What to do if you think you have been hacked.

This post is meant to help individuals figure out what to do if they think they have been hacked. It is not legal advice. If you think you have been the victim of a crime, for example someone hacked your computer for monetary gain, blackmail, or whatever else, you need to report it to the police. Even if the police tell you they cannot do anything, you want to have a record of the event and you want law enforcement to be aware of your particular situation.

Next, this post covers what to do specifically for an Apple macOS machine; however, the same principles apply to Windows and other operating systems, and links to installation instructions for Linux and Windows are provided. These instructions are for people who do not have the funds to hire a private detective or computer forensics expert, i.e. if you are a student and you think someone hacked your laptop to read your emails or steal private pictures of you, whatever the case may be.

Again, this post is not for those who have the resources to hire an attorney, private investigator, or forensic expert, but for those who basically want to try to do this themselves. Some of these tasks get increasingly technical, so if you are not technically proficient, you may want to befriend someone in computer science (or a professor of computer forensics); they may run a forensic clinic (like a legal clinic) for cases like this. Obviously, if you do have the resources, you should hire a private investigator, forensic computer expert, and attorney, not necessarily in that order but in some progressive fashion.

If at all possible, having a friend or someone else present for at least some of these activities is a good idea. If testimony in a legal action or case is ever needed, it is handy to have someone able to provide additional testimony about these first steps.

  1. Create a backup of your machine. No, Time Machine is not good enough; you need to make a forensic copy of your machine, which includes the operating system, the files (with their permissions and their creation and modification dates), and any applications that may have been installed (and any logs they may have generated). Making a forensic duplicate of your machine means you need at least one, though I generally like to make two, external hard drives holding a copy of your machine. So purchase external hard drives (SSDs are faster and generally preferred) and follow this tutorial. When you finish creating the two backups, provide one of them to a third party who is willing to testify that this was done and to attest to the snapshot of the machine at that point in time.
  2. Decide how you will use this machine going forward. This is the harder part. If your machine is critical to your operation (if you are a student and you need it for school, or you simply can't live without it), it is still best if you stop using it. If you were to hire a third party, you would hand them this machine and they would keep it for several months. In general you want to analyze your backups on a separate machine. Whether the compromised machine is transmitting data or continuously monitoring you, you need to decide what continued risk you are willing to take.
  3. Analyze the macOS image for logs or other forensic information. These instructions are a bit more technical, but this is what it takes to get the information you need. Now that you have an image of your machine, you need to analyze it. There are a number of paid solutions out there and I will leave it to them to sell you on their benefits, ease of use, and bells and whistles. If you are not technical and only know how to click on things, I assure you a paid solution will be easier than where this is going. If you have some idea of how to navigate a terminal or shell and some technical know-how, this should be pretty manageable. If you know how to clone a GitHub repository, it should be cake.
  4. Install mac_apt via the installation script. The software that processes your macOS image into files you can analyze is written in a language called Python. Python has a package manager that installs the libraries mac_apt depends on; the mac_apt.py main program then digests the data from the macOS hard drive image into a searchable form. Linux, Windows and macOS installation instructions are provided at the bottom of the page. The following macOS script is also available here, which I moved to better accommodate wget and curl.
curl https://transfersh.pleasemarkdarkly.com/hlCIE/mac_aptInstall-macOS-v21.sh -o mac_aptInstall-macOS-v21.sh
chmod +x mac_aptInstall-macOS-v21.sh

The script will ask for the sudo (administrator) account password and then an installation directory. When the script completes, navigate to that directory. To run the program you can then use the following, with ~/Developer as the example installation directory and /Volumes/macOS-backup as the path of the backup volume you made earlier. Note that I include additional program arguments, which I explain below. Text after a # is not processed by the shell and is provided for reference.

cd ~/Developer # change directory to ~/Developer
source env/bin/activate # activate the Python environment
python3 ./mac_apt.py --xlsx --output_path ~/Downloads/Analysis --password 12345 MOUNTED /Volumes/macOS-backup ALL # main program to process the macOS image: options, then input type, input path, and the plugins to run

The above commands first navigate to the installation directory, then activate the Python 3 environment, then run the program with the macOS image you created earlier as input (the input type, MOUNTED for a mounted volume, and the path to it are required positional arguments, followed by the plugins to run). Additionally, we pass a number of program arguments to format the data as a spreadsheet, decrypt any encrypted files (12345 stands in for your login password or recovery key), write the output to a location convenient to us, and run all the plugins available.

The following shows all the capabilities of the tool, some of which we use above; feel free to make any modifications to suit your specific needs.

usage: mac_apt.py [-h] [-o OUTPUT_PATH] [-x] [-c] [-l LOG_LEVEL] [-p PASSWORD] [-pf PASSWORD_FILE] [-d] input_type input_path plugin [plugin ...]

mac_apt is a framework to process macOS forensic artifacts
You are running macOS Artifact Parsing Tool version 1.1

Note: The default output is now sqlite, no need to specify it now

positional arguments:
  input_type            Specify Input type as either DD, DMG, E01, VMDK, AFF4, SPARSE or MOUNTED
  input_path            Path to macOS image/volume
  plugin                Plugins to run (space separated). FAST will run most plugins

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT_PATH, --output_path OUTPUT_PATH
                        Path where output files will be created
  -x, --xlsx            Save output in Excel spreadsheet
  -c, --csv             Save output as CSV files
  -l LOG_LEVEL, --log_level LOG_LEVEL
                        Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)
  -p PASSWORD, --password PASSWORD
                        Personal Recovery Key(PRK) or Password for any user (for decrypting encrypted volume).
  -pf PASSWORD_FILE, --password_file PASSWORD_FILE
                        Text file containing Personal Recovery Key(PRK) or Password
  -d, --dont_decrypt    Don't decrypt as image is already decrypted!

The following 36 plugins are available:
    APPLIST             Reads apps & printers installed and/or available for
                        each user from appList.dat
    ARD                 Reads ARD (Apple Remote Desktop) cached databases about
                        app usage
    AUTOSTART           Retrieves persistent and auto-start programs, daemons,
                        services
    BASICINFO           Gets basic system and OS configuration like SN,
                        timezone, device name, last logged in user, FS info,
                        etc..
    BLUETOOTH           Parses System Bluetooth Artifacts
    CHROME              Read Chrome History, Top Sites, Downloads, Tabs/Sessions
                        and Extension info
    COOKIES             Reads .binarycookies, .cookies files and HSTS.plist for
                        each user
    DOCKITEMS           Reads the Dock plist for every user
    DOCUMENTREVISIONS   Reads DocumentRevisions database
    DOMAINS             Get information about ActiveDirectory Domain(s) that
                        this mac is connected to
    FSEVENTS            Reads file system event logs (from .fseventsd)
    IDEVICEBACKUPS      Reads and exports iPhone/iPad backup databases
    IDEVICEINFO         Reads and exports connected iDevice details
    IMESSAGE            Parses iMessage conversations, exports messages and
                        attachments
    INETACCOUNTS        Reads configured internet account (iCloud, Google,
                        Linkedin, facebook..) settings used by Mail, Contacts,
                        Calendar and other apps
    INSTALLHISTORY      Parses the InstallHistory.plist to get software
                        installation history
    MSOFFICE            Reads Word, Excel, Powerpoint and other office
                        MRU/accessed file paths
    NETUSAGE            Reads the NetUsage (network usage) database to get
                        program and other network usage data
    NETWORKING          Gets network related information - Interfaces, last IP
                        addresses, MAC address, etc..
    NOTES               Reads Notes databases
    NOTIFICATIONS       Reads notification databases
    PRINTJOBS           Parses CUPS spooled print jobs to get information about
                        files/commands sent to a printer
    QUARANTINE          Reads Quarantine V2 databases, and GateKeeper
                        .LastGKReject file
    QUICKLOOK           Parses QuickLook Thumbnail Cache data
    RECENTITEMS         Gets recently accessed Servers, Documents, Hosts,
                        Volumes & Applications from .plist and .sfl files. Also
                        gets recent searches and places for each user
    SAFARI              Gets internet history, downloaded file information,
                        cookies and more from Safari caches
    SAVEDSTATE          Gets window titles from Saved Application State info
    SCREENTIME          Parses application Screen Time data
    SPOTLIGHT           Reads spotlight indexes (user, volume, iOS)
    SPOTLIGHTSHORTCUTS  Gets user typed data in the spotlight bar, used to
                        launch applications and documents
    SUDOLASTRUN         Gets last time sudo was used and a few other times
                        earlier (if available)
    TERMINALSTATE       Reads Terminal saved state files which includes full
                        text content of terminal windows
    TERMSESSIONS        Reads Terminal (bash & zsh) sessions & history for every
                        user
    UNIFIEDLOGS         Reads macOS unified logging logs from .tracev3 files
    USERS               Gets local and domain user information like name, UID,
                        UUID, GID, homedir & Darwin paths. Also extracts auto-
                        login stored passwords and deleted user info
    WIFI                Gets wifi network information from the
                        com.apple.airport.preferences.plist file
    ----------------------------------------------------------------------------
    FAST                Runs all plugins except IDEVICEBACKUPS, SPOTLIGHT, UNIFIEDLOGS
    ALL                 Runs all plugins

Presumably after the program finishes, you have a directory full of reformatted and accessible system data that you can search in Excel.

Go through these files using what you know about the intrusion, such as the date ranges in question and the software or method you suspect was employed. This is where experience, know-how, and insight into the various tools and software people use (popular or common spyware, methods, tradecraft) come in.
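As an added example of that kind of search (not part of this post or of mac_apt), the shell function below walks a directory of mac_apt CSV output and prints every row that carries a timestamp inside a date window, whatever plugin produced the file. It assumes the timestamps are written ISO style (YYYY-MM-DD first) somewhere on the row and does not depend on any particular column layout or delimiter; if an export uses a different date format, the pattern in the awk script is the one line to adjust. The directory ~/Downloads/Analysis from the command above (with the --csv option instead of --xlsx) is where you would point it, and the sample rows in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the post or mac_apt): find rows in a directory of
# CSV output whose timestamps fall inside a date window. Assumes ISO-style
# dates (YYYY-MM-DD...) appear in the row text; no column layout is assumed.

rows_in_window() {
    dir="$1"      # directory holding the plugin output, e.g. ~/Downloads/Analysis
    start="$2"    # first day of the window, YYYY-MM-DD
    end="$3"      # last day of the window, YYYY-MM-DD (inclusive)
    for f in "$dir"/*.csv; do
        [ -f "$f" ] || continue
        awk -v s="$start" -v e="$end" -v file="$f" '
            {
                rest = $0
                # A row may carry several timestamps (created, modified, accessed);
                # keep the row if any one of them falls inside the window.
                while (match(rest, /[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/)) {
                    day = substr(rest, RSTART, 10)
                    # ISO dates compare correctly as plain strings
                    if (day >= s && day <= e) { print file ": " $0; break }
                    rest = substr(rest, RSTART + RLENGTH)
                }
            }' "$f"
    done
}

# Number of matching rows, a quick first pass before reading them one by one
count_in_window() {
    rows_in_window "$1" "$2" "$3" | awk 'END { print NR }'
}

# Usage with the output directory from the mac_apt command above:
#   count_in_window ~/Downloads/Analysis 2023-03-10 2023-03-31
#   rows_in_window  ~/Downloads/Analysis 2023-03-10 2023-03-31 | less
```

Start with a narrow window around the moment you first noticed something wrong and widen it a day or two at a time; the row count tells you when the window has grown large enough to be worth reading in full, and each printed line is prefixed with the file (and therefore the plugin) it came from.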

However, what I have explained above should enable a reasonably capable individual to do an initial investigation and get to the bottom of what you believe happened, using free, open-source, and sophisticated software, without having to contact a company like Digital Forensic Corporation Services that will charge you $1,200 for a useless report only to leverage your desperation for another sale at twice that amount.

Sorry you are having to do this. Good luck.