Detecting whether the Feds or any government adversary has placed spyware on your computer when "examining" it at a border checkpoint is not entirely trivial. It is, however, important for your privacy and peace of mind -- especially because computer and PDA searches will likely become more popular in time.

Here are some basic suggestions:
http://www.politechbot.com/2005/04/21/update-on-alabama/

A more advanced one would be to perform a checksum of all the files on the hard drive before-and-after through something like this:

# -type f skips directories, -xdev stays on one filesystem, -print0/xargs -0 copes with spaces in filenames
% find / -xdev -type f -print0 | xargs -0 md5 > /tmp/new ; diff /tmp/new /tmp/old

The problem is that even your "diff" utility could be modified so you'd need to use a known-good copy from archival media.

Can anyone recommend a checksumming utility for Windows and OS X? It would be nicer than a command-line interface.

Note, by the way, that Rep. Bono's "anti-spyware" bill exempts police:
http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.00029:

-Declan

---

Declan,

In response to the Alabama activist who was hassled at the border returning from Canada, here is some insight. However, I ask that you PLEASE WITHHOLD MY NAME; I know some people who do computer forensics for FBI and I would not want them to know it was me writing this.... Thanks. Feel free to use any of the below in the blog or in the listserv.

+ + + + + + + + + + + + + + + + + + + + + + + +

Loretta's experience w/ US Customs is chilling. The fifteen minutes her notebook computer was out of view and in government custody is plenty of time for an agent to image the drive. Imaging, as you know, is the end-to-end bit-level copying of the drive. When properly done, imaging bypasses all OS controls, such as file permissions in Linux, BSD, and OS/X, and user ownership in Windows. A drive image affords an analyst plenty of time to examine the drive contents without the owner's awareness.

The image can be mounted onto a device where other programs can reconstruct or reinterpret file system structures of NTFS, ext, FAT, and so on. An analyst mounting an image as root or Administrator can see anything. Do not assume a BIOS password will protect you. The drive can be physically removed from a laptop in under a minute.

If the file data is encrypted, a forensic analyst will need to use a password cracker to decode the data. This will slow them down, and in all but the most pressing cases, will prompt them to move on. However, a careless individual may leave their PGP (or similar) key on their drive in a text file or in slack or deleted space, giving the agent something to work with. Though encryption is a pain for the user to deal with, this is probably the best level of protection. Encryption raises your reasonable level of expectation of privacy.

Legal issues raised by this incident potentially include illegal search and seizure. Even US Customs still needs a search warrant for your computer, and the warrant must state specifically what they are looking for. They cannot fish. If an image was taken of Loretta Nall's drive, there will be a chain of custody document for this supposed evidence. Her lawyer can advise as to how to file a motion for it. There might also be an incident report, which would describe the actions of the agents. None of the information stolen from Loretta's drive can be used directly in a court proceeding. Unfortunately, it probably could be used to confirm other intelligence.

There is no device I know of that will allow you to determine if your drive has been scanned or imaged. Computer forensics is extremely careful not to taint evidence by writing to the drive. I'd like to see one of those warranty foil labels that fall apart when you tamper with them. There must be a source for them. Place a label across the edges of the drive bay. That way, if the drive is removed, you can at least see that it was opened.

The point about government installing bots is well-taken. You may be able to md5sum your drive before and after customs, but this capability is beyond 99%+ of users. If possible, do NOT carry a notebook across the border with you if you can avoid it. Junior G-Men may be too tempted to prove their mettle with the boss when they see one. For data, pen drives and CDs can be commingled with other personal possessions, where they might attract less attention. Pen drives may be reformatted at will, removing the risk exposure that might come with a notebook's Internet cache, slack space, cookie list, website history, and so on.

If you MUST take your computer, FLUSH ALL INTERNET CACHE, web site histories, search histories, cookies, temp files, recycle bins, etc. Make your own disk image before you go.

Always ask Customs what they are doing, and ask as politely as possible. Object if they remove something from your sight - again, as politely as possible. Do not get "legal" on them, but do say "I don't understand." At least that way they cannot claim you have tacitly waived your rights.

-N. G. Zax

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Tue May 03 2005 - 23:03:06 PDT
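The before-and-after checksum idea from Declan's message, worked out as a small cross-platform script (Python runs on the Windows and OS X machines he asked about). This is an added example written for this archive page, not code from the Politech thread or from either correspondent. It hashes every regular file under a directory into a manifest, then compares a later manifest against the baseline and reports files that were added, removed, or modified. The directory layout, file names such as "bin/diff" and ".hidden/agent.so", and the "tampering" in demo() are constructed to illustrate the detection and are not taken from the incident described above. Two caveats the thread itself raises are built in: the script only sees changes written to the disk, so a bit-level image taken by an examiner leaves nothing for it to find; and it is only as trustworthy as the interpreter, the script, and the baseline manifest, which is why the demo keeps the baseline outside the tree being checked (standing in for the "known-good copy from archival media").

```python
"""Before-and-after file integrity check (added example, not from the Politech thread)."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each regular file (path relative to root, '/'-separated) to its SHA-256.

    Symlinks are skipped so a planted link cannot redirect the walk outside the
    tree; files that cannot be read are recorded with an error marker instead of
    being silently omitted, since a file that became unreadable is itself a change.
    """
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()  # deterministic order makes manifests diff cleanly
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                manifest[rel] = sha256_file(full)
            except OSError as exc:
                manifest[rel] = "ERROR:" + type(exc).__name__
    return manifest


def compare_manifests(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between a baseline manifest and a later one."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def save_manifest(manifest: Dict[str, str], path: str) -> None:
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, sort_keys=True, indent=1)


def load_manifest(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def _write(root: str, rel: str, data: bytes) -> None:
    """Helper for the constructed demo tree."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, simulate tampering, detect it.

    The baseline manifest is stored in a separate directory, standing in for the
    archival media the thread recommends for the known-good tools and checksums.
    """
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as media:
        _write(root, "Documents/notes.txt", b"trip notes\n")
        _write(root, "bin/diff", b"original diff binary\n")
        _write(root, ".bash_history", b"ls\n")
        baseline_file = os.path.join(media, "baseline.json")
        save_manifest(build_manifest(root), baseline_file)

        # Simulated changes while the machine was out of sight (constructed, not real):
        _write(root, "bin/diff", b"trojaned diff binary\n")    # tool replaced
        _write(root, ".hidden/agent.so", b"\x7fELF...\n")      # new file planted
        os.remove(os.path.join(root, ".bash_history"))         # file removed

        return compare_manifests(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In real use, run build_manifest on the mount point before travel, copy the JSON to removable media, and run the comparison afterwards with an interpreter started from that same media; the on-disk Python and diff binaries are exactly the files a tamperer would replace first, and "bin/diff" showing up as modified in the demo is the reminder of that.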