Author: Stacey Randolph

New Focus in Life

1 comment
Uncategorized

Quite a lot has changed in the last 16 months since my previous blog post. I relocated from Chicago back to Ohio, have two Akitas, changed jobs briefly and then went back to my previous job, work full-time out of my house, and… I have lupus. It’s crazy how fast life can hit you. What you could previously do without giving it a second thought – like waking up without pain and brain fog – […]

#14 – Rest in Peace, DFIR Dog

4 comments
Digital Forensics / Incident Response

Today’s post is an incredibly tough one to write. This morning my buddy, my best friend, my DFIR Dog passed away. He lived a great life and was loved by so many. Whenever I would work from home, he would lovingly announce his presence on conference calls, show his face on video calls, and would stare at the computer screen helping me analyze evidence. He was to be the topic of my presentation for next […]

#13 – Exploring macOS

1 comment
Digital Forensics / Incident Response / Mac Artifacts

Per the recommendation of someone, I took a peek inside the macOS /private/var directory. If you have never examined the contents, I suggest you do. For example, one of the directories contains logs. Hint: It’s the “log” directory. Over the next few posts, I will explain some of these logs and files for you. Then we will back out of this directory and dive into another. Stay tuned!

#12 – Supporting Women in Tech

1 comment
Conferences / Digital Forensics / Incident Response

The Diana Initiative is hosting a two-day conference on August 9 and 10, during the week of Black Hat and DEFCON. The conference is FREE for attendees, and this year’s theme is “Hacker Family: Our Diversity Unifies Us.” According to their website, the organization was set up to:

- Encourage diversity and support women who want to pursue careers in information security
- Promote diverse and supportive workplaces
- Help change workplace cultures

This year’s conference schedule has […]

#11 – When Things Go Awry

7 comments
Digital Forensics / Smartphone Forensics

Scenario: A user connects an iPhone to a Windows 7 computer. The computer prompts the user with options of how to view the contents, sync contents, etc. The user chooses to view the files, browses to the DCIM folder, and begins to copy the photos to the computer. A few minutes into the file copy, iTunes opens on the computer and interrupts the connection to begin creating a backup. The user stops the iTunes backup, […]

#10 – APFS

1 comment
APFS / Digital Forensics

My original post tonight was scrapped, mostly because I ran across APFS goodness on Twitter. Jonas Plum tweeted about releasing an open source file recovery tool for APFS volumes. Holy monkeys, y’all. Open source file recovery tool for APFS volumes! I’m excited! All the APFS tingly feelings. Download afro here. I plan to test this tomorrow over a couple base APFS images and will blog about the findings. Stay tuned! In the meantime, if anyone […]

#9 – Manifest.db BLOBs

1 comment
Digital Forensics / iOS Artifacts / Smartphone Forensics

Yesterday I mentioned extracting BLOB data from Manifest.db, which would be a painful process to do manually. Thankfully, Adrian Leong (@Cheeky4n6Monkey) wrote a Python script to automate BLOB extractions from SQLite databases. It is a fairly simple script and will work on any SQLite database, not just the Manifest.db. An example of the script is below:

    python sqlite-blob-dumper.py targetdb.sqlite tablename outputdir

Test it out. Let him know what you think or submit a pull request […]

#8 – iTunes Backup Manifest.db

1 comment
Digital Forensics / iOS Artifacts / Smartphone Forensics

The Manifest.db is a SQLite database storing information about the iTunes backup. When opened with DB Browser for SQLite, switch to the Browse Data tab to preview the contents of the tables. In the above photo, you can see the table’s contents on the left side. When you see BLOB as the content, you will likely want to export the data to view in another application. To see the content in SQLite, on the right […]
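As an added illustration of the BLOB-export step described in posts #8 and #9 (this is example code written for this page, not Adrian Leong's sqlite-blob-dumper.py and not the blog's own), the script below builds a small Manifest.db-shaped SQLite database, dumps every BLOB cell of a table to a file, identifies the dump by its magic bytes, and decodes it as a binary plist. The table layout (fileID, domain, relativePath, flags, file), the metadata keys, and the sample rows are constructed assumptions for the demo; the fileID derivation (SHA-1 of "domain-relativePath") and the "bplist00" magic are real, but nothing here is taken from the original posts.

```python
import hashlib
import os
import plistlib
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample rows for the demo: (domain, relativePath, flags, metadata).
# The column layout mirrors the Files table of an iTunes backup Manifest.db
# (fileID, domain, relativePath, flags, file BLOB); the layout and the
# metadata keys are assumptions for this example, not taken from the page.
SAMPLE_ROWS = [
    ("HomeDomain", "Library/SMS/sms.db", 1,
     {"Size": 1234, "Mode": 0o100644, "LastModified": 1500000000}),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb", 1,
     {"Size": 5678, "Mode": 0o100644, "LastModified": 1500000100}),
]


def file_id(domain, relative_path):
    """iTunes backups name each file by SHA-1 of '<domain>-<relativePath>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def build_sample_db(db_path):
    """Create a Manifest.db-shaped database whose 'file' column holds
    binary plists, the way real backups store per-file metadata."""
    conn = sqlite3.connect(db_path)
    conn.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    for domain, rel, flags, meta in SAMPLE_ROWS:
        blob = plistlib.dumps(meta, fmt=plistlib.FMT_BINARY)
        conn.execute("INSERT INTO Files VALUES (?, ?, ?, ?, ?)",
                     (file_id(domain, rel), domain, rel, flags, blob))
    conn.commit()
    conn.close()


def dump_blobs(db_path, table, outdir):
    """Write every BLOB cell of `table` to outdir/<rowid>_<column>.bin.
    Returns the written paths in rowid order."""
    # Open read-only so the evidence file is never modified.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    # A table name cannot be bound as a parameter; confirm it exists in
    # sqlite_master before quoting it into the query.
    exists = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,)).fetchone()
    if exists is None:
        conn.close()
        raise ValueError(f"no such table: {table}")
    quoted = '"' + table.replace('"', '""') + '"'
    # rowid gives a stable file name; a WITHOUT ROWID table would need a
    # key column here instead.
    cur = conn.execute(f"SELECT rowid, * FROM {quoted}")
    columns = [d[0] for d in cur.description][1:]
    os.makedirs(outdir, exist_ok=True)
    written = []
    for row in cur:
        rowid, values = row[0], row[1:]
        for name, value in zip(columns, values):
            if isinstance(value, bytes):  # sqlite3 returns BLOB cells as bytes
                path = os.path.join(outdir, f"{rowid}_{name}.bin")
                with open(path, "wb") as fh:
                    fh.write(value)
                written.append(path)
    conn.close()
    return written


def sniff(path):
    """Classify a dumped blob by its magic bytes so you know which
    application to open it with."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(b"bplist00"):
        return "bplist"
    if head.startswith(b"SQLite format 3\x00"):
        return "sqlite"
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return "unknown"


def decode_bplist(path):
    """Parse a binary plist dump back into Python objects."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def demo():
    """Build the sample DB in a temp dir, dump its blobs, decode the first."""
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "Manifest.db")
    build_sample_db(db_path)
    paths = dump_blobs(db_path, "Files", os.path.join(workdir, "blobs"))
    return paths, decode_bplist(paths[0])


if __name__ == "__main__":
    dumped, metadata = demo()
    for p in dumped:
        print(p, sniff(p))
    print(metadata)
```

The read-only URI and the sqlite_master check are the two habits worth keeping when pointing this at a real Manifest.db: the first guarantees the evidence copy is not written to (no journal or WAL file appears beside it), and the second stops an untrusted table name from being spliced into the query. On a real backup the dumped `file` cells start with `bplist00`, so the decode step shows the per-file metadata without needing a separate viewer.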

#7 – iTunes Backup Manifest.plist

1 comment
Digital Forensics / Smartphone Forensics

The Manifest.plist is another file in the root of the iTunes backup folder. Like the other plists, this one lists the device name, serial number, and Unique Device ID. Additional values identify whether the backup is encrypted, whether it syncs to iCloud, whether a passcode is set on the device (distinct from backup encryption), WiFi sync capabilities, and any accessibility features enabled. A note about the com.apple.mobile.wireless_lockdown. This is not indicating […]

#6 – iTunes Backup Status.plist

1 comment
Digital Forensics / Smartphone Forensics

Yesterday I mentioned there were a few plists and a database in the root of the backup folder. I explained the Info.plist, but today wanted to explain the Status.plist. In some scenarios, you will only have a limited amount of time with a device, and you want to ensure you have everything you need. This plist is a quick way to check. The Status.plist will display if a backup has fully completed, if it is a […]