Settling into Relaxation


What a whirlwind of a week! Most of this past week was spent traveling for work, which can be simultaneously exhilarating and exhausting. I love to travel and explore new places, even if I’ve previously been to the area. But coming home, it pulls the rug out from under me, and I tend to crash hard. Thankfully, I’M NOW ON VACATION!

This week is devoted to relaxation and getting things done around the house that have been put off for far too long (psst… cleaning my shower…). I’m really looking forward to putting my feet up, reading and finishing a book, maybe deep cleaning my house, and spending quality time with the pups.

Halloween is also a few days away. While I don’t really get into the horror side of things, including spiders, many people do. Does anyone have an awesome Halloween costume planned? Any fun parties? Share in a comment!

New Focus in Life


Quite a lot has changed in the last 16 months since my previous blog post. I relocated from Chicago back to Ohio, have two Akitas, changed jobs briefly and then went back to my previous job, work full-time out of my house, and… I have lupus.

It’s crazy how fast life can hit you. What you could previously do without giving it a second thought – like waking up without pain and brain fog – is no longer possible. Every day is a new challenge. Some days are fantastic with minimal pain and excess energy; other days are burdened with hives, poor lung function, joints that feel as though they’re actively burning in a fire, and so on.

I may have lupus, but I am not lupus.

My focus in life has shifted. I try to focus less on the struggles and more on the achievements. That can be difficult, especially when you can no longer do things you once could. Years ago I could (and did) work out every day, but now working out depends on my pain level and whether I have time to recuperate from the muscle soreness and joint pain. For now, I am walking at least 30 minutes every day and closing all of my Activity rings on my Apple Watch. This new way of life is a weird balance, but I am slowly figuring it out.

#14 – Rest in Peace, DFIR Dog

Digital Forensics / Incident Response

Today’s post is an incredibly tough one to write. This morning my buddy, my best friend, my DFIR Dog passed away. He lived a great life and was loved by so many. Whenever I would work from home, he would lovingly announce his presence on conference calls, show his face on video calls, and would stare at the computer screen helping me analyze evidence. He was to be the topic of my presentation for next year’s DFIR Summit. (Who knows, maybe I will still do the presentation — bring tissues!)

Cody was rescued at 3 years old and lived to be just shy of his 13th birthday. He enjoyed being goofy, helping people, going for walks, being my anxiety companion, and being loved on by the neighbor kids and my nieces and nephews. He was incredibly smart and knew exactly how to get his way, most days. He passed peacefully in my arms at home, surrounded by love and comfort. May he rest in peace and run wild and free. Mama loves you, buddy.

#13 – Exploring macOS

Digital Forensics / Incident Response / Mac Artifacts

Per the recommendation of someone, I took a peek inside the macOS /private/var directory. If you have never examined the contents, I suggest you do.

[Screenshot: /private/var contents]

For example, one of the directories contains logs. Hint: It’s the “log” directory.

[Screenshot: /private/var/log contents]

Over the next few posts, I will explain some of these logs and files for you. Then we will back out of this directory and dive into another. Stay tuned!

#12 – Supporting Women in Tech

Conferences / Digital Forensics / Incident Response

The Diana Initiative is hosting a two-day conference on August 9 and 10, during the week of Black Hat and DEFCON. The conference is FREE for attendees, and this year’s theme is “Hacker Family: Our Diversity Unifies Us.” According to their website, the organization was set up to:

  • Encourage diversity and support women who want to pursue careers in information security
  • Promote diverse and supportive workplaces
  • Help change workplace cultures

This year’s conference schedule has been posted, and there are some really amazing talks planned. The one I am looking forward to most is Amanda Berlin’s Friday evening keynote on mental health.

There are sponsor spots still open if you or your company would like to sponsor the event. Donations are also open! If you cannot afford to donate (and that’s okay!), consider being a volunteer for the event. Regardless, you should attend! Did I mention the conference is free? Hope to see you there!

#11 – When Things Go Awry

Digital Forensics / Smartphone Forensics

Scenario: A user connects an iPhone to a Windows 7 computer. The computer prompts the user with options of how to view the contents, sync contents, etc. The user chooses to view the files, browses to the DCIM folder, and begins to copy the photos to the computer. A few minutes into the file copy, iTunes opens on the computer and interrupts the connection to begin creating a backup. The user stops the iTunes backup, closes iTunes, and ejects the iPhone. The user unplugs the iPhone from the computer and plugs it back in to restart the DCIM file copy. Oddly, there are no photos to copy. On the iPhone, the Photos folder is empty, and there are no Recently Deleted photos. Add to this, iCloud Photo Sharing and iCloud Sync are disabled, and Photo Stream is turned off. What would you do to recover the photos?

This is what I tried when presented with this problem.

  1. Create a forensic image of the iPhone. I used Cellebrite Physical Analyzer, Method 1 and Method 2, to capture the contents. Jailbreaking the iPhone was not an option due to MDM settings (and I wasn’t going to risk losing everything).
  2. Carve for images. I again used Cellebrite Physical Analyzer for this. This method located 595 images, with all but two recovered images being junk portions of possible images. The two recovered images were application thumbnails and not the missing photos.
  3. Create a forensic image of the memory on the Windows 7 computer. I used FTK Imager for this because it was already installed on the machine. It made a copy of the pagefile.sys and created a memdump.mem file. I analyzed both of these with X-Ways — still no missing photos.
  4. Create a forensic image of the hard drive from the Windows 7 computer. I used a Logicube Falcon for the image creation, decrypted the image with EnCase, then analyzed the image in X-Ways. After carving for photos, no such luck.

What else would you have tried?

#10 – APFS

APFS / Digital Forensics

My original post tonight was scrapped, mostly because I ran across APFS goodness on Twitter. Jonas Plum tweeted about releasing an open source file recovery tool for APFS volumes. Holy monkeys, y’all. Open source file recovery tool for APFS volumes! I’m excited! All the APFS tingly feelings.

Download afro here. I plan to test this tomorrow over a couple base APFS images and will blog about the findings. Stay tuned!

In the meantime, if anyone has APFS tools they would like tested, feel free to contact me. I would be happy to provide feedback.

#9 – Manifest.db BLOBs

Digital Forensics / iOS Artifacts / Smartphone Forensics

Yesterday I mentioned extracting BLOB data from Manifest.db, which would be a painful process to do manually. Thankfully, Adrian Leong (@Cheeky4n6Monkey) wrote a Python script to automate BLOB extractions from SQLite databases. It is a fairly simple script and will work on any SQLite database, not just the Manifest.db.

An example invocation of the script is below, where <script.py> stands in for the script's filename:

python <script.py> targetdb.sqlite tablename outputdir

Test it out. Let him know what you think or submit a pull request with your updates.

#8 – iTunes Backup Manifest.db

Digital Forensics / iOS Artifacts / Smartphone Forensics

The Manifest.db is a SQLite database storing information about the iTunes backup. When opened with DB Browser for SQLite, switch to the Browse Data tab to preview the contents of the tables.


In the above photo, you can see the table’s contents on the left side. When you see BLOB as the content, you will likely want to export the data to view in another application. To see the content in SQLite, on the right side, change the Mode to Binary. This will show you the BLOB content, which in this case is an embedded binary plist. (Welcome to iOS and macOS! You will quickly get used to seeing embedded binary plists, double embedded plists, and so on. It is plist Inception!)

To export the binary plist, click on Export and save the file to a new location. Change the file extension to plist and open with your plist viewer of choice. (On macOS, you can view these natively or use Xcode. On Windows, try Paul Sanderson’s BPList Viewer.)

[Screenshot: exported binary plist]

The exported plist will include file information and dates, depending on which binary plist you exported. The highlighted item “LastStatusChange” is actually a date value of Unix Epoch. If you see a number starting with 14 or 15, count on it being a Unix Epoch date.

[Screenshot: Unix Epoch converter]

In the above example, the Unix Epoch value “1527733038” has been converted to a human-readable date. is a great, free resource for converting date values and allows batch conversions of dates. Other popular conversion tools are Dcode, DateDecode, Unix Timestamp, and my personal favorite
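The BLOB-dumping step from the #9 post and the BLOB-to-plist-to-date walk-through from this post can be chained together in a few lines of Python. The block below is an added example written for this page; it is not Adrian Leong's script and not any of the tools named above. It builds a small, constructed Manifest.db lookalike in a temp directory (a single Files table whose "file" column holds a binary plist, which is a simplification of the real NSKeyedArchiver payload), dumps every BLOB cell to a file, names the file .plist when it starts with the bplist00 magic, loads it with plistlib, and converts the LastStatusChange value from Unix epoch seconds to a UTC timestamp.

```python
import datetime
import os
import plistlib
import sqlite3
import tempfile

# Binary plists start with this 8-byte magic ("bplist" + 2-digit version).
BPLIST_MAGIC = b"bplist00"


def dump_blobs(db_path, table, outdir):
    """Write every BLOB cell in `table` to its own file under outdir.

    Generic over any SQLite table: column names come from PRAGMA table_info,
    and only cells whose Python type is bytes (sqlite BLOB) are written.
    Returns the list of paths written, in row/column order.
    """
    os.makedirs(outdir, exist_ok=True)
    quoted = '"' + table.replace('"', '""') + '"'   # safe identifier quoting
    conn = sqlite3.connect(db_path)
    try:
        cols = [row[1] for row in conn.execute(f"PRAGMA table_info({quoted})")]
        written = []
        for rowid, *values in conn.execute(f"SELECT rowid, * FROM {quoted}"):
            for col, val in zip(cols, values):
                if not isinstance(val, (bytes, memoryview)):
                    continue
                data = bytes(val)
                # Extension hint so a plist viewer opens bplists directly.
                ext = ".plist" if data.startswith(BPLIST_MAGIC) else ".bin"
                path = os.path.join(outdir, f"{table}_{rowid}_{col}{ext}")
                with open(path, "wb") as fh:
                    fh.write(data)
                written.append(path)
        return written
    finally:
        conn.close()


def parse_bplist(path):
    """Load a binary (or XML) plist file into Python objects."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def epoch_to_utc(value):
    """Render Unix epoch seconds (e.g. 1527733038) as a human-readable UTC time."""
    when = datetime.datetime.fromtimestamp(int(value), tz=datetime.timezone.utc)
    return when.strftime("%Y-%m-%d %H:%M:%S UTC")


def build_sample_db(db_path):
    """Constructed sample: one-row Files table shaped like Manifest.db's.

    The real 'file' BLOB is an NSKeyedArchiver plist with the metadata nested
    under $objects; here it is a flat dict so the example stays short.
    """
    payload = plistlib.dumps(
        {"LastStatusChange": 1527733038, "Size": 4096, "Mode": 33188},
        fmt=plistlib.FMT_BINARY,
    )
    conn = sqlite3.connect(db_path)
    conn.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    conn.execute(
        "INSERT INTO Files VALUES (?, ?, ?, ?, ?)",
        ("0123abcd", "CameraRollDomain",
         "Media/DCIM/100APPLE/IMG_0001.JPG", 1, payload),  # constructed values
    )
    conn.commit()
    conn.close()


def demo():
    """End-to-end: build sample DB, dump BLOBs, parse plist, convert the date."""
    workdir = tempfile.mkdtemp(prefix="manifest_demo_")
    db_path = os.path.join(workdir, "Manifest.db")
    build_sample_db(db_path)
    paths = dump_blobs(db_path, "Files", os.path.join(workdir, "blobs"))
    plist = parse_bplist(paths[0])
    return paths, plist, epoch_to_utc(plist["LastStatusChange"])


if __name__ == "__main__":
    paths, plist, when = demo()
    for p in paths:
        print("wrote", p)
    print("LastStatusChange:", plist["LastStatusChange"], "->", when)
```

Against a real backup you would point dump_blobs at the Manifest.db copy and the Files table, then open the resulting .plist files in your viewer of choice; parse_bplist will load them, but expect the keyed-archive layout rather than the flat dict used in the constructed sample.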

#7 – iTunes Backup Manifest.plist

Digital Forensics / Smartphone Forensics

The Manifest.plist is another file in the root of the iTunes backup folder.



Like the other plists, this one lists the device name, serial number, and Unique Device ID. Some of the additional values included are identifying if the backup is encrypted, syncing to iCloud, if there is a passcode set on the device (different from backup encryption), WiFi sync capabilities, and any accessibility features enabled.

A note about the This is not indicating whether or not the device has WiFi enabled. This key shows whether iTunes can be synced over WiFi.

[Screenshot: iTunes sync options]

Also note (unrelated to the Manifest.plist), if you want to prevent the phone from automatically syncing when it is plugged into your computer, uncheck the box “Automatically sync when this iPhone is connected.”