I'll note up front that if a forensic disk copy program or device was used, this won't work, but I'll throw out the 'stat' command for completeness.

Code:
MacBook:~ smithrh$ stat -x bookmarks.html
  File: "bookmarks.html"
  Size: 56834        FileType: Regular File
  Mode: (0600/-rw-------)         Uid: (  501/ smithrh)  Gid: (   20/   staff)
Device: 1,2   Inode: 842286    Links: 1
Access: Tue Oct  2 18:05:44 2012
Modify: Sun Dec  5 22:17:27 2010
Change: Tue Oct  2 18:05:44 2012

MacBook:~ smithrh$ cat bookmarks.html > /dev/null

MacBook:~ smithrh$ stat -x bookmarks.html
  File: "bookmarks.html"
  Size: 56834        FileType: Regular File
  Mode: (0600/-rw-------)         Uid: (  501/ smithrh)  Gid: (   20/   staff)
Device: 1,2   Inode: 842286    Links: 1
Access: Fri May 16 10:59:18 2014
Modify: Sun Dec  5 22:17:27 2010
Change: Tue Oct  2 18:05:44 2012
 
It's legal for them to try to decrypt it on their own. If they took a fully encrypted drive, that's what they would try to do.

It's against the law to compel you to decrypt it for them, since that would be self-incrimination and would violate the 4th Amendment. Case law right now does not apply this protection to biometric only encryption solutions, at the moment.

The OP is in the UK and over here it's against the law for an individual to fail to provide encryption keys if compelled by a court order (covered under the Regulation of Investigatory Powers Act 2000 (RIPA)) with up to 2 years in jail for failing to comply :eek:
 
Nothing stopping you!

You might check a few of your, uh, "sensitive" files.

Do you know how to use the Unix shell (Mac Terminal)?

Note: it's important to make sure you yourself don't cause the file to be accessed. Only the last access time is kept, AFAIK.
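
Added example, not part of any post in this thread: a shell function that applies the access-time check described above to a whole directory, listing files whose last-access time falls inside a window (for example, the period the machine was out of your hands). It relies only on `find`, which reads file metadata without opening the files, so running it does not itself change their access times. The function name and the timestamps are illustrative; a volume mounted with noatime, or a drive imaged behind a write blocker, will show nothing.

```shell
#!/bin/sh
# accessed_between DIR START END
# Print regular files under DIR with START < atime <= END.
# START and END use the touch -t format [[CC]YY]MMDDhhmm (local time).
# Hypothetical helper written for this example.
accessed_between() {
    dir=$1
    start=$2
    end=$3

    # Two empty reference files carry the window boundaries as timestamps.
    tmp=$(mktemp -d) || return 1
    touch -t "$start" "$tmp/start" && touch -t "$end" "$tmp/end" || {
        rm -rf "$tmp"
        return 1
    }

    # -anewer compares each file's access time with the reference file's
    # modification time. find only stats the files; it never reads their
    # contents, so their own access times stay untouched.
    find "$dir" -type f -anewer "$tmp/start" ! -anewer "$tmp/end" -print | sort

    rm -rf "$tmp"
}

# Example call (constructed dates):
#   accessed_between "$HOME/Documents" 201405010000 201405150000
```

Only the most recent access is recorded per file, so opening a file yourself after the window overwrites the evidence for that file.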
 
You can also get the "last accessed" information by getting info on a given file.

I'm not seeing that - created, when added, last modified, but I don't see "last accessed" at least with my Finder prefs.

How are you accessing that info?
 
I just checked - "last opened" and "last accessed" are not the same.

I suspect "last opened" is a Mac OS piece of metadata that Finder keeps track of and "last accessed" is a filesystem record.

I just manipulated (cat > /dev/null) a file, stat -x showed when I did that, but the Finder did not.
 
How can I prove what they have read?

I think I have the answer but a technical walkthrough was what I was searching for

I could easily copy the entire disk of your Mac with zero trace in any log files, since OS X would not be started on your computer at all in the process. A disk image from Target Disk Mode is one way, physically removing the disk & plugging it into a dock or duplicator is another. I would assume the police have more capability than I do.

Further, the methods I describe are easier than booting up your machine into OS X, so it's likely they did something along these lines for their own convenience - not that they're trying to prevent you from knowing what was done per se, it's just that the simplest methods happen to not leave any indication or record. So forget about proving it was done - you will never be able to prove that it was not done.
 
Further, the methods I describe are easier than booting up your machine into OS X, so it's likely they did something along these lines for their own convenience - not that they're trying to prevent you from knowing what was done per se, it's just that the simplest methods happen to not leave any indication or record. So forget about proving it was done - you will never be able to prove that it was not done.

It's also SOP, as said up thread it's done to provide an evidential trace that any info recovered is as was on the original and was not tampered with or fabricated.

The OP is on a fool's errand to try and find what was accessed by looking at his Mac, (unless the keystone Cops took it away and ignored the last 20 years of standard procedure and ruin their chances of using anything recovered as evidence.)
 
It's also SOP, as said up thread it's done to provide an evidential trace that any info recovered is as was on the original and was not tampered with or fabricated.

The OP is on a fool's errand to try and find what was accessed by looking at his Mac, (unless the keystone Cops took it away and ignored the last 20 years of standard procedure and ruin their chances of using anything recovered as evidence.)

Agreed - however, there have been reports that police agencies can be a bit befuddled when presented with a Mac.

I know for sure this was the case as recently as 4-6 years ago, but it may not be as true today with Mac marketshare increasing.
 
I'm showing up late to this party, and let me just say up front that I fully concur with the previous comments, that the fuzz pulled the drive and imaged it, prior to replacing it. That (imaging) has been mentioned a couple dozen times already and there is nothing more of value that I can add.

Now, let me add one more possibility.

It is possible that they could have taken your hard drive and stuck it in or attached it to another Mac, mounted your file system, and added malicious software such as a key logger, app that snaps a screen shot every 60 seconds, etc.

If this were my Mac, or my Mac at $WORK, the first thing I would do/would have done would be to pull off any data of value, pull out your Mac OS X DVD, then wipe all data from the HDD and reinstall Mac OS X.

YMMV
 
It is possible that they could have taken your hard drive and stuck it in or attached it to another Mac, mounted your file system, and added malicious software such as a key logger, app that snaps a screen shot every 60 seconds, etc.

If someone wanted to do that, they wouldn’t have gotten a warrant and taken your computer just to install a key logger or something else. That would be about as likely as them announcing that they are seizing your phone just to put a bug on it. The police announce seizure to take evidence that you already have, not to give you a hint that they are looking at you. If they want to spy on you to gather evidence, they are not going to let you know about it ahead of time. If the police wanted to install a key logger, they would steal your laptop (they would have a warrant) and plant the logger covertly.

No competent law enforcement agency warns you overtly that they are interested in you or give you a clue that they may want to spy on you.
 
If someone wanted to do that, they wouldn’t have gotten a warrant and taken your computer just to install a key logger or something else. That would be about as likely as them announcing that they are seizing your phone just to put a bug on it. The police announce seizure to take evidence that you already have, not to give you a hint that they are looking at you. If they want to spy on you to gather evidence, they are not going to let you know about it ahead of time. If the police wanted to install a key logger, they would steal your laptop (they would have a warrant) and plant the logger covertly.

No competent law enforcement agency warns you overtly that they are interested in you or give you a clue that they may want to spy on you.

I'm sorry, but I'm gonna have to call BS on your entire reply.

If you have spent any time watching the news recently, I'm sure you have seen any number of reasons that the average person might have reason to distrust govt officials when it comes to computer and networking/Internet security.

Can you, or anyone following this thread, if you had gone thru an experience like the OP did, honestly say that you believe that your Mac was confiscated, the disk drive imaged then returned unaltered?

I feel pretty certain that the OP would not have started this thread had they felt that their Mac was just taken, housed remotely for a while then returned.

I'm not stating that what I am suggesting did happen, but I would be leery enough that I would want local storage wiped clean and the OS reinstalled.
 
I don't think that they would have installed a keylogger or backdoor at this point in the investigation.

That said, if the police had my computer for any length of time and returned it to me, the first thing I would do is wipe the drive, throw it away, and get a new one.
 
I don't think that they would have installed a keylogger or backdoor at this point in the investigation.

Agreed. Those are just examples. The point is, is that the OP has no idea exactly what he got back when his Mac was returned.

That said, if the police had my computer for any length of time and returned it to me, the first thing I would do is wipe the drive, throw it away, and get a new one.
 
I'm sorry, but I'm gonna have to call BS on your entire reply.

If you have spent any time watching the news recently, I'm sure you have seen any number of reasons that the average person might have reason to distrust govt officials when it comes to computer and networking/Internet security.

You totally misunderstood my point. At no point did I say that LEO would never install any sort of spyware. What I did argue is that they wouldn’t do it after presenting you with a warrant, seizing your hardware, and giving it back. That is the equivalent of tipping your hand, something people tend not to do when trying to spy on you.

If the police wants to spy on you, 99% of the time they are not going to tell you for one simple reason - the subject is going to be suspicious and is less likely to provide what the police is looking for unless they are a complete idiot - something that the police doesn’t bet on. If they wanted to spy on the OP, they wouldn’t have presented him with a warrant to seize the computer. They would have gotten a warrant and gotten access to his machine in another way. The OP would not have been aware of this. Doing so tips your hand and tends to alter the behavior of suspects - something the Police do not want to happen.

Agreed. Those are just examples. The point is, is that the OP has no idea exactly what he got back when his Mac was returned.

Why would the police essentially tip their hand and basically tell the OP that he is under investigation - The first thing a person that feared such activity would do is just reformat the drive. The police know that and they know that they wasted their time. When they take people's computers after informing the owner, it’s probably because they want to gather what is on there now. Modifying the hard drive is extremely risky from an evidence gathering perspective since if they get caught it can go out the window entirely (the user wipes their computer or a court tosses out anything they find since they essentially tampered with evidence) or, at worst, the suspect they want to get evidence from modifies their behavior and is no longer a good source of information.

Honestly if the police want to preserve chain of custody they aren’t going to modify your computer after they officially seize it. They are looking for evidence *now* and modifying your computer can lead to claims of evidence tampering in court - something that can cost the DA their case.

Again, I am not saying that LEO would NEVER install spyware on a suspect's computer, but if they did, you wouldn’t have gotten your computer seized to do that. Doing that otherwise is extremely risky from a LEO perspective when they likely have much more effective ways to spy on you otherwise. And again, they aren’t going to risk tipping their hand to do it.
 
won't find a thing

A "write blocker" is used in computer forensics to keep anything from being written on the drive, keeping all data intact.

An exact copy is made of the drive, and all investigative work is done on the copy. (The court can direct the forensic analyst to "ignore" certain data.)

And yes, there are programs out there that can crack SOME passwords.
 
It's against the law to decrypt it even if they have your computer.

Please explain!

What law are you referencing? The police, conducting a lawful investigation, can't decrypt data on a hard drive? Assuming this incident occurred in the US, where have you been? Of course the police can, if they have the technical expertise and, depending on jurisdiction, a subpoena or a search warrant, decrypt data on a hard drive.
 