FBI Agent: Connection Logs Show Suspect's MAC Address, So Look For Apple Hardware
from the this-is-where-he-keeps-his-creative-work...-note-the-'IP'-address dept
The Smoking Gun recently covered the arrest of a 19-year-old college student for allegedly sending threats to a 14-year-old ask.fm user. The arrestee apparently sent a string of horrific messages filled with sexually violent imagery back in October, prompting her parents to contact authorities. A routine investigation soon commenced, culminating in the arrest of the student, Rishi Ragsdale.
Investigators tracked the threatening posts back to Ragsdale through an IP address provided by Ask.fm. An analysis of subpoenaed University of Wisconsin records indicated that the IP address was assigned to Ragsdale’s student account, and that the “rragsdale” account accessed the girl’s Ask.fm profile page on the evening the threats were sent...
Reading through the affidavit isn't much fun, especially once you get to the messages Ragsdale allegedly sent. But eagle-eyed Techdirt reader Justin Johnson spotted something on page 5 of the sworn document that would move even the most ardent FBI defender's palm towards their face… or their head towards their desk.
The affidavit sworn by FBI Agent Malia Pereira alleges that Ragsdale sent the teen a series of violent and sexually graphic messages. The victim’s parents, Pereira added, were particularly concerned since the girl’s Ask.fm account was linked to her Facebook and Twitter profiles, leaving her identifiable.
Prior to executing the search warrant, FBI SA Nicol told me that, during execution of the warrant, I should look for a Mac computer, because the network connection logs provided by Jeffrey Savoy showed a Mac address, indicating some type of Mac/Apple computer or hardware was used.
This immediately follows a paragraph detailing the seizure of Ragsdale's Mac laptop (and cellphone). Case closed!
No one expects every agent in the FBI to be thoroughly versed in network terminology, but a MAC address is one of the basics any agent seeking to extract personal info using nothing but IP addresses and subpoenas should know. If these basics aren't nailed down, agents lacking this crucial knowledge will be stymied by their own ignorance. They won't know what they're looking for or how to get it. Their subpoena and warrant requests risk being laughed out of the judge's chambers. The worst-case scenario is that someone dangerous eludes arrest because the pursuing agents are tangled in terminology they don't understand. Actually, the real worst-case scenario is someone innocent being tossed into the gears of the judicial system because an agent had no idea what he or she was looking at -- or looking for.
Kudos, I guess, to Agent Pereira for getting her man, despite the "help" offered by SA Nicol, whose name is all over this affidavit. But one wonders what would have happened if Ragsdale's computer happened to be a PC. My guess? Additional charges under the CFAA for "spoofing a 'Mac' address."
Filed Under: law enforcement, mac address
Reader Comments
Actually, a MAC can indicate a Mac...
http://anonsvn.wireshark.org/wireshark/trunk/manuf
is Wireshark's list.
Re: Re: Re: Actually, a MAC can indicate a Mac...
Here ya go!
Re: Re: Re: Actually, a MAC can indicate a Mac...
I use macchanger in one of the init scripts (don't actually remember which one - I'm on a work computer right now).
Something like this:
sudo /etc/init.d/network-manager stop
sudo ifconfig wlan0 down
sudo macchanger -a wlan0
sudo ifconfig wlan0 up
sudo /etc/init.d/network-manager start
Re: Re: Re: Actually, a MAC can indicate a Mac...
Then type chmod +x mac.sh
Then type ./mac.sh [it will ask for your password because of /bin/bash -x].
#!/bin/bash -x
MAC=00:`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 200 | md5sum | sed -r 's/^(.{10}).*$/\1/; s/([0-9a-f]{2})/\1:/g; s/:$//;'`;
sudo ifconfig wlan0 down
sudo ifconfig wlan0 hw ether $MAC
sudo ifconfig wlan0 up
sudo service network-manager restart
Re: Re: Actually, a MAC can indicate a Mac...
So the FBI's comments actually make sense.
Re: Re: Actually, a MAC can indicate a Mac...
http://macaddress.webwat.ch/search/Apple
Re:
MAC addresses can be changed. Mine indicates that I'm using a Cray Supercomputer.
Re:
"Octet" in the case of an IP address directly refers to the use of 8 binary bits, or a base-2 numeric system. MAC addresses use hexadecimal, or a base-16 numeric system.
Referring to the hex digits used in a MAC address as "octets" is improper and, until now, probably unheard of.
Re: Re:
Sigh.
An octet is 8 bits. MAC-48 addresses are 48 binary bits long, which is 6 octets. They are commonly printed for human reading using hexadecimal digits, where each 2 digits represent 8 bits or one octet.
However, I'm not convinced this is what happened, although a simple spell check could screw up the affidavit and turn MAC into Mac.
It'd be standard to look up computer brand, minion.
At least you should NOW nail that down and update.
Re: It'd be standard to look up computer brand, minion.
"I should look for a Mac computer, because the network connection logs provided by Jeffrey Savoy showed a Mac address, indicating some type of Mac/Apple computer or hardware was used."
The agent didn't say that specific digits of the MAC address indicated an Apple computer was used. The agent said that a "Mac (not all upper case) address, indicating some type of Mac/Apple computer or hardware". This shows that the agent didn't have any understanding of what a MAC address is, or what it means. The agent didn't even nail down what kind of hardware: if s/he did, s/he would have put down the computer's NIC as being the source of the MAC address, and not the computer as a whole.
Not Buying It...
A. The declarant stated with quite some particularity (though it's probably FBI copy pasta) the nature and significance of an IP address. The use of "a Mac address" vs "the MAC address X" is not meaningless in a legal declaration.
B. No statements were made that the MAC address of the device seized matched the MAC address in the logs. There is nothing in the affidavit that furthers a claim that they took Y device because it had X MAC address which showed the NIC was manufactured by Apple and thus probably belonged to an Apple computer.
C. The declarant has a pretty decent command of English grammar and punctuation, but the comma placement in the paragraph isn't correct.
Re: Not Buying It...
In any case, I can absolutely guarantee that a university IT security officer would look up the vendor portion of the MAC as part of their analysis. I used to run a university help desk and we collected and supplied these documents to police a couple of times a year.
Every internet-connected device has a Mac address...
But... the device (laptop) talks to the router. The router keeps the laptop's MAC in its ARP table and forwards the router's MAC on to the next router, until it reaches its destination.
The ARP table is cleared every 5 minutes or so. The MAC address would have been the final router's.
This is bad information.
Re:
Most college dormitories provide hardwired ethernet connections to students -- usually 2 ports per pillow, ports in common spaces, as well as pervasive WiFi.
Students are forbidden from setting up their own wireless or wired routers, both to prevent them from providing university Internet services to third parties, and to prevent them from screwing up the network for everybody else in the entire dorm by misconfiguring the router. The university where I used to work had pretty sophisticated detection capability and we did take student routers and PC network bridges offline.
That's not to say that a sufficiently sophisticated student couldn't cheat -- I'm sure somebody was running a Linksys with hacked firmware or something to make it look like a regular computer. But only very sophisticated students would do that.
Also, as pointed out by posters above, a MAC address identifies the manufacturer of the network interface card (NIC) built into the computer, and not the manufacturer of the computer itself.
Either way, I found the random MAC address generation script for GNU/Linux, very interesting. Thanks for sharing it with us, Gwiz!
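An added example, not code from the article or from any commenter, that does what the Wireshark manuf thread, the octet explanation and the NIC-manufacturer comment above describe: parse a MAC-48 address into its six octets, take the first three as the OUI, look that up in a small constructed manuf-style table, and check the locally-administered and multicast bits of the first octet before treating the vendor as evidence. The table entries and the function names are assumptions for illustration.

```python
import re

# Constructed excerpt in the spirit of Wireshark's manuf file; a real lookup would
# load the full file linked in the thread (assumption: only these three sample entries).
OUI_TABLE = {
    "00:03:93": "Apple",
    "00:00:0C": "Cisco",
    "00:00:5E": "IANA",
}

def parse_mac(text):
    """Return the six octets of a MAC-48 address as ints, accepting
    aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff (hex pairs are
    just a human-readable rendering of 48 bits)."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC-48 address: {text!r}")
    return [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]

def classify_mac(text):
    """OUI (first three octets) plus the two flag bits of octet 0 that decide
    whether that OUI is a real vendor assignment."""
    octets = parse_mac(text)
    oui = ":".join(f"{b:02X}" for b in octets[:3])
    return {
        "oui": oui,
        "vendor": OUI_TABLE.get(oui),
        # bit 1 of octet 0: locally administered (set by MAC-changing tools)
        "locally_administered": bool(octets[0] & 0x02),
        # bit 0 of octet 0: group/multicast address, never a single host NIC
        "multicast": bool(octets[0] & 0x01),
    }

def vendor_hint(text):
    """One-line verdict on what the address can tell an investigator."""
    info = classify_mac(text)
    if info["multicast"]:
        return "multicast/group address: not a host interface"
    if info["locally_administered"]:
        return f"locally administered (U/L bit set): OUI {info['oui']} is not a vendor assignment"
    if info["vendor"] is None:
        return f"vendor-assigned OUI {info['oui']} not in table"
    return f"OUI {info['oui']} registered to {info['vendor']}: identifies the NIC vendor, not the computer brand"

if __name__ == "__main__":
    # Constructed sample addresses, not values from the affidavit.
    for mac in ("00:03:93:12:34:56", "0003.9312.3456", "02-00-00-AA-BB-CC", "01:00:5E:00:00:01"):
        print(mac, "->", vendor_hint(mac))
```

The lookup names the NIC manufacturer, not the computer brand, and the random-MAC script posted above always emits a leading 00: octet, so the U/L bit alone will not flag every changed address.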
It must be nice to know people in high places!
The fact that the FBI actually traced this anonymous harasser down must mean the recipient was related to an FBI agent, or a friend like Jill Kelley was. Other women have just been told by the FBI to DEAL WITH IT! Or was the reason the FBI DID NOT look into OTHER RECIPIENTS' complaints because the anonymous threats were coming from DOD IP addresses, which made "the REPEATED complaints" not worth the FBI's looking into them?
Some poor women have had this kind of anonymous harassment on and off for years, with the FBI doing NOTHING. Outside forensics traced the activity back to DOD IP addresses. Rather interesting!
Oh well.
stymied by their own ignorance
Just enough knowledge to be dangerous. MAC addresses can often be changed. Relying on them to identify equipment type is not a good idea.
"FBI SA Nicol requested the assistance of the FBI Legal Attache in Riga, Latvia..." (and assistant replied).
WTF. What are these people doing there all week long? Besides collecting pay.