Apple Pattern of Life Lazy Output'er (APOLLO) on Windows

 

• APOLLO - Apple Pattern of Life Lazy Output'er (APOLLO) by mac4n6  extracts and correlates data from numerous databases, then organizes it to show a detailed event log of application usage, device status, and many other pattern-of-life artifacts from Apple devices.

I do appreciate Apple computers and devices, but one can not always be afforded to work with one as a forensic workstation.  Therefore I intended to highlight the APOLLO tool for iOS and MacOS images/filesystems when working on Windows. 

APOLLO is a that tool queries unique macOS/iOS databases with custom built SQLite query based modules to build one consolidated APOLLO database, sql_json, or csv file.

SOME of the SQLite databases APOLLO will run against  

• KnowledgeC.db: stores knowledge of user, application usage(interaction with and how long an app was used), apps in focus, chats, access to email, calendar, calls, web usage. (4 weeks retained).

• Routined: Location tracking. Cache.db (ZRTCLLocationMo) for 7 days of location, speed

• Netusage.db: App databases

• InteractionC.db:  Contact interaction from phone, email, messages.

• PowerLogs: Large database of logs, macOS, app usage, camera state, audio, airdrop. flashlight, battery levels.

• Health databases: heart rate, health data, location, weather, calories burned.

• Sms.db: iMessage, SMS, FaceTime

• CallHistory.storedata: traces calling

• History.db: Web history.  Shows if flagged as synced across devices with knowledge.C db(HW UUID).

• Passes23.sqlite: Apple Wallet transactions and cc info.

• cache_encryptedC.db: not encypted; contains a table "motion state history".  Showing movement steps count and floors

Builds a story about the user, pattern of life, and timeline.

To Install on Windows one way is to use Windows Subsystem for Linux (WSL):

How to install WSL on Windows 10

Once installed, select the Windows key and type WSL

*if receiving "ModuleNotFoundError: No module named 'simplekml'"

try:

• sudo apt-get update
• sudo apt install python3-pip
• pip3 install simplekml

-----------------------------------------------------------------------------------------------------------------------------

EXAMPLE:

For testing I used the lab example Mac OS image from a great site for training and practice Cyber Defenders at "https://cyberdefenders.org/labs/34".

Name: FruitBook.E01

MD5 checksum:    7300f808f5046e8372c27854daf6d553
SHA1 checksum:   e629634283f2e5861a91847ec64042e240516da4 

Password: cyberdefenders.org

After downloading the image, I next opened it in FTK imager and exported the APFS container to work with a file system folder directory to run against APOLLO.

Next step is to run APOLLO on the below exported folders:

APOLLO was ran with the following python3 command:

Banner to user reads:

==> Will lazily run APOLLO on 247 unique modules and 32 unique databases.

==> Searching for database files...this may take a hot minute...

Output with show the module(.txt file sqlite query) that ran, the database it ran against, and the number of records found.

The output of the tool produced a single database file named "apollo.db" in the tool directory.

Used the tool "db browser for sqlite" to view the db file. 

Download link

Selecting open database and opening apollo.db opens the database file that contains only one table "APOLLO".

The APOLLO table contains five (5) columns.

KEY(timestamp), Activity, Output(query output), Database(db queried), Module(.txt file that ran)

Filtering on columns or any column can be very useful

When selecting the output cell the text (mode = JSON) will populate in the text viewing window.

One of the questions for the CyberDefenders challenge is:

6.  Name the data URL of the quarantined item.

APOLLO can be used on this question by filtering on Activity for "Quarantine":

The output reads:

Below are some of the Activities the APOLLO modules will create and a can be filtered for on iOS and MacOS devices:

Conclusion:

APOLLO is not too heavy or time consuming to process on Apple devices. And best of all it is free, which may be great for processing lots of iOS or Mac Devices at once to get a look at some possible useful activity information.  I am grateful to check it out and appreciative to the hard work Sarah Edwards puts into it.  

Please check out Sarah Edwards talk at OSDFCon 

“Go for Launch: Getting Started with Practical APOLLO Analysis”

https://www.youtube.com/watch?v=xPebuGJF7Gk

APOLLO github

https://github.com/mac4n6/APOLLO

Belkasoft Evidence Center X - trial license

 

I recently signed up for a trial license to try out the new Belkasoft Evidence Center X tool.

Link at https://belkasoft.com/get

The tool is described on the product page as a "Solution to accelerate Digital Forensics and Incident Response Investigations".  With the features that support the major data sets to Aquire(imaging including checkm8), Examine, Review & Analyze, and Report.

I spoke with friendly customer service reps from the company and they emailed over a trial exe with a readme file that wrote:

INTRODUCTION

Belkasoft Evidence Center is a digital forensic software which makes it easy for an 

investigator to acquire, search, analyze, store and share digital evidence found inside 

computer and mobile devices, RAM and cloud. The toolkit will quickly extract digital 

evidence from multiple sources by analyzing hard drives, drive images, cloud, memory dumps, 

iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps. Evidence Center will 

automatically analyze the data source and lay out the most forensically important artifacts 

for investigator to review, examine more closely or add to report.

SYSTEM REQUIREMENTS

Belkasoft Evidence Center can be installed on any computer running 

Windows 10, Windows 8, Windows 7 (including 64 bit), Windows Vista and Windows 2003.

Mac users can run the tool under bootcamp.

HOW TO INSTALL

Run setup file and follow instructions of the installation program. It 

takes just a few minutes to get the product installed.

• Ran the becu.trial.fixed.x64.exe to install

• Was given an option to activate trial license online or offline which was nice if you forensic work station is on a segmented network.  

• 30 days start when first installing.  Interesting caveat it was noted that when reporting with the trial version only 50% of random data makes it to the report.  Which makes sense for a trial license.

• Dashboard interface opens for to name and create new case

• Taking a look at the Options (settings)

        -can set CPU core and Memory cache number sizes

        -Picture recognition settings to assist examination and analysis.  There is a dropdown to detect 

        language and more/less false positives options for face and skin.

    

        -Malware detection with VirusTotal, which is nice

        

        -Allows for hashsets to be added and includes remote capabilities

• Selected create and open for new case.  And the Add Data Source option opens:

        -Options for Adding Existing data source or Acquiring a new one

• Added a Disk Image(Windows), Mobile Image (iOS), and Ram Image(Windows) I had made for practice.

• Artifact selection menu opened:

• Processing shows Dashboard of progress, and Task manager tab for tasks being ran on images

Bottom right corner shows progress bar

When processing I found it best to wait to let it finish all the tasks before opening artifact categories.

• Processing finished (shown on Dashboard) about a little less than1hr for all 3 images

• In case explorer shows device geometry for hard drive image only

• In case Explorer the tree pane shows items analyzed

• Overview tab is the analyzed count for all evidence items

• Other tabs include one for Timeline, Bookmarks, Task maanger, Remote Aquisition, and Incident Investigations

• The Incident Investigations tab categorizes the artifacts useful for intrusions and would seem to be useful for Incident Response cases (Downloads, Execution, Persistence, Recent, Eventlogs):

• The remote acquisition tab allows for a package to be generated or deployed via GPO, WMI, or via a configurable IP/port.  Which would seem helpful for IR investigations.

 

• Search function allows for multiple kinds of searches.  Results display properties if found in execution artifacts.

The tool also offers a timeline, hex, plist, registry, and sqlite view.

CONCLUSION:

Overall I like Belkasoft's Evidence Center's ability to parse all kinds of data sources including disk, memory, and mobile and I believe it is a less expensive option than other industry tools.  However I don't believe it is quite at the caliber of mobile forensics as the leading mobile tools.  Belkasoft's strong suite, for me, is its ability to be deployable and used for Incident Response.  I like the ability to configure VirusTotal and parse Incident Investigation artifacts.  I believe it could be best used for a small to larger enterprise setting and deployed as such.  The tool also has some benefits in its acquisition capabilities for which the checkm8 jailbreak package is included with a licensed version.  

However may make a post on how to do that for free on windows with a bootable version linux and the checkm8 exploit from GitHub.

If your budget isn't has high as the other licensed tools go but you want a little more support than Autopsy (also a great tool) I would recommend giving the trial version of this tool a go to see if it gets what you are looking for.

 

Microsoft Teams artifacts and chat logs

 Take a look at location: 

C:\Users\<username>\AppData\Roaming\Microsoft\Teams\IndexedDB\

On my workstation there is a folder at this location:

https_teams.microsoft.com_0.indexeddb.leveldb

Looking at the *.log file at this location

Open the .log file in Notepad++ <download>

File--> Open--> Path to 

"C:\Users\username>\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb" 

Open the .log file

Sample of the "000007.log" file in Notepad++

In Notepad++ with the .log file open --> Press "ctrl+F"

Searching for the value "renderContent" returned some messages logged from MS Teams.

Select Find All in Current Document

The find results show all lines containing the value "renderContent" followed by posted messages.

Sample recovered MS Teams messages

There are also other potential values of interest in this log including: 

"imdisplayname" 

"RichText/Html" (provided further chat and web content)

"meetingtitle"

MESSAGE time values: "composetime", "originalarrivaltime" and "clientArrivalTime"

This is a sample of artifacts left on the workstation when not logged into MS Teams that could be of potential value in an examination.  Also recommending checking out a article written a few months back at cyberforensicator <link>.

-Bryan

Video and Image Analysis - Authentication

Video authentication 

Video authentication is a process that is used to obtain the trustworthiness of a digital video and to assure a video hasn't been altered or tampered.

Performing Authentication Examinations of Imagery and Videos

Review visible scene content:

• Shadows
• Lighting
• Density
• Texture/Patterns (skin and background pattern)
• Gravity
• Physical body details (hair, muscles, body curves)
• Contact with other objects and body
• Skin to skin contact
• Imperfections on body
• Consistencies/Inconsistencies

Visual scene content includes low-quality synthesized faces, visible splicing boundaries, color mismatch, visible parts of the original face, inconsistent synthesized face orientations.

Review non-scene content:

• EXIF info (duration, GPS, software writer, codec)
• Comparing signatures of camera to video/image in question 
• Behavior of file type (compression type) 
• Reviewing binary structures and sequence of bytes in the hex of the file
• Evidence of being opened in a video editor 

Viewing the EXIF data of a file

Using structural analysis from the video forensic tool (link MEDEX forensics) showing a video editing tool was detected in the structure of the video file.

Reference:

https://medexforensics.com/#applications-span

https://cognitech.com/

https://arxiv.org/pdf/2001.06564.pdf

Downloading a DJI Drone flight log (from an iPhone)

Unmanned Aerial Vehicle (UAV) forensics

First and best place to get information about a UAV is on the controller device be it a iPhone, iPad, or Android. 

Will be looking at an unlocked iPhone and where to find flight records.


1.  First plug iPhone into a computer that has iTunes and sync/connect device





2.  Select File Sharing in left column.

                 













3. In left window select the DJI app installed on the device depending on UAV model
(typically DJI Go or DJI Fly).  In this case selecting DJI Fly.

4. Highlight the folder "FlightRecords" and save to local location.

                                  




















5. View saved Flight Records.  Saved as binary(.txt) file with date of flight in filename.




And a .dat file is saved in the MCDatFlightRecords folder:

6.  Convert the .DAT to a CSV with the DatCon tool.
Found at: DatCon download page
*requires java installed

Run tool

Add the .DAT file from the MCDatFlightRecords folder and specify an output directory:
Hit

Hit GO!

CSV Saved



7.  View CSV

The CSV contains several columns on relevant data about UAV including data about direction, temperature, height, wind, battery, controller and more data of possible interest.


Columns will show a list of the  GPS:Long and GPS:Lat and dates

8. *Another method:
AirData - plot the data online

• Airdata.com great site to upload the downloaded .txt  file to to view the data from the UAV.
• Create an account and select upload to upload the .txt file from the FlightRecords folder.

Shows lots of data from the binary file!

Example