Apple iOS Diagnostic Capabilities

Apple has put out a new tech note titled “iOS: About diagnostic capabilities”. It summarizes “com.apple.mobile.pcapd”, “com.apple.mobile.file_relay”, and “com.apple.mobile.house_arrest”. The document states what use each has and why they are included on iOS devices.

Don't let an iOS device restart

iOS devices have excellent hardware- and software-based security. The latest iOS devices have, so far, no known hardware flaws, so “physical imaging” is not possible. In addition, file-level encryption causes one specific headache for many of us. When an iOS (5 and later) device with a pin code starts, the first screen presented after reboot is the pin code screen. At this point there is no way to perform a logical acquisition of the device, even if you hold a valid pairing certificate for it. The protection level Protected until Open means one must unlock the iOS device once, and then many files become accessible. The number of files available at any given time varies, again because of file-level encryption and the points at which files become encrypted again. So, this reminder: NEVER let an iOS device lose power, forcing it to restart. If you don’t know the pin code, upon power-up you will not be able to do any collection.

UPDATE: This does not prevent file-relay communication with the iOS device; however, it will not return data that is protected until first unlock. iTunes backups occur over Apple File Relay (AFC), which was the initial intent of this blog post. Thanks to Austin Colby of BlackBag Technologies for this tip.

Resetting an Airport base station

I just had a question come in about accessing an Airport Base station when the password is not known. Apple has a tech note (HT3728) for “Resetting an Airport base station”. This article gives temporary access to the device without clearing settings or logs. I also added this to our select Apple Technical Documents bookmarked on this site.

Network Utility on your Portable Workstation

As a part of the Portable Forensic Workstation we set up earlier, a utility from Apple is included. The Network Utility is rather powerful and can be used for many areas of interest in a case. This OSXDaily article describes its functions quite well.

Stellar introduces Mail Converter for the Mac

MacTech is reporting that Stellar has released a new application to convert email to common formats. This can be especially handy with the Microsoft Outlook format for analysis.

Focus Files updated

I have just updated the OS X Focus Files and iOS Focus Files with additional paths from questions I have received lately. Please feel free to email any additional file locations you would like shared with the community. The files listed on each page are common to most analysis performed for each of the operating systems.

Portable Forensic Workstation revisited

A while back, I wrote an article on creating your own “Portable OS X Workstations”, allowing any person assigned to triage or analysis to boot and view any Mac in a safe manner. Times have changed! It is time to revisit the concept and create the best portable solution to protect, collect, and image ANY evidence we come across. Let’s create a current Portable Triage and Analysis Workstation.

BlackBag Technologies releases SoftBlock 1.0.7

BlackBag Technologies has released their latest version of SoftBlock for OS X. This low-level kernel extension allows a Mac to be safely used as a triage or imaging device without threat of evidence alteration. Using SoftBlock and the “Thunderbolt Target Disk Mode” allows for extremely fast 10Gb/s (or 20Gb/s on Mac Pro) triage and imaging of evidence.

Apple posts LE guide

Apple has posted a guide to the requests they receive and the data they return under court order. The guide shows what can and cannot happen with data stored on a device as well as data stored on their servers.

Boot Camp and Thunderbolt

Boot Camp, Windows and Thunderbolt have not been the easiest technologies to combine. Today I located a Knowledge Base article from Apple regarding usage of Thunderbolt devices after upgrading from Windows 7 to 8. The article, titled “Boot Camp: Thunderbolt devices not recognized after Windows 8 upgrade” helps a bit for items that were once working and may not after the update. ZDNET has an article from September of 2013 regarding Thunderbolt and Windows compatibility that may be of interest also. If you are looking to use the Apple Thunderbolt to Ethernet adapter, there is a community discussion related to drivers. As of today, it appears drivers are still written by specific manufacturers for specific devices, and there is no all-encompassing Microsoft driver for the Thunderbolt port.

MacQuisition 2014R1 released

BlackBag Technologies has updated MacQuisition to version 2014R1. Notable is faster targeted collection, compatibility for OS X 10.9 and improved user authentication process. MacQuisition is a live OS X incident response tool as well as a bootable flash drive for imaging.

Passware updated for OS X 10.9

Passware Inc. has updated Passware to version 13.1. Notable is the extraction of OS X 10.9 Mavericks user passwords from live memory images, additional GPU acceleration, support for Quickbooks for Mac, and a Mobile Forensics section.

SeV Expedition Jacket

SCOTTeVEST (SeV) has sent their Expedition jacket for a run with digital forensic gear. This 37 pocket jacket was a pleasure to review, and we are very happy for the new sponsorship from SeV. Read the full article here.

Apple knowledgebase on iCloud Security

Apple’s KB article on iCloud Security discusses the levels and strength of encryption used for both storage and in-transit data.

EPPB updated

Elcomsoft has updated Phone Password Breaker; it now fully supports the new iCloud backup encryption introduced in iOS 7.1, including 3rd-party app data (such as WhatsApp, Skype, Viber, etc.).

Spotlight Inspector has been updated

Spotlight Inspector has been updated to v1.1 beta. This version includes notable features such as speed improvements, bug fixes, and refinements for specific data types.

SANS Mac Forensic Class

SANS is offering a new class, FOR518, a Mac forensic class authored by Sarah Edwards.

1Password updated with 20 new features

1Password, the secure storage application for OS X and iOS has been updated to version 4.2 on the Mac. This includes many new features. This is a first mention on AppleExaminer for this app. It has always been a great security app. With the new features, one can now store more objects within the encrypted database that can be case notes, pictures, or other items.

Emailchemy v12 is out with more features

Emailchemy v12 (v12.1.1 is current) is out with full native support for Microsoft Outlook 2011 for Mac, and a new data de-duplication feature. See their website for full details.

AppleExaminer Store Updated

We have just updated our AppleExaminer Store to note some of the latest technology to help with any analysis. Notably, Thunderbolt Docks, storage arrays, and drive bays have been added. Thank you for your continued support in using our Amazon Store links.

Apple releases 2 white papers of interest

Apple has posted 2 white papers that make for interesting reference guides at the very least. The first is “iOS Security” Feb. 2014 and the second is “Secure Coding Guide” Feb 11, 2014.

EXT driver for OS X

Paragon, known for its NTFS for OS X driver and its HFS driver for Windows, has just released EXT for OS X, a driver allowing read/write access to EXT 2/3/4 formatted volumes. As always, test such products for compatibility to make certain they aren’t changing your evidence.

"What is '/var/folders'" by Jason Reynolds

A blog post titled “What is ‘/var/folders?’” has been posted by Jason Reynolds. It is a great read for analysts as well as the intended audience of system administrators.

BlackLight 2014R1 released

BlackBag Technologies has released the latest version of BlackLight. New in version 2014R1 are the “Unified Messaging” view, improved SQLite database recovery (including all fragments from the database and the write-ahead log), rendering of the “Crushed PNG” format, and specific updates for Mavericks 10.9 compatibility. See their website for full details.

Elcomsoft iOS Forensic Toolkit updated

Elcomsoft has released the latest version of Elcomsoft iOS Forensic Toolkit (EIFT). Physical acquisition support is now available for jailbroken devices running Apple iOS 7, including iPhone 4S, 5 and 5C, iPad 2nd to 4th gen, iPad Mini, and iPod Touch 5th gen, that either have no passcode protection or carry a jailbreak installed. In addition, the new release adds support for the previously unavailable iOS versions 6.1.3 through 6.1.5.

Oxygen Forensic Suite - Passware Edition

Passware and Oxygen have partnered to create a new edition of Oxygen Forensic Suite. This enhancement allows for the decryption of encrypted iOS backups and direct analysis within Oxygen. More info is available at the Passware website.

Focus Files updated

We have updated our Focus Files for OS X with some of the newest locations in which to find various data when conducting an analysis.

User Library Folder

The User Library Folder is one of the most important locations to find evidence for any case. In this article, we show its location, and how different versions of OS X have allowed access to this important location.

Extended Attributes

Extended attributes are extra information about a file or folder that can greatly change its function or appearance. In this article, we explore how to view and interpret extended attributes on OS X.

Recon from Sumuri released

Sumuri LLC has released Recon, a new application to triage OS X evidence. The application is preconfigured to find evidentiary artifacts on OS X 10.7 and later. More details can be found at their website.

iBored updated to v1.1.17

iBored, the free disk viewing and editing utility, has been updated to v1.1.17. This app allows for a low level look at each disk sector, “templates” for sector views, and extraction of sectors for bad disk recovery.

UFED Physical/Logical Analyzer 3.9 released

Cellebrite has released UFED Physical/Logical Analyzer v3.9 with support for iOS 7.0.x keychain decryption, viewing of creation, modification and access timestamps of extracted files, and the ability to open an encrypted DMG with a known password using the Open Advanced function.

Passware Kit Forensic updated for better FileVault 2 support

Passware has updated its “Passware Kit Forensic” with better support for FileVault 2 decryption, notably GPU usage. See their website for a full list of features as well as other decryption products available.

BlackLight 2013R3 released

BlackBag Technologies has released BlackLight 2013R3 for both Windows and OS X. This release includes a new Social Media view, new Locations view, new Data Interpreter window, additional Messaging support, and a revamped Device Status window. See the BlackLight webpage for all details.

UFED Physical/Logical Analyzer 3.8.7 released

Cellebrite has announced version 3.8.7 of their physical/logical analyzer with “physical, file system and advanced logical” extractions from “selected locked and unlocked” Apple devices. See their website for full details.

Find Any File updated

Find Any File from Thomas Tempelmann has been updated with more capabilities for searching the Mac file system. This tool does not use Spotlight indexes and will search areas Spotlight does not. It searches for files by name, not content. See the website for full details and other useful utilities.

Virtual Disk Conversion

This article, “Virtual Disk Conversion - Converting Parallels or Fusion VMs” shows how the application disk format can be normalized to a ‘raw’ or ‘dd’ format for use within any analysis application. While many analysis applications support some virtual disk formats, it can be very useful to have the raw format for usage outside of the analysis application, and within the operating system environment directly. This article discusses the use of the free “qemu” software and how to perform the conversion.

Disk Layout and CoreStorage

In this article, Disk Layout and CoreStorage, we discuss the disk layouts one might encounter on a Macintosh. Specifically, we explore Disk Utility, file systems, partition layouts, and CoreStorage. Further, we examine the effect on imaging each type has and how best to collect data for analysis.

SQLite deleted record python script

A great article titled, “Python Parser to Recover Deleted SQLite Database Data” has been posted by Mari DeGrazia on her website. As a part of the article, the python script is available for download.
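As an added illustration of the technique (an example written for this page, not Mari DeGrazia’s script), the Python below carves printable strings from the free space of SQLite table pages: the unallocated gap between a page’s cell-pointer array and its cell content area, plus the freeblock chain left behind when rows are deleted. The sample database, its table name and its row text are constructed inside the block; secure_delete is switched off explicitly because builds with it on overwrite freed bytes with zeros, which is exactly the case where this kind of recovery fails.

```python
import re
import sqlite3
import struct
import tempfile

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # runs of 4+ printable ASCII bytes

def free_regions(page, hdr_off):
    """Yield (start, end) ranges of one table b-tree page that hold no live cell."""
    flag = page[hdr_off]
    if flag not in (0x0D, 0x05):          # 0x0D table leaf, 0x05 table interior
        return
    first_free, ncells, content = struct.unpack(">HHH", page[hdr_off + 1:hdr_off + 7])
    ptr_end = hdr_off + (8 if flag == 0x0D else 12) + 2 * ncells  # end of cell pointer array
    content = content or len(page)        # a stored 0 encodes 65536
    if content > ptr_end:                 # unallocated gap before the cell content area
        yield ptr_end, content
    seen = set()
    while first_free and first_free not in seen and first_free + 4 <= len(page):
        seen.add(first_free)              # guard against a corrupt, looping freeblock chain
        nxt, size = struct.unpack(">HH", page[first_free:first_free + 4])
        yield first_free + 4, min(first_free + size, len(page))  # body after the 4-byte header
        first_free = nxt

def carve_free_space(db_path):
    """Return printable strings found in the free regions of every page of the file."""
    with open(db_path, "rb") as fh:
        data = fh.read()
    raw = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if raw == 1 else raw
    hits = []
    for pno in range(len(data) // page_size):
        page = data[pno * page_size:(pno + 1) * page_size]
        hdr_off = 100 if pno == 0 else 0  # page 1 begins with the 100-byte file header
        for start, end in free_regions(page, hdr_off):
            hits += [m.group().decode("ascii") for m in PRINTABLE.finditer(page[start:end])]
    return hits

def demo():
    # Constructed sample: insert three rows, delete the middle one, carve it back.
    path = tempfile.mkdtemp() + "/sample.db"
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")  # with it ON, SQLite zeroes the freed bytes
    con.execute("CREATE TABLE msgs(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO msgs(body) VALUES (?)",
                    [("kept message one",), ("deleted-evidence-row",), ("kept message two",)])
    con.commit()
    con.execute("DELETE FROM msgs WHERE body = 'deleted-evidence-row'")
    con.commit()
    con.close()
    return carve_free_space(path)
```

The recovered string carries one leading byte of record header (the text serial type) because the freeblock header overwrites only the first four bytes of the dead cell; a WAL file or a VACUUM will change what survives.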

BlackLight and free training

Today, I wanted to pass along great news to all of my AppleExaminer readers. BlackLight from BlackBag Technologies is available to anyone who works in the digital forensics sector, free for 30 days by simply visiting their website and clicking on BlackLight. You will see the “Request a Demo” button on this page. BlackLight runs on both OS X and Windows, and can analyze Windows, iOS and OS X.

Likewise, the BBT-320 class is free to law enforcement! This is a 2-day class that will take you through every feature of BlackLight, with a certificate at the end as well. This class is a bit ‘near and dear’ to me, as I helped make this real-life analysis. At the end of class, you will have analyzed a Mac with both OS X and Windows, along with 2 iOS backups. Thank you again for being an AppleExaminer reader.

Lastly, if you are a BlackBag customer (training or software), make sure you request their free tools to download. They are invaluable during any analysis.
