Slides and Script! From Apple Seeds to Apple Pie & Introducing APOLLO: The Apple Pattern of Life Lazy Output'er

I had the privilege and honor to present at the first ever Objective by the Sea Mac Security Conference yesterday in Maui (hardship, right?). It was only the first day and it was absolutely spectacular, I may have to make this one a regular! I can easily recommend attending this conference.

I presented From Apple Seeds to Apple Pie - an Apple Pattern of Life talk (mostly focused on iOS devices). You can find the slides in my Resources section.

I also just released a (very) beta version of APOLLO (Apple Pattern of Life Lazy Output’er) on my GitHub page. The TL;DR of the script: Take all the creepy databases that Apple writes events to, perform individual SQL queries on them to pull out investigatively useful data, and combine them into another SQLite database for easier/quicker analysis and correlation.

This script and its modules are still in the testing phases so please be careful when using this on real cases. Expect more modules and testing to be released; I’m holding some back due to some timestamp issues and others are partially written up.
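The query-and-combine workflow described above, as an added sketch that is not APOLLO's code and not from the original post: each module runs one SQL query against one source database, and the rows are merged into a single SQLite timeline. The module list, table names, column names and sample rows are all constructed for illustration; the only Apple-specific fact used is that Mac absolute timestamps count seconds from 2001-01-01 UTC.

```python
import sqlite3
from datetime import datetime, timezone
MAC_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 UTC

# Hypothetical modules: one query per source database, each returning (ts, detail)
# where ts is a Mac absolute timestamp. Table and column names are constructed.
MODULES = [
    {"db": "app_usage.db", "activity": "App In Focus",
     "sql": "SELECT start_time, bundle_id FROM app_focus"},
    {"db": "device_state.db", "activity": "Lock State",
     "sql": "SELECT event_time, CASE locked WHEN 1 THEN 'locked' ELSE 'unlocked' END FROM lock_events"},
    {"db": "device_state.db", "activity": "Battery Level",
     "sql": "SELECT event_time, level FROM battery"},  # table absent in the sample
]

def sample_sources():
    """Constructed in-memory stand-ins for databases pulled from a device."""
    usage = sqlite3.connect(":memory:")
    usage.execute("CREATE TABLE app_focus (start_time REAL, bundle_id TEXT)")
    usage.executemany("INSERT INTO app_focus VALUES (?, ?)",
                      [(573350400.0, "com.example.maps"), (573350460.0, "com.example.chat")])
    state = sqlite3.connect(":memory:")
    state.execute("CREATE TABLE lock_events (event_time REAL, locked INTEGER)")
    state.executemany("INSERT INTO lock_events VALUES (?, ?)", [(573350430.0, 0), (573350490.0, 1)])
    return {"app_usage.db": usage, "device_state.db": state}

def combine(sources, modules):
    """Run each module's query and merge the rows into one timeline database."""
    out = sqlite3.connect(":memory:")
    out.execute("CREATE TABLE timeline (utc TEXT, activity TEXT, detail TEXT, source TEXT)")
    skipped = []
    for mod in modules:
        try:
            rows = sources[mod["db"]].execute(mod["sql"]).fetchall()
        except (KeyError, sqlite3.Error):  # database missing or schema differs
            skipped.append(mod["activity"])
            continue
        for ts, detail in rows:
            utc = datetime.fromtimestamp(ts + MAC_EPOCH_OFFSET, tz=timezone.utc)
            out.execute("INSERT INTO timeline VALUES (?, ?, ?, ?)",
                        (utc.strftime("%Y-%m-%d %H:%M:%S"), mod["activity"], str(detail), mod["db"]))
    out.commit()
    return out, skipped

def timeline(out):
    return out.execute("SELECT utc, activity, detail FROM timeline ORDER BY utc").fetchall()

if __name__ == "__main__":
    db, skipped = combine(sample_sources(), MODULES)
    print(*timeline(db), f"skipped: {skipped}", sep="\n")
```

Recording which modules were skipped matters on real extractions, since a database or table that is absent on one OS version would otherwise look like an absence of activity.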

Presentation - #DFIRFIT or BUST: A Forensic Exploration of iOS Health Data (SANS DFIR Summit)

At the SANS DFIR Summit in Austin this year I had the pleasure of presenting with Heather Mahalik on iOS Health Data. We get into data acquisition, database contents, pattern of life analysis, workout metadata, locational data, forensic data recreations, and finally tool support (or lack thereof).

Video of it will be out eventually, my Resources page will be updated when that happens, however slides are available below:

Find the presentation here!

Finally we had limited edition custom shirts made with our awesome #DFIRFIT logo by our famous DFIR Photoshopper in Residence Brian Moran. We hope that more of these shirts are made available, keep an eye on Twitter!

As always, the SANS DFIR Summit is a great time and an absolutely fantastic conference. I hope to see you all next year!




Presentation Slides & Demo Videos - Getting Saucy with APFS

I just had the honor of presenting at one of my favorite BSides conferences, BSidesNOLA, on the State of the new Apple File System (APFS). Sadly, I didn't have the time to go through the demos but I have uploaded them to YouTube and the slides have been uploaded to my GitHub, as promised.

Slides (PDF)

Mounting an APFS disk in MacOS using xmount

Mounting an APFS disk in SANS SIFT (Linux) using ewfmount

Enjoy! I hope y'all find it useful!

BSidesNOLA Preso - The iOS of Sauron: How iOS Tracks Everything You Do

I was lucky enough to again be selected as a speaker at one of my favorite BSides conferences, BSidesNOLA (4 years running!). This one has THE BEST speaker party. Backyard tiki bar, homemade gumbo, boiled crawfish, jambalaya, bananas foster. If you want to speak at a fantastic forensics heavy security conference, I highly recommend this one!

I presented my newest presentation "The iOS of Sauron". This is a presentation that I will be continuously researching and updating so be sure to visit again to get the newest version. I hope to also write various blog articles going into more depth on some of the topics covered.

This is very much a pattern-of-life presentation - if you have a particular "pattern" you are looking for - let me know. If you think it's important, I bet someone else does as well!

You can find the presentation here.