New(ish) Presentation: Poking the Bear – Teasing out Apple’s Secrets through Dynamic Forensic Testing and Analysis

I had the wonderful opportunity to present this presentation at two great conferences in October: Jailbreak Security Summit and BSides NoLA. Unfortunately I was going on an extended vacation almost immediately after so I forgot to post this to the site…

Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics

I was first introduced to the protobuf data format years ago accidentally when I was doing some MITM network analysis from an Android device. The data I was looking at was being transferred in this odd format, I could tell there were some known strings…

iOS Location Mapping with APOLLO – Part 2: Cellular and Wi-Fi Data (locationd)

My previous article showed a new capability of APOLLO with KMZ location file support. It worked great…for routined data, but there was something missing. What about the cellular and Wi-Fi locations that are stored in databases? Well, turns out I need …

iOS Location Mapping with APOLLO – I Know Where You Were Today, Yesterday, Last Month, and Years Ago!

I added preliminary KMZ (zipped KML) support to APOLLO. If any APOLLO module’s SQL query has “Location” in its Activity field, it will extract the location coordinates in the column “Coordinates” as long as they are in Latitude, Longitude format (ie: 3…

New Presentation from SANS DFIR Summit 2019 – They See Us Rollin’, They Hatin’ – Forensics of iOS CarPlay and Android Auto

Heather Mahalik and I teamed up again this year at the SANS DFIR Summit to present on iOS CarPlay and Android Auto. Presentation is here. Will post a link to the video when it’s available. Always a good time and love seeing friends every year. Still one …

New Presentation from MacDevOpsYVR 2019 – Launching APOLLO: Creating a Simple Tool for Advanced Forensic Analysis

I had the pleasure last week to attend MacDevOpsYVR in Vancouver, Canada. While I barely saw the city, I got to hang out with some awesome Mac Sys Admins and Dev Ops people. I’ve not been to a conference outside of Security/Forensics before so it was a…

Apple Pattern of Life Lazy Output’er (APOLLO) Updates & 40 New Modules (Location, Chat, Calls, Apple Pay Transactions, Wallet Passes, Safari & Health Workouts)

I started filling in the gaps to missing APOLLO modules. While doing this I realized there was some capability that was missing with the current script that had to be updated. As far as script updates go the following was done: Support for multiple data…

Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases

Two iOS databases that I’ve always found interesting (and probably should test more) are netusage.sqlite and DataUsage.sqlite. These two databases contain very similar information – one is available in a backup (and file system dumps) the other only in…