[Politech] Customs-proofing your laptop: Staying safe at border searches [priv]

From: Declan McCullagh (declan@private)
Date: Tue May 03 2005 - 22:42:03 PDT


Detecting whether the Feds or any government adversary has placed 
spyware on your computer when "examining" it at a border checkpoint is 
not entirely trivial. It is, however, important for your privacy and 
peace of mind -- especially because computer and PDA searches will 
likely become more popular in time.

Here are some basic suggestions:
http://www.politechbot.com/2005/04/21/update-on-alabama/

A more advanced one would be to perform a checksum of all the files on 
the hard drive before-and-after through something like this:

% for i in `find / -print`; do md5 $i >> /tmp/new; done ; diff /tmp/new 
/tmp/old

The problem is that even your "diff" utility could be modified so you'd 
need to use a known-good copy from archival media.

Can anyone recommend a checksum'ing utility for Windows and OS X? It 
would be nicer than a command-line interface.

Note, by the way, that Rep. Bono's "anti-spyware" bill exempts police:
http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.00029:

-Declan

---

Declan,

In response to the Alabama activist who was hassled at the border returning
from Canada, here is some insight.  However, I ask that you PLEASE WITHHOLD
MY NAME; I know some people who do computer forensics for FBI and I would
not want them to know it was me writing this....  Thanks.

Feel free to use any of the below in the blog or in the listserv.


+ + + + + + + + + + + + + + + + + + + + + + + +

Loretta's experience w/ US Customs is chilling.  The fifteen minutes her
notebook computer was out of view and in government custody is plenty of
time for an agent to image the drive.  Imaging, as you know, is the
end-to-end bit-level copying of the drive.  When properly done, imaging
bypasses all OS controls, such as file permissions in Linux, BSD, and OS/X,
and user ownership in Windows.

A drive image affords an analyst plenty of time to examine the drive
contents without the owner's awareness.  The image can be mounted onto a
device where other programs can reconstruct or reinterpret file systems
structures of NTFS, ext, FAT, and so on.  An analyst mounting an image as
root or Administrator can see anything.

Do not assume a BIOS password will protect you.  The drive can be
physically removed from a laptop in under a minute.

If the file data is encrypted, a forensic analyst will need to use a
password cracker to decode the data.  This will slow them down, and in all
but the most pressing cases, will prompt them to move on.  However, a
careless individual may leave their PGP (or similar) key on their drive in
a text file or in slack or deleted space, giving the agent something to
work with.

Though encryption is a pain for the user to deal with, this is probably the
best level of protection.  Encryption raises your reasonable level of
expectation of privacy.

Legal issues raised by this incident potentially include illegal search and
seizure.  Even US Customs still needs a search warrant for your computer,
and the warrant must state specifically what they are looking for.  They
cannot fish.

If an image was taken of Loretta Nall's drive, there will be a chain of
custody document for this supposed evidence.  Her lawyer can advise as to
how to file a motion for it.  There might also be an incident report, which
would describe the actions of the agents.

None of the information stolen from Loretta's drive can be used directly in
a court proceeding.  Unfortunately, it probably could be used to confirm
other intelligence.

There is no device I know of that will allow you to determine if your drive
has been scanned or imaged.  Computer forensics is extremely careful not to
taint evidence by writing to the drive.

I'd like to see one of those warranty foil labels that fall apart when you
tamper with them.  There must be source for them.  Place a label across the
edges of the drive bay.  That way, if the drive is removed, you can at
least see that it was opened.

The point about government installing bots is well-taken.  You may be able
to md5sum your drive before and after customs, but this capability is
beyond 99%+ of users.

If possible, do NOT carry a notebook across the border with you if you can
avoid it.  Junior G-Men maybe too tempted to prove their mettle with the
boss when they see one.  For data, pen drives and CD's can be comingled
with other personal possessions, where they might attract less attention.

Pen drives may be reformatted at will, removing the risk exposure that
might come with a notebook's Internet cache, slack space, cookie list,
website history, and so on.

If you MUST take your computer, FLUSH ALL INTERNET CACHE, web site
histories, search histories, cookies, temp files, recycyle bins, etc.  Make
your own disk image before you go.

Always ask Customs what they are doing, and ask as politely as
possible.  Object if they remove something from your sight - again, as
politely as possible.  Do not get "legal" on them, but do say "I don't
understand."  At least that way they cannot claim you have tacitly waived
your rights.

-N. G. Zax



_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)



This archive was generated by hypermail 2.1.3 : Tue May 03 2005 - 23:03:06 PDT