FBI Agent: Connection Logs Show Suspect's MAC Address, So Look For Apple Hardware
from the this-is-where-he-keeps-his-creative-work...-note-the-'IP'-address dept
The Smoking Gun recently covered the arrest of a 19-year-old college student for allegedly sending threats to a 14-year-old ask.fm user. The arrestee apparently sent a string of horrific messages filled with sexually violent imagery back in October, prompting her parents to contact authorities.
A routine investigation soon commenced, culminating in the student’s (Rishi Ragsdale) arrest.
Investigators tracked the threatening posts back to Ragsdale through an IP address provided by Ask.fm. An analysis of subpoenaed University of Wisconsin records indicated that the IP address was assigned to Ragsdale’s student account, and that the “rragsdale” account accessed the girl’s Ask.fm profile page on the evening the threats were sent…
The affidavit sworn by FBI Agent Malia Pereira alleges that Ragsdale sent the teen a series of violent and sexually graphic messages. The victim’s parents, Pereira added, were particularly concerned since the girl’s Ask.fm account was linked to her Facebook and Twitter profiles, leaving her identifiable.
Reading through the affidavit isn’t much fun, especially once you get to the messages Ragsdale allegedly sent. But eagle-eyed Techdirt reader Justin Johnson spotted something on page 5 of the sworn document that would move even the most ardent FBI defender’s palm towards their face… or their head towards their desk.
Prior to executing the search warrant, FBI SA Nicol told me that, during execution of the warrant, I should look for a Mac computer, because the network connection logs provided by Jeffrey Savoy showed a Mac address, indicating some type of Mac/Apple computer or hardware was used.
This immediately follows a paragraph detailing the seizure of Ragsdale’s Mac laptop (and cellphone). Case closed!
No one expects every agent in the FBI to be thoroughly versed in network terminology but a MAC address is one of the basics any agent seeking to extract personal info using nothing but IP addresses and subpoenas should know. If these basics aren’t nailed down, agents lacking this crucial knowledge will be stymied by their own ignorance. They won’t know what they’re looking for or how to get it. Their subpoena and warrant requests risk being laughed out of the judge’s chambers. The worst case scenario is that someone dangerous eludes arrest because the pursuing agent(s) is tangled in terminology he or she doesn’t understand. Actually, the real worst case scenario is someone innocent being tossed into the gears of the judicial system because an agent had no idea what he or she was looking at — or looking for.
Kudos, I guess, to Agent Pereira for getting her man, despite the “help” offered by SA Nicol, whose name is all over this affidavit. But one wonders what would have happened if Ragsdale’s computer happened to be a PC. My guess? Additional charges under the CFAA for “spoofing a ‘Mac’ address.”
Filed Under: law enforcement, mac address
Comments on “FBI Agent: Connection Logs Show Suspect's MAC Address, So Look For Apple Hardware”
Actually, a MAC can indicate a Mac...
The upper 24 bits of the MAC address indicate the manufacturer, and can be even finer:
http://anonsvn.wireshark.org/wireshark/trunk/manuf
is Wireshark’s list.
Re: Actually, a MAC can indicate a Mac...
My laptop is setup to spoof a random MAC address every time I boot, just on general privacy principles.
Re: Re: Actually, a MAC can indicate a Mac...
Would you mind sharing what you use to accomplish that? Linux user here.
Re: Re: Re: Actually, a MAC can indicate a Mac...
http://lmgtfy.com/?q=linux+mac+spoofing
Here ya go!
Re: Re: Re: Actually, a MAC can indicate a Mac...
Would you mind sharing what you use to accomplish that? Linux user here.
I use macchanger in one of the init scripts (don’t actually remember which one – I’m on a work computer right now).
Something like this:
sudo /etc/init.d/network-manager stop
sudo ifconfig wlan0 down
sudo macchanger -a wlan0
sudo ifconfig wlan0 up
sudo /etc/init.d/network-manager start
Re: Re: Re: Actually, a MAC can indicate a Mac...
Open a terminal, copy the code from #!/bin/bash -x and paste into a file called mac.sh in /home/~
Then type chmod +x mac.sh
Then type ./mac.sh [it will ask for your password because of /bin/bash -x].
#!/bin/bash -x
MAC=00:
cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 200 | md5sum | sed -r 's/^(.{10}).*$/1/;<br />s/([0-9a-f]{2})/1:/g; s/:$//;';sudo ifconfig wlan0 down
sudo ifconfig wlan0 hw ether $MAC
sudo ifconfig wlan0 up
sudo service network-manager restart
Re: Re: Re: Actually, a MAC can indicate a Mac...
Google
Re: Actually, a MAC can indicate a Mac...
WRONG. The MAC address will only show the manufacturer of the NIC (network card) NOT the PC manufacturer.
Re: Re: Actually, a MAC can indicate a Mac...
Apple “make” their own hardware and have a couple of registered MAC pools.
So the FBIs comments actually make sense.
Re: Re: Actually, a MAC can indicate a Mac...
Look here (a couple was a slight underestimate):
http://macaddress.webwat.ch/search/Apple
Well the first three octets of the MAC do identify the NIC hardware make and model.
Re: Re:
“Well the first three octets of the MAC do identify the NIC hardware make and model.”
MAC addresses can be changed. Mine indicates that I’m using a Cray Supercomputer.
Re: Re:
You keep using that word, I do not think it means what you think it means…
“Octet” in the case of an IP address directly refers to the use of 8 binary bits, or a base-2 numeric system. MAC addresses use hexadecimal, or a base-16 numeric system.
Referring to the hex digits used in a MAC address as “octets” is improper and, until now, probably unheard of.
Re: Re: Re:
“You keep using that word, I do not think it means what you think it means…”
Sigh.
An octet is 8 bits. MAC-48 address are 48 binary bits long which is 6 octets. They are commonly printed for human reading using hexadecimal digits where each 2 digits represents 8 bits or one octet.
So, a MAC address can indeed tell you that you’re looking for an Apple computer, as the first octet is the Vendor information. I can personally identify lots of component manufacturers’s based on the MAC address of the device.
However, I’m not convinced this is what happened, although a simple spell check could screw up the affidavit and turn MAC into Mac.
Re: Re:
Good point. I was thinking along similar lines as you, I don’t think that’s what happened here but based on the wording of the quotations it is possible that they used the MAC address to determine that a Mac was used though I do think that what probably happened is that they were simply confusing a MAC address to indicate a Mac computer. These are government employees, after all, and so the truth is I don’t really expect that much out of them in terms of intelligence.
It’s a good thing, I guess, that malware writers don’t use maclisp as their coding platform.
Also...
Any sysadmin worth his salt with an unknown MAC address is going to throw it at Wireshark or a similar database, so “Look for a Mac with this MAC” is quite expected.
It'd be standard to look up computer brand, minion.
So I think as 1st comment has it: the only shortcoming is yours, and so you also get the horse laugh.
At least you should NOW nail that down and update.
Re: It'd be standard to look up computer brand, minion.
Re-read the quote
“I should look for a Mac computer, because the network connection logs provided by Jeffrey Savoy showed a Mac address, indicating some type of Mac/Apple computer or hardware was used.”
The agent didn’t say that specific digits of the MAC address indicated an Apple computer was used. The agent said that a “Mac (not all upper case) address, indicating some type of Mac/Apple computer or hardware”. This shows that the agent didn’t have any understanding of what a MAC address is, or what it means. The agent didn’t even nail down what kind of hardware: if s/he did, s/he would have put down the computer’s NIC as being the source of the MAC address, and not the computer as a whole.
Re: Re: It'd be standard to look up computer brand, minion.
That’s another good point. The MAC address would only tell you about the NIC controller (and sometimes it might be possible to spoof/change the MAC address depending on the hardware/software, as others have pointed out) and not necessarily the type of computer being used. It still might be possible to determine the type of computer used (or get an idea) if the NIC controller is an on-board controller with a MAC address that may help tie the type of NIC controller to the type of computer being used (or if the NIC controller is compatible only with certain types of computers/motherboards or if one manufacturer, like DELL, is known to use a certain type of NIC controller or has their own, it may help give an idea of what kind of computer might be in use).
Re: Re: It'd be standard to look up computer brand, minion.
Or maybe the speaker said “MAC address indicating an Apple/Mac…” and the person who wrote the report didn’t understand.
Re: It'd be standard to look up computer brand, minion.
I get much schadenfreude from arrogant, insulting ‘corrections’ that are actually completely wrong and make the poster look incredibly stupid.
Not Buying It...
I’ve taken all your comments on board, and I’m not buying them because:
A. The declarant stated with quite particularity (though it’s probably FBI copy pasta) the nature and significance of an IP address. The use of “a Mac address” vs “the MAC address X” is not meaningless in a legal declaration.
B. No statements were made that the MAC address of the device seized matched the MAC address in the logs. There is nothing in the affidavit that furthers a claim that they took Y device because it had X MAC address which showed the NIC was manufactured by Apple and thus probably belonged to an Apple computer.
C. The declarant has a pretty decent command of English grammar and punctuation, but the comma placement in the paragraph isn’t correct.
Re: Not Buying It...
The affidavit doesn’t need to repeat the contents of every single finding entered into evidence. Checking the MAC of the laptop itself against the MAC supplied by the university IT security officer would be a downstream forensic step performed after the arrest and seizure.
In any case, I can absolutely guarantee that a university IT security officer would look up the vendor portion of the MAC as part of their analysis. I used to run a university help desk and we collected and supplied these documents to police a couple of times a year.
I know TechDirt isn’t a prestigious publication, but this lack of fact-checking and editing is getting out of hand.
Re: Re:
Such as…? If you’re going to call someone out on making mistakes or errors, it’d be kinda handy to…ya know…tell them where exactly they went wrong?
This begs the question how many terrorists were overlooked or let go because….They didn’t have a Mac???
IIRC
every internet connected device has a Mac address…
but…the device (laptop) talks to the router. the router keeps the laptop MAC in its ARP table, and forwards the router MAC forward to the next router, until it reaches its destination.
the ARP table is cleared every 5 minutes or so. the MAC address would have been the final router.
This is bad information.
Re: Re:
DHCP daemon logs. See generally RFC 2131. Implementations vary.
Re: Re:
Thoroughly incorrect.
Most college dormitories provide hardwired ethernet connections to students — usually 2 ports per pillow, ports in common spaces, as well as pervasive WiFi.
Students are forbidden from setting up their own wireless or wired routers, both to prevent them from providing university Internet services to third parties, and to prevent them from screwing up the network for everybody else in the entire dorm by misconfiguring the router. The university where I used to work had pretty sophisticated detection capability and we did take student routers and PC network bridges offline .
That’s not to say that a sufficiently sophisticated student couldn’t cheat — I’m sure somebody was running a Linksys with hacked firmware or something to make it look like a regular computer. But only very sophisticated students would do that.
I wonder what Intellectual Property Address was used at that time
The posters above are correct. If the defendant accessed ask.fm through a home/business/university router, and that router used IPV4 network address translation (NAT). Then the MAC address in ask.fm server logs will be the router’s MAC address, not the MAC address of the computer the defendant used to access ask.fm’s website.
Also, as pointed out by posters above, a MAC address identifies the manufacturer of the network interface card (NIC) built into the computer, and not the manufacturer of the computer itself.
Either way, I found the random MAC address generation script for GNU/Linux, very interesting. Thanks for sharing it with us, Gwiz!
There are some first class morons at the FBI. A MAC address is what’s used by your ISP to give you access to the internet, it has absolutely nothing to do with an Apple computer.
Re: Re:
No. Just… No. Please learn about networking before you comment on it.
It must be nice to know people in high places!
Incredible…what makes THIS GIRL any different from all the others who have received anonymous email of: “decapitation:, “broomrape in your future”, “shoot you dead in the head” threats?
The fact the FBI actually traced this anonymous harasser down, must mean the recipient was related to a FBI agent, or a friend like Jill Kelley was. Other women have just been told by the FBI to DEAL WITH IT! Or was the reason the FBI DID NOT look into OTHER RECIPIENTS complaints was because the anonymous threats were coming from DOD IP addresses, that made “the REPEATED complaints” not worth the FBI’s looking into them?
Some poor women have had this kind of anonymous harassment on and off for years, with the FBI doing NOTHING. Outside forensics traced the activity back to DOD IP addresses. Rather interesting!
Oh well.
Lost me, I thought we were talking about Mc Donalds.
stymied by their own ignorance
“If these basics aren’t nailed down, agents lacking this crucial knowledge will be stymied by their own ignorance.”
Just enough knowledge to be dangerous. MAC addresses can often be changed. Relying on them to identify equipment type is not a good idea.
Wait, it gets better:
“FBI SA Nicol requested the assistance of the FBI Legal Attache in Riga, Latvia…” (and assistant replied).
WTF. What are these people doing there all week long? Beside collecting pay.