Collaborate Disseminate
At the SANS DFIR Summit in Austin this year I had the pleasure of presenting with Heather Mahalik on iOS Health Data…. Continue reading Presentation – #DFIRFIT or BUST: A Forensic Exploration of iOS Health Data (SANS DFIR Summit)
I just had the honor of presenting at one of my favorite BSides Conference BsidesNOLA on the State of the new Apple File System (APFS). Sadly, I didn’t have the time to go through the demos but I have uploaded them to YouTube and the slides have been u… Continue reading Presentation Slides & Demo Videos – Getting Saucy with APFS
There has been some confusion (myself included) on what is vulnerable to this bug and what isn’t. Some folks can replicate and some cannot – so I think its high time to test this properly to see what versions and scenarios are affected by this bug.The … Continue reading Ok Internet, Lets Test this APFS Plaintext Password Bug Properly
At some point you just need to stop looking and be blissfully ignorant…this was not one of those days. In and update to my previously updated blog article, I have found another instance where the plaintext password was written to system logs.&nb… Continue reading OMG, Seriously? – APFS Encrypted Plaintext Password found in ANOTHER (More Persistent!) macOS Log File
I’ve been updating my course (Mac and iOS Forensics and Incident Response) to use new APFS disk images (APFS FTW!) and came across something that both incredibly useful from a forensics perspective but utterly horrifying from a security standpoint. Scr… Continue reading Uh Oh! Unified Logs in High Sierra (10.13) Show Plaintext Password for APFS Encrypted External Volumes via Disk Utility.app
We got some fantastic gifts of jailbreaks over the holiday so naturally I get very excited and dove right in so I can start getting back into research for iOS 10.3+ and iOS 11. The first step in this research is getting physical access to the device an… Continue reading iOS Imaging on the Cheap! – Part Deux! (for iOS 10 & 11)
Get the script here!Added volume analysis support for the following plists. These are not really MRUs but it could be damn useful to gather this info.Sidebar List plist [10.12-] – /Users/<username>/Library/Preferences/com.apple.sidebarl… Continue reading Script Update – Mac MRU Parser v1.5 – Added Volume Analysis Support and Other Stuff!
Recently there has been some questions on the forums and Twitter as to how to mount forensic disk images that were captured from Mac system that implemented 4k block sizes. A few years ago, Mac systems started to use 4k blocks instead of 512 byte block… Continue reading Mount All the Things! – Mounting APFS and 4k Disk Images on macOS 10.13
Just a quick script update!New with 10.13 High Sierra are the newer format *.sfl2 Mac MRU files. The format changes slightly from the older *.sfl files found in 10.11 and 10.12. It also uses the analyst infuriating NSKeyedArchiver format. An example of… Continue reading Script Update – Mac MRU Parser v1.3 – New 10.13 *.sfl2 MRU Files
Get the script here!Added in Spotlight ShortcutsI’ve updated my macMRU.py script to parse the Spotlight Shortcuts plist file that I consider to be very MRU-like. This plist file contains what the user typed into the Spotlight search window, what they c… Continue reading Script Update – Mac MRU Parser – Spotlight Shortcuts & BLOB Parsing!