Mac News & Updates - 08/11/16

August 11, 2016 in update, iOS, osx

Blogs

[LINK] Another Forensics Blog - How to image a Mac using Single User Mode
[LINK] Another Forensics Blog - Mounting and Reimaging an Encrypted FileVault2 Mac Image in Linux
- More great Mac imaging articles from Mari!
[LINK] The Eclectic Light Company - Tools to calm your panic, and to protect
- Great overview of Objective-See's tools
[LINK] Pike's Universum - Say hello to new logging in Sierra
- New and different logging stuff in macOS Sierra, this is BIG for DFIR folks!
- [LINK] Additional information in the Apple Developer Docs
- [VIDEO] Video from WWDC
- [PDF] Slides from WWDC
[LINK] BlackBag Technologies - Acquiring iOS 10 Devices with Blacklight
- Yep, iTunes backups change too!
[LINK] Sysforensics.org - Mac DFIR - HFS+ Date Added Timestamp

Papers

[LINK/PDF] Detecting Malicious Behaviour Using system Calls by Vincent Van Mieghem

Presentations

[VIDEO/Keynote] OS X Security - Defense in Depth by Rich Trouton
[VIDEO/PDF] Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao, Slides here.
[VIDEO/SLIDESHARE] Let's Play Doctor: Practicle OS X Malware Detection & Analysis by Patrick Wardle, Slides here
[PDF] Apple's BlackHat Slides - Behind the Scenes with iOS Security by Ivan Krstic
[SPEAKERDECK] I Got 99 Problems, but Little Snitch ain't one! by Patrick Wardle

Tools

[LINK] MacMRU Parser - Python script to rip thru Mac MRU plist files, old and new ones!
- [LINK] Blog article here. What, I can't link to my own stuff? ;)
[LINK] Pangu Jailbreak is out for 9.2 - 9.3.3 (64-bit) devices

Malware

[LINK] OS X & IOS RE 101 - Reverse Engineering OS X/iOS Resources
[LINK] OS X Adwind Malware Analysis by Malwarebytes
[LINK] Objective-See - Persisting via a Finder Sync
[LINK] Open Source OS X Keylogger - keylogger-osx
OSX/Keydnap - Keychain/Credential Stealer/Backdoor
- [MALWARE!] Sample (via Objective-See, passwd: infect3d)
- [LINK] ESET Analysis

My Upcoming Classes & Presentations:

I’ll be teaching my SANS FOR518 – Mac Forensic Analysis class at the following conferences, there are some bonus @Night presentations as well! I hope to see many of you at one of these conference some day!

[LINK] SANS Virginia Beach (Aug 28 – Sept 2) - This one is coming up soon! This conference is super chill and relaxed, and you get to watch fighter jets from the beach!

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS Network Security (Sept 12 – 17 in Las Vegas, NV) - Missed Vegas for Blackhat or DEF CON? Didn't get enough of it? Join me...if you're feelin' lucky! :)

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS DFIR Prague (Oct 3 – 8 in the Czech Republic), Stay for the Summit on the 9th!

[LINK] SANS San Francisco (Nov 27 – Dec 2)

@Night – iOS Location Forensics

[LINK] SANS Cyber Defense Initiative (Dec 12 – 17 in Washington, DC)

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

[LINK] SANS Cyber Threat Intelligence Summit (Jan 25 – 30 in Arlington, VA)

@Night – The iOS of Sauron- How iOS Tracks Everything You Do

Script Update: Dump iOS Frequent Locations – Now with KML & CSV Output!

January 24, 2016 in iOS, scripts, update

Update Details

I have added some output options to the script – CSV and KML.

See a related post here - "Parsing iOS Frequent Locations"

The script can now be called with a ‘-output’ argument with the following options:

k – KML Output only
c – CSV Output only
e – Everything (KML and CSV)

Note: The verbose script output is still available from standard output.

Usage

python dump_freq_locs.py –output e <StateModel#.plist>

Updated script (v1.1) is available in GitHub

Output Examples

Example of the CSV output in Excel

Example of the KML output in Google Earth

Example of the KML output in Google ‘My Maps’

Updates - June 2014

June 14, 2014 in update

A few updates to the website:

Resources Section:

The Resources section now contains the Synalyze It! grammars for HFS+ that I created. Just a reminder – these are work in progress; I will update them as needed.

Also in the Resources section is the most current version of my presentations. If you attended one of my presentations in the past and want that specific copy, please feel free to contact me.

Reverse Engineering Mac Malware – A basic walk though of static and dynamic reverse engineering of Mac malware on a Mac. Approximately 20% static, and 80% dynamic analysis. No assembly knowledge needed!
When Macs Get Hacked – Intrusion analysis on the Mac - where and what to look for to find Mac malware doing a dead-box forensic analysis.
Analysis and Correlation of Mac Logs – Mac systems log a ton of data! This presentation helps correlate this information with other system artifacts to give the analyst a better view of what happened on the system.

Training & Events:

I will be teaching my FOR518: Mac Forensic Analysis at the SANS DFIRCON East 2014 conference in Ft. Lauderdale, Florida in early November. Visit here for more information.

Just a reminder, I will also be co-teaching FOR518: Mac Forensic Analysis with Hal Pomeranz at the following locations in the Fall:

On a budget? If you are looking to get into FOR518: Mac Forensic Analysis at HALF-PRICE(!), seats are still available in the second beta of the class in San Jose, CA in July. Sign up soon! Sign up here. I will be attending the class, while the great Unix god himself – Hal Pomeranz teaches. I assure you he will drop some serious command line kung fu upon us.