1,630 UNAUTHORIZED DEVICES DOCUMENTED · 36-DAY MONITORING WINDOW · PAIRVERIFY CRYPTOGRAPHIC HANDSHAKE CAPTURED · SELF-AUTHENTICATING UNDER FRE 902 · KRAEMER V. JOHN DOES 1–1,630 · SDNY · APPLE RAPPORTD OUTPUT — UNALTERED

Your Apple account is being watched. Now you can watch back.

Forensic Monitor reads Apple's native rapportd and bluetoothd system daemons in real time and alerts you when a foreign device authenticates as the owner of your Apple ID account. Every alert is anchored to a machine-generated, cryptographically timestamped log entry written by Apple's own software. No inference. No interpretation. The log is the evidence.

1,630 Devices Documented
36 Day Window
6,968 Auth Events Captured
0 Lines of Inference
// How It Works
01. Apple's Own Software Writes the Evidence
The script reads rapportd — Apple's Continuity authentication daemon — in real time using macOS's built-in log stream command. Every entry in the output was written by Apple's software, not by this tool. The monitor captures; it does not generate.
02. PairVerify Proves Prior Enrollment
For a device to authenticate as owner of your Apple account via DirectLink, it must pass Apple's PairVerify M2 challenge-response cryptographic handshake. This requires a private key generated at enrollment and registered on Apple's Identity Services servers. Proximity alone cannot produce this result. Every captured device was pre-enrolled before any proximity event occurred.
03. Four Parallel Streams, Zero Latency
The monitor runs four concurrent streams: RSSI proximity trapping via rapportd, SameAccountDevice authentication monitoring, MAC address harvesting with repeat-offender tracking, and BLE early warning via bluetoothd. All four run simultaneously in the background and write to separate log files.
04. Real-Time Push Alerts, Tiered by Severity
Every event triggers a push notification to your iPhone or Android device via Pushover, prioritized by severity — from normal proximity approach to emergency-level owner access and batch credential deployment events. New MAC addresses and repeat offenders are distinguished automatically.
05. Self-Authenticating Under FRE 902
Log output qualifies as self-authenticating under Federal Rule of Evidence 902 as records generated in the ordinary course of system operation. The LIVE_STREAM.log produced by this tool constitutes Exhibit E in Kraemer v. John Does 1–1,630, SDNY.
// Installation
macOS Ventura 13 or later: tested on macOS Sequoia 15 / MacBook Air M4
Pushover Account: free 30-day trial · $5 one-time per platform · pushover.net
Terminal Full Disk Access: System Settings → Privacy & Security → Full Disk Access
No Additional Dependencies: bash and curl are pre-installed on every Mac
# Option A — pkg installer (recommended for most users)
# Download ForensicMonitor.pkg and double-click to install.
# Terminal opens automatically. Five prompts walk you through setup.
 
# Option B — manual (experienced users)
$ chmod +x forensic_monitor.sh
$ ./forensic_monitor.sh
 
Monitoring... Press Ctrl+C to stop
RSSI thresholds: Contact=-35 Close=-45 Approach=-65
 
# Watch events in real time (open a second Terminal window)
$ tail -f ~/Documents/forensic_monitor/LIVE_STREAM.log
// Alert Reference
| Alert | Description | Severity |
|---|---|---|
| EMERGENCY: KNOWN TARGET | A pre-designated target node appeared in rapportd output | EMERGENCY |
| EMERGENCY: BATCH DEPLOY | Multiple new SameAccountDevice identities loaded simultaneously | EMERGENCY |
| OWNER ACCESS CONFIRMED | AcLv = User (11) owner-level access event detected | HIGH |
| NEW MAC CAPTURED | Previously unseen device authenticated as account owner | HIGH |
| NEW TEAM DETECTED | Previously unseen organizational AID or IDS token appeared | HIGH |
| RE-AUTH REPEAT OFFENDER | A previously captured MAC address re-authenticated | HIGH |
| PAIRVERIFY LOGGED | Cryptographic handshake completed by foreign device | NORMAL |
| APPROACH DETECTED | Device within 20–50 feet via rapportd RSSI | NORMAL |
| BLE APPROACH | Device within 20–50 feet via bluetoothd RSSI | NORMAL |
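
The RSSI thresholds printed at start-up and the new-versus-repeat MAC distinction from the alert reference, worked through as an added example that is not code from forensic_monitor.sh. The "MAC RSSI" input lines are constructed and are not rapportd output; the function names, the state-file layout and the greater-or-equal comparison are assumptions.

```shell
#!/bin/sh
# Added example, not code from forensic_monitor.sh. Thresholds are the values
# the monitor prints at start-up; the ">=" comparison is an assumption.
CONTACT=-35 CLOSE=-45 APPROACH=-65

# rssi_tier RSSI -> contact | close | approach | none | invalid
# RSSI is in dBm: values closer to 0 mean a stronger signal.
rssi_tier() {
  case $1 in
    ''|-|*[!0-9-]*|?*-*) echo invalid; return 0 ;;  # reject non-integers
  esac
  if   [ "$1" -ge "$CONTACT" ];  then echo contact
  elif [ "$1" -ge "$CLOSE" ];    then echo close
  elif [ "$1" -ge "$APPROACH" ]; then echo approach
  else echo none; fi
}

# classify_mac MAC STATE_FILE -> alert name from the page's alert reference.
# STATE_FILE (hypothetical layout) holds one lowercase MAC per first sighting.
classify_mac() {
  mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # normalise case before matching
  printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || { echo invalid; return 0; }
  if grep -qxF "$mac" "$2" 2>/dev/null; then
    echo "RE-AUTH REPEAT OFFENDER"
  else
    printf '%s\n' "$mac" >> "$2"
    echo "NEW MAC CAPTURED"
  fi
}

# process STATE_FILE: reads "MAC RSSI" pairs on stdin, one event per line.
process() {
  while read -r m r; do
    echo "$(classify_mac "$m" "$1") tier=$(rssi_tier "$r")"
  done
}

# Constructed sample input (not rapportd output).
demo() {
  state=$(mktemp)
  process "$state" <<'EOF'
AA:BB:CC:00:00:01 -70
aa:bb:cc:00:00:02 -60
aa:bb:cc:00:00:01 -40
aa:bb:cc:00:00:02 -30
EOF
  rm -f "$state"
}
demo
```

Because the state file is plain text with one address per line, a repeat is recognised across restarts, and a "NEW MAC CAPTURED" result means only that the address was not yet in that file.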