FBI Agent: Connection Logs Show Suspect's MAC Address, So Look For Apple Hardware

from the this-is-where-he-keeps-his-creative-work...-note-the-'IP'-address dept

The Smoking Gun recently covered the arrest of a 19-year-old college student for allegedly sending threats to a 14-year-old ask.fm user. The arrestee apparently sent a string of horrific messages filled with sexually violent imagery back in October, prompting her parents to contact authorities.

A routine investigation soon commenced, culminating in the student's (Rishi Ragsdale) arrest.
Investigators tracked the threatening posts back to Ragsdale through an IP address provided by Ask.fm. An analysis of subpoenaed University of Wisconsin records indicated that the IP address was assigned to Ragsdale’s student account, and that the “rragsdale” account accessed the girl’s Ask.fm profile page on the evening the threats were sent...

The affidavit sworn by FBI Agent Malia Pereira alleges that Ragsdale sent the teen a series of violent and sexually graphic messages. The victim’s parents, Pereira added, were particularly concerned since the girl’s Ask.fm account was linked to her Facebook and Twitter profiles, leaving her identifiable.
Reading through the affidavit isn't much fun, especially once you get to the messages Ragsdale allegedly sent. But eagle-eyed Techdirt reader Justin Johnson spotted something on page 5 of the sworn document that would move even the most ardent FBI defender's palm towards their face… or their head towards their desk.
Prior to executing the search warrant, FBI SA Nicol told me that, during execution of the warrant, I should look for a Mac computer, because the network connection logs provided by Jeffrey Savoy showed a Mac address, indicating some type of Mac/Apple computer or hardware was used.
This immediately follows a paragraph detailing the seizure of Ragsdale's Mac laptop (and cellphone). Case closed!

No one expects every agent in the FBI to be thoroughly versed in network terminology, but a MAC address is one of the basics any agent seeking to extract personal info using nothing but IP addresses and subpoenas should know. If these basics aren't nailed down, agents lacking this crucial knowledge will be stymied by their own ignorance. They won't know what they're looking for or how to get it. Their subpoena and warrant requests risk being laughed out of the judge's chambers. The worst-case scenario is that someone dangerous eludes arrest because the pursuing agent(s) is tangled in terminology he or she doesn't understand. Actually, the real worst-case scenario is someone innocent being tossed into the gears of the judicial system because an agent had no idea what he or she was looking at -- or looking for.

Kudos, I guess, to Agent Pereira for getting her man, despite the "help" offered by SA Nicol, whose name is all over this affidavit. But one wonders what would have happened if Ragsdale's computer happened to be a PC. My guess? Additional charges under the CFAA for "spoofing a 'Mac' address."


Reader Comments

  1. Nicholas Weaver (profile), Dec 20th, 2013 @ 1:01pm

    Actually, a MAC can indicate a Mac...

    The upper 24 bits of the MAC address indicate the manufacturer, and can be even finer:

    http://anonsvn.wireshark.org/wireshark/trunk/manuf

    is Wireshark's list.

  2. Anonymous Coward, Dec 20th, 2013 @ 1:02pm

    Well the first three octets of the MAC do identify the NIC hardware make and model.

  3. blaktron (profile), Dec 20th, 2013 @ 1:02pm

    So, a MAC address can indeed tell you that you're looking for an Apple computer, as the first octet is the Vendor information. I can personally identify lots of component manufacturers based on the MAC address of the device.

    However, I'm not convinced this is what happened, although a simple spell check could screw up the affidavit and turn MAC into Mac.

  4. allengarvin (profile), Dec 20th, 2013 @ 1:07pm

    It's a good thing, I guess, that malware writers don't use maclisp as their coding platform.

  5. Nicholas Weaver (profile), Dec 20th, 2013 @ 1:09pm

    Also...

    Any sysadmin worth his salt with an unknown MAC address is going to throw it at Wireshark or a similar database, so "Look for a Mac with this MAC" is quite expected.

  6. This comment has been flagged by the community.
    out_of_the_blue, Dec 20th, 2013 @ 1:13pm

    It'd be standard to look up computer brand, minion.

    So I think as 1st comment has it: the only shortcoming is yours, and so you also get the horse laugh.

    At least you should NOW nail that down and update.

  7. Rikuo (profile), Dec 20th, 2013 @ 1:33pm

    Re: It'd be standard to look up computer brand, minion.

    Re-read the quote
    "I should look for a Mac computer, because the network connection logs provided by Jeffrey Savoy showed a Mac address, indicating some type of Mac/Apple computer or hardware was used."

    The agent didn't say that specific digits of the MAC address indicated an Apple computer was used. The agent said that a "Mac (not all upper case) address, indicating some type of Mac/Apple computer or hardware". This shows that the agent didn't have any understanding of what a MAC address is, or what it means. The agent didn't even nail down what kind of hardware: if s/he did, s/he would have put down the computer's NIC as being the source of the MAC address, and not the computer as a whole.

  8. Anonymous Coward, Dec 20th, 2013 @ 1:35pm

    Re:

    Good point. I was thinking along similar lines as you. I don't think that's what happened here, but based on the wording of the quotations it is possible that they used the MAC address to determine that a Mac was used, though I do think that what probably happened is that they were simply confusing a MAC address to indicate a Mac computer. These are government employees, after all, and so the truth is I don't really expect that much out of them in terms of intelligence.

  9. Justin Johnson (JJJJust) (profile), Dec 20th, 2013 @ 1:36pm

    Not Buying It...

    I've taken all your comments on board, and I'm not buying them because:

    A. The declarant stated with quite particularity (though it's probably FBI copy pasta) the nature and significance of an IP address. The use of "a Mac address" vs "the MAC address X" is not meaningless in a legal declaration.

    B. No statements were made that the MAC address of the device seized matched the MAC address in the logs. There is nothing in the affidavit that furthers a claim that they took Y device because it had X MAC address which showed the NIC was manufactured by Apple and thus probably belonged to an Apple computer.

    C. The declarant has a pretty decent command of English grammar and punctuation, but the comma placement in the paragraph isn't correct.

  10. This comment has been flagged by the community.
    Anonymous Coward, Dec 20th, 2013 @ 1:37pm

    I know TechDirt isn't a prestigious publication, but this lack of fact-checking and editing is getting out of hand.

  11. Gwiz (profile), Dec 20th, 2013 @ 1:42pm

    Re: Actually, a MAC can indicate a Mac...

    My laptop is set up to spoof a random MAC address every time I boot, just on general privacy principles.

  12. Anonymous Coward, Dec 20th, 2013 @ 1:49pm

    Re: Re: Actually, a MAC can indicate a Mac...

    Would you mind sharing what you use to accomplish that? Linux user here.

  13. blaktron (profile), Dec 20th, 2013 @ 1:55pm

    Re: Re: Re: Actually, a MAC can indicate a Mac...

  14. Crashoverride (profile), Dec 20th, 2013 @ 1:58pm

    This begs the question how many terrorists were overlooked or let go because....They didn't have a Mac???

  15. Rikuo (profile), Dec 20th, 2013 @ 2:12pm

    Re:

    Such as...? If you're going to call someone out on making mistakes or errors, it'd be kinda handy to...ya know...tell them where exactly they went wrong?

  16. Gwiz (profile), Dec 20th, 2013 @ 2:12pm

    Re: Re: Re: Actually, a MAC can indicate a Mac...

    Would you mind sharing what you use to accomplish that? Linux user here.

    I use macchanger in one of the init scripts (don't actually remember which one - I'm on a work computer right now).

    Something like this:

    sudo /etc/init.d/network-manager stop
    sudo ifconfig wlan0 down
    sudo macchanger -a wlan0
    sudo ifconfig wlan0 up
    sudo /etc/init.d/network-manager start

  17. Anonymous Coward, Dec 20th, 2013 @ 2:12pm

    IIRC

    every internet connected device has a Mac address...

    but...the device (laptop) talks to the router. the router keeps the laptop MAC in its ARP table, and forwards the router MAC forward to the next router, until it reaches its destination.

    the ARP table is cleared every 5 minutes or so. the MAC address would have been the final router.

    This is bad information.

  18. Anonymous Coward, Dec 20th, 2013 @ 2:32pm

    Re: Re: It'd be standard to look up computer brand, minion.

    That's another good point. The MAC address would only tell you about the NIC controller (and sometimes it might be possible to spoof/change the MAC address depending on the hardware/software, as others have pointed out) and not necessarily the type of computer being used. It still might be possible to determine the type of computer used (or get an idea) if the NIC controller is an on-board controller with a MAC address that may help tie the type of NIC controller to the type of computer being used (or if the NIC controller is compatible only with certain types of computers/motherboards or if one manufacturer, like DELL, is known to use a certain type of NIC controller or has their own, it may help give an idea of what kind of computer might be in use).

  19. Anonymous Coward, Dec 20th, 2013 @ 2:32pm

    Re:

    DHCP daemon logs. See generally RFC 2131. Implementations vary.
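Comment 19 names where a MAC address actually enters a case like this: the campus DHCP server's logs, which record which client held which IP address and when. As an added example (not from the article or any commenter), the following Python walks constructed ISC dhcpd-style syslog lines and answers the investigator's question, which MAC held a given IP at a given time; the log lines, addresses and the `year` argument (syslog timestamps carry none) are assumptions for the example.

```python
"""Tie an IP address at a point in time back to a MAC via DHCP server logs."""
from __future__ import annotations

import re
from datetime import datetime

# Constructed sample in the shape of ISC dhcpd syslog output; addresses,
# hostnames and times are made up for this example.
DHCP_LOG = """\
Oct 15 20:58:11 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to 00:03:93:ab:cd:ef (rr-laptop) via eth1
Oct 15 21:40:02 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 08:00:27:11:22:33 (vbox-guest) via eth1
Oct 15 22:15:45 dhcp1 dhcpd: DHCPRELEASE of 10.20.30.40 from 00:03:93:ab:cd:ef (rr-laptop) via eth1
Oct 15 22:16:08 dhcp1 dhcpd: DHCPREQUEST for 10.20.30.40 from 00:50:56:aa:bb:cc via eth1
Oct 15 22:16:09 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to 00:50:56:aa:bb:cc (other-host) via eth1
"""

# ACK = lease granted, RELEASE = client gave it up; other message types
# (DISCOVER, OFFER, REQUEST, NAK) do not change who holds the address.
LEASE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"(?P<kind>DHCPACK on|DHCPRELEASE of) (?P<ip>[\d.]+) (?:to|from) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)


def syslog_time(text: str, year: int) -> datetime:
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def lease_events(log: str, year: int) -> list[tuple[datetime, str, str, str]]:
    """(time, 'ack' | 'release', ip, mac) for each lease line, in log order."""
    events = []
    for line in log.splitlines():
        m = LEASE_RE.match(line)
        if m:
            kind = "ack" if m["kind"].startswith("DHCPACK") else "release"
            events.append((syslog_time(m["ts"], year), kind, m["ip"], m["mac"]))
    return events


def mac_for_ip_at(log: str, ip: str, when: str, year: int) -> str | None:
    """MAC that held `ip` at syslog time `when`, or None if no live lease did.

    The last ACK for the IP at or before `when` wins unless a later RELEASE
    from the same MAC ended it. Lease expiry is not modelled; comparing
    against the server's configured lease time is one of the places where
    "implementations vary".
    """
    cutoff = syslog_time(when, year)
    holder = None
    for ts, kind, ev_ip, mac in lease_events(log, year):
        if ev_ip != ip or ts > cutoff:
            continue
        if kind == "ack":
            holder = mac
        elif holder == mac:  # release from the current holder ends the lease
            holder = None
    return holder
```

The MAC this returns is the client's own (the DHCP server talks to the host directly on the campus network), which is why a university log can carry it even though a remote website such as ask.fm never sees it.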

  20. Anonymous Coward, Dec 20th, 2013 @ 3:42pm

    I wonder what Intellectual Property Address was used at that time

  21. Anonymous Coward, Dec 20th, 2013 @ 4:46pm

    The posters above are correct. If the defendant accessed ask.fm through a home/business/university router, and that router used IPv4 network address translation (NAT), then the MAC address in ask.fm server logs will be the router's MAC address, not the MAC address of the computer the defendant used to access ask.fm's website.

    Also, as pointed out by posters above, a MAC address identifies the manufacturer of the network interface card (NIC) built into the computer, and not the manufacturer of the computer itself.

    Either way, I found the random MAC address generation script for GNU/Linux, very interesting. Thanks for sharing it with us, Gwiz!

  22. kenichi tanaka (profile), Dec 20th, 2013 @ 6:11pm

    There are some first class morons at the FBI. A MAC address is what's used by your ISP to give you access to the internet; it has absolutely nothing to do with an Apple computer.

  23. Anonymous Coward, Dec 20th, 2013 @ 6:41pm

    Re: Re: Re: Actually, a MAC can indicate a Mac...

    Open a terminal, copy the code from #!/bin/bash -x and paste into a file called mac.sh in /home/~

    Then type chmod +x mac.sh

    Then type ./mac.sh [it will ask for your password because of /bin/bash -x].

    #!/bin/bash -x

    MAC=00:`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 200 | md5sum | sed -r 's/^(.{10}).*$/\1/; s/([0-9a-f]{2})/\1:/g; s/:$//;'`;

    sudo ifconfig wlan0 down

    sudo ifconfig wlan0 hw ether $MAC

    sudo ifconfig wlan0 up

    sudo service network-manager restart

  24. WoW!, Dec 20th, 2013 @ 7:23pm

    It must be nice to know people in high places!

    Incredible...what makes THIS GIRL any different from all the others who have received anonymous email of: "decapitation", "broomrape in your future", "shoot you dead in the head" threats?

    The fact the FBI actually traced this anonymous harasser down, must mean the recipient was related to an FBI agent, or a friend like Jill Kelley was. Other women have just been told by the FBI to DEAL WITH IT! Or was the reason the FBI DID NOT look into OTHER RECIPIENTS' complaints was because the anonymous threats were coming from DOD IP addresses, that made "the REPEATED complaints" not worth the FBI's looking into them?

    Some poor women have had this kind of anonymous harassment on and off for years, with the FBI doing NOTHING. Outside forensics traced the activity back to DOD IP addresses. Rather interesting!

    Oh well.

  25. McCrea (profile), Dec 20th, 2013 @ 11:39pm

    Re: Re: Re: Actually, a MAC can indicate a Mac...

    Google

  26. Anonymous Coward, Dec 20th, 2013 @ 11:53pm

    Re: Actually, a MAC can indicate a Mac...

    WRONG. The MAC address will only show the manufacturer of the NIC (network card) NOT the PC manufacturer.

  27. Anonymous Coward, Dec 21st, 2013 @ 12:21am

    Re: Re: Actually, a MAC can indicate a Mac...

    Apple "make" their own hardware and have a couple of registered MAC pools.

    So the FBI's comments actually make sense.

  28. Anonymous Coward, Dec 21st, 2013 @ 12:24am

    Re: Re: Actually, a MAC can indicate a Mac...

    Look here (a couple was a slight underestimate):

    http://macaddress.webwat.ch/search/Apple

  29. Anonymous Coward, Dec 21st, 2013 @ 4:18am

    Lost me, I thought we were talking about Mc Donalds.

  30. Anonymous Coward, Dec 21st, 2013 @ 11:43am

    Re:

    "Well the first three octets of the MAC do identify the NIC hardware make and model."

    MAC addresses can be changed. Mine indicates that I'm using a Cray Supercomputer.

  31. Anonymous Coward, Dec 21st, 2013 @ 11:48am

    stymied by their own ignorance

    "If these basics aren't nailed down, agents lacking this crucial knowledge will be stymied by their own ignorance."

    Just enough knowledge to be dangerous. MAC addresses can often be changed. Relying on them to identify equipment type is not a good idea.

  32. RickRussellTX (profile), Dec 21st, 2013 @ 1:41pm

    Re:

    Thoroughly incorrect.

    Most college dormitories provide hardwired ethernet connections to students -- usually 2 ports per pillow, ports in common spaces, as well as pervasive WiFi.

    Students are forbidden from setting up their own wireless or wired routers, both to prevent them from providing university Internet services to third parties, and to prevent them from screwing up the network for everybody else in the entire dorm by misconfiguring the router. The university where I used to work had pretty sophisticated detection capability and we did take student routers and PC network bridges offline.

    That's not to say that a sufficiently sophisticated student couldn't cheat -- I'm sure somebody was running a Linksys with hacked firmware or something to make it look like a regular computer. But only very sophisticated students would do that.

  33. RickRussellTX (profile), Dec 21st, 2013 @ 1:42pm

    Re:

    No. Just... No. Please learn about networking before you comment on it.

  34. RickRussellTX (profile), Dec 21st, 2013 @ 1:46pm

    Re: Not Buying It...

    The affidavit doesn't need to repeat the contents of every single finding entered into evidence. Checking the MAC of the laptop itself against the MAC supplied by the university IT security officer would be a downstream forensic step performed after the arrest and seizure.

    In any case, I can absolutely guarantee that a university IT security officer would look up the vendor portion of the MAC as part of their analysis. I used to run a university help desk and we collected and supplied these documents to police a couple of times a year.

  35. JMT (profile), Dec 21st, 2013 @ 5:42pm

    Re: It'd be standard to look up computer brand, minion.

    I get much schadenfreude from arrogant, insulting 'corrections' that are actually completely wrong and make the poster look incredibly stupid.

  36. Jon Snow, Dec 21st, 2013 @ 10:47pm

    Re:

    You keep using that word, I do not think it means what you think it means...
    "Octet" in the case of an IP address directly refers to the use of 8 binary bits, or a base-2 numeric system. MAC addresses use hexadecimal, or a base-16 numeric system.
    Referring to the hex digits used in a MAC address as "octets" is improper and, until now, probably unheard of.

  37. Anonymous Coward, Dec 22nd, 2013 @ 12:00am

    Re: Re:

    "You keep using that word, I do not think it means what you think it means..."

    Sigh.

    An octet is 8 bits. MAC-48 addresses are 48 binary bits long, which is 6 octets. They are commonly printed for human reading using hexadecimal digits, where each 2 digits represents 8 bits or one octet.
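Comments 1, 2 and 37 between them describe the mechanics: six octets, the upper three forming the vendor prefix (OUI), looked up in a list such as Wireshark's manuf file. The following Python, an added example that is not from the article or any commenter, does that decoding and also reads the two flag bits of the first octet that decide whether an OUI lookup means anything at all; the manuf excerpt is a constructed sample in that file's layout, not the real list.

```python
"""Decode a MAC-48 address and resolve its OUI against a manuf-style table."""
from __future__ import annotations

import re

# Constructed excerpt in the layout of Wireshark's manuf file (prefix, short
# name, long name, tab-separated). Assumed for this example; real lookups
# should read the real file, which also carries /28 and /36 range entries.
MANUF_SAMPLE = """\
# lines starting with '#' are comments
00:00:0C\tCisco\tCisco Systems, Inc
00:03:93\tApple\tApple, Inc.
08:00:27\tPCSSyste\tPCS Systemtechnik GmbH
00:50:56\tVMware\tVMware, Inc.
"""

def parse_mac(mac: str) -> list[int]:
    """Return the six octets of a MAC-48 address as integers.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex.
    """
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC-48 address: {mac!r}")
    return [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]

def oui(mac: str) -> str:
    """Upper 24 bits (first three octets), formatted like a manuf key."""
    return ":".join(f"{octet:02X}" for octet in parse_mac(mac)[:3])

def parse_manuf(text: str) -> dict[str, str]:
    """Map 'AA:BB:CC' prefixes to long vendor names; range entries are skipped."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        fields = line.split("\t")
        if "/" in fields[0]:
            continue
        table[fields[0].upper()] = fields[-1].strip()
    return table

def describe(mac: str, table: dict[str, str]) -> dict:
    """OUI lookup plus the two flag bits of the first octet.

    Bit 0 (I/G) set marks a multicast address, which no single host owns.
    Bit 1 (U/L) set means software assigned the address (macchanger -r, a
    VM, a random-MAC script), so the OUI says nothing about the hardware.
    A clear U/L bit proves little either: both scripts in this thread leave
    it clear (macchanger -a picks a real vendor prefix; the other fixes the
    first octet at 00).
    """
    first = parse_mac(mac)[0]
    prefix = oui(mac)
    return {
        "oui": prefix,
        "vendor": table.get(prefix),
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }
```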

  38. Anonymous Coward, Dec 22nd, 2013 @ 6:33pm

    Re: Re: It'd be standard to look up computer brand, minion.

    Or maybe the speaker said "MAC address indicating an Apple/Mac..." and the person who wrote the report didn't understand.

  39. Anonymous Coward, Jan 6th, 2014 @ 8:33am

    Wait, it gets better:

    "FBI SA Nicol requested the assistance of the FBI Legal Attache in Riga, Latvia..." (and assistant replied).

    WTF. What are these people doing there all week long? Beside collecting pay.

