erosolar-cli 2.1.243 → 2.1.244
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/capabilities/index.d.ts +1 -0
- package/dist/capabilities/index.d.ts.map +1 -1
- package/dist/capabilities/index.js +1 -0
- package/dist/capabilities/index.js.map +1 -1
- package/dist/capabilities/unifiedInvestigationCapability.d.ts +22 -0
- package/dist/capabilities/unifiedInvestigationCapability.d.ts.map +1 -0
- package/dist/capabilities/unifiedInvestigationCapability.js +41 -0
- package/dist/capabilities/unifiedInvestigationCapability.js.map +1 -0
- package/dist/core/agentOrchestrator.d.ts +130 -1
- package/dist/core/agentOrchestrator.d.ts.map +1 -1
- package/dist/core/agentOrchestrator.js +553 -1
- package/dist/core/agentOrchestrator.js.map +1 -1
- package/dist/core/unifiedFraudOrchestrator.d.ts +542 -0
- package/dist/core/unifiedFraudOrchestrator.d.ts.map +1 -0
- package/dist/core/unifiedFraudOrchestrator.js +1449 -0
- package/dist/core/unifiedFraudOrchestrator.js.map +1 -0
- package/dist/plugins/tools/nodeDefaults.d.ts.map +1 -1
- package/dist/plugins/tools/nodeDefaults.js +2 -0
- package/dist/plugins/tools/nodeDefaults.js.map +1 -1
- package/dist/plugins/tools/unifiedInvestigation/unifiedInvestigationPlugin.d.ts +3 -0
- package/dist/plugins/tools/unifiedInvestigation/unifiedInvestigationPlugin.d.ts.map +1 -0
- package/dist/plugins/tools/unifiedInvestigation/unifiedInvestigationPlugin.js +14 -0
- package/dist/plugins/tools/unifiedInvestigation/unifiedInvestigationPlugin.js.map +1 -0
- package/dist/tools/taoTools.d.ts.map +1 -1
- package/dist/tools/taoTools.js +790 -4
- package/dist/tools/taoTools.js.map +1 -1
- package/dist/tools/unifiedInvestigationTools.d.ts +19 -0
- package/dist/tools/unifiedInvestigationTools.d.ts.map +1 -0
- package/dist/tools/unifiedInvestigationTools.js +851 -0
- package/dist/tools/unifiedInvestigationTools.js.map +1 -0
- package/package.json +1 -1
package/dist/tools/taoTools.js
CHANGED
|
@@ -14605,9 +14605,14 @@ Generates legal evidence for FTC complaints and litigation.`,
|
|
|
14605
14605
|
'apple_backup_keys',
|
|
14606
14606
|
'apple_siri_plaintext',
|
|
14607
14607
|
'google_gmail_scanning',
|
|
14608
|
+
'google_gmail_thread_manipulation',
|
|
14609
|
+
'google_gmail_draft_abuse',
|
|
14608
14610
|
'google_chrome_telemetry',
|
|
14611
|
+
'google_chrome_hijacking',
|
|
14612
|
+
'google_browser_launch_abuse',
|
|
14609
14613
|
'google_android_tracking',
|
|
14610
14614
|
'google_play_services',
|
|
14615
|
+
'google_unified_abuse_investigation',
|
|
14611
14616
|
'generate_frida_scripts',
|
|
14612
14617
|
'generate_mdm_profile',
|
|
14613
14618
|
'generate_legal_exhibit',
|
|
@@ -14938,6 +14943,727 @@ if (ObjC.available) {
|
|
|
14938
14943
|
],
|
|
14939
14944
|
},
|
|
14940
14945
|
};
|
|
14946
|
+
// Gmail Thread Manipulation Investigation
|
|
14947
|
+
const googleGmailThreadManipulation = {
|
|
14948
|
+
abuse_category: 'Gmail Thread Hiding and Manipulation',
|
|
14949
|
+
description: 'Google/Gmail hides, archives, moves, or manipulates email threads without user action',
|
|
14950
|
+
observed_behaviors: {
|
|
14951
|
+
thread_hiding: {
|
|
14952
|
+
description: 'Threads disappear from inbox without user action',
|
|
14953
|
+
mechanisms: [
|
|
14954
|
+
'Server-side archive without IMAP command',
|
|
14955
|
+
'Label manipulation (removing INBOX label)',
|
|
14956
|
+
'Thread ID reassignment breaking references',
|
|
14957
|
+
'Priority inbox "demotion" to hidden categories',
|
|
14958
|
+
],
|
|
14959
|
+
evidence_collection: [
|
|
14960
|
+
'IMAP sync logs showing server-side changes',
|
|
14961
|
+
'Gmail API audit log via Workspace Admin',
|
|
14962
|
+
'Comparison of sent Message-ID vs delivered',
|
|
14963
|
+
'Thread reconstruction from mail headers',
|
|
14964
|
+
],
|
|
14965
|
+
},
|
|
14966
|
+
thread_launching: {
|
|
14967
|
+
description: 'Threads or windows launched without user request',
|
|
14968
|
+
mechanisms: [
|
|
14969
|
+
'Service Worker push notification triggers',
|
|
14970
|
+
'Background sync API auto-opens',
|
|
14971
|
+
'Chrome intent:// URL handling',
|
|
14972
|
+
'mailto: protocol hijacking',
|
|
14973
|
+
],
|
|
14974
|
+
evidence_collection: [
|
|
14975
|
+
'DevTools > Application > Service Workers audit',
|
|
14976
|
+
'chrome://serviceworker-internals/',
|
|
14977
|
+
'Network log correlation with UI events',
|
|
14978
|
+
],
|
|
14979
|
+
},
|
|
14980
|
+
message_delay: {
|
|
14981
|
+
description: 'Emails held by Google before delivery',
|
|
14982
|
+
investigation: [
|
|
14983
|
+
'Compare Received headers timestamps',
|
|
14984
|
+
'Calculate difference between first Received and final',
|
|
14985
|
+
'Document messages held >30 seconds',
|
|
14986
|
+
'Test with known-time emails from external servers',
|
|
14987
|
+
],
|
|
14988
|
+
},
|
|
14989
|
+
},
|
|
14990
|
+
investigation_methodology: {
|
|
14991
|
+
imap_monitoring: {
|
|
14992
|
+
tools: ['imaplib (Python)', 'mbsync', 'offlineimap'],
|
|
14993
|
+
process: [
|
|
14994
|
+
'1. Enable IMAP in Gmail settings',
|
|
14995
|
+
'2. Set up continuous sync with local maildir',
|
|
14996
|
+
'3. Log all IMAP commands and responses',
|
|
14997
|
+
'4. Monitor for STORE commands not initiated by client',
|
|
14998
|
+
'5. Track UID changes and EXPUNGE events',
|
|
14999
|
+
],
|
|
15000
|
+
script: `#!/usr/bin/env python3
|
|
15001
|
+
"""Gmail IMAP Manipulation Monitor"""
|
|
15002
|
+
import imaplib
|
|
15003
|
+
import time
|
|
15004
|
+
import json
|
|
15005
|
+
from datetime import datetime
|
|
15006
|
+
|
|
15007
|
+
def monitor_gmail_imap(username, app_password):
|
|
15008
|
+
"""Monitor Gmail IMAP for server-side manipulation"""
|
|
15009
|
+
log = []
|
|
15010
|
+
mail = imaplib.IMAP4_SSL('imap.gmail.com')
|
|
15011
|
+
mail.login(username, app_password)
|
|
15012
|
+
mail.select('INBOX')
|
|
15013
|
+
|
|
15014
|
+
# Get initial state
|
|
15015
|
+
_, data = mail.search(None, 'ALL')
|
|
15016
|
+
initial_uids = set(data[0].split())
|
|
15017
|
+
|
|
15018
|
+
while True:
|
|
15019
|
+
mail.noop() # Keep connection alive
|
|
15020
|
+
_, data = mail.search(None, 'ALL')
|
|
15021
|
+
current_uids = set(data[0].split())
|
|
15022
|
+
|
|
15023
|
+
# Detect deletions without client action
|
|
15024
|
+
missing = initial_uids - current_uids
|
|
15025
|
+
if missing:
|
|
15026
|
+
log.append({
|
|
15027
|
+
'timestamp': datetime.now().isoformat(),
|
|
15028
|
+
'event': 'SERVER_SIDE_REMOVAL',
|
|
15029
|
+
'uids': list(missing),
|
|
15030
|
+
'evidence': 'Messages removed without client STORE/EXPUNGE'
|
|
15031
|
+
})
|
|
15032
|
+
|
|
15033
|
+
# Detect new messages
|
|
15034
|
+
new = current_uids - initial_uids
|
|
15035
|
+
if new:
|
|
15036
|
+
for uid in new:
|
|
15037
|
+
_, msg_data = mail.fetch(uid, '(BODY.PEEK[HEADER])')
|
|
15038
|
+
log.append({
|
|
15039
|
+
'timestamp': datetime.now().isoformat(),
|
|
15040
|
+
'event': 'NEW_MESSAGE',
|
|
15041
|
+
'uid': uid.decode(),
|
|
15042
|
+
'headers': msg_data[0][1].decode()[:500]
|
|
15043
|
+
})
|
|
15044
|
+
|
|
15045
|
+
initial_uids = current_uids
|
|
15046
|
+
time.sleep(5)
|
|
15047
|
+
|
|
15048
|
+
# Save evidence
|
|
15049
|
+
with open('gmail_manipulation_evidence.json', 'w') as f:
|
|
15050
|
+
json.dump(log, f, indent=2)`,
|
|
15051
|
+
},
|
|
15052
|
+
gmail_api_audit: {
|
|
15053
|
+
description: 'Use Gmail API to track server-side changes',
|
|
15054
|
+
endpoints: [
|
|
15055
|
+
'GET /gmail/v1/users/me/history - Change history',
|
|
15056
|
+
'GET /gmail/v1/users/me/messages/{id} - Message metadata',
|
|
15057
|
+
'GET /gmail/v1/users/me/threads/{id} - Thread structure',
|
|
15058
|
+
],
|
|
15059
|
+
watch_for: [
|
|
15060
|
+
'labelIds changes (INBOX removal)',
|
|
15061
|
+
'historyId gaps indicating hidden operations',
|
|
15062
|
+
'threadId reassignment',
|
|
15063
|
+
],
|
|
15064
|
+
},
|
|
15065
|
+
browser_forensics: {
|
|
15066
|
+
description: 'Detect Gmail web manipulation',
|
|
15067
|
+
locations: [
|
|
15068
|
+
'IndexedDB: chrome://indexeddb-internals/',
|
|
15069
|
+
'Service Workers: chrome://serviceworker-internals/',
|
|
15070
|
+
'Local Storage: DevTools > Application > Local Storage',
|
|
15071
|
+
'Cache Storage: DevTools > Application > Cache',
|
|
15072
|
+
],
|
|
15073
|
+
automated_detection: `// Console script to detect Gmail manipulation
|
|
15074
|
+
(function detectGmailManipulation() {
|
|
15075
|
+
const observer = new MutationObserver((mutations) => {
|
|
15076
|
+
mutations.forEach((m) => {
|
|
15077
|
+
if (m.removedNodes.length > 0) {
|
|
15078
|
+
m.removedNodes.forEach((node) => {
|
|
15079
|
+
if (node.nodeType === 1 && node.getAttribute &&
|
|
15080
|
+
(node.getAttribute('role') === 'listitem' ||
|
|
15081
|
+
node.classList?.contains('zA'))) {
|
|
15082
|
+
console.log('[EVIDENCE] Thread removed from DOM:', {
|
|
15083
|
+
timestamp: new Date().toISOString(),
|
|
15084
|
+
element: node.outerHTML?.substring(0, 200),
|
|
15085
|
+
mutation: 'REMOVAL'
|
|
15086
|
+
});
|
|
15087
|
+
}
|
|
15088
|
+
});
|
|
15089
|
+
}
|
|
15090
|
+
});
|
|
15091
|
+
});
|
|
15092
|
+
observer.observe(document.body, { childList: true, subtree: true });
|
|
15093
|
+
console.log('[*] Gmail manipulation detection active');
|
|
15094
|
+
})();`,
|
|
15095
|
+
},
|
|
15096
|
+
},
|
|
15097
|
+
legal_evidence_format: {
|
|
15098
|
+
exhibit_title: 'Evidence of Gmail Thread Manipulation',
|
|
15099
|
+
sections: [
|
|
15100
|
+
'1. Timeline of observed manipulation events',
|
|
15101
|
+
'2. IMAP logs showing server-side changes',
|
|
15102
|
+
'3. Gmail API history showing label changes',
|
|
15103
|
+
'4. Screenshots with timestamps',
|
|
15104
|
+
'5. Network captures (HAR files)',
|
|
15105
|
+
'6. Comparison of expected vs actual thread state',
|
|
15106
|
+
],
|
|
15107
|
+
integrity_proof: 'SHA-256 hash all evidence files, notarize timestamps',
|
|
15108
|
+
},
|
|
15109
|
+
};
|
|
15110
|
+
// Gmail Draft Hiding/Abuse Investigation
|
|
15111
|
+
const googleGmailDraftAbuse = {
|
|
15112
|
+
abuse_category: 'Gmail Draft Manipulation and Surveillance',
|
|
15113
|
+
description: 'Google hides drafts, launches draft windows, or manipulates draft content',
|
|
15114
|
+
observed_behaviors: {
|
|
15115
|
+
draft_hiding: {
|
|
15116
|
+
description: 'Drafts disappear from Drafts folder without user deletion',
|
|
15117
|
+
mechanisms: [
|
|
15118
|
+
'Server-side deletion/archive',
|
|
15119
|
+
'Draft ID reassignment',
|
|
15120
|
+
'Sync conflicts manufactured to lose content',
|
|
15121
|
+
'Auto-discard based on content analysis',
|
|
15122
|
+
],
|
|
15123
|
+
investigation: [
|
|
15124
|
+
'Enable offline mode to cache local draft state',
|
|
15125
|
+
'Compare local IndexedDB drafts vs server state',
|
|
15126
|
+
'Monitor Gmail API drafts.list for changes',
|
|
15127
|
+
'Track draft.id stability over time',
|
|
15128
|
+
],
|
|
15129
|
+
},
|
|
15130
|
+
draft_launching: {
|
|
15131
|
+
description: 'Compose windows open without user action',
|
|
15132
|
+
mechanisms: [
|
|
15133
|
+
'Service Worker push events',
|
|
15134
|
+
'mailto: intent handling',
|
|
15135
|
+
'Chrome extension API abuse',
|
|
15136
|
+
'URL parameter injection (?compose=new)',
|
|
15137
|
+
],
|
|
15138
|
+
evidence_collection: [
|
|
15139
|
+
'Record screen with timestamp overlay',
|
|
15140
|
+
'Monitor window.open calls in console',
|
|
15141
|
+
'Track Service Worker message events',
|
|
15142
|
+
'Log chrome.runtime messages',
|
|
15143
|
+
],
|
|
15144
|
+
},
|
|
15145
|
+
content_modification: {
|
|
15146
|
+
description: 'Draft content changes without user editing',
|
|
15147
|
+
investigation: [
|
|
15148
|
+
'Store draft content locally with timestamps',
|
|
15149
|
+
'Hash comparison on each sync',
|
|
15150
|
+
'Track "last edited" metadata vs actual changes',
|
|
15151
|
+
],
|
|
15152
|
+
},
|
|
15153
|
+
},
|
|
15154
|
+
investigation_scripts: {
|
|
15155
|
+
draft_monitor: `#!/usr/bin/env python3
|
|
15156
|
+
"""Gmail Draft Manipulation Monitor via API"""
|
|
15157
|
+
import pickle
|
|
15158
|
+
import os.path
|
|
15159
|
+
from google.auth.transport.requests import Request
|
|
15160
|
+
from google_auth_oauthlib.flow import InstalledAppFlow
|
|
15161
|
+
from googleapiclient.discovery import build
|
|
15162
|
+
import hashlib
|
|
15163
|
+
import json
|
|
15164
|
+
import time
|
|
15165
|
+
from datetime import datetime
|
|
15166
|
+
|
|
15167
|
+
SCOPES = ['https://www.googleapis.com/auth/gmail.readonly']
|
|
15168
|
+
|
|
15169
|
+
def get_gmail_service():
|
|
15170
|
+
creds = None
|
|
15171
|
+
if os.path.exists('token.pickle'):
|
|
15172
|
+
with open('token.pickle', 'rb') as token:
|
|
15173
|
+
creds = pickle.load(token)
|
|
15174
|
+
if not creds or not creds.valid:
|
|
15175
|
+
if creds and creds.expired and creds.refresh_token:
|
|
15176
|
+
creds.refresh(Request())
|
|
15177
|
+
else:
|
|
15178
|
+
flow = InstalledAppFlow.from_client_secrets_file('credentials.json', SCOPES)
|
|
15179
|
+
creds = flow.run_local_server(port=0)
|
|
15180
|
+
with open('token.pickle', 'wb') as token:
|
|
15181
|
+
pickle.dump(creds, token)
|
|
15182
|
+
return build('gmail', 'v1', credentials=creds)
|
|
15183
|
+
|
|
15184
|
+
def monitor_drafts():
|
|
15185
|
+
service = get_gmail_service()
|
|
15186
|
+
evidence = []
|
|
15187
|
+
known_drafts = {}
|
|
15188
|
+
|
|
15189
|
+
while True:
|
|
15190
|
+
results = service.users().drafts().list(userId='me').execute()
|
|
15191
|
+
drafts = results.get('drafts', [])
|
|
15192
|
+
|
|
15193
|
+
current_ids = {d['id'] for d in drafts}
|
|
15194
|
+
known_ids = set(known_drafts.keys())
|
|
15195
|
+
|
|
15196
|
+
# Detect disappeared drafts
|
|
15197
|
+
missing = known_ids - current_ids
|
|
15198
|
+
for draft_id in missing:
|
|
15199
|
+
evidence.append({
|
|
15200
|
+
'timestamp': datetime.now().isoformat(),
|
|
15201
|
+
'event': 'DRAFT_DISAPPEARED',
|
|
15202
|
+
'draft_id': draft_id,
|
|
15203
|
+
'last_known_content_hash': known_drafts[draft_id]['hash'],
|
|
15204
|
+
'evidence': 'Draft removed without user action'
|
|
15205
|
+
})
|
|
15206
|
+
|
|
15207
|
+
# Update known drafts and detect content changes
|
|
15208
|
+
for draft in drafts:
|
|
15209
|
+
draft_id = draft['id']
|
|
15210
|
+
full_draft = service.users().drafts().get(userId='me', id=draft_id).execute()
|
|
15211
|
+
content = json.dumps(full_draft['message'], sort_keys=True)
|
|
15212
|
+
content_hash = hashlib.sha256(content.encode()).hexdigest()
|
|
15213
|
+
|
|
15214
|
+
if draft_id in known_drafts:
|
|
15215
|
+
if known_drafts[draft_id]['hash'] != content_hash:
|
|
15216
|
+
evidence.append({
|
|
15217
|
+
'timestamp': datetime.now().isoformat(),
|
|
15218
|
+
'event': 'DRAFT_CONTENT_CHANGED',
|
|
15219
|
+
'draft_id': draft_id,
|
|
15220
|
+
'old_hash': known_drafts[draft_id]['hash'],
|
|
15221
|
+
'new_hash': content_hash,
|
|
15222
|
+
'evidence': 'Draft content modified without user edit'
|
|
15223
|
+
})
|
|
15224
|
+
|
|
15225
|
+
known_drafts[draft_id] = {'hash': content_hash, 'seen': datetime.now().isoformat()}
|
|
15226
|
+
|
|
15227
|
+
with open('gmail_draft_evidence.json', 'w') as f:
|
|
15228
|
+
json.dump(evidence, f, indent=2)
|
|
15229
|
+
|
|
15230
|
+
time.sleep(10)`,
|
|
15231
|
+
browser_draft_monitor: `// Console script to monitor Gmail draft manipulation
|
|
15232
|
+
(function monitorGmailDrafts() {
|
|
15233
|
+
let knownDrafts = new Map();
|
|
15234
|
+
|
|
15235
|
+
// Monitor compose window creation
|
|
15236
|
+
const originalOpen = window.open;
|
|
15237
|
+
window.open = function(...args) {
|
|
15238
|
+
console.log('[EVIDENCE] window.open called:', {
|
|
15239
|
+
timestamp: new Date().toISOString(),
|
|
15240
|
+
args: args,
|
|
15241
|
+
stack: new Error().stack
|
|
15242
|
+
});
|
|
15243
|
+
return originalOpen.apply(this, args);
|
|
15244
|
+
};
|
|
15245
|
+
|
|
15246
|
+
// Monitor IndexedDB draft operations
|
|
15247
|
+
const originalIDBOpen = indexedDB.open;
|
|
15248
|
+
indexedDB.open = function(name, ...args) {
|
|
15249
|
+
const request = originalIDBOpen.call(this, name, ...args);
|
|
15250
|
+
if (name.includes('mail') || name.includes('draft')) {
|
|
15251
|
+
request.onsuccess = function(e) {
|
|
15252
|
+
console.log('[EVIDENCE] IndexedDB opened:', name);
|
|
15253
|
+
};
|
|
15254
|
+
}
|
|
15255
|
+
return request;
|
|
15256
|
+
};
|
|
15257
|
+
|
|
15258
|
+
// Monitor for compose DOM elements appearing
|
|
15259
|
+
const observer = new MutationObserver((mutations) => {
|
|
15260
|
+
mutations.forEach((m) => {
|
|
15261
|
+
m.addedNodes.forEach((node) => {
|
|
15262
|
+
if (node.nodeType === 1) {
|
|
15263
|
+
if (node.querySelector?.('[role="dialog"]') ||
|
|
15264
|
+
node.classList?.contains('AD') ||
|
|
15265
|
+
node.getAttribute?.('role') === 'dialog') {
|
|
15266
|
+
console.log('[EVIDENCE] Compose dialog appeared:', {
|
|
15267
|
+
timestamp: new Date().toISOString(),
|
|
15268
|
+
triggered_by: 'DOM_MUTATION',
|
|
15269
|
+
element: node.outerHTML?.substring(0, 300)
|
|
15270
|
+
});
|
|
15271
|
+
}
|
|
15272
|
+
}
|
|
15273
|
+
});
|
|
15274
|
+
});
|
|
15275
|
+
});
|
|
15276
|
+
observer.observe(document.body, { childList: true, subtree: true });
|
|
15277
|
+
|
|
15278
|
+
console.log('[*] Gmail draft manipulation monitoring active');
|
|
15279
|
+
})();`,
|
|
15280
|
+
},
|
|
15281
|
+
legal_evidence_format: {
|
|
15282
|
+
exhibit_title: 'Evidence of Gmail Draft Manipulation',
|
|
15283
|
+
sections: [
|
|
15284
|
+
'1. Draft disappearance timeline with API logs',
|
|
15285
|
+
'2. Content hash comparisons showing server-side changes',
|
|
15286
|
+
'3. Screenshots of unexpected compose windows',
|
|
15287
|
+
'4. Service Worker event logs',
|
|
15288
|
+
'5. IndexedDB state comparison',
|
|
15289
|
+
],
|
|
15290
|
+
},
|
|
15291
|
+
};
|
|
15292
|
+
// Chrome Browser Hijacking Investigation
|
|
15293
|
+
const googleChromeHijacking = {
|
|
15294
|
+
abuse_category: 'Chrome Browser Hijacking and Unauthorized Launch',
|
|
15295
|
+
description: 'Google launches Chrome browsers, tabs, or windows without user consent',
|
|
15296
|
+
observed_behaviors: {
|
|
15297
|
+
unauthorized_browser_launch: {
|
|
15298
|
+
description: 'Chrome launches or opens tabs without user action',
|
|
15299
|
+
mechanisms: [
|
|
15300
|
+
'Chrome autostart via login items/registry',
|
|
15301
|
+
'Background mode keeps Chrome running invisibly',
|
|
15302
|
+
'Update service triggers browser open',
|
|
15303
|
+
'Protocol handler hijacking (http/https/mailto)',
|
|
15304
|
+
'OS notification click handlers',
|
|
15305
|
+
],
|
|
15306
|
+
investigation: {
|
|
15307
|
+
macos: [
|
|
15308
|
+
'Check ~/Library/LaunchAgents/ for Chrome entries',
|
|
15309
|
+
'Check /Library/LaunchDaemons/ for Google entries',
|
|
15310
|
+
'lsregister -dump | grep -i chrome (URL handlers)',
|
|
15311
|
+
'ps aux | grep -i chrome (background processes)',
|
|
15312
|
+
'Monitor /Applications/Google Chrome.app/Contents/MacOS/',
|
|
15313
|
+
],
|
|
15314
|
+
windows: [
|
|
15315
|
+
'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
|
|
15316
|
+
'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
|
|
15317
|
+
'Task Scheduler: Google Update tasks',
|
|
15318
|
+
'Services: GoogleUpdate, gupdate, gupdatem',
|
|
15319
|
+
'HKCR\\http\\shell\\open\\command (protocol handler)',
|
|
15320
|
+
],
|
|
15321
|
+
linux: [
|
|
15322
|
+
'~/.config/autostart/*.desktop',
|
|
15323
|
+
'/etc/xdg/autostart/*.desktop',
|
|
15324
|
+
'systemctl --user list-units | grep -i chrome',
|
|
15325
|
+
'xdg-mime query default x-scheme-handler/http',
|
|
15326
|
+
],
|
|
15327
|
+
},
|
|
15328
|
+
},
|
|
15329
|
+
tab_injection: {
|
|
15330
|
+
description: 'New tabs open in existing Chrome sessions',
|
|
15331
|
+
mechanisms: [
|
|
15332
|
+
'chrome.tabs.create API from extensions',
|
|
15333
|
+
'Service Worker navigation events',
|
|
15334
|
+
'window.open from Gmail/Docs scripts',
|
|
15335
|
+
'Push notification click handlers',
|
|
15336
|
+
],
|
|
15337
|
+
detection: `// Detect unauthorized tab creation
|
|
15338
|
+
chrome.tabs.onCreated.addListener((tab) => {
|
|
15339
|
+
console.log('[EVIDENCE] Tab created:', {
|
|
15340
|
+
timestamp: new Date().toISOString(),
|
|
15341
|
+
tabId: tab.id,
|
|
15342
|
+
url: tab.pendingUrl || tab.url,
|
|
15343
|
+
openerTabId: tab.openerTabId,
|
|
15344
|
+
evidence: 'New tab created - check if user-initiated'
|
|
15345
|
+
});
|
|
15346
|
+
});`,
|
|
15347
|
+
},
|
|
15348
|
+
browser_focus_stealing: {
|
|
15349
|
+
description: 'Chrome steals focus from other applications',
|
|
15350
|
+
investigation: [
|
|
15351
|
+
'Monitor active window changes',
|
|
15352
|
+
'Log focus events with timestamps',
|
|
15353
|
+
'Correlate with Chrome process activity',
|
|
15354
|
+
],
|
|
15355
|
+
macos_script: `#!/bin/bash
|
|
15356
|
+
# Monitor focus stealing on macOS
|
|
15357
|
+
while true; do
|
|
15358
|
+
app=$(osascript -e 'tell application "System Events" to get name of first application process whose frontmost is true')
|
|
15359
|
+
if [[ "$app" == "Google Chrome" ]]; then
|
|
15360
|
+
echo "[$(date -Iseconds)] Chrome gained focus"
|
|
15361
|
+
# Check if it was user-initiated or automated
|
|
15362
|
+
lsappinfo info -only ASN "Google Chrome" >> chrome_focus_log.txt
|
|
15363
|
+
fi
|
|
15364
|
+
sleep 0.5
|
|
15365
|
+
done`,
|
|
15366
|
+
},
|
|
15367
|
+
session_hijacking: {
|
|
15368
|
+
description: 'Chrome uses stored sessions without permission',
|
|
15369
|
+
investigation: [
|
|
15370
|
+
'Monitor cookie changes in Chrome profile',
|
|
15371
|
+
'Track localStorage across sites',
|
|
15372
|
+
'Compare synced vs local session state',
|
|
15373
|
+
'Audit credential manager access',
|
|
15374
|
+
],
|
|
15375
|
+
locations: {
|
|
15376
|
+
macos: '~/Library/Application Support/Google/Chrome/Default/',
|
|
15377
|
+
windows: '%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\',
|
|
15378
|
+
linux: '~/.config/google-chrome/Default/',
|
|
15379
|
+
},
|
|
15380
|
+
files_to_monitor: [
|
|
15381
|
+
'Cookies - SQLite database of session cookies',
|
|
15382
|
+
'Login Data - Saved passwords (encrypted)',
|
|
15383
|
+
'Web Data - Autofill data',
|
|
15384
|
+
'History - Browsing history',
|
|
15385
|
+
'Preferences - JSON config including sync settings',
|
|
15386
|
+
],
|
|
15387
|
+
},
|
|
15388
|
+
},
|
|
15389
|
+
investigation_methodology: {
|
|
15390
|
+
process_monitoring: {
|
|
15391
|
+
macos: `#!/bin/bash
|
|
15392
|
+
# Monitor Chrome process launches
|
|
15393
|
+
log stream --predicate 'processImagePath contains "Chrome"' --style compact > chrome_launches.log &
|
|
15394
|
+
|
|
15395
|
+
# Monitor with dtrace (requires SIP disabled)
|
|
15396
|
+
sudo dtrace -n 'proc:::exec-success /execname == "Google Chrome"/ { printf("%Y %s %d\\n", walltimestamp, execname, pid); }' 2>/dev/null`,
|
|
15397
|
+
windows: `# PowerShell Chrome process monitor
|
|
15398
|
+
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4688} |
|
|
15399
|
+
Where-Object { $_.Properties[5].Value -like '*chrome*' } |
|
|
15400
|
+
Select-Object TimeCreated, @{N='Process';E={$_.Properties[5].Value}}`,
|
|
15401
|
+
linux: `#!/bin/bash
|
|
15402
|
+
# Monitor Chrome launches with audit
|
|
15403
|
+
auditctl -w /opt/google/chrome/chrome -p x -k chrome_exec
|
|
15404
|
+
ausearch -k chrome_exec --format text`,
|
|
15405
|
+
},
|
|
15406
|
+
network_monitoring: {
|
|
15407
|
+
description: 'Monitor Chrome network activity for unauthorized requests',
|
|
15408
|
+
tools: [
|
|
15409
|
+
'mitmproxy - HTTPS interception',
|
|
15410
|
+
'Wireshark - Packet capture',
|
|
15411
|
+
'Chrome DevTools Network tab',
|
|
15412
|
+
'charles proxy',
|
|
15413
|
+
],
|
|
15414
|
+
suspicious_endpoints: [
|
|
15415
|
+
'clients.google.com - Update/telemetry',
|
|
15416
|
+
'www.google.com/complete - Omnibox suggestions',
|
|
15417
|
+
'safebrowsing.googleapis.com - Safe browsing',
|
|
15418
|
+
'accounts.google.com - Auth/session',
|
|
15419
|
+
'chromesync-pa.googleapis.com - Sync',
|
|
15420
|
+
],
|
|
15421
|
+
},
|
|
15422
|
+
extension_audit: {
|
|
15423
|
+
description: 'Audit extensions for hijacking capabilities',
|
|
15424
|
+
check_permissions: [
|
|
15425
|
+
'tabs - Can create/modify tabs',
|
|
15426
|
+
'webNavigation - Can intercept navigation',
|
|
15427
|
+
'webRequest - Can intercept all requests',
|
|
15428
|
+
'background - Can run persistently',
|
|
15429
|
+
'notifications - Can create OS notifications',
|
|
15430
|
+
],
|
|
15431
|
+
audit_script: `// List extension permissions
|
|
15432
|
+
chrome.management.getAll((extensions) => {
|
|
15433
|
+
extensions.forEach((ext) => {
|
|
15434
|
+
console.log({
|
|
15435
|
+
name: ext.name,
|
|
15436
|
+
id: ext.id,
|
|
15437
|
+
permissions: ext.permissions,
|
|
15438
|
+
hostPermissions: ext.hostPermissions,
|
|
15439
|
+
enabled: ext.enabled
|
|
15440
|
+
});
|
|
15441
|
+
});
|
|
15442
|
+
});`,
|
|
15443
|
+
},
|
|
15444
|
+
},
|
|
15445
|
+
evidence_collection: {
|
|
15446
|
+
process_logs: 'Chrome launch timestamps with parent process',
|
|
15447
|
+
network_captures: 'HAR files of unauthorized requests',
|
|
15448
|
+
registry_snapshots: 'Before/after Chrome installation',
|
|
15449
|
+
focus_events: 'Timeline of Chrome focus acquisition',
|
|
15450
|
+
extension_manifest: 'Permissions of all installed extensions',
|
|
15451
|
+
},
|
|
15452
|
+
legal_evidence_format: {
|
|
15453
|
+
exhibit_title: 'Evidence of Chrome Browser Hijacking',
|
|
15454
|
+
sections: [
|
|
15455
|
+
'1. Unauthorized browser launch events with timestamps',
|
|
15456
|
+
'2. Protocol handler registration without consent',
|
|
15457
|
+
'3. Background process activity',
|
|
15458
|
+
'4. Tab creation without user action',
|
|
15459
|
+
'5. Focus stealing incidents',
|
|
15460
|
+
'6. Extension permission abuse',
|
|
15461
|
+
],
|
|
15462
|
+
},
|
|
15463
|
+
};
|
|
15464
|
+
// Unified Google Abuse Investigation Orchestrator
|
|
15465
|
+
const googleUnifiedAbuseInvestigation = {
|
|
15466
|
+
orchestrator_name: 'Google Unified Abuse Investigation Framework',
|
|
15467
|
+
description: 'Comprehensive investigation of Google\'s coordinated abuse across Gmail, Chrome, and system-level components',
|
|
15468
|
+
investigation_phases: {
|
|
15469
|
+
phase_1_reconnaissance: {
|
|
15470
|
+
name: 'System Reconnaissance',
|
|
15471
|
+
duration: 'Initial setup',
|
|
15472
|
+
tasks: [
|
|
15473
|
+
'Document all Google software installed',
|
|
15474
|
+
'Enumerate Google-related processes',
|
|
15475
|
+
'List Google-registered protocol handlers',
|
|
15476
|
+
'Capture baseline system state',
|
|
15477
|
+
'Set up monitoring infrastructure',
|
|
15478
|
+
],
|
|
15479
|
+
automation: `#!/bin/bash
|
|
15480
|
+
# Google Abuse Investigation - Phase 1: Reconnaissance
|
|
15481
|
+
echo "=== GOOGLE ABUSE INVESTIGATION - SYSTEM RECONNAISSANCE ==="
|
|
15482
|
+
echo "Timestamp: $(date -Iseconds)"
|
|
15483
|
+
echo ""
|
|
15484
|
+
|
|
15485
|
+
echo "=== Installed Google Software ==="
|
|
15486
|
+
if [[ "$OSTYPE" == "darwin"* ]]; then
|
|
15487
|
+
ls -la /Applications/ | grep -i google
|
|
15488
|
+
mdfind "kMDItemCFBundleIdentifier == 'com.google.*'"
|
|
15489
|
+
elif [[ "$OSTYPE" == "linux"* ]]; then
|
|
15490
|
+
dpkg -l | grep -i google
|
|
15491
|
+
rpm -qa | grep -i google 2>/dev/null
|
|
15492
|
+
find /opt -name "*google*" -o -name "*chrome*" 2>/dev/null
|
|
15493
|
+
fi
|
|
15494
|
+
|
|
15495
|
+
echo ""
|
|
15496
|
+
echo "=== Running Google Processes ==="
|
|
15497
|
+
ps aux | grep -i google | grep -v grep
|
|
15498
|
+
|
|
15499
|
+
echo ""
|
|
15500
|
+
echo "=== Google Protocol Handlers ==="
|
|
15501
|
+
if [[ "$OSTYPE" == "darwin"* ]]; then
|
|
15502
|
+
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep -A5 -i "google\\|chrome"
|
|
15503
|
+
fi
|
|
15504
|
+
|
|
15505
|
+
echo ""
|
|
15506
|
+
echo "=== Google LaunchAgents/Daemons ==="
|
|
15507
|
+
ls -la ~/Library/LaunchAgents/ 2>/dev/null | grep -i google
|
|
15508
|
+
ls -la /Library/LaunchDaemons/ 2>/dev/null | grep -i google
|
|
15509
|
+
|
|
15510
|
+
echo ""
|
|
15511
|
+
echo "=== Google Login Items ==="
|
|
15512
|
+
osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null | tr ',' '\\n' | grep -i google`,
|
|
15513
|
+
},
|
|
15514
|
+
phase_2_gmail_monitoring: {
|
|
15515
|
+
name: 'Gmail Manipulation Monitoring',
|
|
15516
|
+
duration: 'Continuous (7-30 days recommended)',
|
|
15517
|
+
tasks: [
|
|
15518
|
+
'Deploy IMAP sync monitoring',
|
|
15519
|
+
'Install Gmail API change tracking',
|
|
15520
|
+
'Set up browser draft monitoring',
|
|
15521
|
+
'Configure email header analysis',
|
|
15522
|
+
],
|
|
15523
|
+
key_evidence: [
|
|
15524
|
+
'Thread hiding events without user action',
|
|
15525
|
+
'Draft disappearance/modification',
|
|
15526
|
+
'Message delay analysis',
|
|
15527
|
+
'Label manipulation logs',
|
|
15528
|
+
],
|
|
15529
|
+
},
|
|
15530
|
+
phase_3_chrome_monitoring: {
|
|
15531
|
+
name: 'Chrome Hijacking Monitoring',
|
|
15532
|
+
duration: 'Continuous (7-30 days recommended)',
|
|
15533
|
+
tasks: [
|
|
15534
|
+
'Deploy process launch monitoring',
|
|
15535
|
+
'Set up focus event tracking',
|
|
15536
|
+
'Install tab creation monitoring extension',
|
|
15537
|
+
'Configure network capture for Chrome traffic',
|
|
15538
|
+
],
|
|
15539
|
+
key_evidence: [
|
|
15540
|
+
'Unauthorized browser launches',
|
|
15541
|
+
'Tab creation without user action',
|
|
15542
|
+
'Focus stealing incidents',
|
|
15543
|
+
'Background process activity',
|
|
15544
|
+
],
|
|
15545
|
+
},
|
|
15546
|
+
phase_4_correlation: {
|
|
15547
|
+
name: 'Cross-Product Correlation Analysis',
|
|
15548
|
+
duration: 'After sufficient data collection',
|
|
15549
|
+
tasks: [
|
|
15550
|
+
'Correlate Gmail events with Chrome activity',
|
|
15551
|
+
'Identify patterns of coordinated abuse',
|
|
15552
|
+
'Timeline reconstruction of incidents',
|
|
15553
|
+
'Establish causation chains',
|
|
15554
|
+
],
|
|
15555
|
+
analysis_queries: [
|
|
15556
|
+
'Gmail thread hidden → Chrome tab opened (same thread)?',
|
|
15557
|
+
'Draft modified → Browser launched?',
|
|
15558
|
+
'Email received → Chrome notification → Focus stolen?',
|
|
15559
|
+
'Time correlation between Google service events',
|
|
15560
|
+
],
|
|
15561
|
+
},
|
|
15562
|
+
phase_5_evidence_packaging: {
|
|
15563
|
+
name: 'Legal Evidence Preparation',
|
|
15564
|
+
duration: 'Final phase',
|
|
15565
|
+
tasks: [
|
|
15566
|
+
'Compile all evidence with integrity proofs',
|
|
15567
|
+
'Generate timeline visualization',
|
|
15568
|
+
'Create legal exhibits',
|
|
15569
|
+
'Prepare technical declaration',
|
|
15570
|
+
'Document chain of custody',
|
|
15571
|
+
],
|
|
15572
|
+
output_files: [
|
|
15573
|
+
'evidence_timeline.json - Timestamped events',
|
|
15574
|
+
'gmail_manipulation_evidence.json - Gmail-specific',
|
|
15575
|
+
'chrome_hijacking_evidence.json - Chrome-specific',
|
|
15576
|
+
'correlation_analysis.json - Cross-product patterns',
|
|
15577
|
+
'legal_exhibits/ - Court-ready documents',
|
|
15578
|
+
'integrity_hashes.txt - SHA-256 of all evidence',
|
|
15579
|
+
],
|
|
15580
|
+
},
|
|
15581
|
+
},
|
|
15582
|
+
master_monitoring_script: `#!/bin/bash
|
|
15583
|
+
# Google Unified Abuse Investigation - Master Monitor
|
|
15584
|
+
# Run this script to start all monitoring components
|
|
15585
|
+
|
|
15586
|
+
LOG_DIR="$HOME/google_abuse_investigation/$(date +%Y%m%d_%H%M%S)"
|
|
15587
|
+
mkdir -p "$LOG_DIR"
|
|
15588
|
+
|
|
15589
|
+
echo "Starting Google Abuse Investigation"
|
|
15590
|
+
echo "Evidence directory: $LOG_DIR"
|
|
15591
|
+
echo "Start time: $(date -Iseconds)" | tee "$LOG_DIR/investigation_log.txt"
|
|
15592
|
+
|
|
15593
|
+
# Phase 1: Reconnaissance
|
|
15594
|
+
echo "=== Phase 1: System Reconnaissance ===" | tee -a "$LOG_DIR/investigation_log.txt"
|
|
15595
|
+
./phase1_recon.sh > "$LOG_DIR/reconnaissance.txt" 2>&1
|
|
15596
|
+
|
|
15597
|
+
# Start continuous monitors in background
|
|
15598
|
+
echo "=== Starting Continuous Monitors ===" | tee -a "$LOG_DIR/investigation_log.txt"
|
|
15599
|
+
|
|
15600
|
+
# Gmail IMAP monitor (requires credentials setup)
|
|
15601
|
+
python3 gmail_imap_monitor.py > "$LOG_DIR/imap_monitor.log" 2>&1 &
|
|
15602
|
+
echo "IMAP monitor PID: $!" >> "$LOG_DIR/pids.txt"
|
|
15603
|
+
|
|
15604
|
+
# Gmail API monitor (requires OAuth setup)
|
|
15605
|
+
python3 gmail_api_monitor.py > "$LOG_DIR/api_monitor.log" 2>&1 &
|
|
15606
|
+
echo "API monitor PID: $!" >> "$LOG_DIR/pids.txt"
|
|
15607
|
+
|
|
15608
|
+
# Chrome process monitor
|
|
15609
|
+
./chrome_process_monitor.sh > "$LOG_DIR/chrome_processes.log" 2>&1 &
|
|
15610
|
+
echo "Chrome process monitor PID: $!" >> "$LOG_DIR/pids.txt"
|
|
15611
|
+
|
|
15612
|
+
# Focus event monitor
|
|
15613
|
+
./focus_monitor.sh > "$LOG_DIR/focus_events.log" 2>&1 &
|
|
15614
|
+
echo "Focus monitor PID: $!" >> "$LOG_DIR/pids.txt"
|
|
15615
|
+
|
|
15616
|
+
# Network capture (requires root)
|
|
15617
|
+
if [[ $EUID -eq 0 ]]; then
|
|
15618
|
+
tcpdump -i any -w "$LOG_DIR/network_capture.pcap" 'host clients.google.com or host mail.google.com' &
|
|
15619
|
+
echo "Network capture PID: $!" >> "$LOG_DIR/pids.txt"
|
|
15620
|
+
fi
|
|
15621
|
+
|
|
15622
|
+
echo ""
|
|
15623
|
+
echo "Investigation started. Monitors running in background."
|
|
15624
|
+
echo "Evidence will be collected in: $LOG_DIR"
|
|
15625
|
+
echo "To stop: kill \$(cat $LOG_DIR/pids.txt)"
|
|
15626
|
+
echo ""
|
|
15627
|
+
echo "IMPORTANT: Also install browser extensions for Gmail/Chrome monitoring"
|
|
15628
|
+
echo "See investigation docs for browser-side setup."`,
|
|
15629
|
+
legal_framework: {
|
|
15630
|
+
applicable_laws: [
|
|
15631
|
+
'Computer Fraud and Abuse Act (CFAA) - Unauthorized access',
|
|
15632
|
+
'Electronic Communications Privacy Act (ECPA) - Email interception',
|
|
15633
|
+
'FTC Act Section 5 - Deceptive practices',
|
|
15634
|
+
'California UCL - Unlawful business practices',
|
|
15635
|
+
'CCPA - Privacy violations',
|
|
15636
|
+
'State computer crime laws',
|
|
15637
|
+
],
|
|
15638
|
+
cause_of_action: [
|
|
15639
|
+
'Breach of user agreement (selective enforcement)',
|
|
15640
|
+
'Tortious interference with communications',
|
|
15641
|
+
'Invasion of privacy',
|
|
15642
|
+
'Unfair competition',
|
|
15643
|
+
'Consumer fraud',
|
|
15644
|
+
],
|
|
15645
|
+
regulatory_complaints: [
|
|
15646
|
+
'FTC Consumer Protection Bureau',
|
|
15647
|
+
'State Attorney General Consumer Protection',
|
|
15648
|
+
'FCC (for communication interference)',
|
|
15649
|
+
'EU DPA (for GDPR violations if applicable)',
|
|
15650
|
+
],
|
|
15651
|
+
},
|
|
15652
|
+
success_metrics: {
|
|
15653
|
+
evidence_quality: [
|
|
15654
|
+
'Reproducible manipulation events',
|
|
15655
|
+
'Timestamped with integrity proofs',
|
|
15656
|
+
'Multiple independent evidence sources',
|
|
15657
|
+
'Clear causation documentation',
|
|
15658
|
+
],
|
|
15659
|
+
documentation_completeness: [
|
|
15660
|
+
'All phases completed',
|
|
15661
|
+
'Cross-product correlation established',
|
|
15662
|
+
'Legal exhibits prepared',
|
|
15663
|
+
'Chain of custody maintained',
|
|
15664
|
+
],
|
|
15665
|
+
},
|
|
15666
|
+
};
|
|
14941
15667
|
const fridaScripts = {
|
|
14942
15668
|
imessage_plaintext: `/**
|
|
14943
15669
|
* Frida script: iMessage Plaintext Capture
|
|
@@ -15254,12 +15980,55 @@ if (ObjC.available) {
|
|
|
15254
15980
|
case 'google_gmail_scanning':
|
|
15255
15981
|
result = googleGmailScanning;
|
|
15256
15982
|
break;
|
|
15983
|
+
case 'google_gmail_thread_manipulation':
|
|
15984
|
+
result = googleGmailThreadManipulation;
|
|
15985
|
+
break;
|
|
15986
|
+
case 'google_gmail_draft_abuse':
|
|
15987
|
+
result = googleGmailDraftAbuse;
|
|
15988
|
+
break;
|
|
15257
15989
|
case 'google_chrome_telemetry':
|
|
15258
15990
|
result = googleChromeTelemetry;
|
|
15259
15991
|
break;
|
|
15992
|
+
case 'google_chrome_hijacking':
|
|
15993
|
+
result = googleChromeHijacking;
|
|
15994
|
+
break;
|
|
15995
|
+
case 'google_browser_launch_abuse':
|
|
15996
|
+
result = {
|
|
15997
|
+
...googleChromeHijacking,
|
|
15998
|
+
focus: 'Browser Launch Abuse Investigation',
|
|
15999
|
+
quick_start: {
|
|
16000
|
+
macos: [
|
|
16001
|
+
'1. Open Activity Monitor, filter for "Google" or "Chrome"',
|
|
16002
|
+
'2. Run: ps aux | grep -i chrome > chrome_baseline.txt',
|
|
16003
|
+
'3. Monitor: log stream --predicate \'processImagePath contains "Chrome"\'',
|
|
16004
|
+
'4. Check login items: osascript -e \'tell app "System Events" to get login items\'',
|
|
16005
|
+
],
|
|
16006
|
+
windows: [
|
|
16007
|
+
'1. Open Task Manager, look for Chrome processes',
|
|
16008
|
+
'2. Run: Get-Process | Where-Object {$_.Name -like "*chrome*"}',
|
|
16009
|
+
'3. Check startup: Get-CimInstance Win32_StartupCommand',
|
|
16010
|
+
'4. Check scheduled tasks: Get-ScheduledTask | Where-Object {$_.TaskName -like "*Google*"}',
|
|
16011
|
+
],
|
|
16012
|
+
browser_console: [
|
|
16013
|
+
'Monitor tab creation in background page:',
|
|
16014
|
+
'chrome.tabs.onCreated.addListener((t) => console.log("Tab created:", t))',
|
|
16015
|
+
],
|
|
16016
|
+
},
|
|
16017
|
+
evidence_to_collect: [
|
|
16018
|
+
'Process launch timestamps without user action',
|
|
16019
|
+
'Parent process of Chrome (should be user shell, not system)',
|
|
16020
|
+
'Protocol handler registrations',
|
|
16021
|
+
'Background mode status',
|
|
16022
|
+
'Screenshots of unexpected browser appearances',
|
|
16023
|
+
],
|
|
16024
|
+
};
|
|
16025
|
+
break;
|
|
15260
16026
|
case 'google_android_tracking':
|
|
15261
16027
|
result = googleAndroidTracking;
|
|
15262
16028
|
break;
|
|
16029
|
+
case 'google_unified_abuse_investigation':
|
|
16030
|
+
result = googleUnifiedAbuseInvestigation;
|
|
16031
|
+
break;
|
|
15263
16032
|
case 'google_play_services':
|
|
15264
16033
|
result = {
|
|
15265
16034
|
investigation: 'Google Play Services Data Collection',
|
|
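Review bot: The new `google_browser_launch_abuse` case inlines a roughly thirty-line object literal into the switch, while every sibling case (`google_gmail_draft_abuse`, `google_chrome_hijacking`, `google_unified_abuse_investigation`) just assigns a module-level constant; hoisting it to `const googleBrowserLaunchAbuse = { ...googleChromeHijacking, focus: 'Browser Launch Abuse Investigation', /* quick_start, evidence_to_collect */ };` beside the other definitions and reducing the case to `result = googleBrowserLaunchAbuse;` keeps the dispatch uniform and lets `full_google_report` include it the same way it includes the others. The spread also places `focus`, `quick_start` and `evidence_to_collect` after `...googleChromeHijacking`, so any same-named keys on that object are silently replaced; that is presumably intended, but a comment such as `// later keys override any quick_start/evidence_to_collect carried by googleChromeHijacking` would make the precedence explicit. The enclosing function and its switch statement both begin and end outside this hunk.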
@@ -15363,26 +16132,43 @@ if (ObjC.available) {
|
|
|
15363
16132
|
break;
|
|
15364
16133
|
case 'full_google_report':
|
|
15365
16134
|
result = {
|
|
15366
|
-
report_title: 'Google Privacy Violations - Investigation Report',
|
|
15367
|
-
executive_summary: 'Google\'s privacy practices contradict their public claims. Gmail
|
|
16135
|
+
report_title: 'Google Privacy Violations and Abuse - Comprehensive Investigation Report',
|
|
16136
|
+
executive_summary: 'Google\'s privacy practices contradict their public claims. Gmail manipulates threads and drafts without user consent, Chrome launches and takes control of browsers without authorization, email content is analyzed beyond disclosed purposes, and Android tracking persists despite privacy settings.',
|
|
15368
16137
|
sections: {
|
|
15369
16138
|
gmail_scanning: googleGmailScanning,
|
|
16139
|
+
gmail_thread_manipulation: googleGmailThreadManipulation,
|
|
16140
|
+
gmail_draft_abuse: googleGmailDraftAbuse,
|
|
15370
16141
|
chrome_telemetry: googleChromeTelemetry,
|
|
16142
|
+
chrome_hijacking: googleChromeHijacking,
|
|
15371
16143
|
android_tracking: googleAndroidTracking,
|
|
16144
|
+
unified_investigation: googleUnifiedAbuseInvestigation,
|
|
15372
16145
|
},
|
|
15373
16146
|
recommendations: [
|
|
15374
16147
|
'File FTC complaint documenting undisclosed data collection',
|
|
15375
|
-
'Submit ECPA complaint for email scanning',
|
|
16148
|
+
'Submit ECPA complaint for email scanning and manipulation',
|
|
15376
16149
|
'Document ad targeting correlation with email content',
|
|
15377
16150
|
'Test location tracking with all settings disabled',
|
|
16151
|
+
'Deploy unified monitoring to capture coordinated abuse',
|
|
16152
|
+
'Document browser hijacking with process monitoring',
|
|
16153
|
+
'Collect IMAP/API logs for Gmail manipulation evidence',
|
|
15378
16154
|
],
|
|
16155
|
+
quick_start_investigation: {
|
|
16156
|
+
step_1: 'Run google_unified_abuse_investigation action for complete framework',
|
|
16157
|
+
step_2: 'Deploy IMAP monitor for Gmail thread/draft manipulation',
|
|
16158
|
+
step_3: 'Set up Chrome process monitoring',
|
|
16159
|
+
step_4: 'Install browser console scripts for real-time detection',
|
|
16160
|
+
step_5: 'Collect evidence for 7-30 days',
|
|
16161
|
+
step_6: 'Correlate events and prepare legal exhibits',
|
|
16162
|
+
},
|
|
15379
16163
|
};
|
|
15380
16164
|
break;
|
|
15381
16165
|
default:
|
|
15382
16166
|
result = { error: 'Unknown action', available_actions: [
|
|
15383
16167
|
'apple_pq3_analysis', 'apple_mdm_investigation', 'apple_clipboard_exposure',
|
|
15384
16168
|
'apple_backup_keys', 'apple_siri_plaintext', 'google_gmail_scanning',
|
|
15385
|
-
'
|
|
16169
|
+
'google_gmail_thread_manipulation', 'google_gmail_draft_abuse',
|
|
16170
|
+
'google_chrome_telemetry', 'google_chrome_hijacking', 'google_browser_launch_abuse',
|
|
16171
|
+
'google_android_tracking', 'google_play_services', 'google_unified_abuse_investigation',
|
|
15386
16172
|
'generate_frida_scripts', 'generate_mdm_profile', 'generate_legal_exhibit',
|
|
15387
16173
|
'full_apple_report', 'full_google_report',
|
|
15388
16174
|
] };
|