a ?? for LEOs: Is that normal?

granfire

Not to go into too many details, since it's all very fresh and on a somewhat personal level:

Family loses small child to unexplained death. So far so bad, the official channels go through all the moves, making sure it was not foul play (thank you Nancy Grace).

Mother's personal computer is taken...

When she gets it back it's full of cooties, suspected keyloggers...

Is that what one has to expect when the law looks at your stuff?
 

Archangel M

> Not to go into too many details, since it's all very fresh and on a somewhat personal level:
>
> Family loses small child to unexplained death. So far so bad, the official channels go through all the moves, making sure it was not foul play (thank you Nancy Grace).
>
> Mother's personal computer is taken...
>
> When she gets it back it's full of cooties, suspected keyloggers...
>
> Is that what one has to expect when the law looks at your stuff?

I'm assuming that she ran a scan after getting it back to see if the police are snooping on her? And she finds "something". I'm thinking someone is paranoid. How does she know that they were not there before?

In answer to your question...no. Not without a wiretap authorization and if they did have THAT I doubt she would have been able to find anything on her comp. Without a valid tap nothing gained could be used. Personally, I've never seen a "keylogger wiretap"...not that they don't exist, it's just outside my experience.
 

Archangel M

If a computer forensic was run on it, I suppose it's possible that there is some trace of the software used to search it on the drive somewhere...maybe.....
 

Carol

Not a LEO, I have never heard of a keylogger used for CALEA purposes. It sounds more to me as if the system wasn't clean when the police investigated, and when it was returned the user either ran a complete system scan, or hit upon 'fake virus scanner' malware. All it takes is one click on the wrong link to hose up a system.

Can't see key loggers as being that interesting to LE. Key loggers do not store context, they just store keystrokes. Let's say the keylogger captures the word "murder". Why were they typing "murder"? Figure of speech? Movie review? Writing a book? Searching for a news story? Hard for data like that to be evidentiary.

On the other hand, a Google search for "how to murder a small child" is likely more useful.
 

Sensei Payne

Being that I work on computers daily at my day job...if I were you I would just reformat my computer anyways. If anyone had my computer in a situation like that...I would also change the hard drive and the RAM as well.
 
granfire

> Being that I work on computers daily at my day job...if I were you I would just reformat my computer anyways. If anyone had my computer in a situation like that...I would also change the hard drive and the RAM as well.


The RAM?
Never thought of that.
(thankfully it's not me. I just kill computers outright)
 

CanuckMA

The LEOs would not work on the computer anyway. They would take forensic copies of the hard drive and let the analysis tools work on the copies. They would never take the chance of anything happening with the original drive if it ever was needed as evidence.

The RAM?? seriously??? you are paranoid.
 
granfire

> Not a LEO, I have never heard of a keylogger used for CALEA purposes. It sounds more to me as if the system wasn't clean when the police investigated, and when it was returned the user either ran a complete system scan, or hit upon 'fake virus scanner' malware. All it takes is one click on the wrong link to hose up a system.
>
> Can't see key loggers as being that interesting to LE. Key loggers do not store context, they just store keystrokes. Let's say the keylogger captures the word "murder". Why were they typing "murder"? Figure of speech? Movie review? Writing a book? Searching for a news story? Hard for data like that to be evidentiary.
>
> On the other hand, a Google search for "how to murder a small child" is likely more useful.

Well, there are some nasties out there that also take screen shots...really nasty crap!

(also, after the Rental Place being found out to be able to do that and take pictures with the built-in webcams....nothing really surprises me anymore in terms of deviousness)
 

Sensei Payne

> The LEOs would not work on the computer anyway. They would take forensic copies of the hard drive and let the analysis tools work on the copies. They would never take the chance of anything happening with the original drive if it ever was needed as evidence.
>
> The RAM?? seriously??? you are paranoid.

Just to be sure...you never know.
 

jks9199

> Not a LEO, I have never heard of a keylogger used for CALEA purposes. It sounds more to me as if the system wasn't clean when the police investigated, and when it was returned the user either ran a complete system scan, or hit upon 'fake virus scanner' malware. All it takes is one click on the wrong link to hose up a system.
>
> Can't see key loggers as being that interesting to LE. Key loggers do not store context, they just store keystrokes. Let's say the keylogger captures the word "murder". Why were they typing "murder"? Figure of speech? Movie review? Writing a book? Searching for a news story? Hard for data like that to be evidentiary.
>
> On the other hand, a Google search for "how to murder a small child" is likely more useful.

This would be my guess, as well. It's kind of like blaming the doctor for finding cancer at a check-up. The doc didn't make you sick; he simply discovered it.

If there's a concern, your friend can contact the police department, and should be able to get an explanation of what was done.
 

Ping898

> The RAM?? seriously??? you are paranoid.

No, he's not. If there is any concern, that is an important change to make. Working with computers on a daily basis myself and having played the role of a black hat and white hat on multiple occasions as part of my job for several years, I firmly agree with Canuck's prescription, I likely would do the same.

That said, another, just as likely possibility, the LEOs connected that system to a network and the LEOs' network itself is infected and this computer got infected by extension.
 
granfire

> No, he's not. If there is any concern, that is an important change to make. Working with computers on a daily basis myself and having played the role of a black hat and white hat on multiple occasions as part of my job for several years, I firmly agree with Canuck's prescription, I likely would do the same.
>
> That said, another, just as likely possibility, the LEOs connected that system to a network and the LEOs' network itself is infected and this computer got infected by extension.


So you would change the RAM or not?
(I did get a wee bit confused, then again it does not take much...)
 

CanuckMA

Seeing as RAM is volatile memory that requires current for it to maintain information, I would not. In 30 years in IT, I've never seen data in RAM survive a power down.
 

Empty Hands

I hear it's not unusual to get computers back months or years later, disassembled into many small pieces. Be glad it's still functional.
 

Ping898

> So you would change the RAM or not?
> (I did get a wee bit confused, then again it does not take much...)

I was confusing my posters....I would replace the RAM. Though it is unlikely and rare, there are attacks that can be perpetrated against powered down computer RAM. It is so cheap these days...if you are concerned about what happened to your computer, why take the chance? Besides, this may very well have been a laptop or something that was really just put to sleep, not totally powered down.
 
