News
Entertainment
Science & Technology
Life
Culture & Art
Hobbies
News
Entertainment
Science & Technology
Culture & Art
Hobbies
mac4n6 - Mac OS X and iOS forensic research, blog, and resources - Technology
14 | Follower
I'm Back Baby! — mac4n6.com
Hello folks, I’m back! I took a bit of a break because burn out is no joke – seriously…take care of yourselves! I’ve been on what I’m calling a mid-career retirement – travelling the world to make up for lost pandemic travels. I’ve been working on a few projects, most recently (and the purpose for
Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins — mac4n6.com
I’m sure many of us are working remote right now possibly using some of these remote capabilities. Remote Logins can include a few different services; SSH and Screen Sharing are two that I’ll show here. These services are disabled by default and would need to be turned on in the user’s Shar
Analysis of Apple Unified Logs: Quarantine Edition [Entry 9] – We all know you're binging Netflix! Now Playing on your Apple Devices! — mac4n6.com
We’ve been trapped inside our homes for months. We’ve reached the end of Netflix, listened to everything on Apple Music, watched old vacation videos trying to remember what travel was like, and mindlessly browsed YouTube videos. All these actions have been recorded in your unified logs! I came acro
Analysis of Apple Unified Logs: Quarantine Edition [Entry 4] – It’s Login Week! — mac4n6.com
No one can find flour or yeast anyway! 😆 This week is all about system logins! On the system (via password, TouchID, or Apple Watch), local logins using Terminal, and remote logins over SSH and Screen Sharing. There are many ways of accessing a macOS system, certainly this is not all inclusive but
Analysis of Apple Unified Logs: Quarantine Edition [Entry 3] – Playing in the Sandbox, Enumerating Files and Directories — mac4n6.com
While I’ve been researching various queries with these unified logs, I’ve noticed some peculiar but forensically useful entries. I have found many of these entries to be created when I’m browsing directories via Finder. However, they don’t appear to be logged on every directory I browse. Many of the
Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with TCC? Yea, you know me! Tracking App Permissions and the TCC APOLLO Module — mac4n6.com
TCC Modifications in the Unified Logs TCC or Transparency, Consent, and Control keeps track of various application permissions. A user can make changes to an application’s permissions in the respective Privacy settings on macOS and iOS. 
Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules — mac4n6.com
The interactionC.db database certainly does not get as much as attention as its CoreDuet partner in crime, knowledgeC.db. However, I think it has quite a bit of investigative potential. I’ve written about it before in a prior blog , however I’d like to give it more attention here. I spent this wee
Follow-on to DFIR Summit Talk: Lucky (iOS) 13: Time To Press Your Bets (via @bizzybarney) — mac4n6.com
Facial Recognition in Photos One facet of my DFIR Summit talk I want to expand upon is a look into the Photos application, and a few of the derivative pieces of that endeavor.  While trying to focus on the topic of facial recognition, it seemed prudent to include a brief progression from s
Extensive knowledgeC APOLLO Updates! — mac4n6.com
While helping some investigators out I realized that my some of my APOLLO knowledgeC modules needed a bit of updating. Naturally I thought it would be quick, but it turned into quite an extensive update. I’ve included lots of brand-new modules as well as updates to ones that I’ve had before.&n
Analysis of Apple Unified Logs: Quarantine Edition [Entry 11] – AirDropping Some Knowledge — mac4n6.com
I’ve written about this before in this article but wanted to revisit it for this series. For this scenario I want to test what certain items might look like when they are AirDrop’ed from an unknown source. Many schools have been receiving bomb threats via AirDrop, I want to see if there is a way t
Part 1: Step-by-step macOS Setup for iOS Research (via @bizzybarney) — mac4n6.com
CLI…WTF Command line interface (CLI) isn’t for everyone.  Trust me; I get it.  @iamevltwin forced me out of my comfort zone a few years ago and opened my eyes to the power of Terminal (command prompt on Mac).  Now it is pinned to the Dock on every Mac I use, but I still
APOLLO and tvOS – It Just Works! (...and judges me for binging TV) — mac4n6.com
It’s been a while since I last jailbroke an Apple TV and had a forensic look at it. Using the checkra1n jailbreak , I decided to give it a try. The jailbreak itself was easy and went very smooth. This was using an 4th Gen Apple TV running tvOS 13.4 I wanted to run it through some of my A
Analysis of Apple Unified Logs: Quarantine Edition [Entry 5] – Login Inception!? Yes! – Local Logins! — mac4n6.com
Local logins are created when an already logged in user opens a Terminal window. Each terminal window is a separate ‘login’ process. If you have six Terminal windows (or tabs) open, you have six ‘login’ processes.
Analysis of Apple Unified Logs [Entry 12] – Quick & Easy Unified Log Collection from iOS Devices for Testing — mac4n6.com
Collection of Unified Logs on macOS systems is pretty straight forward. You can use the command, and yes – you do have to be root. sudo log collect  Collection from iOS device is not as obvious. I think most of us are doing the sysdiagnose/AirDrop method which is tricky. Trying to trigg
Analysis of Apple Unified Logs: Quarantine Edition [Entry 7] – Exploring USBMSC devices with --style — mac4n6.com
There are many output styles options for the ‘log’ command. Sometimes the default output may not get you what you want. This article will walk through the various log output styles looking for USB Mass Storage Class devices using the keyword ‘USBMSC ‘. These devices may include thumb drives and exte
Part 2: Step-by-step iPhone Setup for iOS Research (via @bizzybarney) — mac4n6.com
This is a follow-on to the previous post showing how to setup your Mac for iOS testing . If you haven’t read over that one - this article draws assumptions that your Mac is setup in a certain way, or that you know what you’re doing otherwise. Feel free to go read that first, I’ll wait.. Alright, n
APOLLO v1.4 - Now with 'Gather' Function from iOS/macOS and updates to iOS14 and macOS 11 modules — mac4n6.com
I’ve been working hard on a big update to improve core functionality of APOLLO to include methods to gather up the database files needed so they can be extracted from using the APOLLO modules. New APOLLO Functions: ‘gather_macos’ - Automagically finds and collects database files on macOS us
Guest Post by @bizzybarney! A Peek Inside the PPSQLDatabase.db Personalization Portrait Database — mac4n6.com
The DFIR Twitter-sphere exploded this morning when @mattiaep mentioned /private/var/mobile/Library/PersonalizationPortrait/PPSQLDatabase.db. I’ve been doing some research work on this file and plan to present pieces of it during my talk at the upcoming SANS DFIR Summit. I reached out to @iamevltw
New Webinar: Analyzing macOS with BlackLight's APOLLO Plugin — mac4n6.com
I’ll walk you through using BlackLight’s APOLLO plugin to track user application usage (knowledgeC, Power Log and Screen Time), device states, network usage and processes, file quarantine, and application permissions (TCC) on macOS. Webinar is available here. Download APOLLO here.
Analysis of Apple Unified Logs: Quarantine Edition [Entry 8] – Man! What a process!? — mac4n6.com
A quick trick to get more info when you are testing different Unified log examples is to use Terminal’s man page lookup feature. This is useful to provide more context to processes that you may not be familiar with. Perhaps you have something interesting in the eventMessage field and want to know mo