My Manjaro laptop got stolen about a month ago. Now I’ve got it back. How can I find out if it is safe to use?
I’m wondering whether a keylogger has been installed, or something sending out files.
All my data was stored in an encrypted partition. The system partition was not encrypted. I’m thinking that if the thief has a mirror of my disk (which is likely, as there are indications that I was targeted because of my political activities, and what else would be the reason for the laptop to suddenly be returned?), and I log in and mount the decrypted partition, then, if there is a keylogger running, the thief will be able to get the code used for decryption, which he can use to gain access to the disk he has probably mirrored.
The other risk is that once I decrypt, there is a process that starts sending files from the encrypted partition.
Is there a way to compare the services/processes set to start automatically with what is set to autostart by the default Manjaro installation? (I guess I’ve made 2-3 changes to this.)
Is there a way to run a checksum of every file/directory in the system and compare it to what pacman has installed? (Compare with the pacman offline cache first; in a second phase, compare the pacman cache to the online packages, i.e. the versions available at the time the laptop was stolen.)
Is there a way to list all config files that are not in their original state?
Is there a way to list all (explicitly) installed packages that were not part of the original Manjaro default installation process?
There are tools - but in this case they are likely worthless - unless you have a backup.
There are sophisticated ways of altering the firmware to hide access to the device - so you should consider the device unsafe - and possibly the data lost.
The only way you may access your encrypted data is to extract the disk and place it in a USB case.
Then use a second air-gapped system - considered safe - to access the content of the encrypted container.
If you’re really such a target I would recommend not using this laptop anymore and saving your personal data to another storage. It’s really dubious that they returned the laptop to you. As you already mentioned, there is a high possibility that they want you to use this laptop to gather more information. There are some tricks, like manipulating the UEFI BIOS, that cannot be detected with ordinary scans. Updating the BIOS should be the minimum, but in your case? I would send this thing to the trash after saving your personal data from the laptop.
I travelled a lot to China, and after the IT department recognized a similar UEFI virus on my company laptop, IT decided to fit us with specific, cheap laptops for travelling to China. After each trip these laptops went to the trash without being connected to or used in the company network. Better safe than sorry.
There are not enough details from your side, and I would say this is nothing that a forum like this can provide. I know that the IT department of my former company, for which I was travelling a lot to China, was in contact with specialized companies and the BSI (here in Germany) that investigated the intrusion of my company laptop at that time. Afterwards they decided to use cheap “travelling” laptops for China, equipped with the minimum of apps needed for my job, and to throw the laptops away after returning from China.
If you’re so concerned, I would suggest that you get in contact with specialized companies or NGOs. Here in Germany the BSI and the Chaos Computer Club (if you don’t want to contact official government bodies) would be good addresses.
I think the first indication would be if he installed something… so I would check pacman.log
/var/log/pacman.log
Also check the properties, whether the log was modified after the last time you used your laptop. What about a BIOS password? Maybe it’s worth checking your EFI boot also.
You need a forensic approach - the first thing is to create a disk image of the entire #! using dd, or better one of the dd variants for data forensics, e.g. dc3dd - then you can wipe your system - flash the firmware - reinstall - and hope for the best.
The first thing I did was to list all files, sorted by timestamp. There were no files changed after the day before the laptop was stolen.
System has not been booted since the day before it was stolen.
If something is installed, it is done either by using a bootable usb stick, or by connecting the harddrive to another pc. For sure it is not logged.
Most probably it is done either by overwriting some files with a modified version of themselves, keeping the original timestamp, or by adding new files. E.g. the firefox executable can be altered with a version that scans for mounted partitions and sends out the content of a newly mounted volume little by little so as not to look suspicious.
Or a similar thing could be done with the terminal/shell executable, sending out all keys pressed - to reveal passwords used to mount.
Or a new file could be added to the system, autostarted at boot or login, that sends out any keys pressed.
All the above things should be possible to reveal by comparing files to the pacman database/cache and package checksums. I’d be surprised if such functionality is not present in any existing tools.
The BIOS checksum matches the checksum of the BIOS version installed.
If your intent is to provide intelligible proof that your system is tampered with - do not boot the system - any validity to your claim of tampering is null and void if you boot the system.
Create a forensic copy - dc3dd is a favored tool - using some kind of live system - Kali Linux provides such tools OOB.
As I said - it is possible - yet not possible to say exactly what you need thus the rather vague answer.
If the laptop has been really stolen because of your political activities, don’t expect an amateur work and don’t expect an easy cleaning.
Remember rootkits load before the system and then hide themselves, so it’s hard to find any trace. And they can even stay in your UEFI, as @kobold says:
That revealed quite a few interesting things…
Lots of Firefox files with checksum mismatch
grub permission mismatch
lib32-xz checksum mismatch
networkmanager checksum mismatch
shadow permission mismatch
Looks like the mismatches are targeting boot, network and user login…
The interesting thing here is that, e.g., for the kernel66 mismatches listed, there are mismatches with timestamp and checksum, while for firefox most mismatched files are checksum mismatches only (some have size mismatches as well). That looks way more suspicious.
At this point, you should decide between the value of your integrity/privacy and the value of your laptop.
Only you can accurately assess your environment and your situation.
I’m not expecting cleaning at all. I’m hoping to figure out what they do. That would be important information to people like me.
I arranged a meeting. The government’s problem is that we were gone before they realized there was a meeting, and they want to know who was there. So they arrested my wife, who happened to be in another country, unaware of my actions, and they arrested another guy and his son who happened to live just an hour away (I knew about him; he didn’t know about me until the moment he got arrested). A week later I got arrested.
If they manage to decrypt the disk, they will be welcomed by a picture of the head of the police department, naked, with a vegetable up the rear and a 6-year-old next to him. I’m so excited to find out what they’ll do when/if they find that picture of their boss. Could you think of a better proof of why there are no investigations of the child trafficking network involving lots of government officials in western Europe? Even when the Australian police sends lists of names from a network they have infiltrated to the European governments, nothing happens.
The result of the meeting: We managed to save two children from this network and bring them back to their parents.
As others have already said, that is not a subject for amateur detective work. If there is government involvement then assume your laptop is compromised at the UEFI firmware level and act accordingly.
I don’t think there are any other places than public user forums that can help. Organizations like CPJ are partially fed, partially threatened by the same network.