This is a post to help individuals work out what to do if they think they have been hacked. This is not legal advice. If you think you have been the victim of a crime, for example someone has hacked your computer for monetary gain, blackmail, or whatever else, you need to report it to the police. Even if the police tell you they cannot do anything, you want a record of the event, and you want law enforcement to be aware of your particular situation.
This post covers specifically what to do for an Apple macOS machine; however, the same principles apply to Windows and other operating systems, and installation links for Linux and Windows are provided. These instructions are for people who do not have the funds to hire a private detective or computer forensic expert, for example a student who thinks someone hacked their laptop to read their email or steal private pictures.
Again, this post is not for those who have the resources to hire an attorney, private investigator, or forensic expert; it is for people who basically want to try to do this themselves. Some of these tasks get progressively more technical, so if you are not technically proficient, you may want to befriend someone in computer science (or a professor of computer forensics); some departments run a forensic clinic, like a legal clinic, for exactly this kind of thing. Obviously, if you do have resources, you should hire a private investigator, forensic computer expert, and attorney, not necessarily in that order but in some progressive fashion.
If at all possible, have a friend or someone else present for at least some of these activities. If testimony is ever needed in a legal action or case, it is handy to have someone who can provide additional testimony about these first steps.
- Create a backup of your machine. No, Time Machine is not good enough: you need to make a forensic copy of your machine, which includes the operating system, the files (with their permissions and creation and modification dates), and any applications that may have been installed (and any logs they may have generated). Making a forensic duplicate means copying your machine to at least one external hard drive; I generally like to make two. So purchase external hard drives (SSDs are faster and generally preferred) and follow this tutorial. When you finish creating the two backups, give one of them to a third party who is willing to testify that this was done and to attest to the state of the machine at that point in time.
- Decide how you will use this machine going forward. This is the harder part. Even if your machine is critical to your operation, if you are a student and need it for school, or simply cannot live without it, it is best to stop using it. If you were to hire a third party, you would hand them the machine and they would keep it for several months. In general you want to analyze your backups on a separate machine. Whether the compromised machine is transmitting data or continuously monitoring you, you need to decide how much continued risk you are willing to take.
- Analyze the macOS image for logs and other forensic information. These instructions are more technical, but this is what it takes to get the information you need. Now that you have an image of your machine, you need to analyze it. There are a number of paid solutions out there, and I will leave it to them to sell you on their benefits, ease of use, and bells and whistles. If you are not technical and only know how to click on things, I assure you the paid route will be easier than where this is going. If you have some idea of how to navigate a terminal or shell and some technical know-how, this should be pretty manageable. If you know how to clone a GitHub repository, it should be cake.
- Install mac_apt via the installation script. The software that processes your macOS image into files you can analyze is written in Python. Python has a package manager that provides the libraries mac_apt depends on, and the main program, mac_apt.py, is what digests the data from the macOS hard drive image into a searchable form. Linux, Windows and macOS installation instructions are provided at the bottom of the page. The following macOS script is also available here, which I moved to better accommodate wget and curl.
curl https://transfersh.pleasemarkdarkly.com/hlCIE/mac_aptInstall-macOS-v21.sh -o mac_aptInstall-macOS-v21.sh   # download the installer
chmod +x mac_aptInstall-macOS-v21.sh   # make it executable
./mac_aptInstall-macOS-v21.sh   # run it; it prompts for your password and an install directory
The script will ask for the sudo (administrator) account password and then an installation directory. When it completes, navigate to that directory. To run the program you can use the following, with ~/Developer as the example installation directory and /Volumes/macOS-backup as the path of the backup volume you made earlier. Note that I include additional program arguments, which I explain below. Text after a # is not processed by the shell and is provided for reference.
cd ~/Developer   # change directory to the installation directory
source env/bin/activate   # activate the Python environment
python3 ./mac_apt.py --xlsx --output_path ~/Downloads/Analysis --password 12345 MOUNTED /Volumes/macOS-backup ALL   # process the mounted backup volume with every plugin
The above command to run mac_apt first requires you to navigate to the installation directory, then activate the Python 3 environment, then run the program, providing the input type (MOUNTED for an attached volume; DD, DMG, E01 and the others listed below for image files) and the path of the macOS image you created earlier as input. Additionally, we provide a number of program arguments to format the data as a spreadsheet, decrypt any encrypted volume (replace 12345 with your own password or recovery key), write the output to a location convenient to us, and run all the plugins available.
The following shows all the capabilities of the tool, some of which we use above; feel free to adjust the arguments to suit your specific needs.
usage: mac_apt.py [-h] [-o OUTPUT_PATH] [-x] [-c] [-l LOG_LEVEL] [-p PASSWORD]
                  [-pf PASSWORD_FILE] [-d]
                  input_type input_path plugin [plugin ...]

mac_apt is a framework to process macOS forensic artifacts
You are running macOS Artifact Parsing Tool version 1.1

Note: The default output is now sqlite, no need to specify it now

positional arguments:
  input_type            Specify Input type as either DD, DMG, E01, VMDK, AFF4, SPARSE or MOUNTED
  input_path            Path to macOS image/volume
  plugin                Plugins to run (space separated). FAST will run most plugins

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT_PATH, --output_path OUTPUT_PATH
                        Path where output files will be created
  -x, --xlsx            Save output in Excel spreadsheet
  -c, --csv             Save output as CSV files
  -l LOG_LEVEL, --log_level LOG_LEVEL
                        Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)
  -p PASSWORD, --password PASSWORD
                        Personal Recovery Key(PRK) or Password for any user (for decrypting encrypted volume).
  -pf PASSWORD_FILE, --password_file PASSWORD_FILE
                        Text file containing Personal Recovery Key(PRK) or Password
  -d, --dont_decrypt    Don't decrypt as image is already decrypted!

The following 36 plugins are available:
  APPLIST               Reads apps & printers installed and/or available for each user from appList.dat
  ARD                   Reads ARD (Apple Remote Desktop) cached databases about app usage
  AUTOSTART             Retrieves persistent and auto-start programs, daemons, services
  BASICINFO             Gets basic system and OS configuration like SN, timezone, device name, last logged in user, FS info, etc..
  BLUETOOTH             Parses System Bluetooth Artifacts
  CHROME                Read Chrome History, Top Sites, Downloads, Tabs/Sessions and Extension info
  COOKIES               Reads .binarycookies, .cookies files and HSTS.plist for each user
  DOCKITEMS             Reads the Dock plist for every user
  DOCUMENTREVISIONS     Reads DocumentRevisions database
  DOMAINS               Get information about ActiveDirectory Domain(s) that this mac is connected to
  FSEVENTS              Reads file system event logs (from .fseventsd)
  IDEVICEBACKUPS        Reads and exports iPhone/iPad backup databases
  IDEVICEINFO           Reads and exports connected iDevice details
  IMESSAGE              Parses iMessage conversations, exports messages and attachments
  INETACCOUNTS          Reads configured internet account (iCloud, Google, Linkedin, facebook..) settings used by Mail, Contacts, Calendar and other apps
  INSTALLHISTORY        Parses the InstallHistory.plist to get software installation history
  MSOFFICE              Reads Word, Excel, Powerpoint and other office MRU/accessed file paths
  NETUSAGE              Reads the NetUsage (network usage) database to get program and other network usage data
  NETWORKING            Gets network related information - Interfaces, last IP addresses, MAC address, etc..
  NOTES                 Reads Notes databases
  NOTIFICATIONS         Reads notification databases
  PRINTJOBS             Parses CUPS spooled print jobs to get information about files/commands sent to a printer
  QUARANTINE            Reads Quarantine V2 databases, and GateKeeper .LastGKReject file
  QUICKLOOK             Parses QuickLook Thumbnail Cache data
  RECENTITEMS           Gets recently accessed Servers, Documents, Hosts, Volumes & Applications from .plist and .sfl files. Also gets recent searches and places for each user
  SAFARI                Gets internet history, downloaded file information, cookies and more from Safari caches
  SAVEDSTATE            Gets window titles from Saved Application State info
  SCREENTIME            Parses application Screen Time data
  SPOTLIGHT             Reads spotlight indexes (user, volume, iOS)
  SPOTLIGHTSHORTCUTS    Gets user typed data in the spotlight bar, used to launch applications and documents
  SUDOLASTRUN           Gets last time sudo was used and a few other times earlier (if available)
  TERMINALSTATE         Reads Terminal saved state files which includes full text content of terminal windows
  TERMSESSIONS          Reads Terminal (bash & zsh) sessions & history for every user
  UNIFIEDLOGS           Reads macOS unified logging logs from .tracev3 files
  USERS                 Gets local and domain user information like name, UID, UUID, GID, homedir & Darwin paths. Also extracts auto-login stored passwords and deleted user info
  WIFI                  Gets wifi network information from the com.apple.airport.preferences.plist file
  ----------------------------------------------------------------------------
  FAST                  Runs all plugins except IDEVICEBACKUPS, SPOTLIGHT, UNIFIEDLOGS
  ALL                   Runs all plugins
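As an added example, not code from the original post or from the mac_apt project, here is a small POSIX shell wrapper around the invocation above: it picks the positional input_type from the image path, refuses to run against a missing image, records a SHA-256 of a file-based image so the analysis output can be tied back to the backup, and writes a redacted copy of the command into the output directory for your case notes. The type names and flags come from the usage text; the mapping from file extension to input_type is my assumption and should be adjusted to match how your image was made.

```shell
#!/bin/sh
# Added wrapper around the mac_apt invocation from the post (not project code).
# Type names and flags come from the tool's usage text; the mapping from file
# extension to input_type is an assumption, adjust it to match your image.

# Map an image path to one of mac_apt's positional input types.
mac_apt_input_type() {
    if [ -d "$1" ]; then
        echo MOUNTED            # e.g. /Volumes/macOS-backup, an attached volume
        return 0
    fi
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *.dmg)                  echo DMG ;;
        *.e01)                  echo E01 ;;
        *.vmdk)                 echo VMDK ;;
        *.aff4)                 echo AFF4 ;;
        *.sparseimage)          echo SPARSE ;;
        *.dd|*.raw|*.img|*.001) echo DD ;;
        *) echo "unrecognised image type: $1" >&2; return 1 ;;
    esac
}

# Usage: build_mac_apt_cmd INSTALL_DIR IMAGE OUTPUT_DIR
# Print the command line the post runs, with the input_type and image filled
# in and the password redacted, so it can be kept with the case notes.
build_mac_apt_cmd() {
    input_type=$(mac_apt_input_type "$2") || return 1
    printf 'python3 %s/mac_apt.py --xlsx --output_path %s --password [REDACTED] %s %s ALL\n' \
        "$1" "$3" "$input_type" "$2"
}

# Usage: run_mac_apt INSTALL_DIR IMAGE OUTPUT_DIR PASSWORD
# Hashes a file-based image (skipped for mounted volumes), logs the redacted
# command, then activates the venv the install script created and runs mac_apt.
run_mac_apt() {
    install_dir=$1 image=$2 out_dir=$3 password=$4
    [ -e "$image" ] || { echo "image not found: $image" >&2; return 1; }
    input_type=$(mac_apt_input_type "$image") || return 1
    mkdir -p "$out_dir"
    if [ -f "$image" ]; then
        shasum -a 256 "$image" | tee "$out_dir/image.sha256"   # macOS sha tool
    fi
    build_mac_apt_cmd "$install_dir" "$image" "$out_dir" \
        | tee "$out_dir/mac_apt_command.txt"
    # Subshell so the venv activation does not leak into the caller's shell.
    ( . "$install_dir/env/bin/activate" && \
      python3 "$install_dir/mac_apt.py" --xlsx --output_path "$out_dir" \
          --password "$password" "$input_type" "$image" ALL )
}
```

A typical call matching the post's example would be run_mac_apt ~/Developer /Volumes/macOS-backup ~/Downloads/Analysis 12345.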
Presumably, after the program finishes, you have a directory full of reformatted and accessible system data that you can search in Excel.
Go through these files using whatever specific information you have about the intrusion: the date range in question, the software or method you suspect was used, and so on. This is where experience, know-how, and insight into the tools and software people actually use (popular or common spyware, methods, tradecraft) make the difference.
However, what I have explained above should enable a relatively apt individual to do some initial investigation and get to the bottom of whatever you believe happened, using free, open-source and sophisticated software, without having to contact some company like Digital Forensic Corporation Services, which will charge you $1,200 for a useless report only to leverage your desperation into another sale for twice that amount.
Sorry you are having to do this. Good luck.