Police took my Mac

Discussion in 'Mac Basics and Help' started by matthew2ts, May 15, 2014.

  1. matthew2ts macrumors newbie

    Joined:
    May 15, 2014
    #1
    As part of a Trading standards investigation my mac osx version 10.7.5 desk computer was seized. they had it for several months. i'm assuming they have all the info off it. i know the date they seized it and the date i got it back. i have opened console but how can i see what files have been copied?
    at present can't see any activity on the dates it was missing.

    btw it had the normal mac password i'm assuming this can be easily bypassed.

    any thoughts?
     
  2. Crichton333 macrumors 6502

    Crichton333

    Joined:
    May 4, 2014
    #2
    Please explain ?

    They came into your company and seized hardware. Guess you were innocent when they gave it back. Also always encrypt your data, its against the law to decrypt it even if they have your computer.
     
  3. 556fmjoe macrumors 65816

    Joined:
    Apr 19, 2014
    #3
    They likely imaged the entire drive and now have their own copy of it.

    Full disk encryption is your friend.
     
  4. matthew2ts thread starter macrumors newbie

    Joined:
    May 15, 2014
    #4
    apologies if this is posted in the wrong section. i was thinking this was the operating system of my mac. Forgive my clouded thinking i'm not claiming to know anything at all!

    is there a Police stole my mac section! Any help on correct section appreciated

    i'm not looking to close the stable door just to find out what happened to my mac.


    ok so they have the whole hard drive i can guess that.

    but how can you prove it?
     
  5. TsunamiTheClown macrumors 6502a

    TsunamiTheClown

    Joined:
    Apr 28, 2011
    Location:
    Fiery+Cross+Reef
    #5
    They took your mac right? If that is correct then you can guarantee they dd'd your disks. I would just assume that they have a full copy like 556fmjoe said.
     
  6. 556fmjoe macrumors 65816

    Joined:
    Apr 19, 2014
    #6
    I'm not sure what you're asking. Prove that they imaged your drive? It's impossible to prove what they did, but seizing a drive to use as evidence requires delicate handling to avoid disrupting timestamps on files, or making any other data changes. Just booting an OS changes many system files. A savvy lawyer could point out the differences in files as a way of dismantling their use as evidence.

    Forensic tools can make an image that is frozen in time. This lets them search for what they want without altering anything by mistake. That is very likely what they did.
     
  7. matthew2ts thread starter macrumors newbie

    Joined:
    May 15, 2014
    #7
    interesting.

    ok we are all agreed that the contents of the computer have been copied.

    i have legal files which should be subject to legal privilege which means they have to be treated in a different way etc.

    So how can i tell what files have been copied?

    we can assume they have been copied yes but is there a log that will show ALL files copied or just x yz files copied?
     
  8. VI™ macrumors 6502a

    Joined:
    Aug 27, 2010
    Location:
    Shepherdsturd, WV
    #8
    Are you sure about this? What if they have a search warrant?
     
  9. 556fmjoe macrumors 65816

    Joined:
    Apr 19, 2014
    #9
    All of them. If they made a forensic image of the disk, it means they have everything. It's as if your computer is now sitting in front of them, frozen in time on the date that they took it.
     
  10. matthew2ts thread starter macrumors newbie

    Joined:
    May 15, 2014
    #10
    so if they imaged ( copied?) its impossible to prove?

    really? wow . so the contents of a mac can be copied and no trace is left of what happened?

    Can i at least find out if it was turned on when it was in their hands?
     
  11. 556fmjoe macrumors 65816

    Joined:
    Apr 19, 2014
    #11
    It's legal for them to try to decrypt it on their own. If they took a fully encrypted drive, that's what they would try to do.

    It's against the law to compel you to decrypt it for them, since that would be self-incrimination and would violate the 4th Amendment. Case law right now does not apply this protection to biometric only encryption solutions, at the moment.
     
  12. matthew2ts thread starter macrumors newbie

    Joined:
    May 15, 2014
    #12
    btw yes they had a search warrant.

    the password nothing special just the one that came with mac login
    no problems getting passed that? i'm not interested in finding out how one can bypass that password just want to prove that they can and did
     
  13. 556fmjoe macrumors 65816

    Joined:
    Apr 19, 2014
    #13
    You could review system logs to see if it was powered on while in their possession. They would have imaged it before booting OS X though.
     
  14. GoCubsGo macrumors Nehalem

    GoCubsGo

    Joined:
    Feb 19, 2005
    #14
    Citation? Because you're pretty wrong.

    Okay, you work for a company who was raided and you're worried about WHAT was imaged? They have a copy of your drive, no doubt about it. Was it local law enforcement? What were the charges or what was the reason for the warrant? You do not ever need to call this "the police stole my computer" because to me it sounds like a) it is not YOUR computer but it is company property b) they did not steal it, they gave it back but seized it and likely had a warrant and c) you say you have "legal" files which are "legal privilege" so are you saying that they seized a computer with data on it that was privileged and confidential under attorney/client privilege?
    This sounds bogus. I think you have 100% of the story but you just dished out about 5%, haphazardly at that.

    There is no way he can really be seriously sure. Yes, police can seize your property with a warrant which assumes cause.

    ----------

    I don't get why you need to prove it. You will know what they have when they present their case.
    5th Amendment, I think.

    Why are you interested in proving that they did anything? They seized your machine, you should know they have an entire copy of the drive and they didn't need your password to get it. But yes, the forensic analysts who sat in front of your machine imaging your drive can get past your simple password.
     
  15. 556fmjoe macrumors 65816

    Joined:
    Apr 19, 2014
  16. matthew2ts thread starter macrumors newbie

    Joined:
    May 15, 2014
    #16
    Okay, you work for a company who was raided and you're worried about WHAT was imaged? They have a copy of your drive, no doubt about it. Was it local law enforcement? What were the charges or what was the reason for the warrant? You do not ever need to call this "the police stole my computer" because to me it sounds like a) it is not YOUR computer but it is company property b) they did not steal it, they gave it back but seized it and likely had a warrant and c) you say you have "legal" files which are "legal privilege" so are you saying that they seized a computer with data on it that was privileged and confidential under attorney/client privilege?
    This sounds bogus. I think you have 100% of the story but you just dished out about 5%, haphazardly at that.

    Quote:
    Originally Posted by VI™ View Post
    Are you sure about this? What if they have a search warrant?
    There is no way he can really be seriously sure. Yes, police can seize your property with a warrant which assumes cause.
    __________________

    yes worried about what was copied.
    Police had warrant seized took whatever term you like!
    my computer my home.
    Apologies for not going into detail but this is a mac blog not a legal blog!
    yes i'm saying my emails with my lawyer were on my computer. they are not entitled to read these. nothing bogus about that

    btw i'm uk based so barrister and solicitor are the terms i would use for the legal types i was speaking to!
     
  17. GoCubsGo macrumors Nehalem

    GoCubsGo

    Joined:
    Feb 19, 2005
    #17
    Honestly, without looking it up I paused. Even still, there's a story here and I want it!
     
  18. matthew2ts thread starter macrumors newbie

    Joined:
    May 15, 2014
    #18
    There is no way he can really be seriously sure. Yes, police can seize your property with a warrant which assumes cause.



    Must beg to differ with this statement as there are many warrants which have been quashed as the Police had no cause!
     
  19. GoCubsGo macrumors Nehalem

    GoCubsGo

    Joined:
    Feb 19, 2005
    #19
    Okay, well I don't know UK law at all but they took your computer from your home? Was it used for a home-based business?

    PS, not a legal blog, I get it but you did pretty much open yourself up to the inquisition of the week with such a title and then the vague detail.
    While not entitled to "read" the e-mails between you and your lawyer, in the US they will image your drive and then there are definite laws surrounding the e-mails between you and your lawyer. Not all emails between you and your lawyer would be inadmissible or even privileged, in the US.

    So the barristers came to your home, which is also your office, and took your Mac with a warrant or whatever they call it in the UK? What did you do man?

    ----------

    Hence why I used the word assume. Which I assume means the same here and there. ;) It only assumed cause but as it stands, there was a legal warrant and they took your stuff. I also want to show you how to use the multi-quote button.
     
  20. matthew2ts thread starter macrumors newbie

    Joined:
    May 15, 2014
    #20
    i'm pissed off with the Police make no mistake!

    There was nothing i can do when ten Police men get u out of bed!

    i'm challenging the legitimacy of the warrant.

    sounds like the legal point is the same. if cops take stuff they can't read communication with you r lawyers.

    so if they dd'd? hard drive no record of that?
     
  21. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #21
    No record. OS X has no way to verify if files were copied from a disk. The copying may not even have been done from your computer or from OS X at all.
     
  22. snberk103 macrumors 603

    Joined:
    Oct 22, 2007
    Location:
    An Island in the Salish Sea
    #22
    You need a lawyer, not techy nerds. If you are the suspect in a crime, you need a defence lawyer. If the police are investigating someone else, and your computer has evidence they need… well, you still need a lawyer to protect your interests.

    All the 'proof' of what the police did will be in the police reports. A lawyer may be able to pry them out of the police hands.

    From a technical point of view. If the forensics lab removed your hard-drive and attached it to a drive imager I would doubt that there is anything on the hard-drive itself to indicate what they did as OS X (which is what would write any log files you are looking for) would not be used in this case.
     
  23. matthew2ts thread starter macrumors newbie

    Joined:
    May 15, 2014
    #23
    not a home based business but i did use computer for work.

    but for example i want to know of they copied all the photos of my kids family etc
     
  24. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #24
    I don't know what the police use in the UK, but in the US the most popular computer forensics suite is Encase and the first thing the police would do is use that software to make a complete image of your Mac on another drive (actually multiple drives). Then they would use the same software to search for what they want.

    All you might be able to see on your computer now is a console log entry from when the computer was booted up... but that's it.

    If you are concerned the police have captured privileged attorney client communications, you should contact your attorney for guidance. In the US it is possible for the court to appoint a "special master" to conduct the search so no privileged information is given to the police.
     
  25. 556fmjoe macrumors 65816

    Joined:
    Apr 19, 2014
    #25
    If they made a forensic copy of your hard drive, there will be no evidence of it on the hard drive. That's the point of forensic imaging; it's designed to leave absolutely no trace on the target drive. Forensic imaging tools will compare MD5 hashes of the image and the drive to ensure that they are exactly the same.

    I would suggest that you stop talking about it online and find a lawyer, but then again, I'm no lawyer.
     

Share This Page