Originally Posted by theNEOone
After reading the post of the FB hack and how the company 'does not believe that user data was compromised' I thought to myself, 'How do they know that to be true?'
I'm sure this is not the right analogy (which is why I'm posting here) but if someone were to break into my house and take pictures of my belongings or my bank statements, how would I know? Likewise, if someone hacked FB data and simply took screenshots or some other kind of screen capture (or file copy), how would FB know?
Note that FB's statement "does not believe that user data was compromised" is meaningless.
It is similar to "There is no evidence that the compromised data has been used in a crime," which is another meaningless statement.
All forensics, digital and physical, is based on Locard's exchange principle.
The two major computer forensic vendors are AccessData and EnCase. AccessData offers several certifications. You can find more information about them here. (Full disclosure, I've earned their ACE cert.)
Some schools offer digital forensics training, as do the vendors, as do SANS and the EC-Council. If you enjoy learning about systems, you might enjoy forensics.
What Facebook can discover about the intruders depends on several factors, including what ID or IPS controls they had in place at the time of the intrusion, as well as what happened to the compromised systems between the time of the compromise and the discovery of the compromise.
If you want to read something now, you could download NIST's Computer Security Incident Handling Guide.