I'm not sure how many times people in this thread can say the same thing. Assume the authorities have copied every single file on your computer.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Police took my Mac
- Thread starter matthew2ts
- Start date
- Sort by reaction score
I'm not sure how many times people in this thread can say the same thing. Assume the authorities have copied every single file on your computer.
thanks for that.
i had not considered the possibility that the back was unscrewed!
yes i have lawyers but computers have just been returned.
----------
I'm not sure how many times people in this thread can say the same thing. Assume the authorities have copied every single file on your computer.
I'm in agreement that they have copied everything we are all on the same page.
but i'm trying to get a consensus that if they did that would it leave a trail?
this may well have been answered.
BUT when i look in console and i'm not sure which files to look in can't even see it was turned on between the missing dates.
i had not considered the possibility that the back was unscrewed!
yes i have lawyers but computers have just been returned.
----------
I'm not sure how many times people in this thread can say the same thing. Assume the authorities have copied every single file on your computer.
I'm in agreement that they have copied everything we are all on the same page.
but i'm trying to get a consensus that if they did that would it leave a trail?
this may well have been answered.
BUT when i look in console and i'm not sure which files to look in can't even see it was turned on between the missing dates.
You will be much better off if you just concede the fact that they have everything. Have seen everything and have read everything.
thanks weasel boy
so how do i check if the computer was booted up?
----------
i concede that no problem.
so how do i check if the computer was booted up?
----------
i concede that no problem.
This site has some advice about log files: http://pondini.org/OSX/Logs.html
Logs will not tell you if the drive was imaged though. It will just tell you if OS X was booted.
Again, a forensic image is designed not to alter any data on your hard drive in order to ensure that your data is admissible as evidence.
thanks the logs show no activity in between missing dates
yes take your point that the smoking gun i'm looking for may not be there!
yes take your point that the smoking gun i'm looking for may not be there!
This!
They likely have everything. Including, but not limited to, pictures of your kids, cats, dogs, sunsets, wife, dinner you ate, etc. They have everything.
They're not interested in some stuff but if you are concerned you need to be talking to your lawyer. Right now you sound like there is something to hide and by now, I'd be keeping my mouth super shut.
Good advice. I'd have my lawyer look at this thread, and when he has calmed down, ask the mods to nuke it from orbit and never talk about ongoing investigations on the public internet again.
The smoking gun? Are you trying to prove they did wrong? They had a warrant which at that time it was assumed they have cause. As far as anyone knows, the smoking gun is on your hard drive and it is against you not the police.
Your biggest issue is not trying to nail them but you need to get ahold of your lawyer.
----------
Technically this thread can be deleted but it will be on a server, no doubt. I am not sure what MacRumors is required to do in terms of data retention. They're a company and I almost wonder if these act as records that they have to retain. I do not know that for sure. This guy was less than smart to go about his question this way. If my **** is seized and I want to know if I can find out what they saw, assuming I didn't already know they imaged it all, I would simply ask if I could tell who copied something from my computer. I'd be vague as hell.
Agreed, there's little hope of it being truly deleted. If the authorities were to issue a subpoena, I'd assume Macrumors would comply with whatever backup copies they have. The OP's only chance would be that they don't know he posted it, which is unlikely since they'd probably subpoena his ISP too (if they haven't already) and see this thread in his browsing history.
Thanks for the presumption of innocent until proven guilty!
Firstly i do regard myself as having done no wrong
secondly, what are u guys jumping up and down for i'm asking a legitimate question:
How can i prove what they have read.
i think i have the answer but a technical walkthrough was what i was searching for
----------
it would be nice if i could prove they had done wrong!
i was just curious if it was an easy process to see what had happened to a computer
Firstly i do regard myself as having done no wrong
secondly, what are u guys jumping up and down for i'm asking a legitimate question:
How can i prove what they have read.
i think i have the answer but a technical walkthrough was what i was searching for
----------
it would be nice if i could prove they had done wrong!
i was just curious if it was an easy process to see what had happened to a computer
We're using a discussion forum to discuss things. We have no idea what this is about beyond what you have posted and thus are left to speculate.
By all means, post whatever you want.
Your questions were answered. I'll run it down again.
When a forensic lab gets a hold of your computer they will image the drive without even turning on the computer. The reason for this is to preserve all logs and ensure that turning it on doesn't do anything to the drive. The chain of custody and evidence MUST be preserved. They likely took your Mac, walked it into the office, sat it down, opened it up, grabbed the drive or left it in place if possible, and began the imaging process.
Your computer then sat there, likely off and never even turned on for many months until they felt they were done with it and had everything they wanted. If they turned it on, it could be in the OS X log files. You can prove it was turned on but that does not prove anything was copied. You will never prove that until they present evidence that you know was on your computer to you in court.
There is no smoking gun. There is no reason for you or anyone else to believe the police did anything wrong. They had a warrant, they seized your property, they did whatever they were going to do and they returned it. As far as anyone can tell thus far, they did everything by the book. If it is decided that they did wrong, they did not have justifiable cause for a warrant, and your copied files should not have been copied then you MAY get an apology, the "evidence" will not be allowed in court (I believe this to be true for the UK), and you will go on your way.
Guilty? You think we're saying you're guilty? **** no. I'm saying, personally, that I would shut my damn mouth if I were you. Guilty or not, the police had some sort of reason to obtain a warrant, the warrant was given, the warrant was issued, and they did what they did. I'm only saying I'd keep my mouth shut because even if I knew what they were looking for, I don't want to screw myself if they're building a case against me. Trust me, they didn't just get a warrant because they thought it would be fun to see what's on your computer.
You cannot prove what they read, what they saw, or what they listened to. Whatever they present as evidence is likely less than what they read and saw. What is presented is what they wanted not junk they don't care about.
Call your lawyer. I bet he or she will tell you there is no way to find out what they read/saw/listened to when they had your computer.
If you want straight up technical walkthrough on how they accessed your drive without even turning the computer on then I think there is some googling in your future. There are systems/software that will do this and I think one was noted above.
I'll throw my $.02 in.
You can assume the police will have copied your drive, but you cannot prove they did. There's no physical evidence of that.
Secondly with a search warrant, they have a judges signature allowing them to take the computer for evidence/investigation. You may not like it, but that's the legal system we live in.
Thirdly, I'd look to get a lawyer to protect your rights and know whats your next step with regard to your computer and the investigation.
You may be angry at the policy but of they are investigating a crime and have probable cause then they're working within the confines of the law.
You can assume the police will have copied your drive, but you cannot prove they did. There's no physical evidence of that.
Secondly with a search warrant, they have a judges signature allowing them to take the computer for evidence/investigation. You may not like it, but that's the legal system we live in.
Thirdly, I'd look to get a lawyer to protect your rights and know whats your next step with regard to your computer and the investigation.
You may be angry at the policy but of they are investigating a crime and have probable cause then they're working within the confines of the law.
If you havent really used it since you got it back, Console will show you last 4000 actions. If it goes back far enough, you would see when it saw booted.
With that said, just because the police have read the emails doesn't necessarily mean they can now use them against the OP in court.
They would have made a one-to-one copy of your hard drive, so _all_ files would have been copied. There would be no evidence on your hard drive. If they modified your hard drive in any way, and later claimed that they found evidence against you on your hard drive, modifying the hard drive would mean the evidence couldn't be trusted. So they will _always_ make an identical copy of everything.
----------
Actually, you are wrong. First, in the UK they _can_ force you to give them a password and put you into jail if you refuse. Second, in the US cases where it was relevant, revealing the contents of the hard drive is _not_ self incrimination. Revealing the fact that you know the password _is_ self incrimination. So you can refuse if they cannot prove it is actually your hard drive, because entering the password proves it. If they know it's your drive (like they took it out of his working Mac), they can force you to reveal the password.
btw the police are not working within the confines of the law.
In the UK there is the infamous case only this year of Police lying, phoning the press to discredit a British politician who swore at them because they did not open a gate to exit Parliament building . Google "pleb gate". Several Policeman went to jail over that incident.
Good ol Nixon now any scandal has suffix "gate" on it!
in my case , and chaps don't panic i'm not revealing any details here they don't know. the Police have already provided me with written different versions of their actions to try cover one as one set was illegal!
its always the way cock up bad but cover up worse...
In the UK there is the infamous case only this year of Police lying, phoning the press to discredit a British politician who swore at them because they did not open a gate to exit Parliament building . Google "pleb gate". Several Policeman went to jail over that incident.
Good ol Nixon now any scandal has suffix "gate" on it!
in my case , and chaps don't panic i'm not revealing any details here they don't know. the Police have already provided me with written different versions of their actions to try cover one as one set was illegal!
its always the way cock up bad but cover up worse...
I do forensics:
Two things could have happened:
1) They brought it to the police station, asked their local geek to look at it. If it had a password protection on it, he could have easily bypassed it, but this would leave a trace. Your password would no longer be there when you booted up your machine.
2) They have an actual forensics person look at it. American law: That person has to look for a specific thing listed in the warrant. If I'm looking for emails or trade transaction information in a pages or word type document and happen to see child p*rn, I could get in a lot of trouble for breaking the warrant. Why am I looking at photos? When the warrant clearly states documents. ( probably a bad example ) Now, I could go to jail.
The warrant could be broad, but I have never seen one, they all list a specific item that is being looked for. We usually do a quick peek, leaving no trail, without copying the entire drive ( copying the entire drive could get us into trouble ). IF we find anything with the pinpoint search, THEN we copy everything and can use THAT copy for the investigation.
Two things could have happened:
1) They brought it to the police station, asked their local geek to look at it. If it had a password protection on it, he could have easily bypassed it, but this would leave a trace. Your password would no longer be there when you booted up your machine.
2) They have an actual forensics person look at it. American law: That person has to look for a specific thing listed in the warrant. If I'm looking for emails or trade transaction information in a pages or word type document and happen to see child p*rn, I could get in a lot of trouble for breaking the warrant. Why am I looking at photos? When the warrant clearly states documents. ( probably a bad example ) Now, I could go to jail.
The warrant could be broad, but I have never seen one, they all list a specific item that is being looked for. We usually do a quick peek, leaving no trail, without copying the entire drive ( copying the entire drive could get us into trouble ). IF we find anything with the pinpoint search, THEN we copy everything and can use THAT copy for the investigation.
interesting stuff.
Password still on.
in uk the lower tier of lawyers are called solicitors they seek advice on specialists called barristers.
i have engaged both and there is no doubt coppers have tied themselves in knots.
The warrant law sounds the same here too in that it can't be broad or its a "fishing" exercise
Password still on.
in uk the lower tier of lawyers are called solicitors they seek advice on specialists called barristers.
i have engaged both and there is no doubt coppers have tied themselves in knots.
The warrant law sounds the same here too in that it can't be broad or its a "fishing" exercise