About | ACP | Get Stuff | Industry Watch | Learning Curve | Newsletter | Search | Test Drive
Home » Learning Curve

1st Time Tracker?

It's always possible. It's never too difficult. Tracker makes it even easier.

Get It

Try It

A lot of people freaked out with the news of the two torrent trojans. They needn't have.

A recurring question is what one can do to prevent such things from happening. And a commonly seen answer is 'nothing'.

And that's simply not true.

An oft-held belief is that there is no feasible way to keep track of what installers or programs, benign or otherwise, are doing to your computer.

And that's not true either.

The following three pictures should sum up how easy it is. When Rixstep wrote that Spotify was a fantastic application they didn't pull such claims out of a hat - they'd tested the app and seen what it could do (and refused to do).

The first picture shows Tracker after Spotify.app's been dropped on it.

The second picture shows what file system changes Tracker found after Spotify.app exited.

The third picture shows all file system operations Tracker found after Spotify.app exited.

Spotify didn't ask for a password so there was no need to check areas you can't get into without one. But /Library can be accessed and written to. So Tracker checked both that and the home area.

And as can be seen: Spotify is benign: it doesn't spread junk around your system. It accessed the system keychain because it's configured for automatic login. It uses a 'storage' area for caches but that too is benign.

The only other activities (bold font means things were changed and ordinary font means things were only accessed) were Spotify's Resources directory, the ACP framework, and Tracker's built in scanner.

That's it. And it was easy. And this could have been done just as easily with an installer from The Pirate Bay.


This next section might be a bit rough for some but there's no simple way to describe what's going on. So stick it out if you can - you'll benefit from it.

Tracker is a totally unique application - at least on OS X. It's from Rixstep. Rixstep have had 'unique' apps before - they were first with industrial strength file and disk shredders too. Applications similar to Tracker exist on Windows - at least one does - so it's not an unheard of thing. Although the methodology used on Windows is vastly different.

The idea is to see everything that's happened on disk between a starting time and an ending time.

You can do most of this yourself from the command line if you want - most of it at any rate. In fact the software testers at Rixstep started this way - used the command line until Tracker was invented. So it's not (mostly) impossible.

But Tracker does make it a lot easier.

And you don't want help from Apple's fsevents either - for several rather devastating reasons.

  • fsevents runs with a limited buffer. Once the buffer's full fsevents can't do any more. Instead you get a message back saying everything is borked and you're basically SOL.

  • Apple's Spotlight is the main client of fsevents and Spotlight couldn't give a hoot about who accessed what on your computer. So fsevents won't send you any information about file system accesses. But you'll want that information if you're tracking 'unknown/untested' software: data mining is a Bad Thing™ and you'll want to know about it.

  • You need to know what's happened between time A and time B - you don't need to be told of each and every single itsy bitsy trivial file system event in there. That's what fsevents will tell you - minus the file accesses which you need - and that's way too 'busy'.

fsevents can be cool to play with if you're an inconsequential pseudo-geek but it won't tell you what you need to know how you need to know it.

Tracker will - and it's available in the free Xfile Test Drive download. Pick up a copy and follow along here.

1st Track!

Let's try to do something useful here: let's compare runs of Safari and Firefox. Presumably most of you have both browsers.

1. Put Tracker on your dock so you can drop things on it. There are other ways to do this and you don't have to drop something on Tracker to run it but this makes it easier.

2. Go to /Applications and drag Safari onto the Tracker dock icon. Your Tracker window will now look like this.

3. Hit the 'Go' button on the toolbar. It's the green one on the far left. You'll get a prompt like the following.

This prompt is very important. This shows you what's going to happen when you open a file or launch an application - this is the system launch services talking. The Oompa-Loompa attack worked by disguising files - they looked like one thing but data stored in their resource forks can reveal another. The torrent trojans didn't use this attack but future trojans can.

4. Click 'Continue'. This launches Safari.

5. Make sure you have flash and JavaScript turned on and then surf to the Apple website.

6. Wait until the page completely loads and then exit Safari.

7. Go back to Tracker and hit the 'Track' button on the toolbar. Now kick back and wait a second. When Tracker's 'Stop' button deactivates you should have something like the following.

8. Select 'List Accessed' on the 'File' menu (⌥⌘A - option-command-A) and you'll see something like the following.

9. Now start all over with Firefox. You should get something like the following.

10. Select 'List Accessed' on the 'File' menu again.

Firefox doesn't change (or create) as many files as Safari but it accesses a lot more. And if you look through the tracking results you'll see Safari is storing a lot of metadata Firefox doesn't get near whilst Firefox is looking through all the system fonts - something Safari doesn't need to do.

As neither of these applications uses a password it's not necessary to check areas where only escalated processes can go. But you can set any number of paths for Tracker to check.

Anytime you give your password to an unknown/untrusted application you simply set the path to root.

There's really no reason to be helpless in situations like this. People should check installers before running them. And a lot of the data you're after is there in plain text files for you to read.

But when it comes to tracking new applications - or even old ones - there's no reason to be helpless there either.

Not Just a List

But Tracker's not just a list of changes - it's also a full-featured file manager you use to clean up messes other apps create.

  • Inspect any item. See and modify its standard system settings and inspect its time stamps. See why it's been listed.

  • 'Manage' the items in your list. Drag them to other locations or delete them.

  • Open any item with any application. Drag to dock icons or use the built in 'open with' launcher.

  • Drop into a Terminal session at any path. For doing the dirty work in those hard to get at places.

  • Export your tracking results list. For safekeeping - for the day you want to 'really' uninstall.

Almost all the software reviewed at this site was tested with Tracker. There's really no other way to be sure what's going on - and to clean up once you know what happened.

Further Reading
Industry Watch: Tracker Grows Up
Industry Watch: Xfile 2/Tracker 2.0
Industry Watch: Tracker 2.0: Origins
Industry Watch: Don't Trust It — Track It!
Industry Watch: Tracker — The Complete 'Uninstaller'

Learning Curve: Tracker Fact Sheet
The ACP: Tracker — Don't Chance It

About | ACP | Get Stuff | Industry Watch | Learning Curve | Newsletter | Search | Test Drive
Copyright © Rixstep. All rights reserved.