In this post within the "Breaking Down the Biomes" series, we're going to take a dive into Siri-driven artifacts. Previously we could track some Siri data within KnowledgeC.db, but it's now a mixed bag, as some of those data points have moved out to the biome data. Siri has made it difficult in the past to figure out how it was used, as the conversion from voice data to text data is performed on Apple's end, not on the device. | D20 Forensics
Oh Safari, I once thought your worst change was moving the navigation bar to the bottom of the screen. Turns out you said "Hold My Beer" with iOS 16 and decided to throw some switcharoos on us. To be honest, Safari has always been an interesting albeit annoying browser for iOS. It has some pretty strict limits when it comes to storing data including keeping history for only 30 days and downloads for 24 hours. It also mimics its history over into the KnowledgeC database which is great when you...
CarPlay is Apple's attempt to make driving your car and using your phone at the same time safer. In order to do this, Apple has basically created a screen mirroring service which allows your in-car infotainment system to stream data from your mobile device. This is great for listening to your favorite podcasts and using Siri to send/receive messages while driving. There's been some great research done previously on CarPlay and forensics including the talk by Heather Mahalik and Sarah Edward...
In my previous post in the "Breaking Down the Biome" series, I covered the basic structure of biome data in iOS as well as mentioned how several things went missing from KnowledgeC in iOS 16. In this post I'm going to cover one of those that went missing, Application Installs, as well as some correlating data that still exists in the KnowledgeC.db (but might not always). Something I've noticed in my testing of iMessages for this year's SANS DFIR Summit is that when a message is...
With the release of iOS 16, I did what I always do: get as many images as I can from my test phones and start ripping them apart to see what is and isn't there anymore. While quick images (iTunes-style backups) were pretty straightforward, minus some enhancements to Messages and Safari (here if you're interested), filesystem images have been a bit different. Buckle up folks because this one is going to be a bit long. If you're looking for the TL;DR, scroll to the bottom to get a quick review of...
With the release of iOS 16, there have been a lot of people talking about Apple's decision to allow for iMessage users to either unsend or edit a message. There are a lot of potential nefarious uses for this data, but what does all of this mean for forensics?
This is the accompanying blogpost to the Magnet User Summit 2022 talk: [Air]Tag You're It!
In this multi-part series of blogs on tracking device migration, we're going to take a look at some of the core artifacts one might be able to track on Android devices. Unlike iOS, Android devices will likely not have local backups restored from a computer; however, device-to-device and Gdrive/Cloud backups will allow users to transition data from one device to another. This doesn't just include Android to Android but can include iOS to Android too!
This week I got some huge news! This blog was nominated for a 4:cast award for Blog of the Year! I'm incredibly honored for this nomination! It also spurred me to remember I had a bunch of posts I wanted to work on but the last few weeks have been packed with teaching and work. Today I'm going to talk about a methodology for how to track files that have been downloaded from the Safari browser on iOS or macOS.
Well, it's been a bit since I've been able to update, so I thought I'd change that. I've been working on some new research for a class I'm building and it's been giving me a chance to deep dive into some fun stuff for both iOS and Android. I'm usually very interested to figure out preferences, permissions, and default applications on platforms as it can help shape the user's behavioral patterns. Because of this, I want to talk about where you can go look for this information in Android as it's be...
In iOS, one of the more vexing things I've found when working through data or helping a student with questions usually comes back to tracking what application is responsible for putting data in a specific place. With some of the fantastic work done by others including Alexis Brignoni (link here) on the ApplicationState.db as part of the FrontBoard directory, it has become one of my first go-to spots to build a "treasure map" of applications to deal with those annoying AppGUIDs that App...
iOS 14 brought a couple of new features I've been wanting to test. In past years I've evaluated Android's "Instant Apps" feature and of course when Apple added this with iOS 14's App Clips I had to see what was being stored.
After diving into some basic stuff of iOS 14 in the last post I wanted to see if I could track any of the new features to iMessage. Both inline replies to messages and mentions didn't really stand out to me when I was doing initial testing because the schema looked mostly the same. Sneaky Apple decided to embed some of this data as well as create some new columns at the far end of our tables.
Well, I thought I was going to take a break this week from mobile but Apple decided that wouldn't be the case. It dropped iOS 14 this week on us after its big announcement event on Tuesday. While we didn't get any new iPhones, they did announce some swanky new watches and iPads. They also announced that iOS 14 would be dropped the following day. Obviously I had to take a look.
Apple is about to release two new OS upgrades in the form of iOS 14 and macOS 11 (whoa, that's weird to say) this fall. With new OS versions always comes a lot of new artifact testing. I've always been fascinated with tracking browser preferences and due to the nature of how Safari operates, I feel that it's one of the most important browsers to track and understand the preferences of.
In the first post of this week I detailed a lot of the paths you might want to use if you're using a full filesystem image of an iOS device. I also detailed several ways to find this information using a live test device. In this post I want to circle around and talk about what you can hope to find from the Files app in the more common "Quick" image format or the iTunes-backup formatted image type. A lot of the same areas are going to be there, just under some different names.
I've been working on a new set of applications but before I begin those, I wanted to take a detour around an application that we've all probably come across from time to time, but had often confused me on where and how it stored its data. This application is the "Files" app that Apple added in iOS 11. With iOS 13 (and iPadOS 13) there were several additional features including the downloads directory. Files has also added abilities to generate iCloud share links and collaborate on files on ap...
After the earlier post this week about Tile for iOS, I wanted to circle around and provide some custom artifacts and SQLite queries. It also gave me a chance to work with a good friend and colleague of mine, Alexis Brignoni (@AlexisBrignoni). Let's start with the databases. There are two databases of value held within the Shared data folder:
Last year I posted about the Tile for Android app here that I felt was tracking a lot of information for just a few days worth of data gen. Over the past year, I've kept the Tile application running on my iOS app to see what would come about it. Oooooo boy was I surprised at how much data this application is collecting AND storing locally on its users.
I'm always interested in location data that is available on iOS and Android devices, especially if that data is generated not by the core system but instead by a third party application. Oftentimes our third party apps are collecting location data, but according to Apple's policy it's supposed to be passing through them. But what if the application is collecting it for its own purpose too and transmitting it back to its servers? Maybe there are files left behind in the applicatio...
If you saw the other post on DJI Fly for iOS (link), I felt like I had to strap in my test Android and see if there were any major differences. To be honest, from an app perspective, it's pretty much the same. At least for the good bits.
Of course you had to know it was coming if you follow me on twitter. As soon as I got a drone you should know that one of two things is inevitable:
Oh Samsung. Truly if any device has ever been the bane of my existence in mobile forensics, it's Samsung devices. From the "latest and grea...| blog.d204n6.com
Recently I was trying to set up an Android device to run some testing on and I just happened to pick a Samsung this time around. I needed s...
Sometimes I get the privilege of helping someone with a case and it really puts me down a rabbit hole of research. This is that situation. A...