Live Monitoring Active

Your Apple account
is being watched.
Now you can watch back.

Forensic Monitor reads Apple's native rapportd and bluetoothd system daemons in real time and alerts you when a foreign device authenticates as the owner of your Apple ID account. Every alert is anchored to a machine-generated, cryptographically timestamped log entry written by Apple's own software. No inference. No interpretation. The log is the evidence.

⬇ Download .pkg Installer { } Download Script Only { } View on GitHub

1,731

Devices Documented
Against Founder

Day Window

8,919

Traceable Authentications

Lines of Inference

// How It Works

Plug it in. It captures the invisible — unknown devices, crowdsourced operations, individuals — authenticating against your Apple account without your knowledge and their proximity to you.

The evidence is immutable. Every captured device is logged, timestamped, and sealed under a SHA-256 chain of custody that cannot be altered without breaking the math.

Print the Vault Hardening Report. Hand it to your attorney.

The logs are presumed authentic under Federal Rules of Evidence 902(13) and 902(14). The defendants have to prove the impossible — that the math is wrong.

Apple's Own Software Writes the Evidence

The script reads rapportd — Apple's Continuity authentication daemon — in real time using macOS's built-in log stream command. Every entry in the output is written by Apple's software, not by this tool. The monitor captures; it does not generate.

PairVerify Proves Prior Enrollment

For a device to authenticate as owner of your Apple account via DirectLink, it must pass Apple's PairVerify M2 challenge-response cryptographic handshake. This requires a private key generated at enrollment and registered on Apple's Identity Services servers. Proximity alone cannot produce this result. Every captured device is pre-enrolled before any proximity event occurred.

Four Parallel Streams, Zero Latency

The monitor runs four concurrent streams: RSSI proximity trapping via rapportd, SameAccountDevice authentication monitoring, MAC address harvesting with repeat-offender tracking, and BLE early warning via bluetoothd. All four run simultaneously in the background and write to separate log files.

Real-Time Push Alerts, Tiered by Severity

Every event triggers a push notification to your iPhone or Android device via Pushover, prioritized by severity — from normal proximity approach to emergency-level owner access and batch credential deployment events. New MAC addresses and repeat offenders are distinguished automatically.

Self-Authenticating Under FRE 902

Log output qualifies as self-authenticating under Federal Rule of Evidence 902 as records generated in the ordinary course of system operation. The LIVE_STREAM.log produced by this tool constitutes the primary forensic record produced by this tool.n.

// Installation

🖥

macOS Ventura 13 or later

Tested on macOS Sequoia 15 / MacBook Air M4

📲

Pushover Account

Free 30-day trial · $5 one-time per platform · pushover.net

🔐

Terminal Full Disk Access

System Settings → Privacy & Security → Full Disk Access

📦

No Additional Dependencies

bash and curl are pre-installed on every Mac

OPTIONAL COMPONENTS

The SHA-256 Vault Daemon is included in the package. For users requiring a complete, unbreakable evidentiary chain, the optional LaunchDaemon installer unlocks several capabilities unavailable to a standard terminal script: root-level execution, tamper-proof hash sealing in a user-inaccessible vault, automatic restart on crash, and persistence across logout and reboot — running continuously whether or not anyone is logged in.

v4.0 — Legal-Ready Auditing
The vault installer now generates a timestamped Hardening Report automatically on installation — and on demand at any time via generate_report.sh. Each report documents daemon status, vault integrity, live forensic statistics, and asserts the evidentiary basis under Federal Rules of Evidence 902(13) and 902(14). The report is sealed in the root vault and its SHA-256 hash is appended to the master chain of custody at the exact moment of generation. Run it before any court filing, discovery response, or supplemental submission.

# Option A — pkg installer (recommended for most users)

# Download ForensicMonitor.pkg and double-click to install.

# Terminal opens automatically. Five prompts walk you through setup.

# Option B — manual (experienced users)

$ chmod +x forensic_monitor.sh

$ ./forensic_monitor.sh

Monitoring... Press Ctrl+C to stop

RSSI thresholds: Contact=-35 Close=-45 Approach=-65

# Watch events in real time (open a second Terminal window)

$ tail -f ~/Documents/forensic_monitor/LIVE_STREAM.log

// Alert Reference

BATCH DEPLOY

Multiple pre-enrolled devices deployed simultaneously against your account

EMERGENCY

KNOWN TARGET

A pre-designated target node appeared — an identified operator is in your rapportd log

EMERGENCY

APPROACH DETECTED

Unauthorized device within 20–50 feet via rapportd RSSI — and in proximity of your device

EMERGENCY

BLE APPROACH

Device within 20–50 feet via bluetoothd RSSI — confirmed close-range presence

EMERGENCY

OWNER ACCESS CONFIRMED

AcLv = User (11) owner-level access — nefarious entity has full control of your account

HIGH

NEW MAC CAPTURED

Previously unseen device authenticated as account owner

HIGH

NEW TEAM DETECTED

Previously unseen organizational AID or IDS token appeared

HIGH

RE-AUTH REPEAT OFFENDER

A previously captured MAC address re-authenticated — they are back

HIGH

PAIRVERIFY LOGGED

Cryptographic handshake completed by foreign device

HIGH

// Case Reference

ZERO TRUST FORENSIC AUDIT — EXECUTIVE PERIMETER

Forensic Account Monitor is purpose-built for executives and high-value targets who require an independent security perimeter — including scenarios where the threat originates from inside their own IT infrastructure.

Unlike enterprise MDM solutions that route telemetry through managed servers, this tool reads Apple's native system daemons directly on the monitored device and writes output locally. There is no cloud dependency, no managed endpoint, and no third-party data handling. The monitoring chain cannot be intercepted, altered, or disabled by a network-level administrator.

For Corporate Deployment
The complete source code is open and auditable. We recommend having your IT security department review and approve the script before deployment. Once approved, it can be installed on executive devices as an independent audit layer that operates entirely outside the managed IT perimeter — providing a ground-truth record that cannot be influenced by the infrastructure it is monitoring.

WHO THIS TOOL IS FOR

Forensic Account Monitor is most useful for typical targets of crowdsourcing campaigns — individuals and professionals whose positions, work, or beliefs make them targets of coordinated swarming tactics.

Government and Law Enforcement Personnel
ICE and Border Patrol agents, judges, politicians, and public health officials are frequent targets of organized harassment campaigns that use proximity-based surveillance to track movements and monitor communications.

Whistleblowers and Dissidents
Corporate whistleblowers and political dissidents face well-resourced adversaries with the organizational capacity to deploy the kind of MDM-based fleet infrastructure this tool is specifically designed to detect.

Activists and Journalists
Those who investigate extremist groups, cults, or organized crime are routinely subjected to swarming tactics. This tool documents those operations in real time using Apple's own self-authenticating system logs — producing evidence that is admissible in federal court.

Celebrities and Public Figures
High-profile individuals — entertainers, athletes, executives, and social media personalities — are increasingly targeted by coordinated proximity-based surveillance operations. Their public schedules, recognizable locations, and high-value personal data make them prime targets for the kind of organized, technology-enabled stalking this tool is specifically designed to detect and document.

KRAEMER V. JOHN DOES

This tool was developed and deployed by Thomas D. Kraemer after discovering an empty ltk.plist — a nefarious file used to keep Apple’s Auto Unlock feature open — which led to the identification of a DDM running in the background of his device with no visible profile. Further investigation revealed the DDM had been used to crowdsource unauthorized access to his Apple ID across a violent criminal network. Over a 40+-day monitoring window, the tool captured over 1,700 distinct MAC addresses authenticating as owner of his Apple ID account under a single cloned IDS token (BBzlfMIo), deployed by an unauthorized Declarative Device Management organizational account.

Forensic Monitor — Apple Account Surveillance Detection

Your Apple accountis being watched.Now you can watch back.

Your Apple account
is being watched.
Now you can watch back.