Computer seized by police, how to check/clean for keyloggers or any other malware?

Discussion in 'Networking & Security' started by EnterTheWormhole, May 18, 2015.

  1. EnterTheWormhole

    EnterTheWormhole n00b

    Messages:
    31
    Joined:
    Apr 29, 2015
    I'm not getting into details, but my computer was taken by the police recently.

    But they gave it back. I will never hook this computer back up to the Internet until I completely scrub it of any trackers/warez.

    If I could afford it I would just scrap this computer and build new, but damn this thing is/has been a beast in many ways for me over the years, so I have some nostalgia in trying to keep it. Plus the new comp I would build will cost me at least a G with the way I would build it, and if I could just clean my original, it's got plenty of horses under the hood for an upcoming major project I really need it for.

    I'm getting a new SSD for OS (think I'm going back to Ubuntu from Win7)

    But I also want to run/clean the mobo/bios/anything else for keyloggers or any malware at all they may have installed.

    Is it 100% possible to rid myself of any software they may have put on my mobo by doing some type of reset/wipe/clean of bios? Would there be anything else to consider?

    What about the memory sticks, could they install/embed any malware of any kind in them? I'm not opposed to buying new memory if they could.

    No this post is not a joke and real help is greatly appreciated. I think I put this in the right place on the forum... If not mods please move.

    Thanks.
     
    Last edited: May 18, 2015
  2. klank

    klank Killer of Killer NIC Threadz

    Messages:
    2,147
    Joined:
    Aug 22, 2011
    Nope.
     
  3. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    13,194
    Joined:
    Aug 16, 2004
    What are the system specs?

    Is the BIOS chip removable?

    Nothing can be installed in RAM and persist after the power is turned off.
     
  4. DragonNOA1

    DragonNOA1 [H]ardness Supreme

    Messages:
    4,302
    Joined:
    Aug 15, 2004
    I would think installing the OS on a brand new drive should help.
     
  5. EnterTheWormhole

    EnterTheWormhole n00b

    Messages:
    31
    Joined:
    Apr 29, 2015
  6. EnterTheWormhole

    EnterTheWormhole n00b

    Messages:
    31
    Joined:
    Apr 29, 2015
    I've read some keyloggers can be in bios. I don't know what else is possible to embed warez on beyond OS and bios?
     
  7. /usr/home

    /usr/home [H]ardness Supreme

    Messages:
    6,164
    Joined:
    Mar 18, 2008
    Buy a new SSD and reinstall.

    If you still don't trust that, build a new rig.
     
  8. renji1337

    renji1337 Limp Gawd

    Messages:
    271
    Joined:
    Mar 31, 2011
    Stuff like the SSD can be secure erased and the CPU is fine. Secure erase the SSD and you should be fine. And the bios battery as said.

    EDIT: My brother works with the local PD, he said that it's basically only hard drives they try to trace and stuff, secure erase the drive and you're good
     
    Last edited: May 18, 2015
  9. Master_shake_

    Master_shake_ [H]ardForum Junkie

    Messages:
    10,459
    Joined:
    Apr 9, 2012
    If you have another computer, install Wireshark on it and watch the logs from your old PC.

    see if there is any traffic going somewhere where it shouldn't.
     
  10. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    13,194
    Joined:
    Aug 16, 2004
    The BIOS chip is removable. It is the socketed chip next to the black PCIe slot.

    I highly doubt that there is anything installed on it as unless you are a "high risk" person there would be no point in them spending the time and effort to install anything on the BIOS.

    If you are really paranoid, you should be able to order a replacement BIOS chip off of Ebay.

    If you want to go ahead and replace the board, you can get something for pretty cheap but I really don't think it is going to make a difference.
     
  11. fightingfi

    fightingfi Look at Me! I need the attention.

    Messages:
    2,783
    Joined:
    Oct 9, 2008
    Main article: Fourth Amendment to the United States Constitution

    The Fourth Amendment to the United States Constitution provides that:

    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
     
  12. Master_shake_

    Master_shake_ [H]ardForum Junkie

    Messages:
    10,459
    Joined:
    Apr 9, 2012
    lol 4th amendment.

    good luck with that.

    when they call you a terrorist, you have no rights and they need no evidence.
     
  13. EnterTheWormhole

    EnterTheWormhole n00b

    Messages:
    31
    Joined:
    Apr 29, 2015
    I'd say I'm paranoid enough to build a whole new computer if I have to.

    Beyond replacing the bios chip, there really isn't anything else that would be required to replace the whole board is there? I'd like to do this as cheap as possible with being as effective as possible, including replacing the whole board if really need be.

    Should I remove the battery too?

    I found a bios chip I think, eBay #260530996325 - does that look like the right one, says it's for P5K Premium? Or is it the P5k-E model - 380449609035

    The link to mobo is my EXACT one.

    Only problem is they say it needs to be soldered in? It's not just plugged in there? As easy as soldering probably is, I have never done it and wouldn't want to try it for this project.
     
  14. EnterTheWormhole

    EnterTheWormhole n00b

    Messages:
    31
    Joined:
    Apr 29, 2015
    Actually I think this is the right bios chip right: eBay #380447979692

    Says specifically for P5K EPU and appears to be socket, not solder, which after looking at the mobo itself looks to be a socket bios chip. (I'm pretty sure I'm looking at the right thing)
     
  15. rellyrale

    rellyrale n00b

    Messages:
    46
    Joined:
    May 12, 2015
    dang this is too juicy not to know any details... I say scrap the hard drive and install a fresh new one and clean OS install
     
  16. EnterTheWormhole

    EnterTheWormhole n00b

    Messages:
    31
    Joined:
    Apr 29, 2015
    So I just ordered that chip and will get a new SSD or thumb drive to run a live version of Ubuntu off of, is there any other possible thing that could be corrupted with any warez that would need replacing?
     
  17. renji1337

    renji1337 Limp Gawd

    Messages:
    271
    Joined:
    Mar 31, 2011
    If you secure erase the SSD then you wont have to worry anymore.

    Also, you can always run a VPN online like PIA; it's $3/month for the added protection.
     
  18. EnterTheWormhole

    EnterTheWormhole n00b

    Messages:
    31
    Joined:
    Apr 29, 2015
    I had 2 HDD and 1 Samsung EVO SSD and I know they imaged all of them. The one HDD had TrueCrypt on it but I believe they defeated the encryption and got into it, although it did give them a hard time. I will use BitLocker from here on out as that is supposed to be the most secure encryption program.

    Is secure erase a program to download or a function of an SSD? I just don't know if I'll truly trust it and would almost rather shell out another $100 for a brand new Samsung EVO drive like I have now.

    I want to have a dual boot system of Ubuntu and Win7 just for the times when Ubuntu is giving me a hard learning curve, I'm rusty as hell. 120 GB SSD is plenty for Ubuntu and I had a 250 GB for Win7, but man the price difference between the 2 is so small it's almost worth getting 250 GB for both, but that's just so much overkill for Ubuntu. I'd like to dual boot on the same SSD, and 250 GB would probably be able to do both, but it's usually better to keep them separate, don't you think?

    A VPN is also something I'd like to get setup but the lag is gonna piss me off.
     
  19. renji1337

    renji1337 Limp Gawd

    Messages:
    271
    Joined:
    Mar 31, 2011

    secure erase is a function of an SSD. It basically gets rid of everything on it and resets it to like new, MUCH MUCH more so than a format.
     
  20. Dew

    Dew 2[H]4U

    Messages:
    3,809
    Joined:
    Jun 23, 2003
    In that case, secure erase it and toss it on ebay. You'll cut your cost for a new drive to about $25.
     
  21. dandragonrage

    dandragonrage [H]ardForum Junkie

    Messages:
    8,298
    Joined:
    Jun 5, 2004
    That's all well and good and several of us are believers in the Constitution but don't make the mistake of thinking our government is. Look at what government did to innocent Japanese Americans decades ago. Look at the NDAA from a few years ago which states that the government can imprison anyone, citizen or not, for any reason without trial or evidence for any length of time. Look at how the Supreme Court has oppressed people by completely disregarding not just the Constitution but common sense. They don't even make an effort to LOOK like they care about rights and laws and justice and all that.

    To answer OP, wipe the drive and reflash BIOS/EFI. Make sure to completely wipe the drive and not just OS partition.

    Replacing any hardware in this case is, honestly, just ridiculous.
     
  22. Archaea

    Archaea [H]ardForum Junkie

    Messages:
    9,786
    Joined:
    Oct 19, 2004
    You know if they are really watching you - they already know your hardforum handle and your other handles and know more about you than you would imagine. Creating your new hardforum handle didn't help you escape their surveillance --- depending of course on what you did to deserve their attention.

    In the corporate world, we have quite a few ways to monitor your activities as one of our staff. In the civil world - it's anyone's guess.

    If I wanted to be absolutely sure, I'd drop the comp on eBay, and buy a whole new machine. I'd start using a VPN service going forward, and switch my ISP regularly, swap out my router to the newest model (less likely to have any known exploits), and be sure to change all my router credentials, and PC and website passwords after you receive your new machine - possibly change them from a family member's house or public facility (library/school). But that's just the perspective of an infosec guy, who does none of those things because I have nothing to hide.

    You should assume if they had your machine in their possession, they know EVERY single last account and password you used. Forensic tools are amazing these days - especially if you had a spinning drive and not an SSD to begin with. They could see your print jobs, your web-email, your surf history, your chat messages - everything. Assume you have no confidentiality in what you did before.

    BUT --- that's worst case and with a proper forensics team.

    The reality is, probably, wiping your HD, and reformatting would be sufficient to take care of your typical trojan fodder (unlikely anything is installed at all--- yet I don't know what you did or if the FBI was involved or any of the details --- if that's the case - the whole game changes - and you revert back to starting over from scratch like mentioned above).

    HOWEVER -- why are you 'out of trouble' and trying to move on -- yet trying to secure yourself so you can potentially proceed with nefarious activities without being monitored. Check yourself -- use this as an opportunity to straighten out your life. You shouldn't need to hide what you do.
     
  23. dandragonrage

    dandragonrage [H]ardForum Junkie

    Messages:
    8,298
    Joined:
    Jun 5, 2004
    I'm not OP, but take that advice and shove it. He never told you he did anything and everything we do should be hidden if we want it to be. Police seize lots of property without a valid reason.

    If this were a conversation in person, I'd honestly be hoping OP would punch you in the face for saying that.*

    *: I don't condone violence. :)
     
    Last edited: May 19, 2015
  24. TCM2

    TCM2 Gawd

    Messages:
    572
    Joined:
    Oct 17, 2013
    If you have reason to believe you could be under targeted surveillance, buy everything new. Don't buy it online. Walk into a store.

    While TrueCrypt would have protected your data, once your hardware is out of your hands, even TC is futile. HDD firmware can work against you, UEFI can work against you. If you're a high-profile target for whatever reason, never re-use hardware you get back from law enforcement.
     
  25. wizdum

    wizdum [H]ard|Gawd

    Messages:
    1,943
    Joined:
    Sep 22, 2010
    Punching people in the face is the sort of thing that gets you arrested.
     
  26. TCM2

    TCM2 Gawd

    Messages:
    572
    Joined:
    Oct 17, 2013
    Too bad it's illegal even if you punch an idiot.
     
  27. redrage

    redrage Limp Gawd

    Messages:
    500
    Joined:
    Sep 23, 2012
    threatening violence is enough to get you arrested.

    The OP didn't go into details.. it could be something stupid like downloading too much adult material on torrents (and getting caught)

    Face it though, if it is really serious I doubt protecting him self from future seizures would be this important on the list of things to do.

    BTW: the 4th Amendment is still valid, the problem is they can get a warrant.. search your stuff while you are not around.. then tell you months down the line. .. thank you patriot act.
     
  28. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,405
    Joined:
    Oct 4, 2007
    I like how the fourth amendment was brought up, but wasn't even verified that the OP is from the states.

    Regardless, you have no idea if it was an unlawful seizure, and a political statement provides no technological help on this forum. Take your armchair legal advice elsewhere.

    With that said OP, replacing the RAM would be pointless. I would just install new OS on a brand new drive and factory reset your BIOS. I doubt they did anything extensive unless you were involved in some serious criminal activity and, if in the states, had the Feds involved.
     
  29. piker28

    piker28 Limp Gawd

    Messages:
    183
    Joined:
    Aug 2, 2007
    This is the local police not the FBI. I doubt they are going to this extent to monitor you unless you are really under their watch. At that point you would have cars following you and a tracking device installed on yours.

    As stated before, wipe the drive, reset the BIOS firmware, and then watch the Wireshark logs from a different machine.
     
  30. dave99

    dave99 2[H]4U

    Messages:
    2,129
    Joined:
    Jan 20, 2011
    If it's just the local cops, I wouldn't go to more extremes than secure erasing the SSD and reinstalling. Maybe flash the BIOS just for fun to a newer version (or the older revision if yours is already on the newest, then flash back to the newest).

    If they've gone to more extreme methods, then they are already watching everything you do with the new cameras in your house.
     
  31. dar124

    dar124 [H]ard|Gawd

    Messages:
    1,079
    Joined:
    Jan 21, 2012

    Nice!!! :eek::eek:
     
  32. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,764
    Joined:
    Feb 15, 2003
    Unless the NSA themselves seized your pc, all they have done is take a forensic image of your HDD. That is as far as the FBI would even go. Take the tin foil hat off. If they want your life, they can take it without ever seizing your stupid PC.

    Now that being said, as to why they did it, you better keep clean. You can bet they took a snapshot of your drive(s), and it will be run through a few systems to look for whatever they are looking for. Honestly, if you don't have a lawyer, you better start looking for one. That is serious advice from somebody that knows how this works.
     
  33. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,764
    Joined:
    Feb 15, 2003
    That has been the case far longer than the patriot act has been around.
     
  34. Archaea

    Archaea [H]ardForum Junkie

    Messages:
    9,786
    Joined:
    Oct 19, 2004
    Ironic that you quote protection from unjust search and seizure, while at the same time violating my freedom of speech by threatening violence.


    In the words of Roy D. Mercer - How big a boy are you?
     
  35. doug_7506

    doug_7506 2[H]4U

    Messages:
    3,223
    Joined:
    Oct 17, 2004
    Exactly, depending on what you did, and what they found on the computer, they can tap your line coming out of your house and collect EVERYTHING that comes in or out. Using a VPN, torrent, or different ISP won't help.

    Above is the worst case scenario in an ongoing investigation. If shit is this serious, you need to get an attorney bro.

    Best case scenario, they just imaged the HDD as others have said. I severely doubt they put any key loggers / trojans on there as they can be easily removed. If they have probable cause to monitor your traffic they are going to go straight to the wire.

    Again, this all depends on the severity of what was done.
     
  36. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,764
    Joined:
    Feb 15, 2003
    If they took the pc, it is an ongoing investigation. They don't hold them anymore, just image the drive and hand it back.
     
  37. EnterTheWormhole

    EnterTheWormhole n00b

    Messages:
    31
    Joined:
    Apr 29, 2015
    I appreciate everyone's help and advice. Let's keep it civil so we don't get this thread locked.

    A few things to help clarify:

    It was local PD, but a large enough city they have enough resources to have probably anything at their fingertips. But the feds are not involved.

    Computer was seized, but that was not what the issue/investigation is about. They took it because that's just standard procedure at this point during a search warrant it seems.

    They did image all my drives, I know this for sure as the detective told me.

    I didn't do anything illegal per se on the computer, but once they look through my history and interests they may raise an eye and want to take a closer look or keep an eye on me, so I'm just making sure the computer is clean so I can reuse it.

    Using a VPN would be nice, but if they're gonna tap my main cable line then according to a few on here I guess there's nothing I can do about it other than put my Internet in someone else's name. And I'm not sure if I need to go to that extent since technically the case is not in regards to any computer crime. But like I said they may not like my browsing history. Nothing weird or bad like kiddie porn etc, so I'm not trying to cover being a sick fuck. Just particular interests that are generally taboo.

    I have a really good attorney for the case, another reason I can't afford a new computer and want to clean up the old one.

    I bought a new BIOS chip and SSD. According to everyone I should be good from those two steps alone. And there's a good chance they didn't install anything, but I'm paranoid as hell and locking my shit down even better with BitLocker this time. I had TrueCrypt on my media HDD, but didn't have my OS drives encrypted and was on Win7 and surely there's backdoors for them to get past my initial password login. I'll be moving to Ubuntu and adding as much security and encryption as possible.

    I'm gonna secure erase old SSD and resell on eBay to counter balance cost of new drive.
     
    Last edited: May 19, 2015
  38. dave99

    dave99 2[H]4U

    Messages:
    2,129
    Joined:
    Jan 20, 2011
    Just a note, they CAN'T see what's going through your VPN, unless they had a warrant for the vpn provider and had monitoring setup there. Which they don't, that's fbi/nsa level stuff.

    That's the whole point of a vpn - it's not readable from a tap in the middle.
     
  39. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,764
    Joined:
    Feb 15, 2003
    Bullshit, an agency with a court order/warrant can request that. It may not be likely in this case, but it is not "FBI/NSA stuff".

    OP, you better stop looking to cover your tracks with VPN and go straight. It sounds like you were doing something grey, so they have your ass dead to rights, and if you start up in a covert manner again, they will see it, then compel your ass right into a courtroom.

    Seriously, walk away from whatever got you into this. As bad ass of a hacker as you may think you are, they are the fucking masters of the universe* compared to you.

    * I will clarify why a local PD can be the masters of the universe when it comes to cybercrimes. They can tap into federal and state resources if they need to, and if there is a serious crime, or a good pile of money involved, they will tap into that resource.
     
  40. EnterTheWormhole

    EnterTheWormhole n00b

    Messages:
    31
    Joined:
    Apr 29, 2015
    No hacking or money. Just trying to keep my privacy.