Police took my Mac

matthew2ts

macrumors newbie
Original poster
May 15, 2014
18
0
As part of a Trading standards investigation my mac osx version 10.7.5 desk computer was seized. they had it for several months. i'm assuming they have all the info off it. i know the date they seized it and the date i got it back. i have opened console but how can i see what files have been copied?
at present can't see any activity on the dates it was missing.

btw it had the normal mac password i'm assuming this can be easily bypassed.

any thoughts?
 

Crichton333

macrumors 6502
May 4, 2014
342
32
As part of a Trading standards investigation my mac osx version 10.7.5 desk computer was seized.
Please explain?

They came into your company and seized hardware. Guess you were innocent when they gave it back. Also always encrypt your data, it's against the law to decrypt it even if they have your computer.
 

556fmjoe

macrumors 68000
Apr 19, 2014
1,604
903
They likely imaged the entire drive and now have their own copy of it.

Full disk encryption is your friend.
 

matthew2ts

macrumors newbie
Original poster
May 15, 2014
18
0
apologies if this is posted in the wrong section. i was thinking this was the operating system of my mac. Forgive my clouded thinking i'm not claiming to know anything at all!

is there a Police stole my mac section! Any help on correct section appreciated

i'm not looking to close the stable door just to find out what happened to my mac.


ok so they have the whole hard drive i can guess that.

but how can you prove it?
 

556fmjoe

macrumors 68000
Apr 19, 2014
1,604
903
apologies if this is posted in the wrong section. i was thinking this was the operating system of my mac. Forgive my clouded thinking i'm not claiming to know anything at all!

is there a Police stole my mac section! Any help on correct section appreciated

i'm not looking to close the stable door just to find out what happened to my mac.


ok so they have the whole hard drive i can guess that.

but how can you prove it?
I'm not sure what you're asking. Prove that they imaged your drive? It's impossible to prove what they did, but seizing a drive to use as evidence requires delicate handling to avoid disrupting timestamps on files, or making any other data changes. Just booting an OS changes many system files. A savvy lawyer could point out the differences in files as a way of dismantling their use as evidence.

Forensic tools can make an image that is frozen in time. This lets them search for what they want without altering anything by mistake. That is very likely what they did.
 

matthew2ts

macrumors newbie
Original poster
May 15, 2014
18
0
interesting.

ok we are all agreed that the contents of the computer have been copied.

i have legal files which should be subject to legal privilege which means they have to be treated in a different way etc.

So how can i tell what files have been copied?

we can assume they have been copied yes but is there a log that will show ALL files copied or just x yz files copied?
 

VI™

macrumors 6502a
Aug 27, 2010
636
1
Shepherdsturd, WV
Please explain?

They came into your company and seized hardware. Guess you were innocent when they gave it back. Also always encrypt your data, it's against the law to decrypt it even if they have your computer.
Are you sure about this? What if they have a search warrant?
 

556fmjoe

macrumors 68000
Apr 19, 2014
1,604
903
interesting.

ok we are all agreed that the contents of the computer have been copied.

i have legal files which should be subject to legal privilege which means they have to be treated in a different way etc.

So how can i tell what files have been copied?

we can assume they have been copied yes but is there a log that will show ALL files copied or just x yz files copied?
All of them. If they made a forensic image of the disk, it means they have everything. It's as if your computer is now sitting in front of them, frozen in time on the date that they took it.
 

matthew2ts

macrumors newbie
Original poster
May 15, 2014
18
0
so if they imaged (copied?) it's impossible to prove?

really? wow. so the contents of a mac can be copied and no trace is left of what happened?

Can i at least find out if it was turned on when it was in their hands?
 

556fmjoe

macrumors 68000
Apr 19, 2014
1,604
903
Are you sure about this? What if they have a search warrant?
It's legal for them to try to decrypt it on their own. If they took a fully encrypted drive, that's what they would try to do.

It's against the law to compel you to decrypt it for them, since that would be self-incrimination and would violate the 4th Amendment. Case law right now does not apply this protection to biometric only encryption solutions, at the moment.
 

matthew2ts

macrumors newbie
Original poster
May 15, 2014
18
0
btw yes they had a search warrant.

the password nothing special just the one that came with mac login
no problems getting past that? i'm not interested in finding out how one can bypass that password just want to prove that they can and did
 

556fmjoe

macrumors 68000
Apr 19, 2014
1,604
903
so if they imaged (copied?) it's impossible to prove?

really? wow. so the contents of a mac can be copied and no trace is left of what happened?

Can i at least find out if it was turned on when it was in their hands?
You could review system logs to see if it was powered on while in their possession. They would have imaged it before booting OS X though.
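
The log review suggested above, as an added example that is not part of the original post: any syslog entry stamped inside the custody window means OS X was running then, while an empty result says nothing about imaging done without booting. The custody dates and log lines are constructed; real input would be `/var/log/system.log` and its rotated archives, whose timestamps come from the machine's own clock.

```python
from datetime import datetime

# Constructed custody window (assumption): replace with the seizure and return dates.
CUSTODY_START = datetime(2014, 2, 1)
CUSTODY_END = datetime(2014, 5, 31, 23, 59, 59)

# Constructed sample lines in the BSD syslog layout used by system.log.
SAMPLE_LOG = [
    "Jan 14 08:02:11 imac kernel[0]: constructed entry before seizure",
    "Mar  3 10:41:57 imac loginwindow[52]: constructed entry during custody",
    "Mar  3 10:42:30 imac kernel[0]: constructed entry during custody",
    "Jun 20 18:15:00 imac kernel[0]: constructed entry after return",
    "\tcontinuation line without a timestamp",
]


def entries_in_window(lines, start, end):
    """Return (timestamp, message) for every line stamped inside [start, end].

    Syslog timestamps carry no year, so each line is tried against every
    year the window spans; a custody period can cross New Year.
    """
    hits = []
    for line in lines:
        for year in range(start.year, end.year + 1):
            try:
                stamp = datetime.strptime(f"{year} {line[:15]}",
                                          "%Y %b %d %H:%M:%S")
            except ValueError:
                continue  # not a timestamped line, or an impossible date
            if start <= stamp <= end:
                hits.append((stamp, line[16:].rstrip()))
    return hits


def powered_on_days(hits):
    """Distinct calendar days on which the OS wrote at least one entry."""
    return sorted({stamp.date() for stamp, _ in hits})


if __name__ == "__main__":
    found = entries_in_window(SAMPLE_LOG, CUSTODY_START, CUSTODY_END)
    for day in powered_on_days(found):
        print("OS X was writing logs on", day)
```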
 

GoCubsGo

macrumors Nehalem
Feb 19, 2005
35,743
141
Please explain?

They came into your company and seized hardware. Guess you were innocent when they gave it back. Also always encrypt your data, it's against the law to decrypt it even if they have your computer.
Citation? Because you're pretty wrong.

interesting.

ok we are all agreed that the contents of the computer have been copied.

i have legal files which should be subject to legal privilege which means they have to be treated in a different way etc.

So how can i tell what files have been copied?

we can assume they have been copied yes but is there a log that will show ALL files copied or just x yz files copied?
Okay, you work for a company who was raided and you're worried about WHAT was imaged? They have a copy of your drive, no doubt about it. Was it local law enforcement? What were the charges or what was the reason for the warrant? You do not ever need to call this "the police stole my computer" because to me it sounds like a) it is not YOUR computer but it is company property b) they did not steal it, they gave it back but seized it and likely had a warrant and c) you say you have "legal" files which are "legal privilege" so are you saying that they seized a computer with data on it that was privileged and confidential under attorney/client privilege?
This sounds bogus. I think you have 100% of the story but you just dished out about 5%, haphazardly at that.

Are you sure about this? What if they have a search warrant?
There is no way he can really be seriously sure. Yes, police can seize your property with a warrant which assumes cause.

----------

so if they imaged (copied?) it's impossible to prove?

really? wow. so the contents of a mac can be copied and no trace is left of what happened?

Can i at least find out if it was turned on when it was in their hands?
I don't get why you need to prove it. You will know what they have when they present their case.
It's legal for them to try to decrypt it on their own. If they took a fully encrypted drive, that's what they would try to do.

It's against the law to compel you to decrypt it for them, since that would be self-incrimination and would violate the 4th Amendment. Case law right now does not apply this protection to biometric only encryption solutions, at the moment.
5th Amendment, I think.

btw yes they had a search warrant.

the password nothing special just the one that came with mac login
no problems getting past that? i'm not interested in finding out how one can bypass that password just want to prove that they can and did
Why are you interested in proving that they did anything? They seized your machine, you should know they have an entire copy of the drive and they didn't need your password to get it. But yes, the forensic analysts who sat in front of your machine imaging your drive can get past your simple password.
 

matthew2ts

macrumors newbie
Original poster
May 15, 2014
18
0
Okay, you work for a company who was raided and you're worried about WHAT was imaged? They have a copy of your drive, no doubt about it. Was it local law enforcement? What were the charges or what was the reason for the warrant? You do not ever need to call this "the police stole my computer" because to me it sounds like a) it is not YOUR computer but it is company property b) they did not steal it, they gave it back but seized it and likely had a warrant and c) you say you have "legal" files which are "legal privilege" so are you saying that they seized a computer with data on it that was privileged and confidential under attorney/client privilege?
This sounds bogus. I think you have 100% of the story but you just dished out about 5%, haphazardly at that.

Quote:
Originally Posted by VI™
Are you sure about this? What if they have a search warrant?
There is no way he can really be seriously sure. Yes, police can seize your property with a warrant which assumes cause.
__________________

yes worried about what was copied.
Police had warrant seized took whatever term you like!
my computer my home.
Apologies for not going into detail but this is a mac blog not a legal blog!
yes i'm saying my emails with my lawyer were on my computer. they are not entitled to read these. nothing bogus about that

btw i'm uk based so barrister and solicitor are the terms i would use for the legal types i was speaking to!
 

matthew2ts

macrumors newbie
Original poster
May 15, 2014
18
0
There is no way he can really be seriously sure. Yes, police can seize your property with a warrant which assumes cause.



Must beg to differ with this statement as there are many warrants which have been quashed as the Police had no cause!
 

GoCubsGo

macrumors Nehalem
Feb 19, 2005
35,743
141
Okay, you work for a company who was raided and you're worried about WHAT was imaged? They have a copy of your drive, no doubt about it. Was it local law enforcement? What were the charges or what was the reason for the warrant? You do not ever need to call this "the police stole my computer" because to me it sounds like a) it is not YOUR computer but it is company property b) they did not steal it, they gave it back but seized it and likely had a warrant and c) you say you have "legal" files which are "legal privilege" so are you saying that they seized a computer with data on it that was privileged and confidential under attorney/client privilege?
This sounds bogus. I think you have 100% of the story but you just dished out about 5%, haphazardly at that.

Quote:
Originally Posted by VI™
Are you sure about this? What if they have a search warrant?
There is no way he can really be seriously sure. Yes, police can seize your property with a warrant which assumes cause.
__________________

yes worried about what was copied.
Police had warrant seized took whatever term you like!
my computer my home.
Apologies for not going into detail but this is a mac blog not a legal blog!
yes i'm saying my emails with my lawyer were on my computer. they are not entitled to read these. nothing bogus about that

btw i'm uk based so barrister and solicitor are the terms i would use for the legal types i was speaking to!
Okay, well I don't know UK law at all but they took your computer from your home? Was it used for a home-based business?

PS, not a legal blog, I get it but you did pretty much open yourself up to the inquisition of the week with such a title and then the vague detail.
While not entitled to "read" the e-mails between you and your lawyer, in the US they will image your drive and then there are definite laws surrounding the e-mails between you and your lawyer. Not all emails between you and your lawyer would be inadmissible or even privileged, in the US.

So the barristers came to your home, which is also your office, and took your Mac with a warrant or whatever they call it in the UK? What did you do man?

----------

There is no way he can really be seriously sure. Yes, police can seize your property with a warrant which assumes cause.



Must beg to differ with this statement as there are many warrants which have been quashed as the Police had no cause!
Hence why I used the word assume. Which I assume means the same here and there. ;) It only assumed cause but as it stands, there was a legal warrant and they took your stuff. I also want to show you how to use the multi-quote button.
 

matthew2ts

macrumors newbie
Original poster
May 15, 2014
18
0
i'm pissed off with the Police make no mistake!

There was nothing i can do when ten Police men get u out of bed!

i'm challenging the legitimacy of the warrant.

sounds like the legal point is the same. if cops take stuff they can't read communication with your lawyers.

so if they dd'd? hard drive no record of that?
 

snberk103

macrumors 603
Oct 22, 2007
5,484
87
An Island in the Salish Sea
You need a lawyer, not techy nerds. If you are the suspect in a crime, you need a defence lawyer. If the police are investigating someone else, and your computer has evidence they need… well, you still need a lawyer to protect your interests.

All the 'proof' of what the police did will be in the police reports. A lawyer may be able to pry them out of the police hands.

From a technical point of view. If the forensics lab removed your hard-drive and attached it to a drive imager I would doubt that there is anything on the hard-drive itself to indicate what they did as OS X (which is what would write any log files you are looking for) would not be used in this case.
 

matthew2ts

macrumors newbie
Original poster
May 15, 2014
18
0
not a home based business but i did use computer for work.

but for example i want to know if they copied all the photos of my kids family etc
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
29,142
8,810
California
yes worried about what was copied.
Police had warrant seized took whatever term you like!
my computer my home.
Apologies for not going into detail but this is a mac blog not a legal blog!
yes i'm saying my emails with my lawyer were on my computer. they are not entitled to read these. nothing bogus about that

btw i'm uk based so barrister and solicitor are the terms i would use for the legal types i was speaking to!
I don't know what the police use in the UK, but in the US the most popular computer forensics suite is EnCase and the first thing the police would do is use that software to make a complete image of your Mac on another drive (actually multiple drives). Then they would use the same software to search for what they want.

All you might be able to see on your computer now is a console log entry from when the computer was booted up... but that's it.

If you are concerned the police have captured privileged attorney client communications, you should contact your attorney for guidance. In the US it is possible for the court to appoint a "special master" to conduct the search so no privileged information is given to the police.
 

556fmjoe

macrumors 68000
Apr 19, 2014
1,604
903
i'm pissed off with the Police make no mistake!

There was nothing i can do when ten Police men get u out of bed!

i'm challenging the legitimacy of the warrant.

sounds like the legal point is the same. if cops take stuff they can't read communication with your lawyers.

so if they dd'd? hard drive no record of that?
If they made a forensic copy of your hard drive, there will be no evidence of it on the hard drive. That's the point of forensic imaging; it's designed to leave absolutely no trace on the target drive. Forensic imaging tools will compare MD5 hashes of the image and the drive to ensure that they are exactly the same.

I would suggest that you stop talking about it online and find a lawyer, but then again, I'm no lawyer.
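
The hash comparison described in the post above, as an added example that is not part of the original thread and not any forensic product's code: the source is opened read-only, hashed while it is copied, and the image is then re-read and compared. The file names and the small constructed "disk" are assumptions for illustration; MD5 is used because the post names it.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB blocks, as an imager would stream a device


def digest(path, algo="md5"):
    """Hash a file or device node in fixed-size chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, algo="md5"):
    """Copy source to image, hashing the source bytes as they are read,
    then re-read the image and compare. The source is never opened for
    writing; labs add a hardware write blocker on top of this."""
    h = hashlib.new(algo)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    source_hash, image_hash = h.hexdigest(), digest(image, algo)
    return source_hash, image_hash, source_hash == image_hash


def demo():
    """Image a constructed 3 MiB 'disk', then alter one bit of the image."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "disk.raw"), os.path.join(d, "disk.img")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096) + b"tail")
        mtime_before = os.stat(src).st_mtime_ns
        source_hash, _, verified = acquire(src, img)
        source_untouched = os.stat(src).st_mtime_ns == mtime_before
        with open(img, "r+b") as f:  # flip a single bit in the copy
            f.seek(1000)
            byte = f.read(1)[0]
            f.seek(1000)
            f.write(bytes([byte ^ 1]))
        altered_still_matches = digest(img) == source_hash
        return verified, source_untouched, altered_still_matches


if __name__ == "__main__":
    print(demo())
```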