

Ask HN: How to inspect a Macbook? - joshmlewis

So a lady came to me wanting to know if I could look at her Macbook. Apparently her husband was an IT guy and they divorced; well, that wasn't pretty. He supposedly put keyloggers and spyware programs on her Macbook and now she's pulling her hair out because no one will look at Macs around here.

My question: There is so much junk on here, I just want to wipe it all and start over, but she wants me to actually investigate and see if there are shady programs on here and document it. How would I go about doing such things? Also, does anyone know of a program that shows all outgoing internet connections and if there are fishy files?
======
jason_slack
Josh - You can have the best of both worlds. Boot to a spare HD or Target
boot, use Disk Utility and take a DMG of the hard drive as it sits now. You
can move that to where ever you want to examine the contents.

This frees up the drive for reloading the OS (and this is a must if you
suspect foul play) and you can examine at your leisure knowing you have an
exact image of the drive.

If you are in the Bay Area, CA, I would be happy to help over coffee. Contact
info in profile.
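The point of the answer above is to take a bit-for-bit copy first and only then reinstall. As an added example (not code from the thread or from any commenter), here is the same step done from the command line in Python instead of Disk Utility: the source is read block by block, hashed as it goes, and the finished image is hashed again so the copy can be shown to match before the original drive is wiped. The device path `/dev/rdisk2` is an assumption; the demo uses a constructed temp file as a stand-in for a disk.

```python
"""Added example (not from the thread): make a raw, bit-for-bit copy of a
drive or partition and prove the copy matches before the original is wiped.

On macOS the source would be a raw device such as /dev/rdisk2 (assumed
path), read while booted from a spare volume or in target-disk mode so the
suspect disk is not mounted read-write by the OS being examined."""
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # read in 4 MiB blocks


def image_device(src: str, dst: str) -> dict:
    """Copy src to dst block by block, hashing the bytes as they are read.
    Returns the SHA-256 of what was read, of what was written, and the size."""
    h_src = hashlib.sha256()
    total = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while True:
            block = fin.read(CHUNK)
            if not block:
                break
            h_src.update(block)
            fout.write(block)
            total += len(block)
        fout.flush()
        os.fsync(fout.fileno())
    # Hash the finished image independently so a write error shows up as a
    # mismatch instead of going unnoticed.
    h_dst = hashlib.sha256()
    with open(dst, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h_dst.update(block)
    return {"size": total,
            "source_sha256": h_src.hexdigest(),
            "image_sha256": h_dst.hexdigest(),
            "verified": h_src.hexdigest() == h_dst.hexdigest()}


def write_manifest(report: dict, path: str) -> None:
    """Record size and hashes next to the image so they can be cited later."""
    with open(path, "w") as f:
        for key, value in report.items():
            f.write(f"{key}: {value}\n")


def demo() -> dict:
    """Constructed stand-in for a device: a temp file with known contents."""
    with tempfile.TemporaryDirectory() as d:
        fake_disk = os.path.join(d, "fake_disk.bin")
        with open(fake_disk, "wb") as f:
            f.write(bytes(range(256)) * 40000)  # ~10 MB of patterned data
        report = image_device(fake_disk, os.path.join(d, "evidence.img"))
        write_manifest(report, os.path.join(d, "evidence.img.sha256"))
        return report


if __name__ == "__main__":
    print(demo())
```

For a real drive, run it as `image_device("/dev/rdisk2", "/Volumes/External/evidence.img")` with root privileges and keep the manifest with the image; the original can then be reformatted while every later check is done against the copy.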

------
iamdave
_Also, does anyone know of a program that shows all outgoing internet
connections and if there are fishy files?_

Wireshark, though it's got a bit of a curve to it, provided you know how to
identify packets.

~~~
benologist
Wouldn't malware be smart enough by now not to send stuff while Wireshark's
running, or even to not send while the machine's actively being used?

~~~
iamdave
Typically yes, but if it's communicating, it's got to do it somehow, which is
why I added the caveat that op knows how to read a packet output.
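A lighter alternative to reading packets, and one that addresses the "only talks when nobody is looking" worry raised above, is to snapshot the machine's open sockets with `lsof -i -nP` (numeric hosts and ports) at different times and diff the snapshots. This added example is not code from the thread or any commenter; the lsof output lines in it are constructed for the demo, and `run_lsof()` is what you would call on the real machine.

```python
"""Added example (not from the thread): summarise outbound TCP/UDP
connections on a Mac from `lsof -i -nP` output and diff two snapshots, so a
process that only connects while the machine looks idle still shows up.
The SAMPLE_* lsof lines are constructed for the example."""
import re
import subprocess
from collections import defaultdict

# Columns of `lsof -i -nP`: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# NAME looks like 192.168.1.5:52233->93.184.216.34:443 (ESTABLISHED)
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?$"
)

# Constructed snapshot taken while the machine sits idle.
SAMPLE_IDLE = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1 root   10u  IPv6 0x1a2b      0t0  TCP *:22 (LISTEN)
Safari      412 jane   22u  IPv4 0x3c4d      0t0  TCP 192.168.1.5:52233->93.184.216.34:443 (ESTABLISHED)
mDNSRespo    89 _mdns   8u  IPv4 0x5e6f      0t0  UDP *:5353
"""

# Constructed second snapshot: one extra process has reached out.
SAMPLE_LATER = SAMPLE_IDLE + """\
.helper     777 jane    5u  IPv4 0x7a8b      0t0  TCP 192.168.1.5:52300->203.0.113.9:8080 (ESTABLISHED)
"""


def parse_lsof(text: str) -> dict:
    """Return {(command, pid): {(proto, remote, state)}} for sockets that
    actually reach out; listeners and unconnected sockets are skipped."""
    conns = defaultdict(set)
    for line in text.splitlines()[1:]:  # skip the header row
        m = LINE_RE.match(line)
        if not m or "->" not in m["name"]:
            continue
        remote = m["name"].split("->", 1)[1]
        conns[(m["cmd"], int(m["pid"]))].add((m["proto"], remote, m["state"]))
    return dict(conns)


def new_connections(before: dict, after: dict) -> dict:
    """Endpoints present in the second snapshot but not in the first."""
    diff = {}
    for key, endpoints in after.items():
        added = endpoints - before.get(key, set())
        if added:
            diff[key] = added
    return diff


def run_lsof() -> str:
    """Live capture on macOS; run with sudo to see every user's sockets."""
    return subprocess.run(["lsof", "-i", "-nP"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    first, second = parse_lsof(SAMPLE_IDLE), parse_lsof(SAMPLE_LATER)
    for (cmd, pid), endpoints in new_connections(first, second).items():
        for proto, remote, state in endpoints:
            print(f"NEW: {cmd}[{pid}] {proto} -> {remote} {state}")
```

On the actual machine, save `run_lsof()` to a file every few minutes (including overnight, with the lid open and nobody using it) and diff consecutive files; a process name you cannot account for, or a remote address that keeps recurring, is what to write down for the report, together with the PID's binary path from `ps -p PID -o comm=`.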

------
joshmlewis
I found a thing called rpc.lockd. Looks like it's some type of Linux command.
Anyone know anything?

And syslogd.

~~~
jason_slack
rpc.lockd -
[http://developer.apple.com/library/mac/#documentation/Darwin...](http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/rpc.statd.8.html)

syslogd -
[http://developer.apple.com/library/mac/#documentation/Darwin...](http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/syslog.1.html%23//apple_ref/doc/man/1/syslog)
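The two names asked about are stock Darwin daemons, as the man-page links above show; the harder job on a cluttered machine is telling those apart from things a person installed. Since launchd jobs (LaunchAgents and LaunchDaemons) are where a program that should start on every boot or login is registered, listing them and noting which ones point at a binary outside Apple's own paths is a good first pass. This added example is not from the thread or any commenter; the plist entries in `demo()` are constructed, and the "Apple path" prefixes are a simple heuristic, not an authoritative list.

```python
"""Added example (not from the thread): list launchd persistence entries on
a Mac and flag ones whose program lives outside the OS's own locations or
under a hidden directory. The plists written by demo() are constructed."""
import os
import plistlib
import tempfile

# Standard launchd locations; the user's own LaunchAgents dir is added at run time.
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons"]
# Heuristic (assumption): binaries under these prefixes ship with the OS.
APPLE_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def program_of(job: dict) -> str:
    """launchd jobs name their binary via Program or ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def scan_dir(directory: str) -> list:
    """Return one record per .plist in directory (empty list if it is absent)."""
    records = []
    if not os.path.isdir(directory):
        return records
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as f:
                job = plistlib.load(f)
        except Exception as exc:  # a plist that will not parse is itself worth noting
            records.append({"plist": path, "label": "?", "program": "",
                            "run_at_load": False, "suspicious": True,
                            "note": f"unparseable: {exc}"})
            continue
        prog = program_of(job)
        hidden = "/." in prog  # any path component starting with a dot
        outside = not prog.startswith(APPLE_PREFIXES)
        records.append({"plist": path,
                        "label": job.get("Label", "?"),
                        "program": prog,
                        "run_at_load": bool(job.get("RunAtLoad")),
                        "suspicious": outside or hidden,
                        "note": "hidden path" if hidden
                                else ("outside OS paths" if outside else "")})
    return records


def scan_all(extra_dirs=()) -> list:
    """Scan the standard directories plus the current user's LaunchAgents."""
    dirs = LAUNCHD_DIRS + [os.path.expanduser("~/Library/LaunchAgents")] + list(extra_dirs)
    return [r for d in dirs for r in scan_dir(d)]


def demo() -> list:
    """Constructed plists: one OS-style daemon and one user-installed agent."""
    with tempfile.TemporaryDirectory() as d:
        jobs = {
            "com.apple.syslogd.plist": {"Label": "com.apple.syslogd",
                                        "ProgramArguments": ["/usr/sbin/syslogd"]},
            "com.example.updater.plist": {"Label": "com.example.updater",
                                          "Program": "/Users/jane/Library/.cache/updater",
                                          "RunAtLoad": True},
        }
        for name, job in jobs.items():
            with open(os.path.join(d, name), "wb") as f:
                plistlib.dump(job, f)
        return scan_dir(d)


if __name__ == "__main__":
    for r in demo():
        flag = "!!" if r["suspicious"] else "  "
        print(f"{flag} {r['label']:<24} {r['program']}  {r['note']}")
```

Run `scan_all()` on the imaged copy or on the suspect machine itself; every flagged entry is a concrete file path and label that can go straight into the write-up, which is what the original question was asking for, and an unflagged entry such as the syslogd daemon above can be set aside with the man page as the reference.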

