Police Returned Property

So, I got a bunch of computers back from the police today after a year and a half in their possession.


Am I missing something I should be checking for signs of compromise? Or is the date enough of a smoking gun? I'm planning on wiping the drive/running me_cleaner, but I'm worried about what else could be running on this chromebook. halp?

who said anything about drugs?

They definitely wiped the logs. The date is a massive flashing billboard of a huge red flag.
If they installed or flashed something on the firmware then it could still install software without your knowledge.

The date is wrong because of the battery. You block writes when auditing; if you don't, you've fucked up and made the evidence useless.
So, where is the body?

This. Looks like they took out your CMOS battery; they probably have Intel ME on it now and are relaying it to FBI HQ.

Right, so should I just go get a new coreboot image for the chromebook, then run me_cleaner, then wipe?


Anything that me_cleaner won't catch?

Imo wipe it clean and sell it.

That's all you can do, but if they installed software over the firmware of something like the hard drive, then you would have no way to stop it from installing and would most likely have no way of detecting it.
Just curious, were you using systemd? Because if you have coreboot, Intel ME disabled, and an encrypted drive I can't see a point of entry short of a brute force attack.

The first rule of forensics is to not alter the original drive in any way. Instead, image it and do all of your work on that. The more troublesome problem is modified hardware. Sell it.

Definitely going to sell it, along with all other hardware returned. Any suggestions on how to get the data off the machines/drives before selling them?

Current plan:

Better ideas welcomed/encouraged.


Not using any Lennart Poettering technology on my systems.

If they hold onto your shit for a year and a half I get the impression that they have everything they want now.


Mega would be your best bet, but putting any data on a remote host still means that you're storing your files on another computer you don't own, which I get the impression you don't want to do.
Why not encrypt the USB, vacuum seal it in a bag and then bury it somewhere safe?

I need to get data from the drives to my safe network.

Also, there's a lot of drama regarding how long it took for them to return the equipment after a court order, so I'm suspecting they needed to send it to Langley for more work.

Can't believe they can just hold onto your hardware for that long, but you're almost certainly correct. There's no way your local police department is getting into something like that.
I know mega encrypts files, but you should still never trust someone to save your ass. Encrypt them as much as possible before uploading, and use the longest password you can remember.
I don't have a lot of useful input on this unfortunately, but depending on the file types you need to transfer it may also be possible to inject code into them, similar to, for example, PDF and Word documents (obviously not a concern since you're not using micro$oft office). I'm sure there are tons of exploits to do this that I'm not aware of, and even more that we don't know of.
So as a word of caution, be sparing with the files you transfer.

If you do go through with uploading it, do so from a public cafe or LAN on someone else's equipment, using prepaid cards so as not to be traced to you.

Even in that situation, if they zero-dayed the kernel along with a zero-day involving the USB port drivers/udev/systemd (unless they are shut off on boot-up or he used a static /dev), then they definitely got in even without systemd on the rest of the system. Notice how udev is part of systemd now, you faggot.

me_cleaner won't catch other types of firmware. If you have a non-libreboot BIOS, it is now backdoored. If you have an SSD, it is now backdoored. Regular HDDs will have noticeable tampering if they backdoored them. Check the hardware for keyloggers. Check the SD card reader for tampering. Check the GPU's BIOS for tampering. You can't ever trust that hardware again if anything beyond local police/fbianon level tried getting into it.


Check every file in a hex editor, open it in an archive program, exiftool it, and make sure to check for weirdness with timestamps. Even then, you can't trust that you are not bringing a trojan over now.

The logs mean nothing.

They would have booted it via usb. Their tools would have disabled write-access before bringing the drive online. Then imaged the drive to work on the contents elsewhere.

The dead battery? They could have imaged it the day they took possession and then it sat in the evidence locker until today.

If OP was taking his security seriously he would have had a UEFI-enabled system that signed everything for the boot process, so that you can't boot anything without OP's UEFI secure boot key signing the EFI-loaded code. The problem then goes back to whether he disabled USB on boot. That would have meant (((they))) would have had to open the case and backdoor/get in that way.

Correct.

Local PDs wouldn't have super hax0rs on site. They would have a pre-baked generic tool that boots off a USB stick and then automatically just dumps the system's contents to an external HD raw.
They then FedEx that external HD off to the feds or their forensics contractor.

Since OP's computer never left the possession of that local PD's evidence officer, there are no records made of any of this happening.

Buy a clean computer. Don't buy it online, don't have it shipped. Keep it isolated from the internet and wifi. Download a live Linux ISO from somewhere other than your own internet. Put it on a clean USB stick. Boot the clean computer with it. Remove the drives from the old computers. Do not boot from them. Image them to clean external hard drives on the clean computer. Don't use SSDs. Wipe the old drives and put them back in the old machines.

Now all you have to worry about is the data, and you know all of your hardware and your OS are clean. Decrypt it and re-encrypt it onto clean external storage with a new, strong passphrase. Don't involve your new internal drives in this in any way. Disconnect and secure the external storage. Don't let them near the internet or wifi, don't transfer the contents anywhere. Your clean computer is still clean. The only thing you have to worry about are the external drives with your data on them.

Where have you been the past year? CIA tool leaks have demonstrated that UEFI is every bit the insecure piece of shit everyone always feared it could be.

We are not talking about real security here. Just enough to piss off the low level/fbianon tier of hacker.

I know that there are still ways in. I am just talking about upping the difficulty to the point (((they))) don't bother trying to get in. A truly dedicated attacker will ALWAYS get into a computer if they have physical access to it. With no exceptions. There is no such thing as secure hardware (yet).

Why did you get your property seized in the first place?

cp

what did you copy

>>>/4chan/
Get out you faggot. You are never safe if you are into that stuff. Gas yourself.

I don't know much about security, but if the disk is encrypted, isn't it very hard, if not impossible, to access it?
And if you really want to know, you could put your laptop behind a very strict firewall that logs everything and wait for it to phone home. Then sandbox an image of your hard drive and wait for the same behavior; if it doesn't, then it means that your hardware is compromised. Wouldn't this be a good way to know?
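The firewall-log check proposed in the post above, as an added example that is not from the thread: with the suspect machine parked behind a firewall that logs every outbound attempt, list each destination and port it tried to reach that is not on an allowlist of expected destinations. Anything left over is what you investigate. The log lines (iptables-style LOG format), the addresses, the interface names and the file paths are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads iptables-style LOG lines and reports every
# outbound destination/port a quarantined host contacted that is not allowlisted.
# Needs only awk, sort and the usual coreutils. All addresses and names are constructed.
set -eu

# Constructed sample log: three attempts from the quarantined host 192.168.50.10 and one
# from another LAN host, 192.168.50.22, which must not be attributed to the quarantined one.
sample_log() {
cat <<'EOF'
Mar 10 03:12:01 fw kernel: [  512.1] LAN-OUT IN=eth1 OUT=eth0 SRC=192.168.50.10 DST=198.51.100.20 PROTO=TCP SPT=40001 DPT=443
Mar 10 03:12:05 fw kernel: [  516.4] LAN-OUT IN=eth1 OUT=eth0 SRC=192.168.50.10 DST=203.0.113.7 PROTO=TCP SPT=40002 DPT=8443
Mar 10 03:12:09 fw kernel: [  520.0] LAN-OUT IN=eth1 OUT=eth0 SRC=192.168.50.10 DST=203.0.113.7 PROTO=UDP SPT=40003 DPT=53
Mar 10 03:15:00 fw kernel: [  691.2] LAN-OUT IN=eth1 OUT=eth0 SRC=192.168.50.22 DST=203.0.113.7 PROTO=TCP SPT=50001 DPT=80
EOF
}

# Constructed allowlist: destinations the quarantined host is expected to contact, one per line.
sample_allowlist() {
cat <<'EOF'
198.51.100.20
EOF
}

# unexpected_destinations <logfile> <quarantined-ip> <allowlist-file>
# Prints "DST PROTO DPT count" for every destination/port the quarantined host tried to reach
# that is not on the allowlist; prints nothing when the host made no unexpected attempts.
unexpected_destinations() {
    awk -v host="$2" -v allow="$3" '
        BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
        {
            src = dst = proto = dpt = ""
            for (i = 1; i <= NF; i++) {            # pull KEY=VALUE tokens out of the line
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src == host && dst != "" && !(dst in ok)) count[dst " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

demo() {
    dir=$(mktemp -d)
    sample_log > "$dir/fw.log"
    sample_allowlist > "$dir/allow.txt"
    # prints: 203.0.113.7 TCP 8443 1  and  203.0.113.7 UDP 53 1
    unexpected_destinations "$dir/fw.log" 192.168.50.10 "$dir/allow.txt"
}

demo
```

The allowlist is deliberately small: the fewer destinations the quarantined machine legitimately needs, the more meaningful any leftover line is. Note that a destination appearing here only tells you something on the machine reached out; it does not say which layer (OS, firmware, or a user process) did it, which is why the post suggests repeating the experiment against a sandboxed image of the disk.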


Why?

If the cmos battery was pulled, this is outside the skillset of the local police department. I have definite reason to believe they were shipped to Langley during the year and a half they were in police possession.


This is fantastic advice. Thank you.


I'm not looking at pissing them off; this is more about identifying compromises and mitigating data loss as much as possible. These were corporate machines, so I need to pull off PDFs and ODTs of legal documents, SVGs of product designs, and JPEGs. I need to find a way to mitigate the risk of putting these potentially infected files onto my machine.

Can't say, for fear of releasing too much info, but it was not CP or Drugs.


Thank you for the laugh.

Nice reddit memes friendo. Epic thread, epic for the win!

The battery ran out, that happens if you leave it unplugged. But feel free to sell it and buy a new one, peace of mind can be worth the $100 or so you lose from it.

Why the fuck is _Mega_ the best bet? Why not one of the other 10,000 one-click hosters or one of the 20,000 other places where files can be hosted? Do you even have a way to use Mega without JS?
Real-life serious-business institutions such as the police have massively slow processing times. It could have taken them a year to run some scanning program on the HDD that takes 3 seconds.

burn. burn them all.

Nigger, what the fuck were you accused of that got Langley involved?

1. Why would the date change like that?
2. I'd be worried about a hardware compromise. They could install a hardware MITM somewhere.

Stuxnet spread via autorun which isn't enabled nowadays. If they don't have the key the integrity of the data is guaranteed anyway if it decrypts successfully, so the only thing he has to worry about is some zero day exploit in the motherboard firmware that can be triggered from the SATA port. That is just paranoia at this point.

Good luck with that extra chromosome.


Battery has died numerous times on my chromebook, but never has it reset the date.


I'm going to consider this a total loss, as I cannot use the computers, and I cannot in good faith sell them to someone else knowing they may be compromised.

Wish I could tell you.


This seems like bad advice. Any computer I plan to plug these drives into will be considered a loss as well.


There were 13 computers seized in total, as well as multiple hard drives (not connected) that were unencrypted. Data integrity is only really guaranteed on the computers that were encrypted (all of them), and that's still dependent on someone not compromising various firmwares on them.

Mega encrypts files, most do not.

That's my point. They held onto it until they were done.

You have a separate clock battery that lasts for a few months/weeks.
No, that's not true. They can't execute arbitrary code on the computers you connect them to.
Image the disk first, then decrypt the image. They can only corrupt the data, not alter it. You could get a Raspberry Pi and a DVD burner, then just burn the images in 4.7 GB pieces to DVDs without decrypting them. Then read the DVDs with a separate computer.
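The imaging workflow described in this post and in the earlier clean-computer post (image the drive on a clean machine without ever booting from it, move the image in disc-sized pieces, verify every piece before anything is decrypted or opened), as an added example that is not part of the thread. It uses only coreutils. The file names, the tiny piece size and the random "drive" are placeholders constructed for the demo; comments give the values you would use for a real block device and real DVDs.

```shell
#!/bin/sh
# Added example, not code from the thread. Image a drive to a file, verify the copy by hash,
# split the image into disc-sized pieces with a checksum manifest, and verify reassembly on
# the reading side. Needs only coreutils (dd, sha256sum, split, cat, cut, mktemp).
# For a real drive the source is a block device such as /dev/sdX (never mounted, never booted
# from) and PIECE_SIZE is 4700000000 for single-layer DVDs. The demo values are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PIECE_SIZE="${PIECE_SIZE:-4096}"   # demo: tiny pieces; real DVDs: 4700000000

# 1. Image the source block-for-block. conv=noerror,sync keeps going past unreadable sectors
#    and zero-pads them, so bs must divide the device size (512 does for any disk). Record
#    the image hash so every later copy can be checked against it.
image_drive() {            # image_drive <source> <image-file>
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    sha256sum "$2" | cut -d' ' -f1 > "$2.sha256"
}

# 2. Compare source and image hashes; prints "match" or "mismatch".
verify_image() {           # verify_image <source> <image-file>
    src=$(sha256sum "$1" | cut -d' ' -f1)
    img=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$src" = "$img" ]; then echo match; else echo mismatch; fi
}

# 3. Split the image into pieces that each fit one disc, with a manifest of per-piece hashes
#    so each disc can be checked after it is read back.
split_image() {            # split_image <image-file> <piece-dir>
    mkdir -p "$2"
    split -b "$PIECE_SIZE" -d -a 3 "$1" "$2/piece."
    (cd "$2" && sha256sum piece.* > MANIFEST.sha256)
}

# 4. Reading side: check every piece against the manifest, reassemble, and compare the result
#    with the original image hash before the data is decrypted or opened. Prints "ok" or "bad".
reassemble_image() {       # reassemble_image <piece-dir> <output-file> <expected-hash-file>
    if ! (cd "$1" && sha256sum -c --quiet MANIFEST.sha256 >/dev/null 2>&1); then
        echo bad; return 0
    fi
    cat "$1"/piece.* > "$2"
    if [ "$(sha256sum "$2" | cut -d' ' -f1)" = "$(cat "$3")" ]; then echo ok; else echo bad; fi
}

# Constructed demo input: a 10-sector "drive" of random bytes standing in for /dev/sdX.
make_demo_drive() {
    dd if=/dev/urandom of="$WORK/drive.bin" bs=512 count=10 2>/dev/null
    echo "$WORK/drive.bin"
}

demo() {
    src=$(make_demo_drive)
    image_drive "$src" "$WORK/drive.img"
    verify_image "$src" "$WORK/drive.img"                                            # match
    split_image "$WORK/drive.img" "$WORK/pieces"
    reassemble_image "$WORK/pieces" "$WORK/restored.img" "$WORK/drive.img.sha256"   # ok
}

demo
```

The point of the manifest is that the reading machine never has to trust the pieces: a disc that was misread, or a piece that was altered in transit, fails the hash check before any of its bytes reach the decryption step. The image itself is still opaque ciphertext at every stage, which is what lets the imaging machine stay cheap and disposable.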

Use PGP to encrypt the files instead, Mega's encryption is very poor.

Firmware is incredibly hard to audit.
HDDs are much easier, since their firmware is just a cache and ARM cores that spit onto the disk for moar shpeed.
SSDs use wear leveling and TRIM and all kinds of MLC and TLC wizardry; that's why controllers are so integral, and you can't just buy bare NAND and expect to have a fast drive.

At least we know you don't work for the refurb department of Seagate.

???

Get rid of your old drives and update to SSDs for plausible deniability.

In other words tax evasion or some similar IRS-related incident.
You're fucked, OP.

Is this the role playing thread?

Pretty much. But still, QQ the fuck out of that shit. The US government would use you as leverage with personal blackmail against kimdotcom anyway, so it's harder for the US government to get the data if it is in China than if it is anywhere else in the world.

But I would say you are under surveillance and they want you to decrypt the data in front of the cameras or the keyloggers on the other computers, just to send you to jail one way or another.

Not saying that they would actually believe that there's something in there, just that they would use that tactic if they actually hated you. Or wanted a promotion, or a medal, w/e.

Holy shit, is the IRS that fucked up? They seize your private property because "muh tax evasion"?

There's some sort of breach that is just waiting for you to decrypt that data. If they can't find it when they want, they'll just wait until you let your guard down.

Pay attention, you fool.

are you retarded?

So you're saying that an infected firmware on a hard drive can *not* lead to a compromised system? Why compromise the firmware, then?


Yeah, yeah. It's a contradiction in terms, like "military intelligence". The traditional definition of technology applies.


How would SSDs guarantee plausible deniability?


Getting warmer, but still no. I'm only worried about retaliation coming from government actors in the security establishment.

I wish I was roleplaying this.
I'm (likely|definitely) under surveillance.
Consider this thread to be me paying attention.


If you have a more secure option than MEGA/New Zealand (FIVE EYES) for transferring data, I am open to suggestions.

youtube.com/watch?v=vCItBX8288Y&nohtml5=False

Good plan, but I have a suggestion that doesn't require you to buy a mega account.

Because they can replace one binary with another, log which chunks are read the most, etc. If it's encrypted they can get metadata, but dumping the drive wholesale is safe.
GPG-encrypt, then share over LAN.

Was anything you possessed a "threat" to national security?

The lulz if OP downloaded Holla Forums for a day and is now considered a national security risk.

Corporate espionage? He said he's trying to get product designs and the like.

In the same position as you, OP. If they were going to bootkit you, they would load off an external SSD and fuck with the firmware. Keep in mind though, the gov doesn't have any good bootkits atm. They have an OK rootkit that gets overused, but it's just a copy-paste from krabs.

Personally I would be more concerned about physical monitoring. On that note, would you happen to be the user who started finding audio bugs in his house and posted about it on Holla Forums?

Glad I could help.

To be specific, this user.

youtube.com/watch?v=R22BvvzRydo

I don't know much about this, but I read somewhere that you're safer hosting it inside if you can do it securely; they have more legal bullshit to cross to try and read it.

Yes you can: "Police seized Computers For Sale, may be compromised, discounting $99.99"

This. Someone is going to take the deal and flip it for some cash.

Why even discount? No one who cares about that shit is going to buy a second-hand computer anyway. Sell it to normalfag faceberg drones.

Just a note that if you're under surveillance, it's highly likely that your modem/router is compromised. That means that sending anything from computer to computer over your LAN in plain text is equivalent to sending a copy to the spooks. Some other tricks used are the ever-popular keylogger and its newer cousin, the audio tap in your room that listens to keystroke sounds and deciphers them into what was typed. Onscreen mouse-clickable keyboards for password entry, and some constant background sound, help with these.

Thank you for the advice.

No.


I could sell it, but that would endanger the public, and would be irresponsible. I'll have to just consider the lot a total loss, because I cannot guarantee there isn't a compromised firmware on any (or all) of the devices seized.


You're correct, which is why I have an old Pentium III acting as a hardware firewall. They don't have hardware backdoors for it. Your advice on passwords and sound was appreciated.

Kernel was subverted long ago. You don't need backdoors when bugs are abundant and you have discovered a new way of exploiting them. The fact the kernel doesn't commit suicide in a debuggable way when it encounters undefined behavior IS THE SECURITY BACKDOOR!

Such a moralcuck.

They probably put a rootkit in the firmware of your HDD.

I'd abandon everything, or at least go to a secure location inside a Faraday cage to transfer to another medium.

Is that image satirical, or fact?

The hard drive is probably the biggest hole in your system; the Equation Group is known to have backdoored many Seagate and other drives. What is it?

Morals are a spook.

Looks like they held onto it and waited for an exploit as said by

Also, I'm sure most countries force you to surrender passwords, including the US. How the fuck did you evade that?

This. Build your own router with pfSense or OPNsense.

THEY CAN'T FORCE YOU TO TURN OVER PASSWORDS IN THE US, 1ST AMENDMENT AN SHIT. BUT THEY DO CLAIM THE RIGHT TO TAKE YOUR FINGERPRINTS.

THAT'S YET ANOTHER REASON WHY YOU NEVER EVER USE FINGERPRINT OR FACE UNLOCK ON YOUR PHONE.

It requires JavaScript.


What if I close my fists hard and won't open them?
What if I remove my fingerprints?

The same thing happened to me in the past too. I was living in Poland at the time, and I was very surprised when the US spooks came after me. They don't give a shit about borders or jurisdiction areas. I was held under arrest for a few weeks, I have no idea where. Probably somewhere in Europe, still. I got my hardware back two years later, seals broken but very carefully replaced. I mounted the drives read-only on a clean machine, and copied the important things onto a clean USB drive. Then I ditched everything but the drive and some cash, and moved to another country. At the time I also considered getting a new irl identity, but right now it feels like it woulda been overkill. It wasn't anything too serious, I'm pretty sure that no one's after me anymore, but I still surveil my house and other things 24 hours a day. Paranoia is a bitch.

Wrong.
bleepingcomputer.com/news/legal/man-who-refused-to-decrypt-hard-drives-still-in-prison-after-two-years/
arstechnica.com/wp-content/uploads/2017/03/rawlsopinion.pdf

According to the All Writs Act, if the existence of illegal content on an encrypted volume is a "foregone conclusion", a suspect can be detained indefinitely until they cough up an encryption key.

Doesn't need to be constant; it just needs to always be louder than a certain level at the frequencies which are most useful for detecting key presses. Any music which does not contain silence and has a broad spectrum would work well, for example some heavy metal. And it won't raise any questions either.

If it is a foregone conclusion why don't they just sentence him already?

Because it upgrades his charge of receipt to possession, and because they want a precedent to override the fifth amendment with.

So the guy should wait another couple of years until he actually DOES forget his password?

While I may be in the minority, I try to apply morals while operating a corporation. That applies when discarding equipment.

That's an interesting idea, but I don't know if I could get a Faraday budget approved.

catb.org/jargon/html/H/ha-ha-only-serious.html

The spinning-disk drives are Seagate. The drives in all the computers are SSDs of various cheap Newegg sale brands.

I am intrigued by your words and wish to subscribe to your newsletter.

To say would be to brag. I've had enough hubris to last a lifetime, so I'll decline to comment.

OpenBSD-only. stock router in bridge/dummy mode.

In Zersetzung, 95% of the mindfuck is what you do to yourself.

No power in the universe can make you divulge a password you don't know yourself. Create a private key on a USB stick along with a script that manages it as your encryption password. Destroy the USB stick and the encrypted data is lost forever, period.

You may think you are applying the interests of other people when you're making decisions for them, but I assure you, you're not.

Maybe they confiscated your laptop just so they can get moar cryptocurrency ¯\_(ツ)_/¯

Can't you just sell it without the hard drive?
