
Showing posts from 2020

Checkra1n Era - Ep 6 - Quick triaging (aka from the iPhone to APOLLO, iLEAPP and sysdiagnose in 6 minutes)

Over the last months, a lot of research based on the checkm8 exploit was done.
On data acquisition:
- Belkasoft, Cellebrite and MSAB developed a "forensic-oriented" implementation of the checkm8 exploit
- Elcomsoft, Oxygen and Magnet Forensics support a full file system extraction of a

BYOM - Build Your Own Methodology (in Mobile Forensics)

Last Friday I had the honour to present at "Life has no CTRL+ALT+DEL", a DFIR online meetup organized by Heather Mahalik in this crazy COVID-19 period.

I delivered a presentation titled "BYOM - Build Your Own Methodology (in Mobile Forensics)".

If you are interested in taking a look at the presentation, it is available here

https://www.dropbox.com/s/kxnhqyyyr8yk1h5/BYOM_Forensic.pdf?dl=0

During the presentation I shared some concepts I consider as "fundamentals" if you are working in this field.


For each category, I provided some resources that can help building or improving your methodology.

I decided then to share these resources in a blog post, with the hope that it could be a useful "starting point" for reading and studying, especially in this period.
KNOWLEDGE

Mobile OS Architecture and Security books
Title                     Authors          URL
Android Internals         Jonathan Levin   http://newandroidbook.com/
MacOS and iOS Internals   Jonathan Levin   http://www.newosxbook.com/
Android Se…

teleparser

Sometimes you need something open... This post briefly introduces the teleparser script, whose goal is to parse the Telegram cache4.db. Honestly speaking, I would have done something else, but the coding (better, decoding) job was born with a real case a few months ago.
Suppose you have a truly important cache4.db, a file containing every non-deleted and synced chat of the suspect, together with his encrypted p2p chats. Suppose that all the major, well-known commercial solutions are unable to properly parse that database, or, if they are able, they provide slightly different results. Again, the db content represents crucial evidence. On which tool's output, if any, would you rely to report that evidence?
That's a classical example where the digital investigator must be able to explain every single bit there (theoretically, he should always be). Point is, the cache4.db is not just a simple SQLite database, but it's a SQLite database containing a lot of binary blobs. Guess what? All …
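The first thing an examiner needs when a vendor parser is in doubt is an independent inventory of those blobs: which columns actually hold binary data, how many rows, and the raw bytes of each object so they can be decoded and cross-checked by hand. The script below is an added example written for this page, not the teleparser code and not Telegram's own schema: it builds a constructed in-memory SQLite database whose table and column names, blob contents and NULL/empty rows are all assumptions chosen to exercise the edge cases, then discovers blob-bearing columns by checking the stored type of each value (SQLite column affinity is only advisory, so the declared type in the schema can lie) and carves every object out with its rowid. Decoding Telegram's serialization of those objects is outside the example.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample database for this example.

    The tables mimic the *shape* of a chat cache (text/integer metadata plus
    serialized-object BLOB columns). Names and contents are assumptions for
    the example, not the real Telegram cache4.db schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages(mid INTEGER PRIMARY KEY, uid INTEGER, date INTEGER, data BLOB);
        CREATE TABLE users(uid INTEGER PRIMARY KEY, name TEXT, data BLOB);
        CREATE TABLE params(id INTEGER PRIMARY KEY, value TEXT);
    """)
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        (1, 42, 1584000000, bytes.fromhex("0a1b2c3d00ff")),
        (2, 42, 1584000060, bytes.fromhex("deadbeef")),
        (3, 43, 1584000120, None),          # NULL in a BLOB column: must be skipped, not crash
    ])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (42, "alice", b"\x01\x02"),
        (43, "bob", b""),                   # zero-length blob: still a blob, still reported
    ])
    conn.execute("INSERT INTO params VALUES (1, 'v1')")  # no blobs at all
    conn.commit()
    return conn


def list_tables(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]


def blob_columns(conn: sqlite3.Connection) -> dict:
    """Map table -> [(column, blob_row_count)] for columns that really hold BLOBs.

    typeof() reports the storage class of the stored value, so a column whose
    declared affinity is TEXT but that carries binary data is still found.
    """
    found = {}
    for table in list_tables(conn):
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            n = conn.execute(
                f'SELECT COUNT(*) FROM "{table}" WHERE typeof("{col}") = ?',
                ("blob",)).fetchone()[0]
            if n:
                found.setdefault(table, []).append((col, n))
    return found


def carve_blobs(conn: sqlite3.Connection, table: str, column: str) -> list:
    """Return [(rowid, bytes)] for every non-NULL blob in table.column.

    rowid keeps each carved object tied to its source row so a decoded value
    can be traced back to the record it came from when writing the report.
    """
    rows = conn.execute(
        f'SELECT rowid, "{column}" FROM "{table}" WHERE typeof("{column}") = ? ORDER BY rowid',
        ("blob",))
    return [(rid, bytes(val)) for rid, val in rows]


def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    conn = build_sample_db()
    for table, cols in blob_columns(conn).items():
        for col, n in cols:
            print(f"{table}.{col}: {n} blob(s)")
            for rid, blob in carve_blobs(conn, table, col):
                print(f"  rowid {rid}: {len(blob)} bytes")
                print(hexdump(blob))
```

Against a real database, replace `build_sample_db()` with `sqlite3.connect("file:cache4.db?mode=ro", uri=True)` so the evidence file is opened read-only; the inventory from `blob_columns()` is also a quick way to spot which columns the commercial tools disagree on, since those are exactly the serialized objects each vendor has to decode on its own.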