iOS 12 APOLLO Updates
Many modules were updated to specially support iOS 12, including those below. Many were already available on iOS 12 (Powerlog, Passes, SMS, etc.) without a jailbreak. As always, let me know if I missed...
New Presentation from Objective by the Sea 2.0 - Watching the Watchers
Just got back from a wonderful time hanging out with the who’s who of Mac security folk in swanky Monaco at the Objective by the Sea conference. I’ve uploaded my presentation Watching the Watchers in...
New(ish) Presentation: Poking the Bear - Teasing out Apple's Secrets through...
I had the wonderful opportunity to present this presentation at two great conferences in October; Jailbreak Security Summit and BSides NoLA. Unfortunately I was going on an extended vacation almost...
New Year New APOLLO – Officially out of Beta iOS 13 Module Updates!
I spent this weekend updating and sprucing up APOLLO for its v1.0 release. It took far longer than anticipated, mostly because I’ve added quite a few new modules. It also takes a while to go through...
Providing Context to iOS App Usage with knowledgeC.db and APOLLO
With the APOLLO v1.0 update, I updated many of the Application Activity modules used with the knowledgeC.db database. I mentioned in this article that these were updated to provide more context to...
macOS & iOS "Secure" Notes - I Can See Your Secrets, No Brute Forcing Required!
I wrote a blog for BlackBag Tech on the not so secret secrets that could be stored in secure notes using the Notes application on macOS and iOS. Note snippets, location data, and media attachment...
New Presentation - Exploring macOS with APOLLO from #OBTS 3.0
This was presented yesterday at Objective by the Sea 3.0 in beautiful Maui. Official macOS support and modules are coming to APOLLO! Slides and video are available here. I hope to update the APOLLO...
Introducing 'Analysis of Apple Unified Logs: Quarantine Edition' [Entry 0]
I’ve decided to spend some time revisiting analysis of Unified Logs as a blog series during this quarantine. It is the perfect topic to make bite-sized, and I can make it as long or as short as...
Analysis of Apple Unified Logs: Quarantine Edition [Entry 1] – Converting Log...
Apple introduced Unified Logging many years ago in 10.12 and has constantly been changing it since its introduction. My main problem is usually using the ‘log’ utility. It has changed over time and...
Analysis of Apple Unified Logs: Quarantine Edition [Entry 2] – sudo make me a...
The first item in the Unified Logs we will take a look at is a relatively simple one – evidence of the ‘sudo’ command. In this example I’m attempting to view all the log types (including default and...
Analysis of Apple Unified Logs: Quarantine Edition [Entry 3] – Playing in the...
While I’ve been researching various queries with these unified logs, I’ve noticed some peculiar but forensically useful entries. I have found many of these entries to be created when I’m browsing...
Analysis of Apple Unified Logs: Quarantine Edition [Entry 4] – It’s Login Week!
No one can find flour or yeast anyway! 😆 This week is all about system logins! On the system (via password, TouchID, or Apple Watch), local logins using Terminal, and remote logins over SSH and Screen...
Analysis of Apple Unified Logs: Quarantine Edition [Entry 5] – Login...
Local logins are created when an already logged in user opens a Terminal window. Each terminal window is a separate ‘login’ process. If you have six Terminal windows (or tabs) open, you have six...
Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From...
I’m sure many of us are working remotely right now, possibly using some of these remote capabilities. Remote logins can include a few different services: SSH and Screen Sharing are two that I’ll show...
Analysis of Apple Unified Logs: Quarantine Edition [Entry 7] – Exploring...
There are many output style options for the ‘log’ command. Sometimes the default output may not get you what you want. This article will walk through the various log output styles looking for USB Mass...
New Webinar: Analyzing macOS with BlackLight's APOLLO Plugin
I’ll walk you through using BlackLight’s APOLLO plugin to track user application usage (knowledgeC, Power Log and Screen Time), device states, network usage and processes, file quarantine, and...
Analysis of Apple Unified Logs: Quarantine Edition [Entry 8] – Man! What a...
A quick trick to get more info when you are testing different Unified log examples is to use Terminal’s man page lookup feature. This is useful to provide more context to processes that you may not be...
Analysis of Apple Unified Logs: Quarantine Edition [Entry 9] – We all know...
We’ve been trapped inside our homes for months. We’ve reached the end of Netflix, listened to everything on Apple Music, watched old vacation videos trying to remember what travel was like, and...
Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with...
TCC Modifications in the Unified Logs
TCC, or Transparency, Consent, and Control, keeps track of various application permissions. A user can make changes to an application’s permissions in the respective...
Guest Post by @bizzybarney! A Peek Inside the PPSQLDatabase.db...
The DFIR Twitter-sphere exploded this morning when @mattiaep mentioned /private/var/mobile/Library/PersonalizationPortrait/PPSQLDatabase.db. I’ve been doing some research work on this file and plan to...