Best way to get activity logs off of compromised OSX/iOS devices?
February 2, 2017 1:05 PM Subscribe
A friend of a friend has been severely cyber-harassed, down to her family's credit card accounts and keylogging/remote control software on her iPhone, iPad, and MacBook Pro. We have already turned off and removed the batteries from all of the devices, but now we need to get enough of the right information off of them so the police can understand what happened.
A friend of a friend is being severely cyber-harassed; she has an iPad, an iPhone 6, and a MacBook Pro. All three devices were completely compromised. The iPhone can be operated remotely and is configured to forward all texts sent & received to the hacker's phone.
I've already instructed my friend to turn off all three devices, remove the SIM card from the iPhone, and unscrew the cases to remove the batteries so they can no longer be remotely powered on.
We need to get the right information: Text message logs, to show the results of her phone number being posted publicly. Access logs, to show network activity coming from the hacker's IP address. Without being able to clearly retrieve and organize this information, there is no chance that the authorities will be able to help.
Can we rely on the Genius Bar to dump the hard drives of all three devices onto a thumb drive or something, and give it all back to us? Will we be able to see SMS logs for the iPhone just looking at the raw hard drive data, or will it be incomprehensible without iOS running on top of it?
A friend of a friend is being severely cyber-harassed; she has an iPad, an iPhone 6, and a MacBook Pro. All three devices were completely compromised. The iPhone can be operated remotely and is configured to forward all texts sent & received to the hacker's phone.
I've already instructed my friend to turn off all three devices, remove the SIM card from the iPhone, and unscrew the cases to remove the batteries so they can no longer be remotely powered on.
We need to get the right information: Text message logs, to show the results of her phone number being posted publicly. Access logs, to show network activity coming from the hacker's IP address. Without being able to clearly retrieve and organize this information, there is no chance that the authorities will be able to help.
Can we rely on the Genius Bar to dump the hard drives of all three devices onto a thumb drive or something, and give it all back to us? Will we be able to see SMS logs for the iPhone just looking at the raw hard drive data, or will it be incomprehensible without iOS running on top of it?
> A friend of a friend has been severely cyber-harassed, down to her family's credit card accounts and keylogging/remote control software on her iPhone, iPad, and MacBook Pro.
What behavior are you witnessing? I'd say it's pretty advanced for a hacker to be able to compromise all three devices simultaneously, although it's certainly possible. Do you think this is a targeted attack (they're after your friend specifically) or a drive-by attack because they clicked the wrong link? Did the attacker have physical access to the devices?
An idea: is there a possibility the Mac was hacked, but iMessage is turned on so the hacker is seeing all text messages sent to the iPhone but doesn't have control of it?
> I've already instructed my friend to turn off all three devices, remove the SIM card from the iPhone, and unscrew the cases to remove the batteries so they can no longer be remotely powered on.
Are you sure your friend has done this? The iPhone 6 isn't very user-accessible-- it requires a special pentalobe screwdriver to open and a suction cup type device makes it easier to lift the screen assembly to get access to the battery. Depending on the mode of iPhone and Macbook Pro, they usually require similar special tools.
Can we rely on the Genius Bar to dump the hard drives of all three devices onto a thumb drive or something, and give it all back to us? Will we be able to see SMS logs for the iPhone just looking at the raw hard drive data, or will it be incomprehensible without iOS running on top of it?
I'm not an expert in how much help they'll provide, but my guess is they'd push for wiping all the devices and reinstalling the OSes. I think it depends on how knowledgeable and helpful your particular Mac Genius is.
posted by bluecore at 1:35 PM on February 2, 2017 [1 favorite]
What behavior are you witnessing? I'd say it's pretty advanced for a hacker to be able to compromise all three devices simultaneously, although it's certainly possible. Do you think this is a targeted attack (they're after your friend specifically) or a drive-by attack because they clicked the wrong link? Did the attacker have physical access to the devices?
An idea: is there a possibility the Mac was hacked, but iMessage is turned on so the hacker is seeing all text messages sent to the iPhone but doesn't have control of it?
> I've already instructed my friend to turn off all three devices, remove the SIM card from the iPhone, and unscrew the cases to remove the batteries so they can no longer be remotely powered on.
Are you sure your friend has done this? The iPhone 6 isn't very user-accessible-- it requires a special pentalobe screwdriver to open and a suction cup type device makes it easier to lift the screen assembly to get access to the battery. Depending on the mode of iPhone and Macbook Pro, they usually require similar special tools.
Can we rely on the Genius Bar to dump the hard drives of all three devices onto a thumb drive or something, and give it all back to us? Will we be able to see SMS logs for the iPhone just looking at the raw hard drive data, or will it be incomprehensible without iOS running on top of it?
I'm not an expert in how much help they'll provide, but my guess is they'd push for wiping all the devices and reinstalling the OSes. I think it depends on how knowledgeable and helpful your particular Mac Genius is.
posted by bluecore at 1:35 PM on February 2, 2017 [1 favorite]
Response by poster: This is a targeted attack from a significant other's ex. The hacks are connected with multiple additional incidents of offline harassment, arson, and assault.
The most extensive hacking was on the iPhone, which was observed spontaneously turning on while across the room, with the browser opening and keystrokes appearing despite no one physically touching it.
The harassment has been ongoing for at least a few days/weeks (I'm still getting a sense of the full timeline), so the only safe choice is to assume that all three devices are completely compromised.
I'll make sure we explicitly ask the police/DA before bringing the devices to a Genius Bar or data recovery service. Friend already tried working with a data forensic specialist, but they would have needed almost three months sitting on the devices to get back to us, so that is a last resort option at this point.
posted by mins_mellow at 1:43 PM on February 2, 2017
The most extensive hacking was on the iPhone, which was observed spontaneously turning on while across the room, with the browser opening and keystrokes appearing despite no one physically touching it.
The harassment has been ongoing for at least a few days/weeks (I'm still getting a sense of the full timeline), so the only safe choice is to assume that all three devices are completely compromised.
I'll make sure we explicitly ask the police/DA before bringing the devices to a Genius Bar or data recovery service. Friend already tried working with a data forensic specialist, but they would have needed almost three months sitting on the devices to get back to us, so that is a last resort option at this point.
posted by mins_mellow at 1:43 PM on February 2, 2017
DO NOT do the data recovery yourself. I have worked in this area and know that a)chain of custody issues are important and b) the software used for extracting the data in a legally admissible way is very specialized and required training for its evidence to stand up in court.
What you are describing is a felony in the US. You should turn off the devices for sure and take them to the police. They likely do have a backlog for forensic investigation but shortcutting that process can ruin the data.
posted by procrastination at 1:51 PM on February 2, 2017 [7 favorites]
What you are describing is a felony in the US. You should turn off the devices for sure and take them to the police. They likely do have a backlog for forensic investigation but shortcutting that process can ruin the data.
posted by procrastination at 1:51 PM on February 2, 2017 [7 favorites]
Response by poster: The police don't want to help. Is there anything we can say or do short of hiring a lawyer that will get them to take the devices from us and do whatever it is they need to do to legally enter the data into evidence?
posted by mins_mellow at 3:29 PM on February 2, 2017
posted by mins_mellow at 3:29 PM on February 2, 2017
I wrote two long posts about how much trouble it is if someone has total access to your personal information and knows where your accounts are located. You would basically have to change everything. Instead, I'm going to advise calling an IT Security company that deals with businesses and ask them for a reference to someone who does work for individuals. Or maybe find folks online who have been hacked and find out who they used.
As far as the devices go, don't disconnect the batteries. You're liable to break Apple devices trying to do that. If you use them, don't connect them to a network that has an Internet connection. Turn them off, replace all three devices if you can't get forensics done quickly, get new email/Apple accounts, enable dual factor everywhere, change online account names and passwords, phone number(s) and the provider, and send the devices to someone who specializes in this work, if the police won't do it. I wouldn't take them to a local computer shop or Apple store. I'd take them to a specialist.
posted by cnc at 3:52 PM on February 2, 2017 [1 favorite]
As far as the devices go, don't disconnect the batteries. You're liable to break Apple devices trying to do that. If you use them, don't connect them to a network that has an Internet connection. Turn them off, replace all three devices if you can't get forensics done quickly, get new email/Apple accounts, enable dual factor everywhere, change online account names and passwords, phone number(s) and the provider, and send the devices to someone who specializes in this work, if the police won't do it. I wouldn't take them to a local computer shop or Apple store. I'd take them to a specialist.
posted by cnc at 3:52 PM on February 2, 2017 [1 favorite]
Given my professional experience (which i’m not going to get into here), I’m finding this to be very unlikely to be true (at least in the way it is claimed to be happening), especially if the attacker never had physical possession of the iOS devices.
If the attacker really has infiltrated the iOS devices and *never* had enough physical access to take the devices, connect them to a computer, jailbreak them (assuming the devices were running versions of iOS that can be jailbreaked), and then install loggers, etc. — and if the devices are running the current version of iOS (thus no widely-known unpatched security holes), i’d think someone at Apple higher up than the sales droids and tech support would be very interested in this.
The Mac has a higher chance of being compromised if the victim was tricked into downloading and running malicious software or if the attacker had access to the Mac and enough time to mess with it.
I think it is much more likely that the attacker only has the victim’s Apple ID / iCloud password, which would allow them to send/receive text messages from that Apple ID, as well as mess with anything else iCloud related that the user had enabled on the Mac, iPad, and iPhone.
In either case a novice trying to open an iPhone/iPad to remove the battery is not a good idea and would likely result in broken hardware.
posted by D.C. at 2:58 AM on February 3, 2017 [1 favorite]
If the attacker really has infiltrated the iOS devices and *never* had enough physical access to take the devices, connect them to a computer, jailbreak them (assuming the devices were running versions of iOS that can be jailbreaked), and then install loggers, etc. — and if the devices are running the current version of iOS (thus no widely-known unpatched security holes), i’d think someone at Apple higher up than the sales droids and tech support would be very interested in this.
The Mac has a higher chance of being compromised if the victim was tricked into downloading and running malicious software or if the attacker had access to the Mac and enough time to mess with it.
I think it is much more likely that the attacker only has the victim’s Apple ID / iCloud password, which would allow them to send/receive text messages from that Apple ID, as well as mess with anything else iCloud related that the user had enabled on the Mac, iPad, and iPhone.
In either case a novice trying to open an iPhone/iPad to remove the battery is not a good idea and would likely result in broken hardware.
posted by D.C. at 2:58 AM on February 3, 2017 [1 favorite]
I agree with D.C.: it’s more likely that just the Mac has been compromised (probably via a targeted email, or else the attacker had physical access to it at some point & installed the software themselves) and that this has allowed them to find out the iCloud (and other) passwords, which in turn allows them to fiddle with various aspects of the phone & iPad remotely (eg, turn on Find My iPhone, so that they can work out where their target is, or install Apps remotely.) It’s really, really unlikely that they have cracked the phone / iPad, assuming a recent version of iOS & if they know the iCloud password then they don’t really need to crack them - they can just install whatever apps they need remotely.
As others have said - don’t try and remove the batteries. You’ll just break the devices & recovering data from a broken devices is orders of magnitude harder than from a functioning one. Nearly impossible on a modern iPhone / iPad because the storage is encrypted with a key held in the secure enclave.
If you *really* think they’ve been compromised then turn them off, wrap them all in a couple of layers of aluminium foil & stick them somewhere sound insulating. (An alternative to wrapping them in foil is to stick them in the microwave, but don’t turn the microwave on!) Then go change the passwords for *everything* (iCloud, Google, banking, credit cards, FB: *everything*) from a known clean computer. A public library PC, or else the PC of someone completely unconnected to them would be good choices. Make sure to use secure passwords - it’s no good if the attacker can guess the new password.
Answering your questions (ish):
posted by pharm at 5:00 AM on February 3, 2017 [1 favorite]
As others have said - don’t try and remove the batteries. You’ll just break the devices & recovering data from a broken devices is orders of magnitude harder than from a functioning one. Nearly impossible on a modern iPhone / iPad because the storage is encrypted with a key held in the secure enclave.
If you *really* think they’ve been compromised then turn them off, wrap them all in a couple of layers of aluminium foil & stick them somewhere sound insulating. (An alternative to wrapping them in foil is to stick them in the microwave, but don’t turn the microwave on!) Then go change the passwords for *everything* (iCloud, Google, banking, credit cards, FB: *everything*) from a known clean computer. A public library PC, or else the PC of someone completely unconnected to them would be good choices. Make sure to use secure passwords - it’s no good if the attacker can guess the new password.
Answering your questions (ish):
We need to get the right information: Text message logs, to show the results of her phone number being posted publicly. Access logs, to show network activity coming from the hacker's IP address. Without being able to clearly retrieve and organize this information, there is no chance that the authorities will be able to help.Access logs would come from your ISP & they don’t log at the packet level by default. Your phone company will have text message logs already, but probably won’t give them out to you without some kind of court order.
Can we rely on the Genius Bar to dump the hard drives of all three devices onto a thumb drive or something, and give it all back to us? Will we be able to see SMS logs for the iPhone just looking at the raw hard drive data, or will it be incomprehensible without iOS running on top of it?Genius bar dumps will be useless to the police in any prosecution, as they don’t maintain the chain of evidence. I believe you can extract the SMS database from an iPhone backup: some instructions here in this github project. So you could take a backup of the iphone & go looking in there if you want personal evidence.
posted by pharm at 5:00 AM on February 3, 2017 [1 favorite]
« Older It's processed, but it's not processed | How can I search posts on a Facebook account? Newer »
This thread is closed to new comments.
posted by AugustWest at 1:29 PM on February 2, 2017 [3 favorites]