If I suspect that someone has installed a keylogger application on my computer, what is the best way to test/find if such an application exists? Also, if I boot my Mac in safe mode, does this mean that a keylogger application would be disabled on startup?
First, I agree with Iszi in that it would be safest to format the hard disk and re-install OSX. You would want to back up your documents and such first. If you do decide to take that route, have a look at tripwire. That should be installed immediately after you re-install OSX.
Short of that, you can do a couple of things:
- Use Little Snitch to detect and prevent any data being sent across the network.
- Secure your Mac physically, or take it with you if it is a MacBook, to make sure nobody but you has physical access to it.
- Look for processes, using Activity Monitor already on your Mac in Applications/Utilities, that look like 'logKext'.
- Try this: http://www.chkrootkit.org/
- Matt, it depends on the way the alleged keylogger was installed and how it is architected. Booting in safe-mode will likely prevent many types of nasties from being loaded. At that point you could compare the process list to that of a non-safe mode boot. But that still won't guarantee you'll find anything. That's why the safest thing to do is start fresh with a newly formatted system. Short of that you can try safe-mode. Your mileage may vary. Best of luck. – Midwire, Oct 9 '11 at 4:19
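
The safe-mode versus normal-boot process comparison suggested in the comment above, as an added example that is not part of the original answer or comment. The function names, file names and the ExampleApp/ExampleVendor paths are assumptions, and the sample snapshots are constructed.

```shell
#!/bin/sh
# Added example: diff a Safe Boot process snapshot against a normal-boot one.

# Run on the Mac once per boot mode; writes one process name/path per line.
snapshot() {  # usage: snapshot safe.txt   (then later: snapshot normal.txt)
    ps -axo comm= | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' > "$1"
}

# Print entries that appear only in the normal-boot snapshot.
# Inputs are de-duplicated and sorted here, as comm(1) requires sorted input.
only_in_normal() {  # usage: only_in_normal safe.txt normal.txt
    s=$(mktemp) && n=$(mktemp) || return 1
    sed '/^$/d' "$1" | LC_ALL=C sort -u > "$s"
    sed '/^$/d' "$2" | LC_ALL=C sort -u > "$n"
    LC_ALL=C comm -13 "$s" "$n"
    rm -f "$s" "$n"
}

# Constructed sample snapshots (not captured from a real machine); the
# ExampleApp and ExampleVendor paths are placeholders.
write_constructed_samples() {  # usage: write_constructed_samples DIR
    cat > "$1/safe.txt" <<'EOF'
/sbin/launchd
/usr/sbin/syslogd
/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
EOF
    cat > "$1/normal.txt" <<'EOF'
/sbin/launchd
/usr/sbin/syslogd
/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
/Applications/ExampleApp.app/Contents/MacOS/ExampleApp
/Library/Application Support/ExampleVendor/exampled
/usr/sbin/syslogd
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_constructed_samples "$dir"
    echo "Loaded only in the normal boot (review each entry):"
    only_in_normal "$dir/safe.txt" "$dir/normal.txt"
    rm -rf "$dir"
}
demo
```

Login items and third-party extensions are also skipped in safe mode, so the output is a list of entries to identify one by one, not a verdict.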