mvt-project / mvt

MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.
https://mvt.re

Non bundle_id is Normal? #103

Closed duaibeom-zz closed 3 years ago

duaibeom-zz commented 3 years ago

I found some weird cases on my iPhone.

# Weird case.
None_bundle_id.log-3rd_All/datausage.json-  {
None_bundle_id.log-3rd_All/datausage.json-    "first_isodate": "2021-07-21 12:02:43.296494",
None_bundle_id.log-3rd_All/datausage.json-    "isodate": "2021-07-22 10:37:39.467761",
None_bundle_id.log-3rd_All/datausage.json-    "proc_name": "com.apple.Diagno",
None_bundle_id.log:3rd_All/datausage.json:    "bundle_id": "",
None_bundle_id.log-3rd_All/datausage.json-    "proc_id": 42,
None_bundle_id.log-3rd_All/datausage.json-    "wifi_in": 0.0,
None_bundle_id.log-3rd_All/datausage.json-    "wifi_out": 0.0,
None_bundle_id.log-3rd_All/datausage.json-    "wwan_in": 59273.0,
None_bundle_id.log-3rd_All/datausage.json-    "wwan_out": 23519.0,
None_bundle_id.log-3rd_All/datausage.json-    "live_id": 9,
None_bundle_id.log-3rd_All/datausage.json-    "live_proc_id": 42,
None_bundle_id.log-3rd_All/datausage.json-    "live_isodate": "2021-07-21 12:02:43.294491"
None_bundle_id.log-3rd_All/datausage.json-  },
None_bundle_id.log---
None_bundle_id.log-3rd_All/datausage.json-  {
None_bundle_id.log-3rd_All/datausage.json-    "first_isodate": "2021-07-21 12:20:58.993123",
None_bundle_id.log-3rd_All/datausage.json-    "isodate": "2021-07-22 15:01:31.179588",
None_bundle_id.log-3rd_All/datausage.json-    "proc_name": "EnforcementServi",
None_bundle_id.log:3rd_All/datausage.json:    "bundle_id": "",
None_bundle_id.log-3rd_All/datausage.json-    "proc_id": 142,
None_bundle_id.log-3rd_All/datausage.json-    "wifi_in": 0.0,
None_bundle_id.log-3rd_All/datausage.json-    "wifi_out": 0.0,
None_bundle_id.log-3rd_All/datausage.json-    "wwan_in": 50576.0,
None_bundle_id.log-3rd_All/datausage.json-    "wwan_out": 14317.0,
None_bundle_id.log-3rd_All/datausage.json-    "live_id": 108,
None_bundle_id.log-3rd_All/datausage.json-    "live_proc_id": 142,
None_bundle_id.log-3rd_All/datausage.json-    "live_isodate": "2021-07-21 12:20:58.991778"
None_bundle_id.log-3rd_All/datausage.json-  },

I am not an expert programmer. I need some opinions. I saw that almost every case has a bundle_id.

And also, is it possible? [image]

I think my phone is hacked. So... yeah.. what should I do?

Te-k commented 3 years ago

No bundle_id means that the process was running as system. Sometimes entries in the DataUsage table are truncated to 16 characters; here com.apple.Diagno is likely one of the com.apple.DiagnosticExtensions apps (like com.apple.DiagnosticExtensions.Messages). I am not sure what legitimate process EnforcementServi is, but it is likely a legitimate system process.
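As an added illustration of the point in the reply above (example code, not MVT's own), here is a small Python triage of records in MVT's datausage.json output: it separates app entries from system entries with an empty bundle_id and resolves 16-character proc_name values, which may be truncated, against a list of known full names. The only known name is the one from this thread, the sample records are constructed from the ones in the issue plus one made-up app entry, and the known-name list is assumed to be extended from a baseline of a known-clean device.

```python
import json

# Entries with an empty bundle_id belong to processes running as system, and the
# DataUsage table truncates proc_name to 16 characters (see the reply above).
PROC_NAME_MAX = 16

# Full names to resolve truncated proc_name values against. Only the
# DiagnosticExtensions name comes from this thread; the rest of the list is
# assumed to be built from a baseline taken on a known-clean device.
KNOWN_SYSTEM_PROCS = [
    "com.apple.DiagnosticExtensions.Messages",
]

# Constructed sample mirroring the two records from the issue, plus an app entry.
SAMPLE_DATAUSAGE = json.dumps([
    {"proc_name": "com.apple.Diagno", "bundle_id": "", "proc_id": 42,
     "wifi_in": 0.0, "wifi_out": 0.0, "wwan_in": 59273.0, "wwan_out": 23519.0},
    {"proc_name": "EnforcementServi", "bundle_id": "", "proc_id": 142,
     "wifi_in": 0.0, "wifi_out": 0.0, "wwan_in": 50576.0, "wwan_out": 14317.0},
    {"proc_name": "com.example.app", "bundle_id": "com.example.app", "proc_id": 7,
     "wifi_in": 10.0, "wifi_out": 5.0, "wwan_in": 0.0, "wwan_out": 0.0},
])


def resolve_truncated(proc_name, known=KNOWN_SYSTEM_PROCS):
    """Known full names that a (possibly truncated) proc_name could stand for."""
    if len(proc_name) < PROC_NAME_MAX:
        return [k for k in known if k == proc_name]   # too short to be truncated
    return [k for k in known if k.startswith(proc_name)]


def triage_datausage(raw_json, known=KNOWN_SYSTEM_PROCS):
    """Annotate each datausage.json record with why its bundle_id may be empty."""
    results = []
    for rec in json.loads(raw_json):
        name = rec.get("proc_name", "")
        candidates = resolve_truncated(name, known)
        if rec.get("bundle_id"):
            status = "app"
        elif candidates:
            status = "system: matches " + ", ".join(candidates)
        else:
            status = "system: no known match, verify manually"
        results.append({
            "proc_name": name,
            "status": status,
            "truncated": len(name) >= PROC_NAME_MAX,   # at the 16-char limit
            "bytes_total": sum(rec.get(k, 0.0) for k in
                               ("wifi_in", "wifi_out", "wwan_in", "wwan_out")),
        })
    return results
```

Entries flagged "verify manually" are not evidence of compromise by themselves; compare them against the same table from a known-clean device of the same iOS version before drawing conclusions.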