Hello World!
I know, cliche right? Welcome! I hope to create a useful blog and website to help Mac OS X and iOS forensic examiners stay up-to-date with the latest in Mac forensic research. I also have an online...
OMG HFS+ FTW!
The HFS+ file system is an often forgotten part of Mac OS X analysis. Everyone always talks about being able to parse the FAT or NTFS file system files, but I almost never hear about someone needing or...
Updates - June 2014
A few updates to the website: Resources Section: The Resources section now contains the Synalyze It! grammars for HFS+ that I created. Just a reminder – these are work in progress; I will update them as...
HFS+ Grammar Updates – Now with Windows & Linux Support!
Updated HFS+ Grammars: My Synalyze It! HFS+ grammars have been updated thanks to some feedback from ‘Cugu’ who pointed out an error in the Reserved Field in the Header Record. It should have been 4x16...
Apple Watch Forensics - A Quick Preview
Heather Mahalik and I had the pleasure of presenting a quick rundown of what we found in iOS backups for the brand spankin' new Apple Watches that we just got. (BTW - Yes, I'm loving it. Big surprise...
Ubiquity Forensics - CEIC 2015
Click here for the newest presentation slides from CEIC 2015. I hope I'll be seeing some of you bright and early at the 9am presentation!
Ubiquity Forensics - Your iCloud and You @ BSidesNoLA
The latest version of this presentation is available in the Resources section of this website. Enjoy!
Mac4n6 now on Github!
I will now be posting my presentations, HFS+ Resources, and other things (scripts to come!) on Github. I have turned off the Google Drive shared folder so be sure to update your links! These links will...
Presentation: OS X Spotlight Queries
I was lucky enough to be able to teach at the SANS DFIR Summit in Prague this October as well as attend the Summit. I presented a SANS 360 presentation (it was more like a SANS 600!) on OS X Spotlight...
Parsing iOS “Frequent Locations”
The Artifact: The phrase “Location, Location, Location” has special meaning for those looking for real estate but can also mean everything to a forensicator looking for locational data. One of the most...
Manual Analysis of ‘NSKeyedArchiver’ Formatted Plist Files - A Review of the...
In my iOS Frequent Locations blog post, I mentioned that the locations are stored in a ‘less than analyst friendly’ format. These plist files are in a binary plist format – no different than other...
Script Update: Dump iOS Frequent Locations – Now with KML & CSV Output!
Update Details: I have added some output options to the script – CSV and KML. See a related post here - "Parsing iOS Frequent Locations". The script can now be called with a ‘-output’ argument with the...
Presentation Update: Analysis and Correlation of Mac Logs
This week I had the privilege of presenting an updated version of my "Analysis and Correlation of Mac Logs" talk at the CTIN Conference. The updated slides have been uploaded to my presentation area on...
iOS Imaging on the Cheap!
Many analysts and researchers work with a very limited budget; many of us can’t get those $uper expen$ive commercial mobile acquisition and analysis tools. I’ve been asked many times, “What tools can I...
Nominated for the "Digital Forensic Investigator of the Year" Award
If you like my blog, my presentations, my class, or my other resources - please consider voting for me in the Forensic 4Cast Awards for "Digital Forensic Investigator of the Year". I appreciate your...
BSidesNOLA Preso - The iOS of Sauron: How iOS Tracks Everything You Do
I was lucky enough to again be selected as a speaker at one of my favorite BSides conferences, BSidesNOLA (4 years running!). This one has THE BEST speaker party. Backyard tiki bar, homemade gumbo,...
New Presentation - iOS Location Forensics
Yesterday I did a SANS webcast on iOS Location Forensics. The recording is not up yet, however I will update this blog when it is. You can find the slides for the presentation here.
New Script – iOS Locations Scraper
Similar to my iOS Frequent Locations Dumper script, I wanted to extract the iOS locations that are stored in various SQLite databases and review them in CSV and KML output to make analysis easier. You...
Mac News & Updates - 06/19/16
With WWDC happening this week there has been lots of Apple/Mac news, so I figured I would take this opportunity to put out a list of links and videos that I found worthwhile to read/watch. I hope to do...
Mac News & Updates - 07/06/16
Malware:
OSX.Pirrit
[PDF] Cybereason – The Minds Behind the Malicious Mac Adware (Amit Serper)
[VIDEO] Amit Serper’s LayerOne Presentation - The Blue Balls of Mac Adware
OSX.Eleanor
[PDF] BitDefender -...