FBI Agent: Connection Logs Show Suspect's MAC Address, So Look For Apple Hardware

from the this-is-where-he-keeps-his-creative-work...-note-the-'IP'-address dept

The Smoking Gun recently covered the arrest of a 19-year-old college student for allegedly sending threats to a 14-year-old ask.fm user. The arrestee apparently sent a string of horrific messages filled with sexually violent imagery back in October, prompting her parents to contact authorities.

A routine investigation soon commenced, culminating in the student’s (Rishi Ragsdale) arrest.

Investigators tracked the threatening posts back to Ragsdale through an IP address provided by Ask.fm. An analysis of subpoenaed University of Wisconsin records indicated that the IP address was assigned to Ragsdale’s student account, and that the “rragsdale” account accessed the girl’s Ask.fm profile page on the evening the threats were sent…

The affidavit sworn by FBI Agent Malia Pereira alleges that Ragsdale sent the teen a series of violent and sexually graphic messages. The victim’s parents, Pereira added, were particularly concerned since the girl’s Ask.fm account was linked to her Facebook and Twitter profiles, leaving her identifiable.

Reading through the affidavit isn’t much fun, especially once you get to the messages Ragsdale allegedly sent. But eagle-eyed Techdirt reader Justin Johnson spotted something on page 5 of the sworn document that would move even the most ardent FBI defender’s palm towards their face… or their head towards their desk.

Prior to executing the search warrant, FBI SA Nicol told me that, during execution of the warrant, I should look for a Mac computer, because the network connection logs provided by Jeffrey Savoy showed a Mac address, indicating some type of Mac/Apple computer or hardware was used.

This immediately follows a paragraph detailing the seizure of Ragsdale’s Mac laptop (and cellphone). Case closed!

No one expects every agent in the FBI to be thoroughly versed in network terminology but a MAC address is one of the basics any agent seeking to extract personal info using nothing but IP addresses and subpoenas should know. If these basics aren’t nailed down, agents lacking this crucial knowledge will be stymied by their own ignorance. They won’t know what they’re looking for or how to get it. Their subpoena and warrant requests risk being laughed out of the judge’s chambers. The worst case scenario is that someone dangerous eludes arrest because the pursuing agent(s) is tangled in terminology he or she doesn’t understand. Actually, the real worst case scenario is someone innocent being tossed into the gears of the judicial system because an agent had no idea what he or she was looking at — or looking for.

Kudos, I guess, to Agent Pereira for getting her man, despite the “help” offered by SA Nicol, whose name is all over this affidavit. But one wonders what would have happened if Ragsdale’s computer happened to be a PC. My guess? Additional charges under the CFAA for “spoofing a ‘Mac’ address.”


Comments on “FBI Agent: Connection Logs Show Suspect's MAC Address, So Look For Apple Hardware”

Gwiz (profile) says:

Re: Re: Re: Actually, a MAC can indicate a Mac...

Would you mind sharing what you use to accomplish that? Linux user here.

I use macchanger in one of the init scripts (don’t actually remember which one – I’m on a work computer right now).

Something like this:

sudo /etc/init.d/network-manager stop
sudo ifconfig wlan0 down
sudo macchanger -a wlan0
sudo ifconfig wlan0 up
sudo /etc/init.d/network-manager start

Anonymous Coward says:

Re: Re: Re: Actually, a MAC can indicate a Mac...

Open a terminal, copy the code from #!/bin/bash -x and paste into a file called mac.sh in /home/~

Then type chmod +x mac.sh

Then type ./mac.sh [it will ask for your password because of /bin/bash -x].

#!/bin/bash -x

# Build 00:xx:xx:xx:xx:xx from the first 10 hex digits of an MD5 over random input
MAC=00:$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 200 | md5sum | sed -r 's/^(.{10}).*$/\1/; s/([0-9a-f]{2})/\1:/g; s/:$//;')

sudo ifconfig wlan0 down

sudo ifconfig wlan0 hw ether $MAC

sudo ifconfig wlan0 up

sudo service network-manager restart

Jon Snow says:

Re: Re:

You keep using that word, I do not think it means what you think it means…
“Octet” in the case of an IP address directly refers to the use of 8 binary bits, or a base-2 numeric system. MAC addresses use hexadecimal, or a base-16 numeric system.
Referring to the hex digits used in a MAC address as “octets” is improper and, until now, probably unheard of.

blaktron (profile) says:

So, a MAC address can indeed tell you that you’re looking for an Apple computer, as the first octet is the Vendor information. I can personally identify lots of component manufacturers based on the MAC address of the device.

However, I’m not convinced this is what happened, although a simple spell check could screw up the affidavit and turn MAC into Mac.

Anonymous Coward says:

Re: Re:

Good point. I was thinking along similar lines as you, I don’t think that’s what happened here but based on the wording of the quotations it is possible that they used the MAC address to determine that a Mac was used though I do think that what probably happened is that they were simply confusing a MAC address to indicate a Mac computer. These are government employees, after all, and so the truth is I don’t really expect that much out of them in terms of intelligence.

Rikuo (profile) says:

Re: It'd be standard to look up computer brand, minion.

Re-read the quote
“I should look for a Mac computer, because the network connection logs provided by Jeffrey Savoy showed a Mac address, indicating some type of Mac/Apple computer or hardware was used.”

The agent didn’t say that specific digits of the MAC address indicated an Apple computer was used. The agent said that a “Mac (not all upper case) address, indicating some type of Mac/Apple computer or hardware”. This shows that the agent didn’t have any understanding of what a MAC address is, or what it means. The agent didn’t even nail down what kind of hardware: if s/he did, s/he would have put down the computer’s NIC as being the source of the MAC address, and not the computer as a whole.

Anonymous Coward says:

Re: Re: It'd be standard to look up computer brand, minion.

That’s another good point. The MAC address would only tell you about the NIC controller (and sometimes it might be possible to spoof/change the MAC address depending on the hardware/software, as others have pointed out) and not necessarily the type of computer being used. It still might be possible to determine the type of computer used (or get an idea) if the NIC controller is an on-board controller with a MAC address that may help tie the type of NIC controller to the type of computer being used (or if the NIC controller is compatible only with certain types of computers/motherboards or if one manufacturer, like DELL, is known to use a certain type of NIC controller or has their own, it may help give an idea of what kind of computer might be in use).

Justin Johnson (JJJJust) (profile) says:

Not Buying It...

I’ve taken all your comments on board, and I’m not buying them because:

A. The declarant stated with quite particularity (though it’s probably FBI copy pasta) the nature and significance of an IP address. The use of “a Mac address” vs “the MAC address X” is not meaningless in a legal declaration.

B. No statements were made that the MAC address of the device seized matched the MAC address in the logs. There is nothing in the affidavit that furthers a claim that they took Y device because it had X MAC address which showed the NIC was manufactured by Apple and thus probably belonged to an Apple computer.

C. The declarant has a pretty decent command of English grammar and punctuation, but the comma placement in the paragraph isn’t correct.

RickRussellTX (profile) says:

Re: Not Buying It...

The affidavit doesn’t need to repeat the contents of every single finding entered into evidence. Checking the MAC of the laptop itself against the MAC supplied by the university IT security officer would be a downstream forensic step performed after the arrest and seizure.

In any case, I can absolutely guarantee that a university IT security officer would look up the vendor portion of the MAC as part of their analysis. I used to run a university help desk and we collected and supplied these documents to police a couple of times a year.
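
What the vendor portion of a MAC address can and cannot tell an investigator, as an added example that is not part of the original thread: it pulls the first three octets (the OUI) out of DHCP-style log lines and checks the locally-administered bit, which marks an address set in software rather than assigned by a manufacturer. The log lines, the `SAMPLE_OUI` table and its vendor name are constructed; real assignments come from the IEEE registry.

```python
import re

# Constructed mapping for illustration; not a real IEEE assignment.
SAMPLE_OUI = {"001122": "ExampleCorp (constructed)"}

# Constructed log lines in a DHCP-server style.
SAMPLE_LOG = [
    "Nov  2 21:14:07 dhcpd: DHCPACK on 192.0.2.23 to 00:11:22:3a:4b:5c via eth1",
    "Nov  2 21:15:40 dhcpd: DHCPACK on 192.0.2.24 to 02:11:22:3a:4b:5c via eth1",
    "Nov  2 21:16:02 dhcpd: DHCPACK on 192.0.2.25 to 3C-00-00-AA-BB-CC via eth1",
]

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def describe_mac(mac, oui_table=SAMPLE_OUI):
    """Split a 48-bit MAC into its OUI and the two flag bits of octet 0."""
    octets = bytes.fromhex(re.sub(r"[:-]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    local = bool(octets[0] & 0x02)   # U/L bit: set means locally administered
    group = bool(octets[0] & 0x01)   # I/G bit: set means multicast/group
    oui = octets[:3].hex().upper()
    # A vendor lookup only makes sense for a universally administered
    # unicast address; otherwise the first three octets are not an OUI.
    vendor = None if (local or group) else oui_table.get(oui)
    return {
        "mac": octets.hex(":"),
        "oui": oui,
        "locally_administered": local,
        "multicast": group,
        "vendor": vendor,
    }


def scan_log(lines, oui_table=SAMPLE_OUI):
    """Return one description per MAC address found in the log lines."""
    return [
        describe_mac(m.group(1), oui_table)
        for line in lines
        for m in MAC_RE.finditer(line)
    ]


if __name__ == "__main__":
    for row in scan_log(SAMPLE_LOG):
        print(row)
```

A cleared locally-administered bit is not proof of a factory address: an interface can be given any value, including one carrying a real vendor prefix, so the vendor field is a lead to corroborate against the seized hardware rather than an identification.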

Anonymous Coward says:


every internet connected device has a Mac address…

but…the device (laptop) talks to the router. the router keeps the laptop MAC in its ARP table, and forwards the router MAC forward to the next router, until it reaches its destination.

the ARP table is cleared every 5 minutes or so. the MAC address would have been the final router.

This is bad information.

RickRussellTX (profile) says:

Re: Re:

Thoroughly incorrect.

Most college dormitories provide hardwired ethernet connections to students — usually 2 ports per pillow, ports in common spaces, as well as pervasive WiFi.

Students are forbidden from setting up their own wireless or wired routers, both to prevent them from providing university Internet services to third parties, and to prevent them from screwing up the network for everybody else in the entire dorm by misconfiguring the router. The university where I used to work had pretty sophisticated detection capability and we did take student routers and PC network bridges offline.

That’s not to say that a sufficiently sophisticated student couldn’t cheat — I’m sure somebody was running a Linksys with hacked firmware or something to make it look like a regular computer. But only very sophisticated students would do that.

Anonymous Coward says:

The posters above are correct. If the defendant accessed ask.fm through a home/business/university router, and that router used IPv4 network address translation (NAT), then the MAC address in ask.fm server logs will be the router’s MAC address, not the MAC address of the computer the defendant used to access ask.fm’s website.

Also, as pointed out by posters above, a MAC address identifies the manufacturer of the network interface card (NIC) built into the computer, and not the manufacturer of the computer itself.

Either way, I found the random MAC address generation script for GNU/Linux very interesting. Thanks for sharing it with us, Gwiz!

WoW! says:

It must be nice to know people in high places!

Incredible…what makes THIS GIRL any different from all the others who have received anonymous email of: “decapitation”, “broomrape in your future”, “shoot you dead in the head” threats?

The fact the FBI actually traced this anonymous harasser down, must mean the recipient was related to a FBI agent, or a friend like Jill Kelley was. Other women have just been told by the FBI to DEAL WITH IT! Or was the reason the FBI DID NOT look into OTHER RECIPIENTS complaints was because the anonymous threats were coming from DOD IP addresses, that made “the REPEATED complaints” not worth the FBI’s looking into them?

Some poor women have had this kind of anonymous harassment on and off for years, with the FBI doing NOTHING. Outside forensics traced the activity back to DOD IP addresses. Rather interesting!

Oh well.
