I’ve uploaded my presentation that I gave at the lovely Sikkerhetsfestivalen 2024 in Lillehammer, Norway.
This presentation goes through some pattern-of-life (APOLLO-ish) investigative scenarios.
I’ve been working hard on a big update to APOLLO’s core functionality. It now includes methods to gather up the database files the modules need, so that the data can then be extracted from them using the APOLLO modules.
New APOLLO Functions:
‘gather_macos’ - Automagically finds and collects database files on macOS using modules.
Any directory, mounted volume, etc.
Ability to ignore certain directories
‘gather_ios’ - Automagically finds and collects database files on jailbroken iOS devices using modules.
IP and Port Required
Ability to ignore certain directories
‘extract’ - Nearly the same as before, rips through all the databases and extracts data via the SQL queries in the modules.
Improved CSV output
New JSON output within SQLite database
I’ve also updated many modules for iOS 14 and macOS 11. I’ve got more updates planned, however I still need to tweak, research, and test before I release.
You can see the new workings of the tool in my OSDFCon presentation - “Go for Launch: Getting Started with Practical APOLLO Analysis”
And for pure fun(!) a bonus Halloween themed presentation with “Getting Spooky with Apollo” that I did for a Fortego F-Con Lightning Talk. 👻🎃
While helping some investigators out, I realized that some of my APOLLO knowledgeC modules needed a bit of updating. Naturally I thought it would be quick, but it turned into quite an extensive update. I’ve included lots of brand-new modules as well as updates to ones I’ve had before.
Most of the updates to the older modules provide better backwards compatibility with older versions of macOS and iOS, and add contextual items from ZSTRUCTUREDMETADATA to some of the queries. Regression testing was performed on iOS 11, 12, and 13 and macOS 10.13, 10.14, and 10.15. Of course, please let me know if you run into a knowledgeC “stream” that I’ve not created a module for, or any other issues you come across.
I’ve highlighted a few modules below using my iOS 13.5 device. They may also apply to macOS and older iOS versions; review the modules for more documentation.
knowledge_activity_level_feedback.txt
knowledge_airplay_prediction.txt
knowledge_calendar_event_title.txt
knowledge_charging_smart_topoff_checkpoint.txt
knowledge_dasd_battery_temperature.txt
knowledge_device_locked_imputed.txt
knowledge_discoverability_usage.txt
knowledge_event_tombstone.txt
knowledge_inferred_microlocation_visit.txt
knowledge_knowledge_sync_addition_window.txt
knowledge_photos_edit_all.txt
knowledge_photos_deletes_all.txt
knowledge_photos_deletes_recent.txt
knowledge_photos_engagement.txt
knowledge_photos_share_airdrop.txt
knowledge_photos_share_all.txt
knowledge_photos_share_extension.txt
knowledge_segment_monitor.txt
knowledge_siri_activites.txt
knowledge_siri_flow_activity.txt
knowledge_sync_addition_window.txt
knowledge_sync_deletion_bookmark.txt
knowledge_user_first_backlight_after_wakeup.txt
The knowledge_app_activity_passbook.txt module was added to conveniently look for Apple Wallet (com.apple.Passbook) activity. Shown below I’m switching between my Apple Cash card and my Apple Card (yes, I got one for “research”).
The knowledge_photos_deletes_all.txt module appears to keep track of when I deleted a photo from the Photos app. This output is fairly vague. However, it could be useful in evidence destruction cases. The output of this one is similar to the other knowledge_photos_* modules.
Want to know if a thing was AirDrop’ed, copied, searched for, or otherwise interacted with from the iOS ShareSheet? The knowledge_sharesheet_feedback.txt module will help with that! Shown below, this module is keeping track of:
Photo Markups (com.apple.MarkupUI.Markup.MarkupPhotoExtension) via Camera App (com.apple.camera)
File Copies (com.apple.UIKit.activity.CopyToPasteboard) in Photos (com.apple.mobileslideshow)
Sending a photo in Messages (com.apple.MobileSMS) via Photos app (com.apple.mobileslideshow)
Finding text in a webpage (com.apple.mobilesafari.activity.findOnPage) in Safari (com.apple.mobilesafari)
Airdrop Activity (com.apple.UIKit.activity.AirDrop)
Some modules are fairly self-explanatory. The knowledge_system_airplane_mode.txt module keeps track of whether Airplane Mode is enabled on the device.
The next two are associated with the iOS Low Power Mode functionality. The first, knowledge_device_battery_saver.txt, shows that I activated Low Power Mode via the Control Center, while knowledge_device_low_power_mode.txt shows that it was turned on about two seconds later.
knowledge_activity_level.txt
knowledge_app_activity.txt
knowledge_app_activity_calendar.txt
knowledge_app_activity_clock.txt
knowledge_app_activity_mail.txt
knowledge_app_activity_maps.txt
knowledge_app_activity_notes.txt
knowledge_app_activity_photos.txt
knowledge_app_activity_safari.txt
knowledge_app_activity_weather.txt
knowledge_app_install.txt
knowledge_app_intents.txt
knowledge_app_location_activity.txt
knowledge_audio_bluetooth_connected.txt
knowledge_audio_output_route.txt
knowledge_device_batterylevel.txt
knowledge_device_inferred_motion.txt
knowledge_device_is_backlit.txt
knowledge_device_locked.txt
knowledge_device_pluggedin.txt
knowledge_discoverability_signals.txt
knowledge_notification_usage.txt
knowledge_paired_device_nearby.txt
knowledge_portrait_entity.txt
knowledge_portrait_topic.txt
knowledge_app_relevantshortcuts.txt
knowledge_safari_browsing.txt
knowledge_settings_doNotDisturb.txt
knowledge_siri.txt
knowledge_standby_timer.txt
knowledge_widgets_viewed.txt
The module knowledge_app_inFocus.txt now includes extension context. The entries below show a location sign-in alert (com.apple.AuthKitUI.AKLocationSignInAlert) via SpringBoard (com.apple.springboard), access to the Camera (com.apple.camera) via Messages (com.apple.MobileSMS), and access to Photos (com.apple.mobileslideshow) via Messages, all while playing around with the Unc0ver jailbreak (science.xnu.undecimus).
New with knowledge_app_webusage.txt are the “Digital Health” columns. These show website visits and the associated URLs across various apps (not just Safari or Chrome!).
In this example I was using Twitter (via Safari) on a device whose macOS hardware UUID (or iOS UDID) appears in the Device ID column, let’s say my laptop. On my iPhone, I was also on Twitter, but this time in the iOS application (com.atebits.Tweetie2), ordering a new t-shirt from Jailbreak Brewery.
Additions to knowledge_audio_media_nowplaying.txt include:
Is AirPlay Video
Playing – values likely correspond to Stopped, Playing, and Paused; I will test and update these in a future release.
Duration
Elapsed
Identifier
Media Type – Audio, Music, Video, Podcast
Output Device IDs (Binary plist in hex)
This is only a small slice of knowledgeC examples (and a very small part of APOLLO) so I hope this gives you some incentive to give it a try!
It’s been a while since I last jailbroke an Apple TV and had a forensic look at it. Using the checkra1n jailbreak, I decided to give it a try. The jailbreak itself was easy and went very smoothly. This was a 4th Gen Apple TV running tvOS 13.4.
I wanted to run it through some of my APOLLO modules to see if any needed to be updated. Fortunately, none do as it acts just like iOS! (whew!) There is a noticeable lack of some files and databases compared to iOS proper, but some good ones are still accessible!
Starting with my favorite database, knowledgeC.db, you will notice there are far fewer “streams” on tvOS. Even so, a few are still of investigative use!
The screenshot below shows me going back and forth between different apps and the usage time for each. I watched both recent NASA launches on NASA TV (gov.nasa.NASA) while also watching some TV on Amazon Prime (com.amazon.aiv.AIVApp). The com.apple.HeadBoard app is the main app selection screen.
(Note this module is getting an update hopefully later this week, what you see below has some of those updates.🤞)
This screenshot shows what binge-watching Alias on Amazon Prime looks like. After the NASA launch, back into Alias I went, episode after episode, until the “Are you still watching?” message popped up. 😆
It’s not just TV and movies for me, sometimes I’m rocking out to music! This screenshot shows me streaming Apple Music. In the middle of this I watched some cat videos in the Photos app. Unfortunately, those do not have any metadata associated with them.
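To show how the per-app usage times above are derived from knowledgeC.db, here is an added example (not APOLLO’s own module code). It builds an in-memory stand-in for the ZOBJECT table with constructed rows, assumes the /app/inFocus stream name and the ZSTREAMNAME/ZVALUESTRING/ZSTARTDATE/ZENDDATE columns, and converts the Mac Absolute timestamps before summing focus time per bundle id.

```python
import sqlite3
from datetime import datetime, timezone

# knowledgeC.db stores dates as Mac Absolute time: seconds since 2001-01-01 UTC.
COCOA_EPOCH_OFFSET = 978307200

def cocoa_to_iso(seconds):
    """Convert a knowledgeC ZSTARTDATE/ZENDDATE value to a UTC timestamp string."""
    return datetime.fromtimestamp(seconds + COCOA_EPOCH_OFFSET, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

# Constructed sample rows (not real data): stream name, value, start, end.
# Assumes the ZOBJECT column layout and the /app/inFocus stream name.
SAMPLE_ROWS = [
    ("/app/inFocus", "com.apple.HeadBoard", 612345600.0, 612345630.0),
    ("/app/inFocus", "gov.nasa.NASA", 612345630.0, 612349230.0),
    ("/app/inFocus", "com.apple.HeadBoard", 612349230.0, 612349250.0),
    ("/app/inFocus", "com.amazon.aiv.AIVApp", 612349250.0, 612356450.0),
    ("/device/isLocked", "1", 612356450.0, 612356460.0),  # other stream, ignored
]

def build_sample_knowledgec():
    """Create an in-memory stand-in for knowledgeC.db with only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, "
        "ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL)"
    )
    conn.executemany(
        "INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) VALUES (?,?,?,?)",
        SAMPLE_ROWS,
    )
    return conn

def app_usage(conn, stream="/app/inFocus"):
    """Return (timeline, totals): focus events in order, and total seconds per bundle id."""
    rows = conn.execute(
        "SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE FROM ZOBJECT "
        "WHERE ZSTREAMNAME = ? ORDER BY ZSTARTDATE",
        (stream,),
    ).fetchall()
    timeline, totals = [], {}
    for bundle_id, start, end in rows:
        duration = end - start  # both values are in seconds, so no conversion needed
        timeline.append((cocoa_to_iso(start), cocoa_to_iso(end), bundle_id, duration))
        totals[bundle_id] = totals.get(bundle_id, 0.0) + duration
    return timeline, totals

if __name__ == "__main__":
    print(app_usage(build_sample_knowledgec())[1])
```

Point `sqlite3.connect` at a copied knowledgeC.db instead of the sample builder to run the same query against a real extraction.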
Next up are app permissions in TCC.db. This one is sparse compared with those of iOS and macOS but can still show useful information. kTCCServiceLiverpool is generally assumed to be part of location services and kTCCServiceUbiquity is associated with iCloud. kTCCServiceMSO is a new one to me but apparently HBO needs it. 🤷🏻♀️
You may think that Apple TVs probably do not capture much locational activity, however they are keeping track of WiFi locations in locationd’s cache_encryptedB.db. This particular Apple TV doesn’t leave my living room, but I do have others that I could travel with…if and when I travel again!
Finally, all this streaming adds up on the network usage which can be seen in the netusage.sqlite database. I’ve sorted this output by Wi-Fi in. Not surprising on top are processes for Netflix, HBO, and Amazon. The NASA app even made it close to the top too! 🚀
TCC or Transparency, Consent, and Control keeps track of various application permissions. A user can make changes to an application’s permissions in the respective Privacy settings on macOS and iOS.
When these permissions are changed on macOS, entries are written into the unified logs. While there are many TCC-related entries, I want to focus on just permission changes. These can be extracted using a query that looks for the text ‘Update Access Record:’ in the log message.
log show --info --predicate 'eventMessage contains[c] "Update Access Record:"'
To create these entries, I went into my own settings and toggled some on (Allowed) and some off (Denied).
Camera access was denied to QuickTime Player (com.apple.QuicktimePlayerX)
Camera access was allowed for Zoom (us.zoom.xos)
Microphone access was denied to PowerPoint (com.microsoft.Powerpoint)
Microphone access was denied for SnagIt (com.TechSmith.Snagit2020)
Accessibility access was denied for SnagIt (com.TechSmith.Snagit2020)
Accessibility access was allowed for iStat Menus (com.bjango.istatmenus)
Accessibility access was allowed for SnagIt (com.TechSmith.Snagit2020)
Unfortunately, these entries are removed from the logs after a short time period. I’ve seen mine removed anywhere from about 1 hour to 1h40m later. 😧
On iOS many of the same privacy settings apply as well. In this example I toggled the WhatsApp permission for microphone access to on.
I’ve connected to my phone using the Console.app application on macOS. This particular phone is named miPhoneX (iPhone X running iOS 13.1). This is the easiest way to test certain scenarios on iOS devices, sadly there doesn’t appear to be a ‘log’ executable for jailbroken devices. Unified logs can also be extracted using sysdiagnose or copying them off a jailbroken device and manually creating a logarchive.
Toggling permissions back and forth, I can see the same entries I might see on macOS; however, notice the ‘Volatile’ column for these entries is set to ‘1’, meaning they are not being written to disk. These entries are removed after only a few minutes (less than 5 minutes in my experience). What you see in Console may not necessarily get written to disk. Some entries (like those for macOS) are written to disk but not necessarily kept for the entire lifetime of the unified logs themselves. Nothing lives forever!
There may be a time when the macOS logs rollover or you are looking at an iOS device where these entries are volatile. Fortunately, the TCC.db database keeps track of the last modified time for these entries. I’ve created an APOLLO module for macOS and iOS to extract this information. The example below is from my macOS user TCC.db database using the SQLite query from the APOLLO module.
This database can be found on macOS and iOS devices in the following paths:
macOS:
User: ~/Library/Application Support/com.apple.TCC/TCC.db
System: /Library/Application Support/com.apple.TCC/TCC.db
iOS (Backup acquisitions may differ slightly):
/private/var/mobile/Library/TCC.db
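As an added example (not the APOLLO module’s own query), the following builds an in-memory stand-in for the TCC.db access table populated with constructed rows mirroring the toggles listed above, and prints a last-modified timeline of the decisions. The column names (service, client, client_type, allowed, last_modified) are assumed from the 10.15-era layout; the code also accepts the later auth_value column, whose 0=denied/2=allowed mapping is likewise an assumption.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed rows (not real data) mirroring the permission toggles above.
# Assumed layout: client_type 0 = bundle id, allowed 1/0, last_modified = Unix epoch seconds.
SAMPLE_ACCESS = [
    ("kTCCServiceCamera", "com.apple.QuickTimePlayerX", 0, 0, 1590000000),
    ("kTCCServiceCamera", "us.zoom.xos", 0, 1, 1590000060),
    ("kTCCServiceMicrophone", "com.microsoft.Powerpoint", 0, 0, 1590000120),
    ("kTCCServiceAccessibility", "com.bjango.istatmenus", 0, 1, 1590000180),
    ("kTCCServiceAccessibility", "com.TechSmith.Snagit2020", 0, 1, 1590000240),
]

def build_sample_tcc():
    """In-memory stand-in for TCC.db with only the columns this example reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                 "allowed INTEGER, last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?)", SAMPLE_ACCESS)
    return conn

def decision_column(conn):
    """Older TCC.db has an 'allowed' column; newer layouts use 'auth_value' (assumed)."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    for name in ("auth_value", "allowed"):
        if name in cols:
            return name
    raise ValueError("unrecognised TCC.db access table layout")

def decode(column, value):
    """Map the raw integer to a label; auth_value 0=Denied, 2=Allowed is an assumption."""
    if column == "allowed":
        return "Allowed" if value == 1 else "Denied"
    return {0: "Denied", 2: "Allowed"}.get(value, f"Other({value})")

def permission_timeline(conn):
    """Return (utc_time, service, client, decision) tuples ordered by last_modified."""
    col = decision_column(conn)  # whitelisted name, safe to interpolate into the query
    rows = conn.execute(f"SELECT service, client, {col}, last_modified FROM access "
                        "ORDER BY last_modified").fetchall()
    out = []
    for service, client, value, modified in rows:
        when = datetime.fromtimestamp(modified, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        out.append((when, service, client, decode(col, value)))
    return out

if __name__ == "__main__":
    for row in permission_timeline(build_sample_tcc()):
        print(*row)
```

Because TCC.db keeps only the latest state per service/client pair, the timeline shows when each decision was last changed, not every intermediate toggle the unified log would have recorded.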