Stolen laptop returned. Safe to use?

My Manjaro laptop got stolen about a month ago. Now I’ve got it back. How can I find out if it is safe to use?
I’m wondering whether a keylogger has been installed, or something sending out files.

All my data was stored in an encrypted partition. The system partition was not encrypted. I’m thinking that if the thief has a mirror of my disk (which is likely, as there are indications that I was targeted because of my political activities, and what else would be the reason for the laptop to suddenly be returned?), and I log in and mount the decrypted partition, then, if there is a keylogger running, the thief will be able to get the code used for decryption, which he can use to gain access to the disk he probably has mirrored.
The other risk is that once I decrypt, there is a process that starts sending files from the encrypted partition.

Is there a way to compare the services/processes set to start automatically with what is set to autostart by a default Manjaro installation? (I guess I’ve made 2-3 changes to this.)

Is there a way to run a checksum of every file/directory in the system and compare it to what pacman has installed? (Compare with the offline pacman cache first. In a second phase, compare the pacman cache to the online packages - the versions available at the time the laptop was stolen.)

Is there a way to list all config files that are not in their original state?

Is there a way to list all (explicitly) installed packages that were not part of the original Manjaro default installation?

Assume it is not.

Not unless you have a backup.

There are tools - but in this case they are likely worthless - unless you have a backup.

There are sophisticated ways of altering the firmware to hide access to the device - so you should consider the device unsafe - and possibly the data lost.

The only way you may access your encrypted data is to extract the disk and place it in a USB case.

Then use a second air-gapped system - considered safe - to access the content of the encrypted container.


If you’re really such a target I would recommend not using this laptop anymore and saving your personal data to another storage. It’s really dubious that they returned the laptop to you. As you already mentioned, there is a high possibility that they want you to use this laptop to gather more information. There are some tricks like manipulating the UEFI BIOS that cannot be detected with ordinary scans. Updating the BIOS should be the minimum, but in your case? I would send this thing to the trash after saving your personal data from the laptop.
I travelled a lot to China and after the IT recognized a similar UEFI virus on my company’s laptop, the IT decided to fit us with specific, cheap laptops for travelling to China. After each travel these laptops went to the trash without connecting or using them in the company’s network. Better safe than sorry.


A huge part of my goal here is to find evidence that such thing has happened, if it has happened.

There are not enough details from your side and I would recommend that this is nothing that a forum like this can provide. I know that the IT of my former company, for which I was travelling a lot to China, was in contact with specialized companies and the BSI (here in Germany) that investigated the intrusion of my company’s laptop at that time. Afterwards they decided to use cheap “travelling” laptops for China, equipped with the minimum of needed apps for my job, and throw the laptops into the waste after returning from China.
If you’re that concerned I would suggest that you get in contact with specialized companies or NGOs. Here in Germany the BSI and the Chaos Computer Club (if you don’t wanna contact official govt) would be good addresses.


I think the first indication would be if he installed something… so I would check pacman.log


Also check the properties to see if the log was modified after the last time you used your laptop. What about a BIOS password? Maybe it’s worth checking your EFI boot as well.

You need a forensic approach - the first thing is to create a disk image of the entire disk using dd, or better one of the dd variants for data forensics - e.g. dc3dd - then you can wipe your system - flash the firmware - reinstall - and hope for the best.


The first thing I did was to list all files, sorted by timestamp. There were no files changed after the day before the laptop was stolen.

System has not been booted since the day before it was stolen.

If something is installed, it is done either by using a bootable USB stick or by connecting the hard drive to another PC. For sure it is not logged.

Most probably it is done either by overwriting some files with a modified version of themselves, keeping the original timestamp, or by adding new files. E.g. the Firefox executable can be altered with a version that scans for mounted partitions and sends out the content of that newly mounted volume little by little so as not to look suspicious.

Or a similar thing could be done with the terminal/shell executable, sending out all keys pressed - to reveal the passwords used to mount.

Or a new file could be added to the system, autostarted at boot or login, that sends out any keys pressed.

All of the above should be possible to reveal by comparing files to the pacman database/cache and package checksums. I’d be surprised if such functionality is not present in some existing tool.

The BIOS checksum matches the checksum of the BIOS version installed.

If your intent is to provide intelligible proof that your system was tampered with - do not boot the system - any validity to your claim of tampering is null and void if you boot the system.

Create a forensic copy - dc3dd is a favored tool - using some kind of live system - Kali Linux provides such tools OOB.

As I said - it is possible - yet it is not possible to say exactly what you need, thus the rather vague answer.

Using a search engine: archlinux check filesystem integrity for installed packages


Looks like
pacman -Dkk
pacman -Qkk
should tell if any installed files have changed after installation (timestamp/size/missing).

That is one small step on the way…

If you don’t already have it, install the package pacman-contrib.

It adds a variety of tools related to package management.

Type pac and press Tab for completion.

Sample run

 $ sudo paccheck --sha256sum | grep mismatch
cups: '/usr/share/applications/cups.desktop' sha256sum mismatch (expected 7d4fa804ec2c9e5e029776b91d1aaed9dd9c6501bb4a882aeb0bdd326470b5b9)
ghc-libs: '/usr/lib/ghc-9.2.8/lib/package.conf.d/package.cache' sha256sum mismatch (expected dcc1d9e7b71e236a7fc4fd580e15bc86c7141dccd97340d36cf0cffd3e9bd52a)
warning: joplin: '/usr/lib/node_modules/joplin/tests/support/photo-åäö.jpg' read error (No such file or directory)
linux66: '/usr/lib/modules/6.6.35-1-MANJARO/modules.dep' sha256sum mismatch (expected b9764e48e9bba89cfce70b800eec81a08256c410efcb6101e6a924cbe28b705a)
linux66: '/usr/lib/modules/6.6.35-1-MANJARO/modules.dep.bin' sha256sum mismatch (expected d7fad126f6506edf6bcef36c8f52daa8e01f3a16bfa0da152feb292c09d2320e)
linux66: '/usr/lib/modules/6.6.35-1-MANJARO/modules.symbols' sha256sum mismatch (expected 439e319766c19dcfdc207521cb4d26646d82ffd81dbeb71adcd76c012bf4f66a)
linux66: '/usr/lib/modules/6.6.35-1-MANJARO/modules.symbols.bin' sha256sum mismatch (expected 8108c48bf5422907b65e61f90c118f21735702bce5ead1af6554c359cbbe8192)
networkmanager: '/usr/lib/NetworkManager/conf.d/20-connectivity.conf' sha256sum mismatch (expected 983b35fc1846785932135c4fcda467a5d790b86bc50599ebafa8fe064ba53489)
nordvpn-bin: '/var/lib/nordvpn/data/countries.dat' sha256sum mismatch (expected 875c798e7174eb4a157ace47b4dbd800f2c7ee66160fc0d7b68c9e24db24da1a)
nordvpn-bin: '/var/lib/nordvpn/data/insights.dat' sha256sum mismatch (expected 58be3a4baf313e9b9e1c95164715846a99e2395b966fa1e8335a6ccfcfa957ac)
nordvpn-bin: '/var/lib/nordvpn/data/servers.dat' sha256sum mismatch (expected 63c443950de9dfbfb91356d1199d947530b2ffcdc05db8674b50e7dbcc200f34)
pacman-mirrors: '/usr/share/pacman-mirrors/mirrors.json' sha256sum mismatch (expected fe7c87231c49aeaa9e0f787168adab370808b7681a9a846377b32f4a0e1804d9)
system-config-printer: '/usr/share/applications/system-config-printer.desktop' sha256sum mismatch (expected c040be329f932555d3bfc7aa307706df5d1031fb4039695a7eaf58151506cd79)
vlc: '/usr/lib/vlc/plugins/plugins.dat' sha256sum mismatch (expected c58325225453d4f3164f2275562bec56e777fab4ae67bf5d463d728f02557079)

There will be files listed which are expected to have changed - it should be obvious which are false positives.


If the laptop has been really stolen because of your political activities, don’t expect an amateur work and don’t expect an easy cleaning.

Remember rootkits load before the system and then hide themselves, so it’s hard to find any trace. And they can even stay in your UEFI, as @kobold says:


That revealed quite a few interesting things…
Lots of Firefox files with checksum mismatch
grub permission mismatch
lib32-xz checksum mismatch
networkmanager checksum mismatch
shadow permission mismatch

Looks like the mismatches are targeting boot, network and user login…
The interesting thing here is that e.g. for the kernel66 mismatches listed, there are mismatches in both timestamp and checksum. While e.g. for Firefox, most mismatched files are checksum mismatches only. (Some have a size mismatch as well.) That looks way more suspicious.
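The distinction the previous post draws (checksum differs while timestamp and size still match, versus everything differing together) is worth automating, because `pacman -Qkk` and `paccheck` print one warning line per reason and a file with three reasons shows up three times. The script below is an added example, not code from this thread, from pacman or from pacman-contrib. It parses the `warning: <pkg>: <path> (<reason>)` lines of `pacman -Qkk` (line format assumed from pacman's output) and the `<pkg>: '<path>' <reason> ...` lines shown in the paccheck sample earlier in the thread, merges the reasons per file, and sorts files into buckets: content-only changes (the suspicious pattern), content plus metadata changes, permission changes, metadata-only drift, missing files, and an allow-list of files that hooks regenerate after install (the `modules.*` files of the kernel package, caches). The sample lines, the allow-list and the output filenames are constructed for the example; run it against a copy of the system, never the live laptop.

```python
"""Triage pacman integrity output: separate content-only changes from noise.

Added example, not code from the thread, from pacman or from pacman-contrib.
Input line formats (assumed, see lead-in):
  pacman -Qkk : "warning: <pkg>: <path> (<reason>)"
  paccheck    : "<pkg>: '<path>' <reason> (expected ...)" / "warning: <pkg>: '<path>' read error (...)"
Usage on a real capture:  sudo pacman -Qkk 2>&1 | python3 triage_qkk.py
Without piped input the constructed SAMPLE_OUTPUT below is used.
"""
import re
import sys
from collections import defaultdict

# pacman -Qkk line; paths containing spaces are not handled (simplifying assumption).
QKK_RE = re.compile(r"^warning: (?P<pkg>[^:]+): (?P<path>/\S+) \((?P<reason>[^)]+)\)$")
# paccheck line, optionally prefixed with "warning: " for read errors.
PACCHECK_RE = re.compile(r"^(?:warning: )?(?P<pkg>[^:]+): '(?P<path>[^']+)' (?P<reason>[^(]+?)\s*(?:\(|$)")

# Files whose content pacman does not own once install hooks have run (depmod
# output, package caches). Constructed allow-list: review it per system.
EXPECTED_VOLATILE = (
    re.compile(r"^/usr/lib/modules/[^/]+/modules\."),
    re.compile(r"/package\.cache$"),
)

def kind(reason):
    """Map a reason string from either tool to one coarse category."""
    r = reason.lower()
    if "sum" in r:                      # "SHA256 checksum mismatch", "sha256sum mismatch"
        return "content"
    if "time" in r or "size" in r:      # "Modification time mismatch", "Size mismatch"
        return "meta"
    if "permission" in r:               # "Permissions mismatch"
        return "perm"
    if "no such file" in r or "read error" in r:
        return "missing"
    return "other"                      # symlink target, UID/GID, file type, ...

def parse(lines):
    """Return {(pkg, path): set(kinds)} from mixed pacman -Qkk / paccheck output."""
    findings = defaultdict(set)
    for line in lines:
        line = line.strip()
        m = QKK_RE.match(line) or PACCHECK_RE.match(line)
        if m:                           # summary lines ("N total files") do not match
            findings[(m["pkg"], m["path"])].add(kind(m["reason"]))
    return findings

def classify(kinds, path):
    """Name the bucket for one file given the set of reason kinds reported for it."""
    if "missing" in kinds:
        return "missing"
    if any(p.search(path) for p in EXPECTED_VOLATILE):
        return "expected-volatile"
    if "content" in kinds and "meta" not in kinds:
        return "content-only"           # bytes changed, mtime/size preserved: look here first
    if "content" in kinds:
        return "content+meta"           # typical for legitimately rewritten files
    if "perm" in kinds:
        return "permissions"
    return "metadata-only"              # mtime/size drift without a checksum failure

def triage(lines):
    """Bucket every reported file; returns {bucket: [(pkg, path, sorted kinds)]}."""
    buckets = defaultdict(list)
    for (pkg, path), kinds in sorted(parse(lines).items()):
        buckets[classify(kinds, path)].append((pkg, path, sorted(kinds)))
    return dict(buckets)

# Constructed sample mixing both formats; not a capture from the thread's laptop.
SAMPLE_OUTPUT = """\
warning: firefox: /usr/lib/firefox/libxul.so (SHA256 checksum mismatch)
warning: firefox: /usr/lib/firefox/firefox (Size mismatch)
warning: firefox: /usr/lib/firefox/firefox (SHA256 checksum mismatch)
warning: linux66: /usr/lib/modules/6.6.35-1-MANJARO/modules.dep (Modification time mismatch)
warning: linux66: /usr/lib/modules/6.6.35-1-MANJARO/modules.dep (SHA256 checksum mismatch)
warning: grub: /usr/bin/grub-install (Permissions mismatch)
warning: networkmanager: /usr/lib/NetworkManager/conf.d/20-connectivity.conf (Modification time mismatch)
shadow: '/usr/bin/passwd' sha256sum mismatch (expected 0000000000000000000000000000000000000000000000000000000000000000)
warning: joplin: '/usr/lib/node_modules/joplin/tests/support/photo.jpg' read error (No such file or directory)
linux66: 5000 total files, 1 altered file
"""

def main():
    lines = SAMPLE_OUTPUT.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for bucket, entries in triage(lines).items():
        print(f"== {bucket} ({len(entries)})")
        for pkg, path, kinds in entries:
            print(f"  {pkg}: {path} [{', '.join(kinds)}]")

if __name__ == "__main__":
    main()
```

Two caveats when reading the buckets. `paccheck --sha256sum` on its own reports no timestamp or size information, so every one of its findings lands in `content-only`; `pacman -Qkk` checks both, which is what makes the content-only bucket meaningful. And the allow-list only suppresses expected churn: a regenerated `modules.dep` is normal, but a changed kernel module or a changed `grub-install` binary is not, so the allow-list should stay narrow and be reviewed rather than extended until the output is empty.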

Wipe the Laptop.


At this point, you should decide between the value of your integrity/privacy and the value of your laptop.
Only you can accurately assess your environment and your situation.

I’m not expecting cleaning at all. I’m hoping to figure out what they do. That would be important information to people like me.
I arranged a meeting. The government’s problem is that we were gone before they realized there was a meeting, and they want to know who was there. So they arrested my wife, who happened to be in another country, unaware of my actions, and they arrested another guy and his son who happened to live just an hour away (I knew about him, he didn’t know about me until the moment he got arrested). A week later I got arrested.

If they manage to decrypt the disk, they will be welcomed by a picture of the head of the police department, naked, with a vegetable up the rear and a 6yr next by. I’m so excited to find out what they’ll do when/if they find that picture of their boss. Could you think of a better proof of why there are no investigations of the child trafficking network involving lots of government officials in western Europe? Even when the Australian police send lists of names from a network they have infiltrated to the European governments, nothing happens.

The result of the meeting: We managed to save two children from this network and bring them back to their parents.


As others have already said, that is not a subject for amateur detective work. If there is government involvement then assume your laptop is compromised at the UEFI firmware level and act accordingly.

If you’re a journalist then there are various support links at Resource Center - Committee to Protect Journalists


I don’t think there are any other places than public user forums that can help. Organizations like CPJ are partially fed, partially threatened by the same network.

Chaos Computer Club!

Another thing:

  1. The UEFI BIOS could be changed
  2. The firmware of the SSD could be changed