detained, electronics seized.. but not all..

hi,

assume someone got raided for an unknown reason, besides police saying "signs pointing in ur direction", and they took basically all electronics, and demanded privacy while searching (not allowing anyone to get near).

after leaving, they left one computer.

what is the chance, if at all likely, that the computer they left behind for an unknown reason is actually bugged/backdoored? As in a tool that would evade common packet loggers, would not be visible from Win event logs etc... - no signs of compromise.

I know that "good" viruses are not detected by antiviruses/firewalls, not until after a while anyway (and mainly non-targeted/mass-spreading ones, then).

What is the likelihood of government agents using such an undetected tool to gather intel? This is in Europe.

The case appears small (drugs arriving in neighbors' mailboxes), but it apparently is taken very seriously and police are being very aggressive and hostile. A dozen armed people parking in all nearby driveways and spending a good part of the day doing "their thing" (whatever it was - their search was very thorough).

Much chance that the privacy they demanded (being left alone while searching and seizing) was to, for example, subtly power on the comp, yank in a pre-configured USB stick with some BIOS/firmware hardware keylogger, or something like that..?

What level of paranoia is warranted?

Also. Assume something like a TrueCrypt container was mounted with various other nested encrypted containers, TrueCrypt disk mounted during initial LEO penetration..
but power got cut (and then remained off for several minutes at least). Can any keys, data content as mounted, or other sensitive data be easily or at all recovered from Windows' memory dump or such, following such a sudden power outage (pulling the plug), or is a "cold boot attack" and acting fast as such the only way? Any difference in recovery as such with SSD vs magnetic/normal-type hard drives?

How long back in time (in regards to internet traffic) to consider it likely they are digging, and how extensively?

It's been silent for months now. Every day I am just waiting for them to return... I am depressed and very much bothered by this situation, mostly the unknowns..

Note, there was no arrest, merely detained during the search/seizure. I fear what is to come, though.. but not knowing much, it's hard to say.

I really want to know how likely it is that local cops, for such a relatively small (imo.) case, do a "James Bond" maneuver and install some bugs, rootkits or such.. if at all, or is that just paranoia?

Thanks for any input!


Comments


[6 Points] None:

hey i would be paranoid as shit if that happened to me too


[2 Points] dunnowhotopick:

If it's your computer and you're really this paranoid, get it the fuck out of your home, destroy it. I can see this happening if you're part of a chain of ongoing criminal activity under investigation, but if you are just a personal buyer, stop using tor from home first of all, stop using that comp, and ship some herb to your buddy's place, smoke a joint and chill. I think you're being paranoid unless you absolutely have a reason to be paranoid.


[2 Points] DancingWindAway:

So here is the deal. The only entity we know of that does install loggers on hardware is the TAO (http://en.wikipedia.org/wiki/Tailored_Access_Operations), a cyber-warfare subsection of the NSA.

TAO does not operate within the US but rather everywhere else. So if somebody would bug your PC it's them.

But unless you are a foreign spy or rogue agent you have nothing to fear. TAO doesn't give a fuck about drugs, they are more interested in terror and spy cases.


[2 Points] ThisIsNotTheEndBreak:

They demand privacy and get it, I demand privacy and I'm compared to terrorists.

But to answer your question, I would be very paranoid and I'd destroy the computer and buy a new one.


[1 Points] lrpaterson:

I would say they bugged the system, especially if it seemed like they knew what they were doing.

From information I've seen here in the US, going back and looking at web search history can be done with a warrant and the scope would depend on how much information your ISP collects.

As far as the James Bond stuff, there are plenty of vendors/companies that sell easy to use software to law enforcement departments. Even if it was for a very small amount of drugs, department policy would dictate action.


[1 Points] hksupport:

If there's data you absolutely need on it, take out the hard drive and connect it to a separate computer and make sure that nothing runs, that you are just reading the file system. I would use a live system like Tails or the Ubuntu disc or something and move data from the hard drive to a USB drive or something. In Tails, you can hit Tab on the screen that says "Live" and "Live (failsafe)", and then type the space bar followed by "truecrypt" and hit enter, and Tails will boot with TrueCrypt 7.1a installed, so you can mount the hard drive to move data. There's an option in TrueCrypt's "System" menu called "Mount without pre-boot authentication" which is specifically for mounting hard drives with full disk encryption.

If however you can live without the data on the drive, this is the obvious first step. You should obviously consider that computer bugged/compromised. Even if it has full disk encryption, there might be a tiny mic/camera or there's also the EvilMaid attack for grabbing your disk encryption password. You should not use that computer ever again, for anything. Download and burn DBAN from another computer, and then run it on your computer, and then give it away. You can't even trust that the motherboard or other hardware hasn't been bugged. Come to think of it, you can't trust that other areas of your home aren't bugged....

As far as what they could get, it is theoretically possible they could have gotten a decryption key. Computer RAM generally takes a few minutes to fade completely, so if they were doing that, or ready to do it, before the power cut, they may have gotten it. That's if you had full disk encryption. If you had the drive unencrypted but had TrueCrypt file container volumes on it, then there's a reasonable chance they may have gotten them. The Windows registry keeps fucking everything man. If you had the volume as a favorite or auto-mount or anything else where it can mount without you typing the password, you should consider it 100% compromised. However, if you had to enter the password each time, it's possible they didn't get it. But of course, the empty space on the disk could still have been read. So who knows.

You should always always always use full disk encryption from the start.


[1 Points] inhibit0r:

Yeah I'd get rid of that computer. If you MUST use it, like others have said, format the HD (do not use that one-touch recovery shit, software can be installed on that) and reset the BIOS. Look for hardware taps (like others said, suspicious cables and such.. more sophisticated ones can be impossible to detect but doubtful your local LE has such capabilities). But what that one guy said is right, there are PLENTY of companies that provide LE (or anyone with the money) with one-click trojan installation software.


[1 Points] KevlarNChrome:

Pretty much everything the posters above me said, with the additional caveat that I'd get rid of my router and also switch ISPs, or if you've only got one service in the area, make sure my modem "breaks" and needs to be exchanged for a new one. May be an unlikely scenario, but if the guys with the guns have already showed up, I prefer to be too paranoid over prison.


[1 Points] gsaT529724:

Do a factory reset on your computer and then go from there. It's very difficult for a virus to survive a factory reset as far as I know. Anyone else agree or disagree? I don't have much knowledge as far as programming goes.


[1 Points] throwaway39552:

This is OP, just forgot PW for main acc.

Thank you all, very much, for your replies!:)

The computer they left is considered trash now - but still, I wish to keep it somehow, for some use.. hopefully without too much risk.

While I am likely yet far from seeing the end of this all, or even where it leads from here - if much of anywhere at all -, I have been learning a lot about physical and virtual security for the future, and will keep reading up about this.

I am in the process of acquiring much new hardware (besides computers (not paid with anything affiliated with my name or such of course)), studying new and layered methods for encryption, methods of communications, layers of fake IDs and their aliases etc. and among other things also separating my network (all cabled ofc.) in different zones with custom (hopefully fairly) secure routers setup. I have finally started bothering (and consistently) doing the tiny things such as verifying the integrity/hash of files when downloading, and such...

I will likely keep the compromised computer, but have it separated (physically) from myself and other equipment, and use it for something very innocent (such as being part of the external/outside camera surveillance) setup I'm working on, after having reset as much as I can, wiped and overwritten data a ton of times and all..

Btw, the TC container was mounted, but no auto-mount or anything was on, and no history was set to be logged, and auto-dismount was set for every trigger (screensaver, few minutes without anything read/written to it, poweroff etc..). PW was entered manually each time. I don't know for sure, but possibly sensitive details would be exposed if they were to gain access to it. From what I have read, TC containers can be proven by analyzing the headers of the file.. I don't know how much they can push me to demand a valid login if they do find something to be a TC container, but I am no matter what not going to cooperate, or even talk at all about this if asked... whatever the consequence.

Biggest task is, I will from here on heavily isolate and encrypt everything Windows and try to use it as little as possible (for now, and likely future and increasingly so, games (that require it) only), and push myself to learn much more about Linux, from networking and having control of and analyzing every little packet and setting it up as a router or whatever with iptables (I know kinda little about iptables and such networking features so far..), to monitoring and analyzing processes, handles and every little action they attempt during their execution.. maybe even trying to learn a little about disassembling/dissecting apps and data. Besides also isolating each system (or set of systems) in their own layered sub networks (behind their own (secured) routers) for various uses, in addition to various software, and make sure to nest it in numerous layers despite the hassle. Get used to and play around with the various "live-cd" distros, have creative tokens/hardware keys in addition to passwords for unlocking certain things, etc... I have much work ahead in this regard, and probably shouldn't say specifics or much more, either.

I am still researching and pondering much of this, little is still implemented. I probably shouldn't mention most of it.. it's getting quite extensive eventually. As a basis for all, I will not be using wireless for anything, have FD encryption with nested containers and whatnot for Every device, kill-switches or ways to securely send remote commands to execute an app which further completes a chain of commands, implement personal security policies forcing a "lock down" on some hot-key, or when I have to move my hands off the keyboard more than a minute, and other security features in case I am off the computer for a minute and can't reach it, and such..

My biggest lesson from this so far is, I think, thinking back to where I might have made some mistakes.. to NOT again be sloppy with security any more, not allow that one little time, or be bothered by lag, inconvenience and issues to accomplish security. From now on I will put much more extensive work into it all, and accept slow and troublesome working in some ways, and not deviate from this, such as 'accidentally' (from laziness) "polluting" any fake IDs by touching any part of it with a VPN used for another ID, trusting commercial or any one single provider (such as for VPN, requiring some chained relays to be fairly secured (hacked) boxes in hostile (china?) sites.., among other things) etc.. Will be sure to chain numerous VPNs etc. over TOR for various uses thru my own home-routing system, many thru hardware (custom configured routers/relays) and isolating each box well according to its need.

And of course, playing with wireless security (aircrack-ng suite (on Kali (Linux)) for example), I have become determined to avoid all wireless. Will lock everything on my computer receiving signal or accepting (to me) unexpected input (such as wifi, bluetooth, USB or CD-ROM) being employed.. and of course, on the more critical ones, layer full-disk encryption along with other methods of encrypting and hiding, as well as teaching friends and family new methods of communication and using PGP and such in some way (still figuring it) that I can make it easy and convenient for them to learn and use (ppl who know little if anything about computer stuff beyond the world of facebook, excel, powerpoint and such..)

I simply don't feel safe at all any more, as if someone is constantly watching me, and don't even dare doing much more than browsing my local news sites, playing games and the like.. "the expected", normal boring stuff. Takes my creativity away, too.. My current situation just sucks a lot. I need major improvements, besides in my life in general.. too many and too frequent warrants issued against me lately.. I need a year or few clean, I think.

I am quite sure I am currently under phone and internet surveillance, possibly also some kinda physical monitoring, including all my mail.. I can't say for sure, however there are certain strange signs.

Any further suggestions or input very welcome. I keep all opportunities open and expect the worst. Although, imo (and really..) this is not some giant case as it seems they perceive it..

Anyway, I don't know where this is going (legally) still, and likewise still as paranoid.

Thanks again for all input. Greatly appreciated! Sorry for all my talk.. (I have not given up drugs, nor really plan to fully any time soon ( :\? ) lol)

Wish me luck..... :) Thanks again.


[1 Points] throwaway39551:

I figured the PW that I had used. This post is just to verify the previous post was made by me (OP).
I need to get into a system to keep pgp keys for various uses and have various layers of security for that, too, to simply pgp-sign messages to verify identity like this, I think. Anyway.

Thanks again.