FBI Agent: Connection Logs Show Suspect's MAC Address, So Look For Apple Hardware

from the this-is-where-he-keeps-his-creative-work...-note-the-'IP'-address dept

The Smoking Gun recently covered the arrest of a 19-year-old college student for allegedly sending threats to a 14-year-old ask.fm user. The arrestee apparently sent a string of horrific messages filled with sexually violent imagery back in October, prompting her parents to contact authorities.

A routine investigation soon commenced, culminating in the student's (Rishi Ragsdale) arrest.
Investigators tracked the threatening posts back to Ragsdale through an IP address provided by Ask.fm. An analysis of subpoenaed University of Wisconsin records indicated that the IP address was assigned to Ragsdale’s student account, and that the “rragsdale” account accessed the girl’s Ask.fm profile page on the evening the threats were sent...

The affidavit sworn by FBI Agent Malia Pereira alleges that Ragsdale sent the teen a series of violent and sexually graphic messages. The victim’s parents, Pereira added, were particularly concerned since the girl’s Ask.fm account was linked to her Facebook and Twitter profiles, leaving her identifiable.
Reading through the affidavit isn't much fun, especially once you get to the messages Ragsdale allegedly sent. But eagle-eyed Techdirt reader Justin Johnson spotted something on page 5 of the sworn document that would move even the most ardent FBI defender's palm towards their face… or their head towards their desk.
Prior to executing the search warrant, FBI SA Nicol told me that, during execution of the warrant, I should look for a Mac computer, because the network connection logs provided by Jeffrey Savoy showed a Mac address, indicating some type of Mac/Apple computer or hardware was used.
This immediately follows a paragraph detailing the seizure of Ragsdale's Mac laptop (and cellphone). Case closed!

No one expects every agent in the FBI to be thoroughly versed in network terminology but a MAC address is one of the basics any agent seeking to extract personal info using nothing but IP addresses and subpoenas should know. If these basics aren't nailed down, agents lacking this crucial knowledge will be stymied by their own ignorance. They won't know what they're looking for or how to get it. Their subpoena and warrant requests risk being laughed out of the judge's chambers. The worst case scenario is that someone dangerous eludes arrest because the pursuing agent(s) is tangled in terminology he or she doesn't understand. Actually, the real worst case scenario is someone innocent being tossed into the gears of the judicial system because an agent had no idea what he or she was looking at -- or looking for.

Kudos, I guess, to Agent Pereira for getting her man, despite the "help" offered by SA Nicol, whose name is all over this affidavit. But one wonders what would have happened if Ragsdale's computer happened to be a PC. My guess? Additional charges under the CFAA for "spoofing a 'Mac' address."
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: law enforcement, mac address


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Nicholas Weaver (profile), 20 Dec 2013 @ 1:01pm

    Actually, a MAC can indicate a Mac...

    The upper 24 bits of the MAC address indicate the manufacturer, and can be even finer:

    http://anonsvn.wireshark.org/wireshark/trunk/manuf

    is Wireshark's list.

    link to this | view in chronology ]

    • icon
      Gwiz (profile), 20 Dec 2013 @ 1:42pm

      Re: Actually, a MAC can indicate a Mac...

      My laptop is setup to spoof a random MAC address every time I boot, just on general privacy principles.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 20 Dec 2013 @ 1:49pm

        Re: Re: Actually, a MAC can indicate a Mac...

        Would you mind sharing what you use to accomplish that? Linux user here.

        link to this | view in chronology ]

        • icon
          blaktron (profile), 20 Dec 2013 @ 1:55pm

          Re: Re: Re: Actually, a MAC can indicate a Mac...

          link to this | view in chronology ]

        • icon
          Gwiz (profile), 20 Dec 2013 @ 2:12pm

          Re: Re: Re: Actually, a MAC can indicate a Mac...

          Would you mind sharing what you use to accomplish that? Linux user here.

          I use macchanger in one of the init scripts (don't actually remember which one - I'm on a work computer right now).

          Something like this:

          sudo /etc/init.d/network-manager stop
          sudo ifconfig wlan0 down
          sudo macchanger -a wlan0
          sudo ifconfig wlan0 up
          sudo /etc/init.d/network-manager start

          link to this | view in chronology ]

        • identicon
          Anonymous Coward, 20 Dec 2013 @ 6:41pm

          Re: Re: Re: Actually, a MAC can indicate a Mac...

          Open a terminal, copy the code from #!/bin/bash -x and paste into a file called mac.sh in /home/~

          Then type chmod +x mac.sh

          Then type ./mac.sh [it will ask for your password because of /bin/bash -x].

          #!/bin/bash -x

          MAC=00:`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 200 | md5sum | sed -r 's/^(.{10}).*$/\1/;
          s/([0-9a-f]{2})/\1:/g; s/:$//;'`;

          sudo ifconfig wlan0 down

          sudo ifconfig wlan0 hw ether $MAC

          sudo ifconfig wlan0 up

          sudo service network-manager restart

          link to this | view in chronology ]

        • icon
          McCrea (profile), 20 Dec 2013 @ 11:39pm

          Re: Re: Re: Actually, a MAC can indicate a Mac...

          Google

          link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Dec 2013 @ 11:53pm

      Re: Actually, a MAC can indicate a Mac...

      WRONG. The MAC address will only show the manufacturer of the NIC (network card) NOT the PC manufacturer.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Dec 2013 @ 1:02pm

    Well the first three octets of the MAC do identify the NIC hardware make and model.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Dec 2013 @ 11:43am

      Re:

      "Well the first three octets of the MAC do identify the NIC hardware make and model."

      MAC addresses can be changed. Mine indicates that I'm using a Cray Supercomputer.

      link to this | view in chronology ]

    • identicon
      Jon Snow, 21 Dec 2013 @ 10:47pm

      Re:

      You keep using that word, I do not think it means what you think it means...
      "Octet" in the case of an IP address directly refers to the use of 8 binary bits, or a base-2 numeric system. MAC addresses use hexadecimal, or a base-16 numeric system.
      Referring to the hex digits used in a MAC address as "octets" is improper and, until now, probably unheard of.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 22 Dec 2013 @ 12:00am

        Re: Re:

        "You keep using that word, I do not think it means what you think it means..."

        Sigh.

        An octet is 8 bits. MAC-48 address are 48 binary bits long which is 6 octets. They are commonly printed for human reading using hexadecimal digits where each 2 digits represents 8 bits or one octet.

        link to this | view in chronology ]

  • icon
    blaktron (profile), 20 Dec 2013 @ 1:02pm

    So, a MAC address can indeed tell you that you're looking for an Apple computer, as the first octet is the Vendor information. I can personally identify lots of component manufacturers's based on the MAC address of the device.

    However, I'm not convinced this is what happened, although a simple spell check could screw up the affidavit and turn MAC into Mac.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Dec 2013 @ 1:35pm

      Re:

      Good point. I was thinking along similar lines as you, I don't think that's what happened here but based on the wording of the quotations it is possible that they used the MAC address to determine that a Mac was used though I do think that what probably happened is that they were simply confusing a MAC address to indicate a Mac computer. These are government employees, after all, and so the truth is I don't really expect that much out of them in terms of intelligence.

      link to this | view in chronology ]

  • icon
    allengarvin (profile), 20 Dec 2013 @ 1:07pm

    It's a good thing, I guess, that malware writers don't use maclisp as their coding platform.

    link to this | view in chronology ]

  • icon
    Nicholas Weaver (profile), 20 Dec 2013 @ 1:09pm

    Also...

    Any sysadmin worth his salt with an unknown MAC address is going to throw it at Wireshark or a similar database, so "Look for a Mac with this MAC" is quite expected.

    link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    out_of_the_blue, 20 Dec 2013 @ 1:13pm

    It'd be standard to look up computer brand, minion.

    So I think as 1st comment has it: the only shortcoming is yours, and so you also get the horse laugh.

    At least you should NOW nail that down and update.

    link to this | view in chronology ]

    • icon
      Rikuo (profile), 20 Dec 2013 @ 1:33pm

      Re: It'd be standard to look up computer brand, minion.

      Re-read the quote
      "I should look for a Mac computer, because the network connection logs provided by Jeffrey Savoy showed a Mac address, indicating some type of Mac/Apple computer or hardware was used."

      The agent didn't say that specific digits of the MAC address indicated an Apple computer was used. The agent said that a "Mac (not all upper case) address, indicating some type of Mac/Apple computer or hardware". This shows that the agent didn't have any understanding of what a MAC address is, or what it means. The agent didn't even nail down what kind of hardware: if s/he did, s/he would have put down the computer's NIC as being the source of the MAC address, and not the computer as a whole.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 20 Dec 2013 @ 2:32pm

        Re: Re: It'd be standard to look up computer brand, minion.

        That's another good point. The MAC address would only tell you about the NIC controller (and sometimes it might be possible to spoof/change the MAC address depending on the hardware/software, as others have pointed out) and not necessarily the type of computer being used. It still might be possible to determine the type of computer used (or get an idea) if the NIC controller is an on-board controller with a MAC address that may help tie the type of NIC controller to the type of computer being used (or if the NIC controller is compatible only with certain types of computers/motherboards or if one manufacturer, like DELL, is known to use a certain type of NIC controller or has their own, it may help give an idea of what kind of computer might be in use).

        link to this | view in chronology ]

      • identicon
        Anonymous Coward, 22 Dec 2013 @ 6:33pm

        Re: Re: It'd be standard to look up computer brand, minion.

        Or maybe the speaker said "MAC address indicating an Apple/Mac..." and the person who wrote the report didn't understand.

        link to this | view in chronology ]

    • icon
      JMT (profile), 21 Dec 2013 @ 5:42pm

      Re: It'd be standard to look up computer brand, minion.

      I get much schadenfreude from arrogant, insulting 'corrections' that are actually completely wrong and make the poster look incredibly stupid.

      link to this | view in chronology ]

  • icon
    Justin Johnson (JJJJust) (profile), 20 Dec 2013 @ 1:36pm

    Not Buying It...

    I've taken all your comments on board, and I'm not buying them because:

    A. The declarant stated with quite particularity (though it's probably FBI copy pasta) the nature and significance of an IP address. The use of "a Mac address" vs "the MAC address X" is not meaningless in a legal declaration.

    B. No statements were made that the MAC address of the device seized matched the MAC address in the logs. There is nothing in the affidavit that furthers a claim that they took Y device because it had X MAC address which showed the NIC was manufactured by Apple and thus probably belonged to an Apple computer.

    C. The declarant has a pretty decent command of English grammar and punctuation, but the comma placement in the paragraph isn't correct.

    link to this | view in chronology ]

    • icon
      RickRussellTX (profile), 21 Dec 2013 @ 1:46pm

      Re: Not Buying It...

      The affidavit doesn't need to repeat the contents of every single finding entered into evidence. Checking the MAC of the laptop itself against the MAC supplied by the university IT security officer would be a downstream forensic step performed after the arrest and seizure.

      In any case, I can absolutely guarantee that a university IT security officer would look up the vendor portion of the MAC as part of their analysis. I used to run a university help desk and we collected and supplied these documents to police a couple of times a year.

      link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 20 Dec 2013 @ 1:37pm

    I know TechDirt isn't a prestigious publication, but this lack of fact-checking and editing is getting out of hand.

    link to this | view in chronology ]

    • icon
      Rikuo (profile), 20 Dec 2013 @ 2:12pm

      Re:

      Such as...? If you're going to call someone out on making mistakes or errors, it'd be kinda handy to...ya know...tell them where exactly they went wrong?

      link to this | view in chronology ]

  • icon
    Crashoverride (profile), 20 Dec 2013 @ 1:58pm

    This begs the question how many terrorists were overlooked or let go because....They didn't have a Mac???

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Dec 2013 @ 2:12pm

    IIRC

    every internet connected device has a Mac address...

    but...the device (laptop) talks to the router. the router keeps the laptop MAC in its ARP table, and forwards the router MAC forward to the next router, until it reaches its destination.

    the ARP table is cleared every 5 minutes or so. the MAC address would have been the final router.

    This is bad information.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Dec 2013 @ 2:32pm

      Re:

      DHCP daemon logs. See generally RFC 2131. Implementations vary.

      link to this | view in chronology ]

    • icon
      RickRussellTX (profile), 21 Dec 2013 @ 1:41pm

      Re:

      Thoroughly incorrect.

      Most college dormitories provide hardwired ethernet connections to students -- usually 2 ports per pillow, ports in common spaces, as well as pervasive WiFi.

      Students are forbidden from setting up their own wireless or wired routers, both to prevent them from providing university Internet services to third parties, and to prevent them from screwing up the network for everybody else in the entire dorm by misconfiguring the router. The university where I used to work had pretty sophisticated detection capability and we did take student routers and PC network bridges offline .

      That's not to say that a sufficiently sophisticated student couldn't cheat -- I'm sure somebody was running a Linksys with hacked firmware or something to make it look like a regular computer. But only very sophisticated students would do that.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Dec 2013 @ 3:42pm

    I wonder what Intellectual Property Address was used at that time

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Dec 2013 @ 4:46pm

    The posters above are correct. If the defendant accessed ask.fm through a home/business/university router, and that router used IPV4 network address translation (NAT). Then the MAC address in ask.fm server logs will be the router's MAC address, not the MAC address of the computer the defendant used to access ask.fm's website.

    Also, as pointed out by posters above, a MAC address identifies the manufacturer of the network interface card (NIC) built into the computer, and not the manufacturer of the computer itself.

    Either way, I found the random MAC address generation script for GNU/Linux, very interesting. Thanks for sharing it with us, Gwiz!

    link to this | view in chronology ]

  • icon
    kenichi tanaka (profile), 20 Dec 2013 @ 6:11pm

    There are some first class morons at the FBI. A MAC address is what's used by your ISP to give you access to the internet, it has absolutely nothing to do with an Apple computer.

    link to this | view in chronology ]

  • identicon
    WoW!, 20 Dec 2013 @ 7:23pm

    It must be nice to know people in high places!

    Incredible...what makes THIS GIRL any different from all the others who have received anonymous email of: "decapitation:, "broomrape in your future", "shoot you dead in the head" threats?

    The fact the FBI actually traced this anonymous harasser down, must mean the recipient was related to a FBI agent, or a friend like Jill Kelley was. Other women have just been told by the FBI to DEAL WITH IT! Or was the reason the FBI DID NOT look into OTHER RECIPIENTS complaints was because the anonymous threats were coming from DOD IP addresses, that made "the REPEATED complaints" not worth the FBI's looking into them?

    Some poor women have had this kind of anonymous harassment on and off for years, with the FBI doing NOTHING. Outside forensics traced the activity back to DOD IP addresses. Rather interesting!

    Oh well.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Dec 2013 @ 4:18am

    Lost me, I thought we were talking about Mc Donalds.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Dec 2013 @ 11:48am

    stymied by their own ignorance

    "If these basics aren't nailed down, agents lacking this crucial knowledge will be stymied by their own ignorance."

    Just enough knowledge to be dangerous. MAC addresses can often be changed. Relying on them to identify equipment type is not a good idea.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Jan 2014 @ 8:33am

    Wait, it gets better:

    "FBI SA Nicol requested the assistance of the FBI Legal Attache in Riga, Latvia..." (and assistant replied).

    WTF. What are these people doing there all week long? Beside collecting pay.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.