Analysis of Apple Unified Logs: Quarantine Edition [Entry 11] – AirDropping Some Knowledge

I’ve written about this before in this article but wanted to revisit it for this series. For this scenario I want to test what certain items might look like when they are AirDrop’ed from an unknown source. Many schools have been receiving bomb threats …

Guest Post by @bizzybarney! A Peek Inside the PPSQLDatabase.db Personalization Portrait Database

The DFIR Twitter-sphere exploded this morning when @mattiaep mentioned /private/var/mobile/Library/PersonalizationPortrait/PPSQLDatabase.db. I’ve been doing some research work on this file and plan to present pieces of it during my talk at the upcoming…

Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with TCC? Yea, you know me! Tracking App Permissions and the TCC APOLLO Module

TCC Modifications in the Unified Logs: TCC, or Transparency, Consent, and Control, keeps track of various application permissions. A user can make changes to an application’s permissions in the respective Privacy settings on macOS and iOS.


Analysis of Apple Unified Logs: Quarantine Edition [Entry 9] – We all know you’re binging Netflix! Now Playing on your Apple Devices!

We’ve been trapped inside our homes for months. We’ve reached the end of Netflix, listened to everything on Apple Music, watched old vacation videos trying to remember what travel was like, and mindlessly browsed YouTube videos. All these actions have …

Analysis of Apple Unified Logs: Quarantine Edition [Entry 8] – Man! What a process!?

A quick trick to get more info when you are testing different Unified log examples is to use Terminal’s man page lookup feature. This is useful to provide more context to processes that you may not be familiar with. Perhaps you have something interesti…

Analysis of Apple Unified Logs: Quarantine Edition [Entry 7] – Exploring USBMSC devices with --style

There are many output style options for the ‘log’ command. Sometimes the default output may not get you what you want. This article will walk through the various log output styles looking for USB Mass Storage Class devices using the keyword ‘USBMSC ’…

Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins

I’m sure many of us are working remotely right now, possibly using some of these remote capabilities. Remote Logins can include a few different services: SSH and Screen Sharing are two that I’ll show here. These services are disabled by default and w…