blog

Making it Rain on this Labor Day – Giving Back to the DFIR and Security Communities

In the spirit of our American holiday Labor Day, where normal people might be watching a parade, barbecuing, and shopping Labor Day deals - I’ve decided to forgo the crowds the mall and give back to the community, monetarily. (BBQ is still fair game.) 

Donating is of those things that can easily be put off, and put off, and put off. Tomorrow's holiday is a perfect day to celebrate the contributions of folks who work on research and software in my communities that I use all the time.

First up is Patrick Wardle’s Objective-See Tools and Blog. I’ve been reading his research and using (and recommending) his tools for years. His Patreon site is here. Uniquely, his Patreon donators can attend his new Objective by the Sea Mac security conference in Maui for free (as if you need more excuses)! I’m really stoked to be able to attend and speak there myself!

Next is a tool that I’ve come to love and use daily, DB Browser for SQLite. Doing mainly Mac and mobile forensics (yes, I do Android too! Shh, don’t tell anyone, it’ll ruin my Apple street cred), I use this seriously every single day. I appreciate that its multi-platform and really allows me to dig into SQLite databases. The tool has really improved greatly in the last few years. They recently introduced their Patreon

Back to blogs - I decided to throw some Dollarydoos towards my Aussie friend and insane blog aggregator Phill Moore. Phill takes the time each week read and comment on hundreds of blogs and organizes them to give DFIR folk a quick and easy way to catch up with what’s going on in the community on his thisweekin4n6.com blog. He also condenses some of this information in a monthly podcastHis Patreon for his podcast is here.

Finally, I will end on more tools – Jailbreaks! I use all sorts of jailbreaks for forensic research. In no way could I have done much of my current iOS research without the contributions of Meridian and LiberiOS jailbreaks for iOS 10 and 11. I depend on jailbreaks to provide me with full file system access, so I can dive into various databases and third-party app data that isn’t backed up with a normal iTunes backup. These can be forensic gold mines and without jailbreaks those of us in the forensic community likely wouldn’t have a chance to know or capture the data contained within them. Ben Sparks (Meridian) has a donate link on his page. Jonathan Levin (LiberiOS) advertises (upon successful jailbreak) to donating to the charity of your choice using the hashtag #LiberiOS. I chose Girls Who Code.

I encourage everyone who uses something (tool, research, whatever) and appreciates it to give something back – whether it be additional research, donations, a drink, or a simple ‘hey, this really helped me’ kind of message (you’d be surprised the warm fuzzies this can give to a frustrated researcher!). FWIW - I prefer a cool story involving my research/tools alongside a drink.

 
 

Script Update - Mac MRU Parser - Spotlight Shortcuts & BLOB Parsing!

Get the script here!

Added in Spotlight Shortcuts

I've updated my macMRU.py script to parse the Spotlight Shortcuts plist file that I consider to be very MRU-like. This plist file contains what the user typed into the Spotlight search window, what they clicked on, and when this all occurred. You can find artifacts of application usage, documents, emails, photos, etc.

Bookmark and Alias BLOB Parsing

The second part of the update (and probably the most requested!) was to add in arguments to allow the analyst to see the parse out the Bookmark and Alias BLOB data. Previously the script only had an option to show the BLOB hexdump. Using mac_alias [download here], the script can now parse these BLOBs. This comes with a caveat, this script relies on the documented structures by others (with a few minor changes by my own research). These have not been officially documented by Apple therefore YMMV. Many of us are still researching these, hopefully this script will help the process! This update provides three new arguments:

  • --blob_hex = This is the same as what --blob was before. Just a hexdump of the BLOB data.
  • --blob_parse_raw = This shows the raw output from mac_alias, not exactly the easiest to read but good for debugging.
  • --blob_parse_human = This shows the pieces of the BLOBs in a (mostly) human-friendly (example below).

I want to say thank you to a few folks that allowed these additions to be made:

  • Alastair Houghton & Wim Lewis - For mac_alias and the reversing the Alias/Bookmark structures. I took a shot at it years ago and gave up, really appreciate someone else's effort!
  • Phill Moore of thisweekin4n6.com - You'll notice some support for legacy keys in the com.apple.recentitems.plist have also been added in this update thanks to Phil and his oddly old MRUs files! :) I also appreciate his testing of this tool on Windows also. (Sorry Phil, didn't get a chance to test it on Windows yet!) 
  • Shout out to Patrick Olsen for his work on Alias V3 structures. Unfortunately I did not get to use his research - turns out V3 Alias BLOBs do not get used in any of the MRUs that I'm parsing in this script (they are all V2)! Maybe in the future!