Hello everybody,
Thank you so much for your kind responses.
I felt like I needed to write a single response for you all, and I hope it finds you well.
In trying to keep my question short and simple, it seems it didn’t give enough background. This computer is a MacBook Pro, i9. 2019 maybe.
Two recent firmware resets & SSD wipe and restores have been done.
Some suggestions as to how it could have happened were about the hardware. Honestly, it seems like the hardware is doing perfectly fine. There are no glitches whatsoever. On top of it, its software glitches are showing up in a newly purchased MacBook Air which is pristine (no old files, no weird applications, no roaming in unknown-unverified websites, not even a clean flashdisk).
One very clear sign was that the old one suddenly had its System File dates set to 22-November-2025. There was no reinstall or anything of that kind at that time range. Suddenly, the new one, which was purchased in mid-January 2026, had its system files set to the same exact date.
Clearly, there is an external interference, and over the years, it seems to be narrowing down to Near-By Experiences.
A good example happened today: before I got a chance to set the security settings in the old one, I noticed it was “connected” to Bluetooth, but I couldn’t find the device which it was connecting to. No electronics in my apartment even had their power on.
One of you asked if it was forensic work or just recovery. It is, at the moment, forensic work towards the goal of recovery and no contamination further on.
The reason is that the simple re-installs (as proven by two attempts at firmware reset) don’t even help the situation: I can’t get a clean install, it seems. As the hardware repair is a difficult option, software forensics/diagnostics is the only current option. Even for offline computer use, it needs to be security-tightened around radio interactions.
My question is: How should this “Seal Broken” message be evaluated, especially with the below information I am providing, “compromised” or “not compromised”?
Also, the fact that the system files & folders have an irrelevant date of 16 Jan 2026, which corresponds to no significant date, should be critical, I’d say. But I’d love to hear your thoughts.
I’ll do my best to highlight the areas where I found possible additional information to add. This, I think, really adds to the evaluation because what I’ve described to you above has, over the years, narrowed down to a cloning, MITM kind of scenario. If the firmware compromise has succeeded and the system will keep corrupting towards a “Sharing” direction, then the action decision will differ accordingly.
These are the results of the Terminal tests:
(I can’t screenshot and copy here yet)
% diskutil list internal
/dev/disk0 (internal, physical):
   #  Type                   Name                     Size      Identifier
   0  GUID_Partition_scheme                           *1.0 TB   disk0
   1  EFI                    EFI                      314.6 MB  disk0s1
   2  Apple_APFS             Container disk1          1 TB      disk0s2
/dev/disk1 (synthesized):
   #  Type                   Name                     Size      Identifier
   0  APFS Container Scheme  -                        +1.0 TB   disk1 PHYSICAL STORE disk0s2
   1  APFS Volume            APPLE SSD AP1024N Me…    3.2 GB    disk1s1
   2  APFS Volume            Preboot                  284.5 MB  disk1s2
   3  APFS Volume            Recovery                 623.9 MB  disk1s3
   4  APFS Volume            VM                       20.5 KB   disk1s4
   5  APFS Volume            APPLE SSD AP1024N Media  15.3 GB   disk1s5
   6  APFS Snapshot          com.apple.os.update-…    15.3 GB   disk1s5s1
Thank you for your consideration.
If you look at the information, especially the one at the bottom, you see that it boots from the snapshot and the snapshot itself has a broken seal too. If you can help explain how this boot process is working, that will be wonderful.


