Ytukyg

The main information we are lacking is your threat model.

Is it likely that the military targets you specifically, and would be willing to expend some resources on you? We don't need to know the details, but the answer changes depending on whether what happened is more or less standard procedure for your country, or you are being singled out.

And we don't know what secrets you are protecting. If you have personal data and communications, that's a different game than being an active element in a political opposition movement or other activity that might get you murdered if they get the data. There are countries in the world where being a human rights activist can get you on a death list.

If this is standard procedure, and your data isn't life-or-death, you can take the usual precautions, complete OS reinstall, firmware flashing, if you want to go the extra mile, replace components such as the Ethernet port and whatever else is replaceable. Then operate under the assumption that you might have missed something more deeply embedded, but your chances are better than average that you are clear.

The same is true for the active network connection. It is likely that your adversary did standard attack patterns. If your network is secured, and you don't see any signs of intrusion on the inside (firewall logs, IDS if you have, etc.) you could be fine.

If it is more likely that you received special attention, I would strongly suggest using the machine in some innocent ways (surfing the web, etc.) somewhere and then leaving it out in the open when you go to the toilet. Or in other words: Make it get stolen. That way nobody can blame you, the adversary cannot tell for sure if you intentionally "lost" the device and in any case can't prove it, and it's the only way to be sure. Even if you had it sitting nearby powered off, there could still be a microphone hidden inside that monitors you. So getting rid of it is the only safe option.

For the details, I can't do better than forest in his answer to show how deeply stuff could be hidden inside. They could've even switched out components with seemingly identical ones, plus backdoors. There are things you can do to hardware that the manufacturer would have trouble finding.

The same is unfortunately true for your network. There is always one more 0-day out there, and backdoors in network devices aren't exactly unheard of as well. If you are a high-profile target, you need to assume that the network has been compromised.

However, all of this advanced stuff isn't free or cheap. That is why the threat model is important. It is unlikely the military would use its best stuff on a random search.

Methodology aside, just assume that the laptop and anything within audio and visual reach of the laptop is compromised and therefore subject to monitoring as well as the activity on the computer itself.

Searching for, tampering with, or removal of the computer/monitoring devices might well be detected and seen as a criminal act. Also, complete destruction of the laptop or pointedly not being used can also be viewed with extreme suspicion.

All you can really do is continue to use the laptop, but with the knowledge that activity is being monitored (so only do "legal" stuff on it). Visual/audio monitoring devices need not involve the laptop being powered up.

Invest in a nice, secure, padded (and soundproof) laptop bag to store the laptop in when not in use.

In addition to what others have mentioned about detecting hardware changes (chiefly that it is nearly impossible), you should recognize that the most likely vector of compromise would be the installation of software, especially if they only had your device for a fairly limited period of time.

To have a reasonable level of certainty that your device is clean from software exploits you should throw out the hard drive and start with a fresh one and a fresh install. Many of the more practical (and easy) low-level rootkits modify the firmware on hard drives to prevent a normal format from removing the malware. This is also one of the easiest ways to alter a system fairly quickly and "undetectably". If your laptop has a replaceable network card, this would also be something to consider replacing as it is also another fairly useful place to deploy a hardware implant.

Any malware likely needs to phone home eventually. Start up your computer and any common applications you run. Connect it to an external router (this is important as you cannot trust software running on the laptop) that records all traffic. Let the laptop sit unused for at least 24 hours. Now, painstakingly validate all the IP's via ARIN or other registries, to see if any of them look suspicious. You will almost certainly have several that you cannot validate, even if the machine is not compromised, but this may give you some confidence-level of compromise. Do be aware that nation-states often possess the ability to inject traffic into legitimate streams from legitimate locations, and also may compromise legitimate services or use existing legitimate services (such as docs.google.com where any user can create documents of arbitrary data). In addition network traffic on any network protocol is suspect and should not be discounted while trying to validate the traffic.

Lastly, think of your risk profile. Is your nation known for hacking devices and monitoring them? Are you a victim of bad luck or are there legitimate reasons why they should or did suspect you? A certain level of paranoia is healthy, but be practical with your assessment. Custom hardware implants are not cheap, and the cost of discovery can be both embarrassing and expensive. If you are not a likely suspect and of some significant importance, the most likely implant will be software/firmware based, if anything was implanted at all. As others have pointed out, any credentials you had on your machine/that you provided/or any active browser cookies, and any files on the system should now be considered compromised.

Given what you've told us, you need to assume that not only is the laptop irrecoverably compromised, but so is your entire home network, everything connected to it, and every account you have anywhere that was ever accessed from the laptop or from another device connected to your home network.

1. Physically destroy the laptop, preferably by melting/burning it rather than simple shredding or pulverisation.




2. Do the same for every single component of your home network.




3. Do the same for every device that was connected to said network during the time after the laptop was "returned".




4. Close and delete every account that you have on every website that you have ever accessed from the laptop or from any of the devices in step 3.




5. Cancel and physically destroy any and all credit/debit/gift cards that you have ever made payments from via the laptop or via any of the devices in step 3. Also cancel any payments that were made using any of those cards during the time after the laptop was "returned".




6. Close all your bank accounts, withdrawing their entire contents in cash. Destroy any paperwork in your possession associated with any of those accounts.




7. I cannot emphasise strongly enough the importance of fleeing to a country with better protections against these sorts of abuses by arms of the government.

If they have all your passwords, as you say, and had possession of the laptop, the laptop, its operating system and software installed are all suspect. As suggested, nuke from orbit.

I would also be concerned that any software that might possibly have been implanted could (and would) attempt to compromise other computers on connected networks. Do not connect this machine to an ethernet, nor power it on near any WiFi networks if it has WiFi (nor around Bluetooth devices though I know little about this).

It may not be possible to wipe it even under safe conditions due to compromised firmware.

If they had the laptop for, say, 30 minutes (or less), the drive could (and would) have been imaged/copied. Its secrets are no longer yours alone.

You also have some work ahead of you to change all your passwords: you might want to nuke the accounts for extra safety. Delete all content (if possible) and close the account. Good luck with that. Information may have already been collected, however.

There have been answers regarding hardware modification, and while this is a possibility, clearly software tampering should be high on your mind.

I need to make sure if they have added something to monitor my activities or steal my data or not

Consider that they have all your data already. You surrended all your passwords, so even data that is not on your laptop (e.g. mail, cloud) is now in their hands. Extended comment: if you were not under arrest you could always change as many passwords as you could after giving them, but we want to assume our attacker has so much resources and efficiency that they grabbed an entire copy of all your online activities by the second you wrote down your password on a piece of paper. Pessimistic approach.

As pointed out by @forest, you can do something to try to prove they did it, but it is so expensive that you better go BestBuy as fastest as possible to get a new laptop. Unless your goal is to whistleblow your government is spying on you and how.

And if they have done that, what should I do to prevent them.

I assume you asked "what should I do to prevent them in the future?". Please edit if not. Getting a new laptop and implementing proper security measures is good, just as we others are doing.

Full disk encryption, plausibly-deniable hidden volumes and complex passwords are the basic tools. A military corp targeting an individual can have so many resources (including 0-days) that you can not prevent them to hack you forever, but you can still protect yourself and make it a painful time for them.

Remember, you said you gave them the passwords. This is where TrueCrypt/VeraCrypt come handy. I recommend you to take a look at this QA. Remember to use the cover OS often. Once in the future you will be questioned again for your passwords, give them the decryption key for the "outer" OS. They are not stupid, they will try their best to extort you that you are running a hidden OS too. For example, just that you are using VeraCrypt instead of stock Windows BitLocker or stock Linux LVM, that might be grounds for questioning/extortion.

You may also want to carefully and safely copying documents from the old hard drive using a USB adapter. Documents, not executables. And, out of paranoia, who can tell if some PDF documents were altered to exploit a 0day in one of the popular readers?

You may want to escape from that country as soon as possible, for what concerns me.

A backdoor still has to communicate to the attacker, so watching network chatter via your router should suffice. Wiping a harddrive and reinstalling an OS may not be enough, they had it for a week, they could've taken it apart, installed a network tap device and put it back together.

That's not all there is either, there may be no network activity and the program/device may be silently collecting data for somebody to physically retrieve later, probably via a knock on your door.

A new laptop is in order, however I'd keep the old one, maybe even put it on a DMZ so it can't talk to other devices on your home network and it goes without saying, it can't be used for anything sensitive ever again.

Install an AP in your cellar, or alternatively, put the laptop in a metal box. The goal is to make it impossible to communicate with radio signals, except the AP which is provided by you.

Inside that metal box, put your own AP. So, the laptop should see a total radio silence, his only way to communicate to the external world should be your AP.

The uplink of your AP should be one of your external machines. Start a network packet listener and analyzer on it.

You might try to trigger their eavesdropping by doing some tricky things. For example, you could search for the political enemies of your state, or you should try seeming trying to contact them.

Beware, such people are highly paranoid and they are not affected by arguments like "I did not try to contact country X, I only tried to look it so" or "If I had really tried to communicate with country X, I hadn't done it with your bugged laptop". They are strong arguments for you, but nothing for them. You will be sued for contacting country X and nobody will be interested your arguments. Your only way to avoid punishment if you don't do it. Now consider the case that you can play with them.

The laptop should be continously online, you should continuously do things on it (of course nothing illegal).

Then check the traffic of your AP, your own AP, what it communicated and where.

Unfortunately it can have only positive answer: if the laptop didn't communicate, you have no way to know that it is because it was not bugged, or that it was bugged, but not active. If it communicates, you will know how many traffic did it made and where.

If you played enough, zero out the hard drive and sell the laptop on the internet.

If you will later talk to them, you don't know anything, you just sold your laptop because you wanted a stronger hardware, and you didn't even think on that it might be bugged.

The main issue is to have a good threat model. Perhaps the military are just doing routine things. Perhaps they have been ordered to spend a lot of specific efforts to spy you.

If you suppose that the military is doing routine (unsophisticated) things (then they probably installed some malware, probably one that most software tools won't detect, and have copied all the contents of your laptop on their servers), you could consider clearing all the disk (that is, reformatting it completely) and installing (for example) some Linux distribution on your computer (however, doing that might make you suspicious, but that is a different issue). Copying all the contents and adding a malware is, from the military point of view, very easy (it could take 5 minutes of human work, and 1 hour to wait for the copy to complete).

How to clear all the disk is a different matter. On Linux I would dd if=/dev/zero of=/dev/sda bs=4k for example which fills the sda disk with zero bytes. Of course, all the data is lost (on SSDs, something could remain) and you need to reformat (technically to repartition) the disk. And you could just replace the disk (it costs a few dozens of euros and can easily be changed).

As commented, you should perhaps reinstall the firmwarev(e.g. BIOS) of your laptop.

If you suppose that the military deploy specific efforts against you they could have physically embedded some microphone, some GPS, some other hardware inside the laptop to spy you (and then no software solution exists; and, unless you are a hardware expert, you won't be able to notice). Changing the hardware is less easy (could take hours or days). In that case you'll better destroy the laptop.