Police Returned Property

Definitely going to sell it, along with all other hardware returned. Any suggestions on how to get the data off the machines/drives before selling them?

Current plan:

Better ideas welcomed/encouraged.


Not using any Lennart Poettering technology on my systems.

If they hold onto your shit for a year and a half I get the impression that they have everything they want now.


Mega would be your best bet, but putting any data on a remote host still means that you're storing your files on another computer you don't own, which I get the impression you don't want to do.
Why not encrypt the USB, vacuum seal it in a bag and then bury it somewhere safe?

I need to get data from the drives to my safe network.

Also, there's a lot of drama regarding how long it took for them to return the equipment after a court order, so I'm suspecting they needed to send it to Langley for more work.

Can't believe they can just hold onto your hardware for that long, but you're almost certainly correct. There's no way your local police department is getting into something like that.
I know Mega encrypts files, but you should still never trust someone to save your ass. Encrypt them as much as possible before uploading, and use the longest password you can remember.
I don't have a lot of useful input on this unfortunately, but depending on the file types you need to transfer it may also be possible to inject code into them, similar to, for example, PDF, and word documents (obviously not a concern since you're not using micro$oft office). I'm sure there are tons of exploits to do this that I'm not aware of, and even more that we don't know of.
So as a word of caution, be sparing with the files you transfer.

If you do go through with uploading it, do so from a public cafe or LAN on someone else's equipment and using prepaid cards so as to not be traced to you.

Even in that situation if they zero dayed the kernel along with a zero day involving the USB port drivers/udev/systemd(unless they are shut off on boot up or he used a static /dev) then they definitely got in even without systemd on the rest of the system. Notice how udev is part of systemd now you faggot.

Me_cleaner won't catch other types of firmware. If you have a non-libreboot BIOS it is now backdoored. If you have an SSD it is now backdoored. Regular HDDs will have noticeable tampering if they backdoored them. Check the hardware for keyloggers. Check the SD card reader for tampering. Check the GPU's BIOS for tampering. You can't ever trust that hardware again if anything beyond local police/fbianon level tried getting into it.


Check every file in a hex editor, open it in an archive program, exiftool it, and make sure to check for weirdness with timestamps. Even then you can't trust you are not bringing a trojan over now.

The logs mean nothing.

They would have booted it via USB. Their tools would have disabled write access before bringing the drive online. Then imaged the drive to work on the contents elsewhere.

The dead battery? They could have imaged it the day they took possession and then it sat in the evidence locker until today.

If OP was taking his security seriously he would have had a UEFI enabled system that signed everything for the boot proccess so that you can't boot anything without OP's UEFI secure boot key signing the EFI loaded code. The problem then goes back to if he disabled USB on boot. That would have meant (((they))) would have had to open the case and backdoor/get in that way.

Correct.

Local PDs wouldn't have super hax0rs on site. They would have a pre-baked generic tool that boots off a USB stick and then automatically just dumps the system's contents to an external HD raw.
They then FedEx that external HD off to the feds or their forensics contractor.

Since OP's computer never left the possession of that local PD's evidence officer there are no records made of any of this happening.

Buy a clean computer. Don't buy it online, don't have it shipped. Keep it isolated from the internet and wifi. Download a live Linux ISO from somewhere other than your own internet. Put it on a clean USB stick. Boot the clean computer with it. Remove the drives from the old computers. Do not boot from them. Image them to clean external hard drives on the clean computer. Don't use SSDs. Wipe the old drives and put them back in the old machines.

Now all you have to worry about is the data, and you know all of your hardware and your OS are clean. Decrypt it and re-encrypt it onto clean external storage with a new, strong passphrase. Don't involve your new internal drives in this in any way. Disconnect and secure the external storage. Don't let them near the internet or wifi, don't transfer the contents anywhere. Your clean computer is still clean. The only thing you have to worry about are the external drives with your data on them.
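
Added example, not part of any post in this thread: a first-pass triage of the kind suggested above (inspect file headers, look for timestamp weirdness), meant to be run on the isolated machine against a read-only mount of the imaged copy. The signature table, the custody-window dates and the sample files are constructed assumptions, and a clean result only narrows what needs a manual look; it does not show a file is safe.

```python
import os
import tempfile
import time
from pathlib import Path

# Constructed signature table covering a few common formats (assumption; extend as needed).
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".gz": b"\x1f\x8b"}

def triage(root, seized, returned, now=None):
    """Return {relative_path: [reasons]} for files that deserve a manual look."""
    now = time.time() if now is None else now
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # never follow links out of the tree being examined
        with open(path, "rb") as fh:
            head = fh.read(16)
        mtime = path.stat().st_mtime
        reasons = []
        expected = MAGIC.get(path.suffix.lower())
        if expected is not None:
            if not head.startswith(expected):
                reasons.append("header does not match extension")
        else:
            reasons += [f"content matches {ext} signature"
                        for ext, sig in MAGIC.items() if head.startswith(sig)]
        if seized <= mtime <= returned:
            reasons.append("modified while in custody")
        if mtime > now:
            reasons.append("timestamp in the future")
        if reasons:
            findings[str(path.relative_to(root))] = reasons
    return findings

def demo():
    """Build a constructed sample tree and triage it (all values are made up)."""
    seized, returned = 1_500_000_000, 1_550_000_000  # hypothetical custody window, epoch seconds
    samples = {"notes.pdf": (b"%PDF-1.4 sample", 1_400_000_000),   # consistent, untouched
               "photo.jpg": (b"PK\x03\x04 payload", 1_400_000_000),  # archive named as image
               "todo.txt": (b"buy milk\n", 1_520_000_000),          # changed inside the window
               "blob.bin": (b"\x1f\x8b\x08 data", 1_400_000_000)}   # gzip under a generic name
    with tempfile.TemporaryDirectory() as d:
        for name, (data, mtime) in samples.items():
            p = Path(d, name)
            p.write_bytes(data)
            os.utime(p, (mtime, mtime))
        return triage(d, seized, returned, now=1_600_000_000)
```

Modification times are easy to reset, so an empty custody-window result is weak evidence; compare hashes against a pre-seizure backup where one exists.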