Spotlight data, where is it?

Spotlight is a built-in indexing engine for OS X. For it to operate fast, data must be stored on disk. In this article, we discuss how Spotlight works, and where data can be found.

NUIX 6 supports and runs on Mac

NUIX has released version 6 of its analysis software. Showing the strong surge of Apple hardware in the analysis environment, NUIX has released version 6 with support for specific OS X file types and the ability to run on OS X. See the full text on the NUIX website.

iCloud, where do I find data?

When MobileMe was discontinued, iCloud replaced the service with new concepts for the Apple eco-system. Originally introduced with OS X 10.7.2 and iOS 5, iCloud began as a sync service amongst all devices. Today, iCloud offers robust sync capabilities and data storage for both Apple and third-party developers. Based on the sign-in of a specific Apple ID, devices have additional functionality. Here are the important areas to consider for any investigation:

iCloud Drive:
  • 5GB of storage free with up to 1TB of purchased storage
  • acts as a local attached media device for saving of data
  • syncs across all devices

  • Photos, syncs pictures and video across all devices
  • Mail, settings and signatures are pushed to iCloud and out to all devices
  • Contacts, syncs all Contact information across devices, including delete
  • Calendar, syncs data in the Calendar app across all devices
  • Reminders, syncs data in the Reminders app across all devices
  • Safari, bookmarks and open tabs are pushed to iCloud and out to all devices
  • Notes, syncs data from the Notes app to all devices
  • Keychain, syncs saved passwords, secure notes, and form data across devices. Keychain is integrated with Safari and allows for random password generation and storage.
  • Back To My Mac, remote screen control of Macintosh computers
  • Find My Mac/Find My iPhone, geo-locates the device, allows for remote erase and remote lock

  • iOS has the Passbook feature, which allows for apps to save boarding passes, coupons, movie tickets, and soon, credit card and debit card information.

iCloud Preference Pane as seen from OS X 10.10

A local cache is stored on each Macintosh computer in the user’s Library/Mobile Documents/. Folders for iOS and OS X apps are found here.

What is still to come?

  • With all of the great announcements today, what is still to come?
  • OS X 10.10, this new operating system that is slated for fall release. This will bring about many new features such as Handoff, iCloud Drive and more.
  • Apple Watch is slated for 2015, with no specific date given.
  • AppleTV updates, the latest beta of the AppleTV software only runs on the 3rd generation AppleTV.
  • HomeKit, expansion of this segment of home automation is likely going to be a large segment by Christmas of this year.
  • As more announcements come from Apple, we will continue to update you on the areas significant to Apple digital forensics.

iPhone 6, 6 Plus and Apple Watch

Apple has now introduced:

iPhone 6 and iPhone 6 Plus
  • A8 and M8 processors (found in iPhone 5s with A7 and M7 versions)
  • Main processor and Motion processor
  • Retina HD Display
  • 16GB, 64GB, and 128GB
  • 4.7” and 5.5” display size
  • Touch ID on both models
  • Sensors including barometer
  • 20 LTE bands, 200 LTE carriers supported
  • VoLTE - Voice over LTE
  • 802.11ac - 3x faster than 802.11n
  • WiFi calling - transition calls between WiFi and LTE seamlessly
  • 8MP iSight Camera with True Tone flash
  • 1080p at 30fps, 60fps, and Slow-Mo at 240fps

Apple Watch, Apple Watch Sport, Apple Watch Edition
  • S1 processor, 4 sapphire senors on underside
  • Mag Safe power to back side of watch
  • Direct communication between watches
  • Force touch vs. light touch and swipe for variety of inputs from screen
  • Sync with iPhone or live stream such as music
  • Share internet connection of iOS device with watch (Bluetooth 4 LE)
  • On-board storage of music
  • Dial (crown) gives digital data to watch such as zoom, scroll, and return to home screen
  • Display activated by motion of wrist
  • View and respond to messages and email
  • Send pictures, drawings, and health information to another watch
  • Taptic Engine - provides feedback to wearer appropriate to app
  • 2 sizes available
  • Glances, quick view of customizable information available thru a swipe up
  • Analysis of text within messages for quick reply
  • Siri is available by holding down the Crown (like Home button on iPhone)
  • Friend list allows for viewing of location on Maps in real time
  • Communication to other watches has new tap and drawing options. Friend will feel Taptic feedback based on taps to screen.
  • Third party apps can push Notifications to watch form iOS device
  • Ability to control AppleTV
  • iPhone 5 and later supported for connection
  • Coming in 2015

iOS 8 New Features

iOS 8 brings about a robust maturity by extending iOS 7 functions and the introduction of new features. Notable to analysts and investigators are the following new features.

Available September 17 for download, supporting the iPhone 4s and later, iPod Touch 5th Generation, iPad 2 and later, and iPad mini.

• 2-up display within many apps, the display changes based on orientation of the iPhone
• Horizontal home screen view, not just portrait view. Icons shift when device rotates.
• Time lapse video
• Audio and video messages within Messages app
• Fitness App - tracks motion such as speed and elevation or even standing still
• Health app - tracks personal health including heart beat and calories (personalize fingerprint of owner)

Apple Pay - iPhone 6 and 6 plus, and Apple Watch
• Touch ID
• “Secure Element” chip
• All cards are in Passbook
• Add card from iTunes or take picture using iSight Camera
• Device only secure number and dynamic security number
• Suspend payments directly from device
• Apple does not keep records of purchases
• AMEX, Visa and MasterCard only in USA starting in October

CarPlay, HealthKit and HomeKit
  • CarPlay, display the iOS device screen on supported car radios
  • HealthKit, foundation of health sensors and reporting to apps
  • HomeKit, foundation for control of devices such as lighting, door locks, garage door, thermostats

Elcomsoft iOS Forensic Toolkit updated

  • Elcomsoft has updated their iOS Forensic Toolkit (EIFT) to version 1.24. Included in this release is:
  • Works will all 7.x iOS devices with the Pangu 1.2 jailbreak installed
  • Automatic iOS version detection
  • Compatibility with new keybag that may include previously unseen records
  • Latest news for this tool can be found on the Elcomsoft website.

BlackLight 2014R2 released

BlackBag Technologies has released the newest version of BlackLight, 2014R2. Key to this release is speed of searching and user-requested improvements. Both the Windows and Mac applications information is available from their website.

Apple iOS Diagnostic Capabilities

Apple has put out a new tech note titled “iOS: About diagnostic capabilities”. It summarizes “”, “”, & “”. The document states what use each has and why they are included on iOS devices.

Don't let an iOS device restart

iOS devices have excellent hardware and software based security. The latest iOS devices so far have no hardware flaws such that “physical imaging” is not possible. In addition, the file level encryption causes one specific headache for many of us. When an iOS (5 and later) device starts, and has a pin code applied, the first screen presented after reboot is the pin code screen. At this time, there is no way to perform a logical acquisition of the device, even if you have the valid pairing certificate for this device. The level of security Protected until Open means one must unlock the iOS device once, and then many files become accessible. The number of files available at any given time varies, again because of file level encryption and the times that files will become encrypted again. So, this reminder is, NEVER let an iOS device lose power, forcing it to restart. If you don’t know the pin code, upon power up, you will not be able to do any collection.

UPDATE: This does not prevent a file-relay communication with the iOS device, however this will not return data that is protected until first unlock. iTunes backups occur over Apple File Relay (AFC), which was the initial intent of this blog post. Thanks to Austin Colby, BlackBag Technologies for this tip.

Resetting an Airport base station

I just had a question come in about accessing an Airport Base station when the password is not known. Apple has a tech note (HT3728) for “Resetting an Airport base station”. This article gives temporary access to the device without clearing settings or logs. I also added this to our select Apple Technical Documents bookmarked on this site.

Network Utility on your Portable Workstation

As a part of the Portable Forensic Workstation we setup earlier, a utility is included from Apple. The Network Utility is rather powerful and can be used for many areas of interest in a case. This OSXDaily article describes its functions quite well.

Stellar introduces Mail Converter for the Mac

MacTech is reporting that Stellar has released a new application to convert email to common formats. This can be especially handy with the Microsoft Outlook format for analysis.

Focus Files updated

I have just updated the OS X Focus Files and iOS Focus Files with additional paths from questions I have received lately. Please feel free to email any additional file locations you would like shared with the community. The files listed on each page are common to most analysis performed for each of the operating systems.

Portable Forensic Workstation revisited

Awhile back, I wrote an article on creating your own “Portable OS X Workstations”, allowing any triage or analysis assigned person to boot, and view any Mac in a safe manner. Times have changed! It is time to revisit the concept, and create the best portable solution to protect, collect, and image ANY evidence we come across. Let’s create a current Portable Triage and Analysis Workstation.

BlackBag Technologies releases SoftBlock 1.0.7

BlackBag Technologies has released their latest version of SoftBlock for OS X. This low-level kernel extension allows a Mac to be safely used as a triage or imaging device without threat of evidence alteration. Using SoftBlock and the “Thunderbolt Target Disk Mode” allows for extremely fast 10Gb/s (or 20Gb/s on Mac Pro) triage and imaging of evidence.

Apple posts LE guide

Apple has posted a guide to the requests and returns they receive and comply to under court order. The guide shows what can and cannot happen with data stored on a device as well as stored on their servers.

Boot Camp and Thunderbolt

Boot Camp, Windows and Thunderbolt have not been the easiest technologies to combine. Today I located a Knowledge Base article from Apple regarding usage of Thunderbolt devices after upgrading from Windows 7 to 8. The article, titled “Boot Camp: Thunderbolt devices not recognized after Windows 8 upgrade” helps a bit for items that were once working and may not after the update. ZDNET has an article from September of 2013 regarding Thunderbolt and Windows compatibility that may be of interest also. If you are looking to use the Apple Thunderbolt to Ethernet adapter, there is a community discussion related to drivers. As of today, it appears drivers are still written by specific manufacturers for specific devices, and there is no all-encompassing Microsoft driver for the Thunderbolt port.

MacQuisition 2014R1 released

BlackBag Technologies has updated MacQuisition to version 2014R1. Notable is faster targeted collection, compatibility for OS X 10.9 and improved user authentication process. MacQuisition is a live OS X incident response tool as well as a bootable flash drive for imaging.

Passware updated for OS X 10.9

Passware Inc. has updated Passware to version 13.1. Notable is the extraction of OS X 10.9 Mavericks user passwords from live memory images, additional GPU acceleration, support for Quickbooks for Mac, and a Mobile Forensics section.

SeV Expedition Jacket

SCOTTeVEST (SeV) has sent their Expedition jacket for a run with digital forensic gear. This 37 pocket jacket was a pleasure to review, and we are very happy for the new sponsorship from SeV. Read the full article here.

Apple knowledgebase on iCloud Security

Apple’s KB article on iCloud Security discusses the levels and strength of encryption used for both storage and in-transit data.

EPPB updated

Elcomsoft has updated Phone Password Breaker with the following features, now fully supports new iCloud backup encryption introduced in iOS 7.1, including 3rd party app data (such as WhatsApp, Skype, Viber etc).”

Spotlight Inspector has been updated

Spotlight Inspector has been updated to v1.1 beta. This version includes notable features such as speed improvements, bug fixes, and refinements for specific data types.

SANS Mac Forensic Class

SANS is offering a new class, FOR518, a Mac forensic class authored by Sarah Edwards.

1Password updated with 20 new features

1Password, the secure storage application for OS X and iOS has been updated to version 4.2 on the Mac. This includes many new features. This is a first mention on AppleExaminer for this app. It has always been a great security app. With the new features, one can now store more objects within the encrypted database that can be case notes, pictures, or other items.

Emailchemy v12 is out with more features

Emailchemy v12 (v12.1.1 is current) is out with full native support for Microsoft Outlook 2011 for Mac, and a new data de-duplication feature. See their website for full details.

AppleExaminer Store Updated

We have just updated our AppleExaminer Store to note some of the latest technology to help with any analysis. Notably, Thunderbolt Docks, storage arrays, and drive bays have been added. Thank you for your continued support in using our Amazon Store links.

Apple releases 2 white papers of interest

Apple has posted 2 white papers that make for interesting reference guides at the very least. The first is “iOS Security” Feb. 2014 and the second is “Secure Coding Guide” Feb 11, 2014.

EXT driver for OS X

Paragon, a known company for its NTFS for OS X driver and HFS driver for Windows, has just released EXT for OS X, a driver allowing for read/write access to EXT 2/3/4 formatted volumes. As always, test compatibility products to make certain it isn’t changing your evidence.

"What is '/var/folders'" by Jason Reynolds

A blog post titled “What is ‘/var/folders?’” has been posted by Jason Reynolds. It is a great read for analysts as well as the intended audience of system administrators.

BlackLight 2014R1 released

BlackBag Technologies has released the latest version of BlackLight. New to version 2014R1 is the “Unified Messaging” view, Improved SQLite Database Recovery including all fragments from the database and write-ahead-log, rendering of the “Crushed PNG” format, and specific updates for Mavericks 10.9 compatibility. See their website for full details.

Elcomsoft iOS Forensic Toolkit updated

Elcomsoft has released their latest version of EIFT. Elcomsoft iOS Forensic Toolkit has been updated, adding physical acquisition support for jailbroken iOS 7 devices. Physical acquisition support is now available for jailbroken devices running Apple iOS 7 including iPhone 4S, 5 and 5C, iPad 2nd to 4th gen, iPad Mini, iPod Touch 5th gen, and either having no passcode protection or carrying a jailbreak installed. In addition, the new release adds support for previously unavailable versions of iOS 6.1.3-6.1.5.

Oxygen Forensic Suite - Passware Edition

Passware and Oxygen have partner to create a new edition of Oxygen Forensic Suite. This enhancement allows for the decryption of encrypted iOS backups and direct analysis within Oxygen. More info is available at the Passware website.

Focus Files updated

We have updated our Focus Files for OS X with some of the newest location to find various data when conducting an analysis.

User Library Folder

The User Library Folder is one of the most important locations to find evidence for any case. In this article, we show its location, and how different versions of OS X have allowed access to this important location.

Extended Attributes

Extended attributes are extra information about a file or folder than can greatly change its function or appearance. In this article, we explore how to view and interpret extended attributes for OS X.

Recon from Sumuri released

Sumuri LLC has released Recon, a new application to triage OS X evidence. The application is preconfigured to find evidentiary artifacts on OS X 10.7 and later. More details can be found at the their website.

iBored updated to v1.1.17

iBored, the free disk viewing and editing utility, has been updated to v1.1.17. This app allows for a low level look at each disk sector, “templates” for sector views, and extraction of sectors for bad disk recovery.

UFED Physical/Logical Analyzer 3.9 released

Cellebrite has released UFED Physical/Logical Analyzer v3.9 with support for iOS 7.0.x keychain decryption, viewing of creation, modification and access timestamps of files extracted, and the ability to open an encrypted DMG with known password using the open advanced function.