both disk images – now processed into a single case file – for the presence of the files that make up the StarLogger distribution (the forensic tool can see inside cab and other archive files) as well as the presence of the default installation directory. None were present.
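The check described above (looking for the files and default directory of a named program across an image, including inside archives) can be reproduced in a simpler form without a commercial forensic suite. The script below is an added example, not code from the investigation or from FTK; it assumes the acquired raw image has already been mounted read-only at some path, and the indicator file and directory names it uses are constructed placeholders, because this report does not list the StarLogger distribution's actual file names or its default installation directory. It also looks inside zip archives with the standard library; cab archives, which FTK handles, would need an external tool.

```python
"""Added example: scan a read-only mounted filesystem tree for indicator
file and directory names, also checking member names inside zip archives,
and hash an acquired image for chain-of-custody verification.
The indicator names below are constructed placeholders, NOT the real
StarLogger file names (this page does not list them)."""
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path

# Constructed placeholder indicators (hypothetical, not StarLogger's real names).
INDICATOR_FILES = {"placeholder_keylogger.exe", "placeholder_hook.dll"}
INDICATOR_DIRS = {"placeholder_install_dir"}


def sha256_of_image(path):
    """Hash an image in chunks so the result can be compared with the hash
    recorded at acquisition time (proves the image was not altered)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, indicator_files=INDICATOR_FILES, indicator_dirs=INDICATOR_DIRS):
    """Walk `root` and return a sorted list of (location, kind) hits.

    Matching is case-insensitive because Windows file systems are.
    Zip archives are opened and their member paths checked as well."""
    hits = []
    files_lc = {n.lower() for n in indicator_files}
    dirs_lc = {n.lower() for n in indicator_dirs}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in dirs_lc:
                hits.append((os.path.join(dirpath, d), "directory"))
        for f in filenames:
            full = os.path.join(dirpath, f)
            if f.lower() in files_lc:
                hits.append((full, "file"))
            if zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    for member in zf.namelist():
                        base = os.path.basename(member.rstrip("/")).lower()
                        if base in files_lc:
                            hits.append((full + "!" + member, "archived file"))
                        # Directory components of the member path inside the archive
                        for part in member.split("/")[:-1]:
                            if part.lower() in dirs_lc:
                                hits.append((full + "!" + member, "archived directory"))
    return sorted(set(hits))


def build_demo_tree():
    """Construct a throwaway tree (stands in for a mounted image): one clean
    subtree and one subtree whose only indicator is buried inside a zip."""
    base = Path(tempfile.mkdtemp(prefix="scan_demo_"))
    clean = base / "clean"
    (clean / "Windows" / "System32").mkdir(parents=True)
    (clean / "Windows" / "System32" / "notepad.exe").write_bytes(b"MZ")
    dirty = base / "dirty"
    (dirty / "Program Files").mkdir(parents=True)
    with zipfile.ZipFile(dirty / "Program Files" / "setup.zip", "w") as zf:
        zf.writestr("placeholder_install_dir/placeholder_keylogger.exe", b"MZ")
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    print("clean subtree hits:", scan_tree(base / "clean"))
    print("dirty subtree hits:", scan_tree(base / "dirty"))
```

A negative result from such a scan is only as good as its indicator list and its archive coverage, which is why the report notes that the forensic tool could see inside cab and other archive files: an absence of hits on a tool that cannot open the installer's container would prove nothing.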
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.