Channel: mac4n6.com
Browsing latest articles
Browse All 113 View Live


Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From...

I’m sure many of us are working remotely right now, possibly using some of these remote capabilities. Remote Logins can include a few different services; SSH and Screen Sharing are two that I’ll show...


Analysis of Apple Unified Logs: Quarantine Edition [Entry 7] – Exploring...

There are many output style options for the ‘log’ command. Sometimes the default output may not get you what you want. This article will walk through the various log output styles looking for USB Mass...



New Webinar: Analyzing macOS with BlackLight's APOLLO Plugin

I’ll walk you through using BlackLight’s APOLLO plugin to track user application usage (knowledgeC, Power Log and Screen Time), device states, network usage and processes, file quarantine, and...


Analysis of Apple Unified Logs: Quarantine Edition [Entry 8] – Man! What a...

A quick trick to get more info when you are testing different Unified log examples is to use Terminal’s man page lookup feature. This is useful to provide more context to processes that you may not be...


Analysis of Apple Unified Logs: Quarantine Edition [Entry 9] – We all know...

We’ve been trapped inside our homes for months. We’ve reached the end of Netflix, listened to everything on Apple Music, watched old vacation videos trying to remember what travel was like, and...


Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with...

TCC Modifications in the Unified Logs: TCC or Transparency, Consent, and Control keeps track of various application permissions. A user can make changes to an application’s permissions in the respective...


Guest Post by @bizzybarney! A Peek Inside the PPSQLDatabase.db...

The DFIR Twitter-sphere exploded this morning when @mattiaep mentioned /private/var/mobile/Library/PersonalizationPortrait/PPSQLDatabase.db. I’ve been doing some research work on this file and plan to...


Analysis of Apple Unified Logs: Quarantine Edition [Entry 11] – AirDropping...

I’ve written about this before in this article but wanted to revisit it for this series. For this scenario I want to test what certain items might look like when they are AirDrop’ed from an unknown...


APOLLO and tvOS – It Just Works! (...and judges me for binging TV)

It’s been a while since I last jailbroke an Apple TV and had a forensic look at it. Using the checkra1n jailbreak, I decided to give it a try. The jailbreak itself was easy and went very smoothly. This...


Extensive knowledgeC APOLLO Updates!

While helping some investigators out I realized that some of my APOLLO knowledgeC modules needed a bit of updating. Naturally I thought it would be quick, but it turned into quite an extensive...


Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS...

The interactionC.db database certainly does not get as much attention as its CoreDuet partner in crime, knowledgeC.db. However, I think it has quite a bit of investigative potential. I’ve written...


Follow-on to DFIR Summit Talk: Lucky (iOS) 13: Time To Press Your Bets (via...

Facial Recognition in Photos: One facet of my DFIR Summit talk I want to expand upon is a look into the Photos application, and a few of the derivative pieces of that endeavor. While trying to focus on...


Step-by-step macOS Setup for iOS Research (via @bizzybarney)

CLI…WTF: Command line interface (CLI) isn’t for everyone. Trust me; I get it. @iamevltwin forced me out of my comfort zone a few years ago and opened my eyes to the power of Terminal (command prompt on...


Part 2: Step-by-step iPhone Setup for iOS Research (via @bizzybarney)

This is a follow-on to the previous post showing how to set up your Mac for iOS testing. If you haven’t read over that one - this article draws assumptions that your Mac is set up in a certain way, or...


Analysis of Apple Unified Logs [Entry 12] – Quick & Easy Unified Log...

Collection of Unified Logs on macOS systems is pretty straightforward. You can use the command, and yes – you do have to be root.

sudo log collect

Collection from iOS device is not as obvious. I think...



APOLLO v1.4 - Now with 'Gather' Function from iOS/macOS and updates to iOS14...

I’ve been working hard on a big update to improve core functionality of APOLLO to include methods to gather up the database files needed so they can be extracted from using the APOLLO modules. New...


Part 3: Step-by-step Tooling for iOS Research (via @bizzybarney)

This is the third and final piece of the Mac and iPhone setup process! Sorry for the long delay between the last one and this one, but better late than never right? This guide will help you set up your...


I'm Back Baby!

Hello folks, I’m back! I took a bit of a break because burn out is no joke – seriously…take care of yourselves! I’ve been on what I’m calling a mid-career retirement – travelling the world to make up...


Sikkerhetsfestivalen 2024 - Lillehammer, Norway

I’ve uploaded my presentation that I gave at the lovely Sikkerhetsfestivalen 2024 in Lillehammer, Norway. This presentation goes through some pattern-of-life (APOLLO-ish) investigative scenarios.


New Presentation - Using Apple Intelligence (AI) Data in Investigations

I had the opportunity to present to a bunch of folks in one of my favorite places, Norway (yes, again!) I wanted to take an initial look into Apple Intelligence (AI), to see what was forensically...
