Boot Camp and Thunderbolt

Boot Camp, Windows and Thunderbolt have not been the easiest technologies to combine. Today I located a Knowledge Base article from Apple regarding the use of Thunderbolt devices after upgrading from Windows 7 to 8. The article, titled “Boot Camp: Thunderbolt devices not recognized after Windows 8 upgrade”, helps a bit with devices that were working before the upgrade and may not be afterwards. ZDNET has an article from September 2013 regarding Thunderbolt and Windows compatibility that may also be of interest. If you are looking to use the Apple Thunderbolt to Ethernet adapter, there is a community discussion related to drivers. As of today, it appears drivers are still written by specific manufacturers for specific devices, and there is no all-encompassing Microsoft driver for the Thunderbolt port.

MacQuisition 2014R1 released

BlackBag Technologies has updated MacQuisition to version 2014R1. Notable are faster targeted collection, compatibility with OS X 10.9, and an improved user authentication process. MacQuisition is a live OS X incident response tool as well as a bootable flash drive for imaging.

Passware updated for OS X 10.9

Passware Inc. has updated Passware to version 13.1. Notable are the extraction of OS X 10.9 Mavericks user passwords from live memory images, additional GPU acceleration, support for QuickBooks for Mac, and a Mobile Forensics section.

SeV Expedition Jacket

SCOTTeVEST (SeV) has sent their Expedition jacket for a run with digital forensic gear. This 37-pocket jacket was a pleasure to review, and we are very happy about the new sponsorship from SeV. Read the full article here.

Apple knowledgebase on iCloud Security

Apple’s KB article on iCloud Security discusses the levels and strength of encryption used for both storage and in-transit data.

EPPB updated

Elcomsoft has updated Phone Password Breaker with the following features: “now fully supports new iCloud backup encryption introduced in iOS 7.1, including 3rd party app data (such as WhatsApp, Skype, Viber etc.).”

Spotlight Inspector has been updated

Spotlight Inspector has been updated to v1.1 beta. This version includes notable features such as speed improvements, bug fixes, and refinements for specific data types.

SANS Mac Forensic Class

SANS is offering a new class, FOR518, a Mac forensic class authored by Sarah Edwards.

1Password updated with 20 new features

1Password, the secure storage application for OS X and iOS, has been updated to version 4.2 on the Mac. This release includes many new features. This is the first mention of this app on AppleExaminer; it has always been a great security app. With the new features, one can now store more objects within the encrypted database, such as case notes, pictures, or other items.

Emailchemy v12 is out with more features

Emailchemy v12 (v12.1.1 is current) is out with full native support for Microsoft Outlook 2011 for Mac, and a new data de-duplication feature. See their website for full details.

AppleExaminer Store Updated

We have just updated our AppleExaminer Store to note some of the latest technology to help with any analysis. Notably, Thunderbolt Docks, storage arrays, and drive bays have been added. Thank you for your continued support in using our Amazon Store links.

Apple releases 2 white papers of interest

Apple has posted 2 white papers that make for interesting reference guides at the very least. The first is “iOS Security” (Feb. 2014) and the second is “Secure Coding Guide” (Feb. 11, 2014).

EXT driver for OS X

Paragon, known for its NTFS for OS X driver and HFS driver for Windows, has just released EXT for OS X, a driver allowing read/write access to EXT2/3/4 formatted volumes. As always, test compatibility products to make certain they aren’t changing your evidence.

"What is '/var/folders'" by Jason Reynolds

A blog post titled “What is ‘/var/folders?’” has been posted by Jason Reynolds. It is a great read for analysts as well as the intended audience of system administrators.

BlackLight 2014R1 released

BlackBag Technologies has released the latest version of BlackLight. New in version 2014R1 are the “Unified Messaging” view, improved SQLite database recovery including all fragments from the database and write-ahead log, rendering of the “Crushed PNG” format, and specific updates for Mavericks 10.9 compatibility. See their website for full details.

Elcomsoft iOS Forensic Toolkit updated

Elcomsoft has released the latest version of Elcomsoft iOS Forensic Toolkit (EIFT), adding physical acquisition support for jailbroken iOS 7 devices. Physical acquisition is now available for jailbroken devices running Apple iOS 7, including the iPhone 4S, 5 and 5C, iPad 2nd to 4th gen, iPad Mini and iPod Touch 5th gen, that either have no passcode protection or have a jailbreak installed. In addition, the new release adds support for the previously unavailable iOS versions 6.1.3 to 6.1.5.

Oxygen Forensic Suite - Passware Edition

Passware and Oxygen have partnered to create a new edition of Oxygen Forensic Suite. This enhancement allows for the decryption of encrypted iOS backups and direct analysis within Oxygen. More info is available at the Passware website.

Focus Files updated

We have updated our Focus Files for OS X with some of the newest locations to find various data when conducting an analysis.

User Library Folder

The User Library Folder is one of the most important locations to find evidence for any case. In this article, we show its location, and how different versions of OS X have allowed access to this important location.

Extended Attributes

Extended attributes are extra information about a file or folder that can greatly change its function or appearance. In this article, we explore how to view and interpret extended attributes on OS X.

Recon from Sumuri released

Sumuri LLC has released Recon, a new application to triage OS X evidence. The application is preconfigured to find evidentiary artifacts on OS X 10.7 and later. More details can be found at their website.

iBored updated to v1.1.17

iBored, the free disk viewing and editing utility, has been updated to v1.1.17. This app allows for a low-level look at each disk sector, “templates” for sector views, and extraction of sectors for bad disk recovery.

UFED Physical/Logical Analyzer 3.9 released

Cellebrite has released UFED Physical/Logical Analyzer v3.9 with support for iOS 7.0.x keychain decryption, viewing of creation, modification and access timestamps of extracted files, and the ability to open an encrypted DMG with a known password using the open advanced function.

Passware Kit Forensic updated for better FileVault 2 support

Passware has updated its “Passware Kit Forensic” with better support for FileVault 2 decryption, notably GPU usage. See their website for a full list of features as well as other decryption products available.

BlackLight 2013R3 released

BlackBag Technologies has released BlackLight 2013R3 for both Windows and OS X. This release includes a new Social Media view, new Locations view, new Data Interpreter window, additional Messaging support, and a revamped Device Status window. See the BlackLight webpage for all details.

UFED Physical/Logical Analyzer 3.8.7 released

Cellebrite has announced version 3.8.7 of their physical/logical analyzer with “physical, file system and advanced logical” extractions from “selected locked and unlocked” Apple devices. See their website for full details.

Find Any File updated

Find Any File from Thomas Tempelmann has been updated with more capabilities for searching the Mac file system. This tool does not use Spotlight indexes, and will search areas Spotlight does not. This utility searches for files by name, not content. See the website for full details and other useful utilities.

Virtual Disk Conversion

This article, “Virtual Disk Conversion - Converting Parallels or Fusion VMs”, shows how the virtual disk format used by these applications can be normalized to a ‘raw’ or ‘dd’ format for use within any analysis application. While many analysis applications support some virtual disk formats, it can be very useful to have the raw format for use outside of the analysis application and within the operating system environment directly. The article discusses the use of the free “qemu” software and how to perform the conversion.

Disk Layout and CoreStorage

In this article, Disk Layout and CoreStorage, we discuss the disk layouts one might encounter on a Macintosh. Specifically, we explore Disk Utility, file systems, partition layouts, and CoreStorage. Further, we examine the effect on imaging each type has and how best to collect data for analysis.

SQLite deleted record python script

A great article titled “Python Parser to Recover Deleted SQLite Database Data” has been posted by Mari DeGrazia on her website. As part of the article, the Python script is available for download.

BlackLight and free training

Today, I wanted to pass along great news to all of my AppleExaminer readers. BlackLight from BlackBag Technologies is available to anyone who works in the digital forensics sector, free for 30 days by simply visiting their website and clicking on BlackLight. You will see the “Request a Demo” button on this page. BlackLight runs on both OS X and Windows, and can analyze Windows, iOS and OS X.

Likewise, the BBT-320 class is free to law enforcement! This is a 2-day class that will take you through every feature of BlackLight, with a certificate at the end as well. This class is a bit ‘near and dear’ to me as I helped make this real-life analysis. At the end of class, you will have analyzed a Mac with both OS X and Windows, along with 2 iOS backups. Thank you again for being an AppleExaminer reader.

Lastly, if you are a BlackBag customer (training or software), make sure you request their free tools to download. They are invaluable during any analysis.

Elcomsoft iOS Forensic Toolkit v1.21 released

Elcomsoft has updated its iOS Forensic Toolkit to version 1.21. Notable in this version are a guided mode for both simple and complex passcode cracking, which includes both dictionary and brute force methods, better jailbroken device support, and iTunes 11.1 support. See the Elcomsoft website for full details.

Volatility for OS X

Volatility is available for carving Macintosh RAM images. The MacMemoryForensics page on Google Code has downloads, a wiki and profiles for OS X versions.

Spotlight Inspector

Spotlight Inspector is a new, free tool from 504ensics Labs. The tool parses the Spotlight indexes from a Mac and allows for analysis, timelines and differences.

UFED v2.2.0.0 released

Cellebrite has released version 2.2.0.0 with updated support for iOS 7 and the new iPhone 5s and 5c. See their website for full details.

OS X Server basics

A good article is available on TechRepublic regarding the installation and configuration of an OS X 10.8 server. This short article will give any investigator a perspective on how a suspect Mac server was configured.

Elcomsoft Phone Password Breaker updated

Elcomsoft has updated their Phone Password Breaker with greater support for iCloud and iOS 7. See their press release for full details.

Imager comparison chart posted

Eric Zimmerman has posted a Google doc comparing many of the imaging solutions. It’s a great read with some surprising results.

IEF v6.2 released

Magnet Forensics has released Internet Evidence Finder v6.2. Notable in this release is the dynamic app finder, which compares data structures to the possible parent app. See the press release for a full list of features.

MPE+ updated for iOS 7 devices

AccessData has updated MPE+ with new support for iOS devices through iOS 7.