Presentation - #DFIRFIT or BUST: A Forensic Exploration of iOS Health Data (SANS DFIR Summit)

At the SANS DFIR Summit in Austin this year I had the pleasure of presenting with Heather Mahalik on iOS Health Data. We get into data acquisition, database contents, patten of life analysis, workout metadata, locational data, forensic data recreations, and finally tool support (or lack thereof).

Video of it will be out eventually, my Resources page will be updated when that happens, however slides are available below:

Find the presentation here!

Finally we had limited edition custom shirts made with our awesome #DFIRFIT logo by our famous DFIR Photoshopper in Residence Brian Moran. We hope that more of these shirts are made available, keep an eye on Twitter!

As always, the SANS DFIR Summit is a great time and a absolutely fantastic conference. I hope to see you all next year!




Presentation Slides & Demo Videos - Getting Saucy with APFS

I just had the honor of presenting at one of my favorite BSides Conference BsidesNOLA on the State of the new Apple File System (APFS). Sadly, I didn't have the time to go through the demos but I have uploaded them to YouTube and the slides have been uploaded to my Github, as promised.

Slides (PDF)

Mounting an APFS disk in MacOS using xmount

Mounting an APFS disk in SANS SIFT (Linux) using ewfmount

Enjoy! I hope ya'll find it useful! 

Ok Internet, Lets Test this APFS Plaintext Password Bug Properly

There has been some confusion (myself included) on what is vulnerable to this bug and what isn't. Some folks can replicate and some cannot - so I think its high time to test this properly to see what versions and scenarios are affected by this bug.

The table below is sorted by macOS version - I'm just testing 10.13.x here. (If you happen to get it to leak the password on 10.12.x please let me know.) I'm also organizing by disk formatting scenario since I believe this is where most of the confusion comes from.

APFS encrypted volumes can be created on the disk level as well as the volume level and it truly seems to make a difference. Please also test if you find (or don't find) the results in the Unified logs and/or the install.log or neither (and god forbid any other locations you might come across!). I'm also consistently using the "Erase" button versus the "Partition" button.

If I am missing a certain scenario that you think should be added please let me know. If you disagree with the current findings - also let me know (I will also expect screenshots/videos from you to be sure we're on the same page.) I have tested 10.3.3 (host system) and 10.13.4 (VM) but would love someone to sanity check me - I've been wrong in the past!) I would have done more testing on different versions but have a limited set of systems as I'm traveling right now.

I will update the spreadsheet below as necessary.

For previous related blogs see here and here.


pay attention to me cat GIF-source.gif

OMG, Seriously? - APFS Encrypted Plaintext Password found in ANOTHER (More Persistent!) macOS Log File


At some point you just need to stop looking and be blissfully ignorant...this was not one of those days. 

In and update to my previously updated blog article, I have found another instance where the plaintext password was written to system logs. This time I found it in more persistent log. This is actually a worse problem than the one I previously reported on.

The previous examples were found in the unified logs which can hang around for a few weeks, this new example stores the exact same information in the system's /var/log/install.log. I have found that the install.log will only get wiped out upon major re-installation (ie: 10.11 -> 10.12 -> 10.13), therefore these plaintext passwords will hang around for quite a bit longer than a few weeks!  I had entries dating back to when I originally installed High Sierra on this system back in November of 2017! 

Twitter user @sirkkalap, was unable to re-create what I previously reported on. I finally got some time this afternoon to re-test. As it turns out, I was unable to re-create my results from 03/24. I assumed that at some point in the past few days a silent security update was pushed out. I went to my install.log file to investigate further. As far as updates go - the only thing that has potential to be the cause of the fix is a GateKeeper ConfigData update v138 ( I have not investigated if this was the true cause. I have not updated to 10.13.4 yet, this was on 10.13.3.

During this investigations I was VERY surprised to see the same diskmanagementd logs that I had found in the unified logs. Why are they logged in the software installation log at all, I have no clue. It makes absolutely no sense to me.

Uh Oh! Unified Logs in High Sierra (10.13) Show Plaintext Password for APFS Encrypted External Volumes via Disk


UPATE TO THE UPDATE: Similar log entries are now found in another system log that is more persistent, see the article here.

UPDATE: This is still vulnerable on current versions of macOS 10.13.3 when encrypted an ALREADY EXISTING unencrypted APFS volume (versus, creating a NEW volume in original article). Thanks to @moelassus for pointing this out and to @howardnoakley for verifying. My verification test is below. Note that it gets stored in on-disk, collected logs (non-volatile logs).

Original Article Below:

I’ve been updating my course (Mac and iOS Forensics and Incident Response) to use new APFS disk images (APFS FTW!) and came across something that both incredibly useful from a forensics perspective but utterly horrifying from a security standpoint. Screenshot below of my course disk image.

It may not be noticeable at first (apart from the highlighting I’ve added of course), but the text “frogger13” is the password I used on a newly created APFS formatted FileVault Encrypted USB drive with the volume name “SEKRET”. (The new class images have a WarGames theme, hence the shout-outs to classic video games!)

The newfs_apfs command can take a passphrase as a parameter using the mostly undocumented “-S” flag. It is not documented in the man page.

However when run without parameters, it will show it.

I tried to recreate this scenario on my current system running 10.13.3 but was unable to do so therefore I believe this bug has been addressed. I was however able to recreate it on a 10.13 system (the image screenshot above is from a 10.13.1 system.) I have not tried it on a 10.13.2 system as I do not have one easily available. I will update this blog if someone can test it for me. UPDATE: Thanks to @ranvel (screenshot) and @applechinfo (video) for testing, it has also been fixed in 10.13.2. 

I haven’t done as much testing as I would like (I’m running up against a course update deadline after all!), but I did want to get this out immediate so it can be used for various investigations. I used the following steps to recreate this my 10.13 system.

Created a “clean” flash drive formatted “Mac OS Extended (Journaled)” using Disk (Quick testing shows other base formats should work similarly.) It is the Kingston DataTraveler drive labeled “Untitled” below.

Next I used the menu option “Erase” to create an Encrypted APFS volume on the drive, shown below named “SECRET_USB”. (In my testing it works the same if I go through the “Partition” options and do the same general process. The “Partition” method did error out, however it still appears to be an encrypted USB drive and the logs are the similar.)

Select “Erase” and wait until it has completed.

I used the following command to watch my unified logs in the Terminal while the process above was doing its thing:

log stream --info --predicate 'eventMessage contains "newfs_"'

…and there we have it, a plaintext password! (For better or worse.)

If anyone else does further testing I would love to know the results! Send me a message on Twitter or through my contact page!