I’ve uploaded my presentation that I gave at the lovely Sikkerhetsfestivalen 2024 in Lillehammer, Norway.
This presentation goes through some pattern-of-life (APOLLO-ish) investigative scenarios.
I’ve been working hard on a big update to improve core functionality of APOLLO to include methods to gather up the database files needed so they can be extracted from using the APOLLO modules.
New APOLLO Functions:
‘gather_macos’ - Automagically finds and collects database files on macOS using modules.
Any directory, mounted volume, etc.
Ability to ignore certain directories
‘gather_ios’ - Automagically finds and collects database files on jailbroken iOS devices using modules.
IP and Port Required
Ability to ignore certain directories
‘extract’ - Nearly the same as before, rips through all the databases and extracts data via the SQL queries in the modules.
Improved CSV output
New JSON output within SQLite database
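As an added illustration of the extract step described above (this is not APOLLO's own code, and the module format below is a simplified assumption, not APOLLO's real module files): each module pairs a database file name with an SQL query, the query runs read-only over every matching database in the gathered directory, and the rows are written both as CSV and as JSON text inside an output SQLite database. The sample database is constructed inline.

```python
import csv, json, sqlite3, tempfile
from pathlib import Path

# Assumed, simplified module definition: name, database file to match, SQL query.
MODULES = [
    {"name": "sample_app_usage",
     "database": "sample_usage.db",   # file name the gather step would have collected
     "query": "SELECT app, start_ts, end_ts, end_ts - start_ts AS secs "
              "FROM usage ORDER BY start_ts"},
]

def build_sample_db(path):
    """Create a constructed SQLite database standing in for a collected pattern-of-life DB."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE usage(app TEXT, start_ts INTEGER, end_ts INTEGER)")
    con.executemany("INSERT INTO usage VALUES (?,?,?)", [
        ("com.apple.mobilesafari", 1700000000, 1700000300),
        ("com.apple.MobileSMS", 1700000400, 1700000460),
    ])
    con.commit(); con.close()

def extract(modules, collected_dir, out_dir):
    """Run each module's query over matching databases; emit CSV plus JSON rows in an output SQLite DB."""
    collected_dir, out_dir = Path(collected_dir), Path(out_dir)
    out_db = sqlite3.connect(out_dir / "extract_output.db")
    out_db.execute("CREATE TABLE IF NOT EXISTS results(module TEXT, source_db TEXT, data TEXT)")
    counts = {}
    for mod in modules:
        for db_path in collected_dir.rglob(mod["database"]):
            # Open read-only so the collected evidence file is never modified.
            src = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
            src.row_factory = sqlite3.Row
            rows = [dict(r) for r in src.execute(mod["query"])]
            src.close()
            if not rows:
                continue
            with open(out_dir / f"{mod['name']}.csv", "w", newline="") as f:
                w = csv.DictWriter(f, fieldnames=rows[0].keys()); w.writeheader(); w.writerows(rows)
            out_db.executemany("INSERT INTO results VALUES (?,?,?)",
                               [(mod["name"], str(db_path), json.dumps(r)) for r in rows])
            counts[mod["name"]] = counts.get(mod["name"], 0) + len(rows)
    out_db.commit(); out_db.close()
    return counts   # rows extracted per module, e.g. {"sample_app_usage": 2}

def demo():
    work = Path(tempfile.mkdtemp())
    (work / "collected").mkdir(); (work / "out").mkdir()
    build_sample_db(work / "collected" / "sample_usage.db")
    return extract(MODULES, work / "collected", work / "out")
```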
I’ve also updated many modules for iOS 14 and macOS 11. I have more updates planned, but I still need to tweak, research, and test before I release them.
You can see the new workings of the tool in my OSDFCon presentation - “Go for Launch: Getting Started with Practical APOLLO Analysis”
And for pure fun(!) a bonus Halloween themed presentation with “Getting Spooky with Apollo” that I did for a Fortego F-Con Lightning Talk. 👻🎃
This was presented yesterday at Objective by the Sea 3.0 in beautiful Maui. Official macOS support and modules are coming to APOLLO!
Slides and video are available here. I hope to update the APOLLO GitHub with updated script/modules next week. I’ll be sure to post here when I do.
I had the wonderful opportunity to give this presentation at two great conferences in October: Jailbreak Security Summit and BSides NoLA. Unfortunately I was going on an extended vacation almost immediately after, so I forgot to post this to the site. I had a strict self-imposed no-laptop policy for this vacation, so it would just have to wait. FWIW: everyone should take a vacation that is [mostly] offline; it’s very refreshing!
The presentation is here, and the video of the presentation from the Jailbreak summit is here. Both of these links are also available in the Resources section of this website.
While I was off exploring Southeast Asia (see my Twitter feed for those updates), there have been some major updates to iOS jailbreaking that are worth a mention with this posting. The Checkm8 exploit was one of the major points of discussion during this presentation, as it was going to be a game changer for this type of analysis.
While I was drinking fruity drinks with umbrellas in them, the public jailbreak came out - Checkra1n. I almost broke my no-laptop policy when this happened, but I held back - someone else would write about it. Fortunately my good friend Mattia Epifani has written some fantastic blogs about using this in the forensic realm. I highly recommend reading through these.
iOS Device Acquisition with checkra1n Jailbreak [Elcomsoft & Mattia]
Checkm8, Checkra1n and the new "golden age" for iOS Forensics [Mattia]
Checkra1n Era - Ep 1 - Before First Unlock (aka "I lost my iPhone! And now?") [Mattia]
Heather Mahalik and I teamed up again this year at the SANS DFIR Summit to present on iOS CarPlay and Android Auto.
Presentation is here. Will post a link to the video when it’s available.
Always a good time, and I love seeing friends every year. Still one of my favorite conferences! It was a nice surprise winning a couple of Forensic 4cast awards too! Thanks for your votes! ☺️