New Script! - MacMRU (Most Recently Used) Plist Parser
I have been studying the new SFL-based MRU plist files found in OS X 10.11. They make analysis hard because they are binary plist files using the NSKeyedArchiver format – see here for my manual...
Mac News & Updates - 08/11/16
Blogs: [LINK] Another Forensics Blog - How to image a Mac using Single User Mode; [LINK] Another Forensics Blog - Mounting and Reimaging an Encrypted FileVault2 Mac Image in Linux. More great Mac imaging...
Update to MacMRU Parser - Now with Microsoft Office Support!
I've updated my MacMRU parser script, located here: https://github.com/mac4n6/macMRU-Parser. This update includes support for 'Most Recently Used' artifacts for Microsoft Office for Mac 2011 and 2016....
New macOS Sierra (10.12) Forensic Artifacts – Introducing Unified Logging
I know it's been a while since I've last posted - I've been hard at work delving into macOS Sierra and iOS 10 to add new artifacts into my course. Here is something new that macOS Sierra has to offer us...
Pincodes, Passcodes, & TouchID on iOS - An Introduction to the Aggregate...
Have you ever wondered how Apple can put out statistics such as “The average iPhone is unlocked 80 times a day”? How the heck do they know?...
New Presentation: Logs Unite! - Forensic Analysis of Apple Unified Logs
It's no joke! Today I presented at one of my favorite conferences, BsidesNOLA. I've uploaded the slides to my Github here - Logs Unite! Enjoy the log goodness!
New Presentation! 'The Cider Press: Extracting Forensic Artifacts from Apple...
Heather Mahalik and I presented on Apple Continuity artifacts at the SANS DFIR Summit. This is one of my favorite conferences of the year. I always have a good time reconnecting with old friends and...
Script Update - Mac (& iOS) Location Scraper (macOS and iOS 10 Updates)
Yep, you read that right - Mac Location Scraper! I've updated my 'iOS Location Scraper' script to be compatible with the same location database found on iOS - the cache_encryptedA.db (and...
Script Update - Mac MRU Parser - Spotlight Shortcuts & BLOB Parsing!
Get the script here! Added in Spotlight Shortcuts: I've updated my macMRU.py script to parse the Spotlight Shortcuts plist file that I consider to be very MRU-like. This plist file contains what the user...
Script Update - Mac MRU Parser v1.3 - New 10.13 *.sfl2 MRU Files
Just a quick script update! New with 10.13 High Sierra are the newer format *.sfl2 Mac MRU files. The format changes slightly from the older *.sfl files found in 10.11 and 10.12. It also uses the...
Mount All the Things! – Mounting APFS and 4k Disk Images on macOS 10.13
Recently there have been some questions on the forums and Twitter as to how to mount forensic disk images that were captured from Mac systems that implemented 4k block sizes. A few years ago, Mac systems...
Script Update - Mac MRU Parser v1.5 - Added Volume Analysis Support and Other...
Get the script here! Added volume analysis support for the following plists. These are not really MRUs, but it could be damn useful to gather this info. Sidebar List plist [10.12-] -...
iOS Imaging on the Cheap! - Part Deux! (for iOS 10 & 11)
We got some fantastic gifts of jailbreaks over the holiday, so naturally I got very excited and dove right in so I can start getting back into research for iOS 10.3+ and iOS 11. The first step in this...
Uh Oh! Unified Logs in High Sierra (10.13) Show Plaintext Password for APFS...
UPDATE: This is still vulnerable on current versions of macOS 10.13.3 when encrypting an ALREADY EXISTING unencrypted APFS volume (versus creating a NEW volume, as in the original article). Thanks to...
OMG, Seriously? - APFS Encrypted Plaintext Password found in ANOTHER (More...
At some point you just need to stop looking and be blissfully ignorant...this was not one of those days. In an update to my previously updated blog article, I have found another instance where the...
Ok Internet, Let's Test this APFS Plaintext Password Bug Properly
There has been some confusion (myself included) on what is vulnerable to this bug and what isn't. Some folks can replicate it and some cannot - so I think it's high time to test this properly to see what...
Presentation Slides & Demo Videos - Getting Saucy with APFS
I just had the honor of presenting at one of my favorite BSides conferences, BsidesNOLA, on the state of the new Apple File System (APFS). Sadly, I didn't have the time to go through the demos, but I have...
Presentation - #DFIRFIT or BUST: A Forensic Exploration of iOS Health Data...
At the SANS DFIR Summit in Austin this year I had the pleasure of presenting with Heather Mahalik on iOS Health Data. We get into data acquisition, database contents, pattern of life analysis, workout...
Knowledge is Power! Using the macOS/iOS knowledgeC.db Database to Determine...
Having access to precise and granular user and application usage can be extremely useful in a forensic investigation, some of which are listed here. I find that pattern-of-life data is some of the...
Making it Rain on this Labor Day – Giving Back to the DFIR and Security...
In the spirit of our American holiday Labor Day, where normal people might be watching a parade, barbecuing, and shopping Labor Day deals - I've decided to forgo the crowds at the mall and give back to...