What to do if you think you have been hacked.

This is a post to help individuals decide what to do if they think they have been hacked. This is not legal advice. If you think you have been the victim of a crime (for example, someone hacked your computer for money, for blackmail, or for whatever reason), you need to report it to the police. Even if the police tell you they cannot do anything, you want a record of the event, and you want law enforcement to be aware of your particular situation.

Next, this post is specifically about an Apple macOS machine; however, the same principles apply to Windows and other operating systems, and links to the Linux and Windows installation instructions are provided. These instructions are for those who do not have the funds to hire a private detective or computer forensic expert, e.g. a student who thinks someone hacked their laptop to read their email or steal private pictures.

Again, this post is not for those who have the resources to hire an attorney, private investigator, or forensic expert, but for those who basically want to try this themselves. Some of these tasks get progressively more technical, so if you are not technically proficient you may want to befriend someone in computer science (or a professor of computer forensics); they may run a forensics clinic, like a legal clinic, for exactly this kind of problem. Obviously, if you do have resources, you should hire a private investigator, a forensic computer expert, and an attorney, not necessarily in that order but in some progressive fashion.

If at all possible, have a friend or someone else present for at least some of these activities. If testimony in a legal action or case is ever needed, it is handy to have someone who can provide additional testimony about these first steps.

  1. Create a backup of your machine. No, Time Machine is not good enough: you need a forensic copy of your machine, which includes the operating system, the files (with their permissions and their creation and modification dates), and any applications that may have been installed (and any logs they may have generated). Making a forensic duplicate means copying the whole machine to at least one, and preferably two, external hard drives (SSDs are faster and generally preferred), so purchase the drives and follow this tutorial. Record a hash (SHA-256, for example) of each copy as soon as it is made and keep it with the drive; the hash is what lets anyone later show that the copy has not been altered. When you finish creating the two backups, provide one of them, together with its hash, to a third party willing to testify that this was done and to attest to the snapshot of the machine at that time. Do not boot from or write to these copies afterwards.
  2. Decide how you will use this machine going forward. This is the harder part. Even if your machine is critical to you (you are a student and need it for school, or you simply can't live without it), it is best to stop using it. If you hired a third party, you would hand them the machine and they would keep it for several months. In general you analyze the backups on a separate machine. Every day you keep using the compromised machine you overwrite evidence, and if it is transmitting data or continuously monitoring you, that continues as well; you need to decide what continued risk you are willing to take.
  3. Analyze the macOS image for log and other forensic information. These instructions are a bit more technical, but this is what it takes to get the information you need. Now that you have an image of your machine you need to analyze it. There are a number of paid solutions out there, and I will leave it to them to sell you on their benefits, ease of use, and bells and whistles. If you are not technical and only know how to click on things, I assure you those will be easier than where this is going. If you have some idea of how to navigate a terminal or shell and some technical know-how, this should be pretty manageable. If you know how to clone a GitHub repository, it should be cake.
  4. Install mac_apt via the installation script. mac_apt, the software that processes your macOS image into files you can analyze, is written in Python. The installation script sets up a Python environment and pulls in the libraries mac_apt depends on; the main program, mac_apt.py, is what digests the data on the macOS disk image into a searchable form. Linux, Windows and macOS installation instructions are provided at the bottom of the page. The following macOS script is also available here; I moved it to better accommodate wget and curl. Read the script before you run it, since it runs with your administrator password.
curl https://transfersh.pleasemarkdarkly.com/hlCIE/mac_aptInstall-macOS-v21.sh -o mac_aptInstall-macOS-v21.sh
chmod +x mac_aptInstall-macOS-v21.sh
./mac_aptInstall-macOS-v21.sh # run the installer; it prompts for your password and an installation directory

The script will ask for the sudo (administrator) account password and then an installation directory. When it completes, navigate to that directory. To run the program you can use the following, with ~/Developer as the example installation directory and /Volumes/macOS-backup as the mount point of the backup volume you made earlier. Note that I include additional program arguments, which I explain below. Text after a # is not processed by the shell and is provided for reference.

cd ~/Developer # change directory to ~/Developer
source env/bin/activate # activate the Python environment
# MOUNTED plus the mount point when the backup volume is mounted; use DD plus the file path for a raw image file
# 12345 stands in for your macOS login password or FileVault Personal Recovery Key (only needed for an encrypted volume)
python3 ./mac_apt.py --xlsx --output_path ~/Downloads/Analysis --password 12345 MOUNTED /Volumes/macOS-backup ALL # main program to process the macOS image

The command above first requires you to navigate to the installation directory, then activate the Python 3 environment, then run the program, giving it the type and path of the macOS image you created earlier as input (MOUNTED plus the mount point for a mounted volume, or DD plus the file path for a raw image file; see the usage below). Additionally, we provide a number of program arguments to format the data as a spreadsheet, decrypt an encrypted (FileVault) volume with your password or recovery key, write the output to a location convenient to us, and run all the plugins available.
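Step 1 above tells you to hash each forensic copy and hand one copy, with its hash, to a witness. The following is an added example of that bookkeeping; it is not code from the original post or from mac_apt. It assumes the duplicates are ordinary files (raw .dd images, for instance) that you can point at by path; the "images" that demo() creates are constructed stand-ins so the script runs offline.

```python
"""Record and verify SHA-256 hashes of forensic image files (chain of custody).

Added example; not part of mac_apt or the original post. Assumes the two
duplicates are ordinary files (e.g. raw .dd images) reachable by path. The
files created in demo() are constructed stand-ins for real images.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a multi-hundred-GB image never sits in RAM


def hash_file(path):
    """Return the SHA-256 hex digest of the file at `path`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(paths, manifest_path):
    """Write one 'digest size path' line per file under a UTC timestamp header.

    Give a printed copy of this file to the witness along with the drive.
    Returns the (digest, size, path) entries that were written.
    """
    entries = [(hash_file(p), os.path.getsize(p), p) for p in paths]
    with open(manifest_path, "w") as out:
        out.write("# sha256 manifest created %s\n" % datetime.now(timezone.utc).isoformat())
        for digest, size, p in entries:
            out.write("%s %d %s\n" % (digest, size, p))
    return entries


def verify_manifest(manifest_path):
    """Re-hash every file listed; return {path: 'ok' | 'mismatch' | 'missing'}."""
    results = {}
    with open(manifest_path) as f:
        for line in f:
            if line.startswith("#") or not line.strip():
                continue
            digest, size, path = line.rstrip("\n").split(" ", 2)  # path may contain spaces
            if not os.path.exists(path):
                results[path] = "missing"
            elif os.path.getsize(path) != int(size) or hash_file(path) != digest:
                results[path] = "mismatch"
            else:
                results[path] = "ok"
    return results


def duplicates_match(path_a, path_b):
    """True when both copies hash identically, i.e. the second is a faithful duplicate."""
    return hash_file(path_a) == hash_file(path_b)


def demo():
    """Run the workflow on two constructed sample images and return the outcomes."""
    work = tempfile.mkdtemp(prefix="image-manifest-")
    copy1 = os.path.join(work, "macOS-backup-1.dd")
    copy2 = os.path.join(work, "macOS-backup-2.dd")
    for p in (copy1, copy2):
        with open(p, "wb") as f:
            f.write(b"constructed sample image\n" * 4096)  # not a real disk image
    manifest = os.path.join(work, "manifest.txt")
    write_manifest([copy1, copy2], manifest)
    match_before = duplicates_match(copy1, copy2)
    verify_before = verify_manifest(manifest)
    with open(copy2, "ab") as f:  # simulate someone writing to the second drive
        f.write(b"\x00")
    verify_after = verify_manifest(manifest)
    return {
        "match_before": match_before,
        "verify_before": [verify_before[copy1], verify_before[copy2]],
        "match_after": duplicates_match(copy1, copy2),
        "verify_after": [verify_after[copy1], verify_after[copy2]],
    }


if __name__ == "__main__":
    print(demo())
```

The manifest is only worth anything if the witness receives it at the time the copies are made; a hash computed months later proves nothing about what the drive looked like on the day. Hashing a full disk image takes a while, which is one reason SSDs are preferred.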

The following shows all the capabilities of the tool, some of which we specify above, feel free to make any modifications to suit your specific needs.

usage: mac_apt.py [-h] [-o OUTPUT_PATH] [-x] [-c] [-l LOG_LEVEL] [-p PASSWORD] [-pf PASSWORD_FILE] [-d] input_type input_path plugin [plugin ...]

mac_apt is a framework to process macOS forensic artifacts
You are running macOS Artifact Parsing Tool version 1.1

Note: The default output is now sqlite, no need to specify it now

positional arguments:
  input_type            Specify Input type as either DD, DMG, E01, VMDK, AFF4, SPARSE or MOUNTED
  input_path            Path to macOS image/volume
  plugin                Plugins to run (space separated). FAST will run most plugins

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT_PATH, --output_path OUTPUT_PATH
                        Path where output files will be created
  -x, --xlsx            Save output in Excel spreadsheet
  -c, --csv             Save output as CSV files
  -l LOG_LEVEL, --log_level LOG_LEVEL
                        Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)
  -p PASSWORD, --password PASSWORD
                        Personal Recovery Key(PRK) or Password for any user (for decrypting encrypted volume).
  -pf PASSWORD_FILE, --password_file PASSWORD_FILE
                        Text file containing Personal Recovery Key(PRK) or Password
  -d, --dont_decrypt    Don't decrypt as image is already decrypted!

The following 36 plugins are available:
    APPLIST             Reads apps & printers installed and/or available for
                        each user from appList.dat
    ARD                 Reads ARD (Apple Remote Desktop) cached databases about
                        app usage
    AUTOSTART           Retrieves persistent and auto-start programs, daemons,
                        services
    BASICINFO           Gets basic system and OS configuration like SN,
                        timezone, device name, last logged in user, FS info,
                        etc..
    BLUETOOTH           Parses System Bluetooth Artifacts
    CHROME              Read Chrome History, Top Sites, Downloads, Tabs/Sessions
                        and Extension info
    COOKIES             Reads .binarycookies, .cookies files and HSTS.plist for
                        each user
    DOCKITEMS           Reads the Dock plist for every user
    DOCUMENTREVISIONS   Reads DocumentRevisions database
    DOMAINS             Get information about ActiveDirectory Domain(s) that
                        this mac is connected to
    FSEVENTS            Reads file system event logs (from .fseventsd)
    IDEVICEBACKUPS      Reads and exports iPhone/iPad backup databases
    IDEVICEINFO         Reads and exports connected iDevice details
    IMESSAGE            Parses iMessage conversations, exports messages and
                        attachments
    INETACCOUNTS        Reads configured internet account (iCloud, Google,
                        Linkedin, facebook..) settings used by Mail, Contacts,
                        Calendar and other apps
    INSTALLHISTORY      Parses the InstallHistory.plist to get software
                        installation history
    MSOFFICE            Reads Word, Excel, Powerpoint and other office
                        MRU/accessed file paths
    NETUSAGE            Reads the NetUsage (network usage) database to get
                        program and other network usage data
    NETWORKING          Gets network related information - Interfaces, last IP
                        addresses, MAC address, etc..
    NOTES               Reads Notes databases
    NOTIFICATIONS       Reads notification databases
    PRINTJOBS           Parses CUPS spooled print jobs to get information about
                        files/commands sent to a printer
    QUARANTINE          Reads Quarantine V2 databases, and GateKeeper
                        .LastGKReject file
    QUICKLOOK           Parses QuickLook Thumbnail Cache data
    RECENTITEMS         Gets recently accessed Servers, Documents, Hosts,
                        Volumes & Applications from .plist and .sfl files. Also
                        gets recent searches and places for each user
    SAFARI              Gets internet history, downloaded file information,
                        cookies and more from Safari caches
    SAVEDSTATE          Gets window titles from Saved Application State info
    SCREENTIME          Parses application Screen Time data
    SPOTLIGHT           Reads spotlight indexes (user, volume, iOS)
    SPOTLIGHTSHORTCUTS  Gets user typed data in the spotlight bar, used to
                        launch applications and documents
    SUDOLASTRUN         Gets last time sudo was used and a few other times
                        earlier (if available)
    TERMINALSTATE       Reads Terminal saved state files which includes full
                        text content of terminal windows
    TERMSESSIONS        Reads Terminal (bash & zsh) sessions & history for every
                        user
    UNIFIEDLOGS         Reads macOS unified logging logs from .tracev3 files
    USERS               Gets local and domain user information like name, UID,
                        UUID, GID, homedir & Darwin paths. Also extracts auto-
                        login stored passwords and deleted user info
    WIFI                Gets wifi network information from the
                        com.apple.airport.preferences.plist file
    ----------------------------------------------------------------------------
    FAST                Runs all plugins except IDEVICEBACKUPS, SPOTLIGHT, UNIFIEDLOGS
    ALL                 Runs all plugins

After the program finishes you have a directory of reformatted, accessible system data: an SQLite database (the default output) and, because we passed --xlsx, spreadsheets you can search in Excel.

Go through these files using whatever specific information you have about the intrusion: the date range in question, the software or method you suspect was employed, and so on. This is where experience, know-how, and insight into the tools people use (popular or common spyware, methods, tradecraft) come in. As a starting point, AUTOSTART shows what launches automatically, TERMSESSIONS shows what was typed in Terminal, and FSEVENTS shows which files changed, so look at those around the dates you suspect.
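Searching the output by date range or keyword does not have to be done by hand in Excel. The following is an added example, not part of mac_apt or the original post, that opens the SQLite database mac_apt writes by default and searches every table for a keyword and/or a date window. It reads the table and column names from the database itself, so it needs no knowledge of mac_apt's schema; the tables that build_sample_db() creates are constructed for the demonstration and are not mac_apt's real schema, the output file name mac_apt.db in the usage line is an assumption, and the only other assumption is that timestamps are stored as text beginning YYYY-MM-DD.

```python
"""Search every table of a mac_apt SQLite output database for a keyword and/or date window.

Added example; not part of mac_apt. Assumes the output is the SQLite database
mac_apt writes by default and that timestamps are text starting YYYY-MM-DD.
The schema in build_sample_db() is constructed for this demo (hypothetical).
"""
import re
import sqlite3
import sys

ISO_DAY = re.compile(r"^\d{4}-\d{2}-\d{2}")


def _open(db):
    """Accept a path or an existing connection; return (conn, close_when_done)."""
    if isinstance(db, sqlite3.Connection):
        return db, False
    return sqlite3.connect(db), True


def list_tables(conn):
    """Names of all user tables, read from the database's own catalogue."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    )
    return [r[0] for r in rows]


def row_in_window(row, date_from, date_to):
    """True if any ISO-dated text column of `row` falls within [date_from, date_to]."""
    for value in row:
        if isinstance(value, str) and ISO_DAY.match(value):
            day = value[:10]  # YYYY-MM-DD compares correctly as plain text
            if (date_from is None or day >= date_from) and (date_to is None or day <= date_to):
                return True
    return False


def search_db(db, keyword=None, date_from=None, date_to=None):
    """Return [(table, {column: value}), ...] for rows that satisfy every given filter."""
    conn, close = _open(db)
    kw = keyword.lower() if keyword else None
    hits = []
    try:
        for table in list_tables(conn):
            cur = conn.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
            cols = [d[0] for d in cur.description]
            for row in cur:
                if kw and not any(isinstance(v, str) and kw in v.lower() for v in row):
                    continue
                if (date_from or date_to) and not row_in_window(row, date_from, date_to):
                    continue
                hits.append((table, dict(zip(cols, row))))
    finally:
        if close:
            conn.close()
    return hits


def build_sample_db():
    """Constructed in-memory stand-in for a mac_apt database (hypothetical schema and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE AutoStart (Name TEXT, Source TEXT, Date TEXT);
        INSERT INTO AutoStart VALUES
          ('com.example.updater', '/Library/LaunchDaemons/com.example.updater.plist', '2021-03-02 08:14:55'),
          ('com.apple.Finder', '/System/Library/LaunchAgents/com.apple.Finder.plist', '2020-11-20 10:00:00');
        CREATE TABLE TermSessions (User TEXT, Command TEXT, Date TEXT);
        INSERT INTO TermSessions VALUES
          ('student', 'sudo launchctl load /Library/LaunchDaemons/com.example.updater.plist', '2021-03-02 08:16:02'),
          ('student', 'ls ~/Documents', '2021-02-10 17:45:00');
    """)
    return conn


if __name__ == "__main__":
    # usage: python3 search_mac_apt.py ~/Downloads/Analysis/mac_apt.db [keyword] [from] [to]
    # (the file name mac_apt.db is an assumption; use whatever mac_apt wrote to --output_path)
    args = sys.argv[1:] + [None] * 4
    db_path, keyword, date_from, date_to = args[:4]
    db = db_path or build_sample_db()  # with no arguments, run against the constructed sample
    for table, row in search_db(db, keyword, date_from, date_to):
        print(table, row)
```

Searching one suspicious string (the name of an unfamiliar launch daemon, say) across every table at once is what ties the artifacts together: in the constructed sample, the persistence entry in AutoStart and the Terminal command that installed it two minutes later surface in the same query.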

However, what I have explained above should enable a reasonably apt individual to do some initial investigation and get to the bottom of what you believe happened, with free, open-source, and sophisticated software, without having to contact a company like Digital Forensic Corporation Services, which will charge you $1,200 for a useless report only to leverage your desperation for another sale at twice that amount.

Sorry you are having to do this. Good luck.

Avoid using online Digital Forensic Corporation Services.

Online forensic services vary widely in quality and in what useful services they actually provide. If you think you have been hacked and need computer forensic services, you would do best to avoid companies like Digital Forensics Corporation. Primarily, these services will charge you $1,000+, make you sign an agreement which basically says you can't complain about them publicly, run basic software to generate a report for you, and then sell you additional services for another $1,000-$5,000. The first report is not admissible in court.

We have clients who have spent $1,000 for a basically worthless report and signed an agreement which creates personal liability for any complaints they make online. It does this by outlining a complaint resolution process in which the company goes through meaningless hoops to do nothing, and you agree by signing the contract to follow it; then, if you post online how worthless and ineffective their report is, they threaten you with a claim that you have harmed their business and are in breach of the contract. Furthermore, by signing the contract you agreed that any court resolution is in the jurisdiction of the Northern District of Ohio, so you likely have to hire an attorney in that state, or a local attorney to represent you there pro hac vice. Needless to say, it is a hassle.

A sample of such ridiculous language from the aforementioned company reads as follows.

In the event the Company believes Client’s breach of this Agreement creates a risk of irreparable harm, the Company has the right to seek emergency injunctive relief before the Court of Common Pleas of Cuyahoga County or the Federal District Court for the Northern District of Ohio. Further, only in the limited scenarios of collection of unpaid fees and defamation claims, Company has the right to initiate a lawsuit outside of arbitration. CLIENT AGREES THAT THESE LIMITED EXCEPTIONS ARE FAIR.

In the event either Party receives an order from a court of law, such as a subpoena, it may require the Party to disclose Confidential Information of the other Party. Further, in the event that Client publishes/posts statements regarding Company in violation of this Agreement, Company reserves the right to disclose whatever information may be necessary to refute Client’s statements.

WhatsApp and FB sue malware/spyware Israeli Software company NSO

The once-secret spyware company NSO, which sells iPhone malware for a cool $50m, is being held accountable. NSO's "software" Pegasus works by simply sending a text message, after which its operators have complete remote control of the device. An NSO "customer" used Pegasus to locate and carry out the murder of an outspoken Saudi journalist. Impressed that FB is taking this stand. Read the complaint.

Corporate Investigations Upgrade

While most people are aware of the Secretary of State database of corporations, we go a step further and have been building a unique database specifically for corporate investigations.

Specialized Corporate Products

Whether you are interested in companies by region, topic, genre, or nature, we have tools to slice and dice the world of companies so we can focus on a specific target.

Check out our other services. We are here ready to help.

Case Study Highlight – Corporate Investigation

A client was permanently disfigured in an unfortunate but common chemical fire at a medical marijuana farm. Our office was hired to locate a then-unknown delivery driver for possible liability claims. Not only did we locate the driver, we uncovered many additional defendants who were doing work at the farm for major corporations.

After months of investigation we located millions of dollars in assets and added as many as seven defendants. As a result of our discovery of additional parties and their assets, the defendants immediately came to the table to discuss settlement while we were still uncovering assets. Our investigation justified bringing in multiple law firms to help prosecute the claims.

Specialized Corporate Investigations Partners with Victim’s Advocacy Group Collision Advisors.

Victims of hit-and-run automobile accidents have a new resource to turn to: https://www.collision-advisors.com/. Collision Advisors has launched a new website and operation to make it easier for victims to be paired with medical care and legal representation.

The insurance industry is designed to reduce the claims brought by claimants, the individuals and property owners who were damaged. It is singularly focused on maximizing its bottom line and quarterly profits, and insurance companies are reluctant to pay out even when you are covered for accidents such as hit-and-runs. To help even this unfair fight, we fully support this effort by Collision Advisors. Specialized is offering a flat-rate investigation fee to help victims identify the "phantom vehicle" in a hit-and-run, and to connect you with representation so you receive the treatment you deserve without paying all the costs yourself.

Case Study – Racketeering and Pump and Dump Investigations

A number of questionable individuals and attorneys were investigated by Specialized. In addition to sorting through the false names and layers of corporate shells, custom software was developed in C# to map the targets to corporate entities; given the volume of corporate shells and a time period spanning several decades, this was an enormous task. Specialized also developed custom software to document the fraud ring's scheme to entrap individuals, take over start-ups, and use those companies to launder unregistered securities.

Individual, Corporate Shell, and Unregistered Securities Tracker

The software above generated specific details of the individuals, corporations, and attorneys involved, the volume of unregistered securities, and the money they generated in pump-and-dump schemes. This information was provided to attorneys and law enforcement and resulted in a Qui Tam lawsuit, a civil RICO lawsuit, an SEC lawsuit, and criminal charges in the Southern District of New York.

In addition to collating evidence, the individuals needed to be tracked down and served. This was a feat in itself. Specialized was up to the challenge.

Natasha Pankina, Illustrator

Purrfectly hand-crafted illustrations.

Natasha provided Specialized with our logo, product illustrations, and visualizations where appropriate. Natasha Pankina retains the copyright for these illustrations, and reproduction without her approval is strictly prohibited. Support independent illustrators today by purchasing stock illustrations from www.natasha-pankina.com.

Case Study – Identification of a crooked attorney using computer forensics.

Litigation is all about leverage. In 2018, a dishonest attorney involved in a divorce illegally accessed the opposing party's computer. We were hired to perform a forensic analysis of that computer. We identified the individual's access and produced a detailed list of the specific files they accessed. Our client used this information to sue the attorney and his client under the Computer Fraud and Abuse Act.