Foreign access to my MacBook

[Nicole133]

Hello!

I would be very grateful if you could answer me the following question:
Background:

I think that on 1th January 21 somebody could have taken access to my Macbook with the password which was accessible. There is a serious stalking/mobbing background.

On 29th December 20 I have used it by myself and remember that I have shut it down. But sometimes you remember things not in the right way.. well..

On 13th January I opened it and realized with astonishment that it was running. I put in the password and realized that the activity announcement was open. That was strange since I haven“t opened it, I not even know it.

Then I started to a research and learned that I coulf check the loggins on the Terminal. I did that and there was no loggin on 1th January. But since the person is very skilled regarding to IT issues and my devices has been compromised once before, it would be possible that traces have been deleted.

• Is it possible to delete a separate login information in order that it cannot be seen on the Terminal anymore?

Furthermore I realized that on the Terminal the logins seem to be distinguished between such which were followed with a real shut down of the Mac and those which were followed with placing it into silent mode. Loggins which end with shut downs of the Mac seem to be characterized with the online time in brackets behind and those which end with just putting into silent mode, are with a zero in brackets behind and the hint „still logged in“.

• Did I get that right?

Hence, I realized that on 29th December I really seem to have shut down the MacBook. But how could it be running the next time I opened it on 13th January 21?

• Is there a possibility to check more items if somebody took access on 1th January?

I feel REALLY bad because of that. And would be REALLY grateful if somebody could provide me with some more hints.
Thank you so much.

 

[Audit13]

If you are worried, wipe the machine and change all passwords.

 

[Nicole133]

Sorry, but that is not my problem. Of course I will do that.
I want to know if somebody took access to my appartment since there is a severe stalking background.

 

[Audit13]

There is no way to know for sure if you don't know where to look. I am certainly no IT expert so I would not know exactly where to look.

How did the person get your password? Is it possible you did not shut it down and just closed the lid?

Is FileVault enabled on the drive?

 

[Nicole133]

The person would have taken the password from the notes of my iphone which I have installed as room surveillance during my absence (am an idiot I know). I have taken my iphone and used the video function of the camera App in order to observe the entry of the appartment. When I came back, the camera app was shut down. It“s not the first time. But I did not expect it happen on that day. So the suspected person must have cut the part of the video where entering the appartment.

All my passwords! have been stored on that iphone in the notes App.
Beyond the conspicuities regarding to my Macbook I realised that all the notes in my icloud of the above mentioned iphone have been deleted in the icloud, not at the phone. The icloud password was written in notes as well. That would have been done in order to stress me and leading to emotional instability.

If somebody has really deleted my notes in the icloud and its not just a synchronization mistake, wouldn“t they be deleted on my phone as well? Is there a possibility to see when my icloud was accessed the last 5-10 times?

Thank you so much!

 

[Audit13]

Is the iPhone password protected? You receive an email each time someone logs into your iCloud account?

Any suspicious activity in any of your accounts?

 

[Nicole133]

Problem is that I left the iphone which was connected with that icloud at home as room surveillance. That means that the person was able to look at all my notes since the iphone was running and not closed with my PIN.
Then he was able to enter my Icloud from his own Iphone or notebook and do all that **** there.
The information message from apple asking for allowance would have been sent right to that iphone which the person had access to during my absence you know?
I returned one hour later.

 

[ScreenSavers]

But if the iPhone was a surveillance camera can’t you watch the video the iPhone was supposedly recording and see if it was tampered with?

 

[Nicole133]

It must have been cut after 30 minutes.
This person does those things very carefully and professionally. Its not the first time as mentioned.

The video must have been cut.

 

[Mr_Brightside_@]

You're asking if someone could have logged on to the device(s), then removed all evidence of their logging in? If so, how could we prove anything?

 

[Nicole133]

Initially I wanted to know if
• The login information/history that you can find at the Terminal of a Macbook among the command „last“ can be deleted seperately.
• It is right that at the Terminal, command „last“, the loggins are distinguished between those which end with a shut down off the MAC and those which end with merely putting it in silent mode
• If there are possibilities to delete all traces of a potential loggin at 1th January 21 (my own following loggin was on 13th January) or if a forensic expert could definitively say me if somebody logged in on 1th January

 

[Mr_Brightside_@]

I think you absolutely need to take the computer to an expert.

 

[Nicole133]

Yes, thanks. I supposed that and will do that.

But could you tell me if its possible to delete the loggin history that you find if you open the TERMINAL and then put in the command „last“.
Is it possible to deleate one single loggin of a special day?

 

[Mr_Brightside_@]

Not to my knowledge, but I am not an expert.

Ask yourself: how likely is it that someone broke in (to your device/home), went through your computer, data, and video surveillance, then deleted all traces of their intrusion, but forget to shut down at the end?

 

[Nicole133]

No, not forgot to shut down it.
Maybe deliberately in order to prevent a last trace OR in order to make me ponder.
I know that anything must sound totally weird to you but as already mentioned, it has happened before. And I have to do with a person with a severe personality disorder but highly intelligent.

 

[Mr_Brightside_@]

Or maybe you just forgot to shut down in the first place.

 

[Nicole133]

If you go to Terminal and give in the command „last“ you can see the login history, right?

And you can see if you shut down or merely left the Mac in silent mode. Or am I wrong with that?
If you try this > go to the Terminal and put in the command „last“ you can see
Whether you have shut down it > brackets with the hours you spent working with the Mac OR
Whether you just closed it without shutting it down > with the note still logged it

And referring to that, I have definitively shut down it.
Maybe you could check it if it really distinguishes between shutting down and just closing it

 

[Mr_Brightside_@]

How mine appears.


me ttys000 Fri Jan 15 11:55 still logged in


me console Wed Jan 13 09:44 still logged in


reboot ~ Wed Jan 13 09:44


shutdown ~ Tue Jan 12 17:08


me ttys000 Mon Jan 11 16:33 - 16:33 (00:00)


me console Tue Jan 5 23:04 - 17:08 (6+18:04)


reboot ~ Tue Jan 5 23:03


shutdown ~ Tue Jan 5 18:57


me ttys000 Tue Jan 5 18:56 - 18:56 (00:00)


me ttys000 Mon Jan 4 10:25 - 10:25 (00:00)


me console Mon Jan 4 10:15 - 18:57 (1+08:42)


reboot ~ Mon Jan 4 10:15


shutdown ~ Wed Dec 23 13:02


me console Sat Dec 19 10:07 - 13:02 (4+02:54)


reboot ~ Sat Dec 19 10:07


shutdown ~ Fri Dec 18 19:10


me console Thu Dec 17 21:34 - 19:10 (21:35)


reboot ~ Thu Dec 17 21:34


shutdown ~ Thu Dec 17 18:29


me ttys000 Thu Dec 17 18:23 - 18:23 (00:00)


me console Thu Dec 17 18:22 - 18:27 (00:05)


reboot ~ Thu Dec 17 18:20


shutdown ~ Thu Dec 17 18:12


root console Thu Dec 17 18:11 - shutdown (00:00)


me ttys000 Thu Dec 17 18:08 - 18:08 (00:00)


me console Wed Dec 16 16:02 - 18:11 (1+02:09)


reboot ~ Wed Dec 16 16:01


shutdown ~ Wed Dec 16 15:58


me ttys000 Wed Dec 16 10:30 - 10:30 (00:00)


me ttys000 Sat Dec 12 15:33 - 15:33 (00:00)


me console Wed Dec 9 10:34 - 15:58 (7+05:23)


reboot ~ Wed Dec 9 10:34


me console Tue Dec 8 18:02 - crash (16:32)


reboot ~ Tue Dec 8 18:01


shutdown ~ Tue Dec 8 17:59


me console Tue Dec 8 17:55 - 17:59 (00:04)


reboot ~ Tue Dec 8 17:55


shutdown ~ Tue Dec 8 17:53


me ttys000 Mon Dec 7 20:13 - 20:13 (00:00)


me ttys000 Mon Dec 7 15:49 - 15:49 (00:00)


me ttys000 Mon Dec 7 12:44 - 12:44 (00:00)


me console Mon Dec 7 12:35 - 17:53 (1+05:17)


reboot ~ Mon Dec 7 12:35


shutdown ~ Mon Dec 7 12:34


me ttys000 Sun Dec 6 15:11 - 15:11 (00:00)


me ttys000 Thu Dec 3 22:03 - 22:03 (00:00)


me console Thu Dec 3 21:59 - 12:34 (3+14:35)


reboot ~ Thu Dec 3 21:59


shutdown ~ Thu Dec 3 21:56


me console Thu Dec 3 20:37 - 21:56 (01:18)


reboot ~ Thu Dec 3 20:36


shutdown ~ Thu Dec 3 20:32


root console Thu Dec 3 20:31 - shutdown (00:00)


me console Thu Dec 3 20:28 - 20:31 (00:03)


reboot ~ Thu Dec 3 20:26


shutdown ~ Thu Dec 3 20:25


root console Thu Dec 3 20:24 - shutdown (00:01)


me console Thu Dec 3 19:26 - 20:24 (00:58)


reboot ~ Thu Dec 3 19:24


shutdown ~ Thu Dec 3 19:19


root console Thu Dec 3 19:18 - shutdown (00:01)


me console Thu Dec 3 19:10 - 19:18 (00:07)


reboot ~ Thu Dec 3 19:06

 

[Nicole133]

Ok, thank you. That“s lots of stuff.

If you try something now:


Really shut it down. Wait five minutes and take access again. Go to the Terminal and check it. I bet you will see the time you have been logged in in the brackets behind.

Then try the other way. Just close it. Wait five minutes. And check it again. I bet you will get a 0 in brackets and the message „still logged in“.

Could you be so kind to check it please.

 

[retta283]

What about using the console app? There should be enough messages in there to tell that the machine was booted up and shut down, and should also provide proof of shutdown on the 29th.

 

[Nicole133]

If I check system.log I can just see today, the 15. th January. Where can I find it?

 

[retta283]

This screenshot is from an older version of OS X, but it should still mostly apply. There should be a sidebar, or an option to "Show Log List" somewhere in the app. You want to be under All Messages to view the ones from past dates. Mine goes back to the day that I installed OS X Mavericks, so it should cover everything for you certainly.

 

[Nicole133]

I dont have any many points like you under system logs.

 

[Nicole133]

I meant any menue points. There is nothing but system.log

 

[Nicole133]

I have bought the Mac in the beginning of December (calling it Patrick because of the stalking background to duisguise a bit if I am using WLAN), so the login history should appear?!