
Catching a snoop ?

CoastThinker
02-14-2006, 12:06 AM
Hi.

I dropped off my 14 inch IBook (10.4) for a software problem I didn't have time to fix, and the tech creeped me out - all my personal emails, photos of my children, and so on. When I got my laptop back, I went into Console and examined some log files. There is a huge gap in time in the system log - the most recent entries begin at around 16:00 on Feb. 10, about 5 hours after I dropped it off. The previous entries are from last April. My paranoia leads me to think that he grabbed a disk image of my two accounts and then wiped clean the logs to cover his tracks.

Attention all Mac geeks - is there any way to find out if this happened? Are there other ways to find out if there was a FireWire transfer or other activity?

Thanks

bramley
02-14-2006, 05:20 AM
Unless you have made custom modifications to system logging, I would have thought it very unlikely that a correctly functioning syslog would still contain log messages from 9 months ago. Normally the logs should rotate daily with up to 7 days of messages archived.

In other words correctly functioning system log messages should never be older than 7 days. The fact that you have such messages probably indicates that system logging probably broke sometime last April. Would this have been when you installed Tiger?

Unless you have custom logging, or other evidence I would tend to assume the technician is innocent.
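
An added example, not part of any post in this thread: one way to locate and measure the kind of silence in system.log discussed above. It assumes the classic BSD syslog line layout, which carries no year, so years are inferred by walking back from the newest entry. The sample lines, the hostname and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in classic BSD syslog layout (no year field); not taken from the thread.
SAMPLE = """\
Apr 18 09:12:44 ibook kernel[0]: constructed sample entry
Apr 18 09:13:02 ibook configd[35]: constructed sample entry
Feb 10 16:00:07 ibook kernel[0]: constructed sample entry
Feb 10 16:02:31 ibook loginwindow[70]: constructed sample entry
Feb 11 00:41:15 ibook kernel[0]: constructed sample entry
"""

def parse_stamps(text):
    """Parse the 15-character 'Mon DD HH:MM:SS' prefix of each line."""
    stamps = []
    for line in text.splitlines():
        try:
            # Parse against leap year 2000 so 'Feb 29' is accepted.
            stamps.append(datetime.strptime("2000 " + line[:15], "%Y %b %d %H:%M:%S"))
        except ValueError:
            continue  # continuation or non-syslog line
    return stamps

def assign_years(stamps, last_year):
    """Walk backwards from the newest entry; step the year back whenever
    an older line would otherwise carry a later date than the line after it."""
    year, nxt, out = last_year, None, []
    for s in reversed(stamps):
        while True:
            try:
                cur = s.replace(year=year)
            except ValueError:  # Feb 29 in a non-leap year
                year -= 1
                continue
            if nxt is not None and cur > nxt:
                year -= 1
                continue
            break
        out.append(cur)
        nxt = cur
    return out[::-1]

def find_gaps(text, last_year, threshold=timedelta(hours=24)):
    """Return (before, after, length) for each silence longer than threshold."""
    ts = assign_years(parse_stamps(text), last_year)
    return [(a, b, b - a) for a, b in zip(ts, ts[1:]) if b - a > threshold]

if __name__ == "__main__":
    for before, after, length in find_gaps(SAMPLE, last_year=2006):
        print(f"no entries between {before} and {after} ({length.days} days)")
```

A reported gap only shows that no entries exist for that period; it does not say why. Broken log rotation or a sleeping machine leaves the same silence as deleted entries.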

CoastThinker
02-14-2006, 10:08 AM
I assume that s/he is innocent, but:

other logs suggest that my IBook was worked on past midnight, which suggests that it was taken out of the store.

1. Suppose somebody did grab a disk image - in what places is this logged?
2. If it is asleep with the cover closed, will there still be system logging?

yellow
02-14-2006, 10:16 AM
[QUOTE=CoastThinker]which suggests that it was taken out of the store.[/QUOTE]

How so??

[QUOTE=CoastThinker]1. Suppose somebody did grab a disk image - in what places is this logged?[/QUOTE]

It isn't.

[QUOTE=CoastThinker]2. If it is asleep with the cover closed, will there still be system logging?[/QUOTE]

No.

kybrown17
02-14-2006, 10:37 AM
[QUOTE=CoastThinker]I assume that s/he is innocent, but:

1. Suppose somebody did grab a disk image - in what places is this logged?[/QUOTE]


It would be in the system logger when the person copied the disk image to an external device I believe.

I believe the Console would also show the Disk Utility app being opened. I just tried it and the console prints out one of these:

**********
Disk Utility started.


However, it does only log a certain amount of activity before it overwrites the list so you may be out of luck.

yellow
02-14-2006, 10:48 AM
There's no logging of data written to a disk image or external drive.

The only thing you'll find is an entry denoting that diskarbitration has mounted an external in system.log and if there was a disk image CREATED, you'll find evidence in the console.log of whomever was logged in at the time. There also may be an entry in secure.log denoting that system.burn was authorized.

But the OP stated that the logs appear to have entries missing..

Again, that's not proof of anything.

bedouin
02-14-2006, 11:16 AM
Even if he did image your drive how can you prove it was for malicious reasons? Maybe it's his policy to mirror all drives in case something goes awry during the repair.

If he wanted a disk image all he'd have to do is boot your computer into target disk mode and grab it from another machine, in which case there would be no record of it at all, and no reason to 'hide his tracks.' Just about any competent Mac person would know about this.

Having someone else do work on your computer is pretty similar to letting someone else work on your car; either you learn how to do it yourself or deal with the possibility that an immoral or dishonest person might work on your machine. Really though, if he's a busy repairman the incentive to waste 30 minutes of his time cloning your drive just for pictures of your kids and some E-Mails is pretty low; it's just another guy's boring iBook/PowerBook/iMac.

Now if you do dumb stuff like auto save your credit card numbers and bank info into Safari forms, or have them in text/Word files on your HD, you might have some concern. Those are bad things to leave laying around in plaintext no matter what -- especially if your machine was stolen, and that's always a possibility.

voldenuit
02-14-2006, 01:01 PM
There's nothing wrong with making a complete backup, then wiping the drive and installing a clean system before you hand over your personal machine for a repair.

Once you confide your machine to someone, there's no way of telling whether or not an image has been made after the fact.

Keeping your confidential data in an encrypted disk-image (and the key in your head or on a USB stick) is yet another good solution.

Raven
02-14-2006, 03:18 PM
We also have to think that the tech may actually have done a disk image for safe keep to make sure he did not lose the information... At least that's what I do when the user states he has no backups... But I do tell them I'm doing that ahead of time. The rest is confidence in the tech's integrity, which is something that varies sadly too much from tech to tech.

fat elvis
02-14-2006, 04:12 PM
:D more than a few of us in here are techs

What exactly are you worried that s/he stole? Pictures? Personal information? Your personal finance information should be password protected.

You should look into FileVault. It's built-in, and will provide some good security.

I also create an account for the techs who service my hardware. If they boot into FireWire mode, so be it...at least I didn't hand them my keys and ID right off the bat.

HTH

styrafome
02-14-2006, 05:06 PM
I regularly clone the entire hard disk, so if I need to send a machine in, it's no big deal to:

1. Update my bootable clone
2. Reformat the Mac
3. Install OS X with a generic username and password, let it install while I go do something else
4. Send Mac to shop
5. Get Mac back
6. Clone my backup back on the Mac, I got everything back.

This has many advantages.
A. There's no personal data on it to steal while it's in the shop
B. They'll never need to know what your username/password is, and you won't have to change it
C. You can access and update the data on the backup drive at any time while the Mac is in the shop
D. Heck, you can even start up another Mac from the bootable clone and it looks just like the Mac that's away
E. Secure in the knowledge that no files were accidentally altered in the shop

hayne
02-14-2006, 06:36 PM
[QUOTE=fat elvis]You should look into FileVault. It's built-in, and will provide some good security.[/QUOTE]

I don't recommend using FileVault - there have been too many sad stories on these forums of users losing everything when the disk image gets corrupted.
It is better to instead just use an encrypted disk image for the specific things that are confidential. FileVault puts the whole home folder into the encrypted disk image and that is overkill and increases the risk of data corruption.

Note also that if there is a problem with your user account, the tech support person will need access to your home folder, so FileVault protection is moot.

mark hunte
02-14-2006, 07:17 PM
[QUOTE=CoastThinker]Hi.

I dropped off my 14 inch IBook (10.4) for a software problem I didn't have time to fix[/QUOTE]

If they are trying to fix a software problem, then I would have thought,

[QUOTE=styrafome]1. Update my bootable clone
2. Reformat the Mac
3. Install OS X with a generic username and password, let it install while I go do something else
4. Send Mac to shop
5. Get Mac back
6. Clone my backup back on the Mac, I got everything back.[/QUOTE]

would not help in solving the software problem.
All you would be doing is fixing the software issue yourself and then giving it to the tech.
**edit** forgot to add:
Then if you put the clone or backup back on, you'd most likely get the software issue back.

I would have thought this would be more for fixing hardware issues.

If you do not trust the tech, then do as others have said: either encrypt the personal stuff,
or back it up to disk etc. and wipe it off the Mac before you hand it over.

CoastThinker
02-14-2006, 08:10 PM
Hi and thanks for the replies.

I'm a bit wary because I live and work in a small town where, if you listen hard enough, you can hear the sound of people minding other people's business, such as: who I've dated, emails from real estate agents, and so on. Basically it boils my blood to imagine somebody violating my privacy.

I also had a bad experience with FileVault, which I think is a cute idea but has not proved itself yet.

I think in the future I'll image the home folder to my eMac and if I have a serious problem with the IBook then I'll go nuclear and wipe everything, reinstalling Tiger.

styrafome
02-14-2006, 09:05 PM
[QUOTE=mark hunte]would not help in solving the software problem.[/QUOTE]

Ooops, you're right. I only send the Mac in for hardware problems. (Software problems I can deal with myself.)


 
