 If you’re talking about a specific thing that’s happened, what likely happened is the attacker just deleted the logs of their activities. 
 How would they get root access to delete the logs? They wouldn’t be able to without it, right?

The real question is about whether someone got into the computer at all, or if it wasn’t even touched. Because during the time span the logging has no records.

So either it was a sophisticated actor with merging I’m not aware of, or they could get root access. But then the question is how they could get root access to delete logs, and then also are there separate logs for deleting things from the file system? 🤔 
 So ya, I’d say that if there are ZERO logs of any kind at the exact time of attack, that’s definitely suspicious. macOS is extremely verbose, so I can’t see that happening. 

As far as getting root, it’s possible they found a privilege escalation vulnerability. It’s not terribly uncommon, especially if you’ve heavily customized things or write a lot of code, which could inevitably give someone a way to root. 

As far as logs for deleting logs, it’s definitely possible, but I’m not familiar enough with their logging structure to say offhand. 

Sucks dude, hope you figure out what happened. One thing you can do is hire a forensics firm, but that’s big money. 
 I tested it for 10 minutes while asleep just in this train ride. Zero logs whatever. It appears to be shockingly asleep when it is in fact asleep.

When I plug **anything** into any port however, for even the slightest amount of time, there are hundreds of logs. 
 Hmm… this kinda makes me think you’re safe then tbh. Does it create those logs if you plug in while it’s asleep?