presentation

APOLLO v1.4 - Now with 'Gather' Function from iOS/macOS and updates to iOS 14 and macOS 11 modules

I’ve been working hard on a big update to improve the core functionality of APOLLO, including methods to gather up the database files needed so that data can be extracted from them using the APOLLO modules.

New APOLLO Functions:

  • ‘gather_macos’ - Automagically finds and collects database files on macOS using modules.

    • Any directory, mounted volume, etc.

    • Ability to ignore certain directories

  • ‘gather_ios’ - Automagically finds and collects database files on jailbroken iOS devices using modules.

    • IP and Port Required

    • Ability to ignore certain directories

  • ‘extract’ - Nearly the same as before, rips through all the databases and extracts data via the SQL queries in the modules.

    • Improved CSV output

    • New JSON output within SQLite database

I’ve also updated many modules for iOS 14 and macOS 11. I’ve got more updates planned, however I still need to tweak, research, and test before I release.

You can see the new workings of the tool in my OSDFCon presentation - “Go for Launch: Getting Started with Practical APOLLO Analysis”.

And for pure fun(!) a bonus Halloween themed presentation with “Getting Spooky with Apollo” that I did for a Fortego F-Con Lightning Talk. 👻🎃

New(ish) Presentation: Poking the Bear - Teasing out Apple's Secrets through Dynamic Forensic Testing and Analysis

I had the wonderful opportunity to give this presentation at two great conferences in October: Jailbreak Security Summit and BSides NoLA. Unfortunately, I was going on an extended vacation almost immediately after, so I forgot to post this to the site. I had a strict self-imposed no-laptop policy for this vacation, so it would just have to wait. FWIW: Everyone should take a vacation that is [mostly] offline, very refreshing!

The presentation is here, and the video of the presentation from the Jailbreak summit is here. Both of these links are also available in the Resources section of this website.

While I was off exploring Southeast Asia (see my Twitter feed for those updates), there have been some major updates to iOS jailbreaking that are worth a mention with this posting. The Checkm8 exploit was one of the major points of discussion during this presentation, as it was going to be a game changer for this type of analysis.

While I was drinking fruity drinks with umbrellas in them, the public jailbreak came out - Checkra1n. I almost broke my no-laptop policy when this happened, but I held back - someone else would write about it. Fortunately my good friend Mattia Epifani has written some fantastic blogs about using this in the forensic realm. I highly recommend reading through these.

iOS Device Acquisition with checkra1n Jailbreak [Elcomsoft & Mattia]

Checkm8, Checkra1n and the new "golden age" for iOS Forensics [Mattia]

Checkra1n Era - Ep 1 - Before First Unlock (aka "I lost my iPhone! And now?") [Mattia]

Checkra1n Era - Ep 2 - Extracting data "Before First Unlock" (aka "I found a locked iPhone! And now?") [Mattia]

Checkra1n Era - Ep 3 - Automating extraction "Before First Unlock" (aka "Give me a stupid bash script!") [Mattia]

New Presentation from SANS DFIR Summit 2019 - They See Us Rollin', They Hatin' - Forensics of iOS CarPlay and Android Auto

Heather Mahalik and I teamed up again this year at the SANS DFIR Summit to present on iOS CarPlay and Android Auto.

Presentation is here. Will post a link to the video when it’s available.

Always a good time and love seeing friends every year. Still one of my favorite conferences! It was a nice surprise winning a couple of Forensic 4cast awards too! Thank you for your votes! ☺️

New Presentation from MacDevOpsYVR 2019 - Launching APOLLO: Creating a Simple Tool for Advanced Forensic Analysis

I had the pleasure last week to attend MacDevOpsYVR in Vancouver, Canada. While I barely saw the city, I got to hang out with some awesome Mac Sys Admins and Dev Ops people. I’ve not been to a conference outside of Security/Forensics before so it was a delight to see the types of presentations and insight these fine folks had to offer.

The presentation includes how my APOLLO project has evolved over the last few months since it was introduced in November, 2018. I also go through some of my real-life pattern-of-life examples from my iOS 12 device. We talked about everything, including my health, moving bodies (and chopping them up!), taking selfies, and how much I will spend for good food. Once the video is released I will be sure to upload a link to it; it will certainly provide more (humorous) context to the slides. [Edit 06/18/2019 - Video here!]

A unique addition to normal conference presentations was the use of a graphic recorder (Ashton of Mind’s Eye Creative) to provide additional context to the presentations. She records in real time key points of each presentation and does an absolutely fantastic job at it. This allows for additional context for discussions after the presentation with fellow attendees. Example of my talk is below:

As always, my presentations are available on my Resources page.

Direct Link to the presentation is here!