With WWDC happening this week there has been lots of Apple/Mac news, so I figured I would take this opportunity to put out a list of links and videos that I found worthwhile to read/watch. I hope to do this at somewhat regular intervals so keep an eye out for them! A good portion of these I’ve already tweeted out – but I’ve been told not everyone is on Twitter so here you go!

Videos:

WWDC Videos can be streamed on various Apple devices or thru the Safari browser – for you Windows folks, you can download them in the ‘Resources’ section of each link below. All videos can be accessed from the main page here, https://developer.apple.com/videos/wwdc2016/. I will highlight some of the videos I think are particular useful.

• WWDC Keynote – A good overview of what’s to come - ‘OS X’ is changing to ‘macOS’, macOS Sierra (10.12), iOS 10, watchOS 3, etc!
• Apple File System (APFS) – Yup, we’re getting a new file system! (I’m both excited and terrified! Lets hope for good documentation from Apple!)
• How iOS Security Really Works – Main points from iOS Security Guide
• What’s New in Security – Network Security & Gatekeeper

Blogs Articles & Other Web Links:

• Mari’s DeGrazia’s Another Forensic Blog - How to image a Mac with Live Linux bootable USB
  • I’m really looking forward to her Mac imaging blog series!
• BlackBag Tech Blog - Using Blacklight with F-Response's Universal/Now
• evad3rs.net - How to Install macOS Sierra on a Mac
• mikeroysoft.com - Installing the new macOS 10.12 Sierra ‘Developer Preview’ on VMware Fusion 8
• Apple Developer Docs on Apple File System (APFS)

 Tools:

• Macholibre - Mach-O & Universal Binary Parser

Upcoming Classes & Presentations:

I’ll be teaching my SANS FOR518 – Mac Forensic Analysis class at the following conferences, there are some bonus @Night presentations as well! I hope to see many of you at one of these conference some day!

SANS DFIR Summit Presentations in Austin, TX. There is still time to sign up for this one, starts next week! The DFIR Summit is one of my favorite conferences of the year! I like to call it Summer Camp for Digital Forensicators! 

• Summit Presentation - The iOS of Sauron - How iOS Tracks Everything You Do on Thursday this week.
•  @Night - iOS Location Forensics on Monday this week.

SANS Virginia Beach (Aug 28 – Sept 2) - This conference is right on the beach and makes it a really nice one to go to at the end of the summer season. Class during the day, walking the boardwalk in the breezy late summer evening! 

• @Night – The iOS of Sauron- How iOS Tracks Everything You Do

SANS Network Security (Sept 12 – 17 in Las Vegas, NV) - Vegas is always a good time, and the weather in September isn’t too shabby either! 

• @Night – The iOS of Sauron- How iOS Tracks Everything You Do

DFIR Prague (Oct 3 –  8 in the Czech Republic) - Stay for the Summit on the 9th!

SANS Cyber Defense Initiative (Dec 12 – 17 in Washington, DC)

• @Night – The iOS of Sauron- How iOS Tracks Everything You Do

SANS Cyber Threat Intelligence Summit (Jan 25 – 30 in Arlington, VA)

Similar to my iOS Frequent Locations Dumper script, I wanted to extract the iOS locations that are stored in various SQLite databases and review them in CSV and KML output to make analysis easier. You can get the Python script here: https://github.com/mac4n6/iOS-Locations-Scraper

iOS is storing location data (Lats/Longs) in a variety of databases that are only accessible via physical access using a Jailbreak. Each database contains slightly different location data from Cellular (ie: LTE/CDMA), to Wi-Fi (war-driving type data), to application specific (Yelp, see example below). I still have quite a bit of research to do in this area to determine what all these points mean and how they are generated, and how long they persist for - thus a script needed to be created to make my life easier.

/private/var/mobile/Library/Caches/com.apple.routined/cache_encryptedB.db

/private/var/root/Library/Caches/locationd/

• cache_encryptedA.db
• cache_encryptedB.db
• lockCache_encryptedA.db

The new iOS Locations Scraper script takes these extracted databases from a directory, looks at each table for a column labeled ‘Latitude’ and extracts the tuple data and writes it into a CSV and/or KML file. Examples of these files are shown below.

An example of the CSV output:

An example of the KML output in Google Earth (Note: A KML file can be opened in a variety of different tools):

CAVEAT: I wanted to make sure that I put this caveat out there. Some locations are fairly exact to where the device was located at a certain time, however others are more of a general location area (ie: cell tower location). The KML example above shows location artifacts from one database table (cache_encryptedA.db, LocationHarvest) in relation to the Yelp application. That's my iPhone tracking my location when I was using the Yelp app this weekend. (Pretty neat huh?)

For more iOS location-based information take a look at some of my other presentations:

iOS Location Forensics

The iOS of Sauron – How iOS Tracks Everything You Do

Yesterday I did a SANS webcast on iOS Location Forensics. The recording is not up yet, however I will update this blog when it is.

You can find the slides for the presentation here.