Analysis Notes

A place to jot down notes from trying out malware analysis and anything I thought might be useful for analysis. This site uses Google Analytics.

4n6 Week 1 – 2023 - FORENSIC ANALYSIS

This entry was automatically generated and posted to show the opening lines of each article featured in This Week in 4n6 (FourAndSix = Forensics), so that the articles worth checking can be skimmed quickly. 4n6 itself can be found here.

FORENSIC ANALYSIS

Oleg Afonin at Elcomsoft

Approaching iOS Extractions: Choosing the Right Acquisition Method
Cloud Forensics: Obtaining iCloud Backups, Media Files and Synchronized Data
Advanced Logical Extraction with iOS Forensic Toolkit 8: Cheat Sheet
iOS Backups: Leftover Passwords
checkm8 Extraction Cheat Sheet: iPhone and iPad Devices
How to Put Apple TV 3 (2012-2013), Apple TV 4/HD (2015) and Apple TV 4K (2017) into DFU
iOS 16: SEP Hardening, New Security Measures and Their Forensic Implications
iOS 16: Extracting the File System and Ke...

Joe T. Sylve, Ph.D.

2022 APFS Advent Challenge Day 18 - Decryption Monday, December 26, 2022 Now that we know how to parse the File System Tree, Analyze Keybags, and Unwrap Decryption Keys, it’s time to put it all together and learn how to decrypt file system metadata and file data on encrypted volumes in APFS. Tweaks All encryption in APFS is based on the XTS-AES-128 cipher, which uses a 256-bit key and a 64-bit “tweak” value. This tweak value is position dependent. It allows the same plaintext to be encrypted and...

2022 APFS Advent Challenge Day 20 - Snapshot Metadata Wednesday, December 28, 2022 Our previous discussion discussed how Object Maps facilitate the implementation of point-in-time Snapshots of APFS file systems by preserving File System Tree Nodes from earlier transactions. In that discussion, I outlined the on-disk structure of the Object Map Snapshot Tree and how it can be used to enumerate the transaction identifiers of each Volume Snapshot. Today, we will briefly discuss two other sources of...

2022 APFS Advent Challenge Day 21 - Fusion Containers Thursday, December 29, 2022 As we discussed in an earlier post, Apple’s Fusion Drives combine the storage capacity of a hard disk drive (HDD) with the faster access speed of a solid state drive (SSD). The HDD is the primary storage device, and the SSD acts as a cache for recently accessed data. However, the Fusion Drive does not have built-in caching logic, and the operating system treats the two drives as separate storage devices. Apple crea...

2022 APFS Advent Challenge Day 22 - Retrospective Friday, December 30, 2022 As 2022 ends, so does my APFS Advent Challenge. Deciding at the last minute to write this series of blogs turned out to be even more challenging than expected. Life tends to find a way to complicate things, and December was no exception for me this year. I am glad I stuck with the challenge and hope that the information provided in the series was of some value to you. Donations To help keep me honest and support a worthy...

Joshua Hickman at ‘The Binary Hick’

Relays in the Apple Ecosystem. Passing the Baton. Binary Hick, Apple, Desktop, iOS, Mac, Mobile, 2022-12-28, 8 Minutes. The hand off. So I lied…one more blog post for the year. 🙂 Right before the Christmas holiday I received another really great question and I did not know the answer. My Google-Foo and phone-a-friend option went nowhere, so, as is customary, I grabbed my personal iPhone and iPad and started looking for the answer in my own data. The question was which artifact shows a phone...

MII Cyber Security

Cited from the website: Captured by Cado is a Capture the Flag (CTF) challenge series designed to educate incident responders on how to investigate attacks on cloud-based systems. This challenge is specifically focused on investigating three attack scenarios in Lambda serverless functions and ECS container systems. (Cado, 2022).
Pre-Requisites
Basic Knowledge of Cloud Computing (and basic how to use AWS)
Basic Knowledge of Forensic Investigation
Basic Knowledge of Linux
AWS Free Tier Account
Overview ...

I am using this blog post as a reminder in case I have a similar case in the future regarding database forensics. There is a company contacted by an attacker (this attacker is, 'you can say', the hacker) who shows that he has confidential information about this company and shows several pieces of this confidential information. The information provided was very convincing and indicates that the information is data from the company stored in their database. This company uses nginx as their web server...

Thomas Roccia at SecurityBreak

Investigation of a targeted attack in the CryptoCurrency industry
I investigated a campaign targeting the cryptocurrency industry. I wrote a detailed report that includes TTP, IOC and more. This thread was originally posted on Twitter and saved here!
DEV-0139 launches targeted attacks against the cryptocurrency industry - Microsoft Security Blog
Over the past several years, the cryptocurrency market has considerably expanded, gaining the interest of inves...

Tawan S. at Skynet_Cyber

By Meeeeeeeeee 😊 The bits and pieces that are made up to be what's known as "the internet" are in actuality many devices, infrastructure, and network devices all interconnected and delivered to what you see in front of your screen. It's much more complicated than that, but that is the overview of the internet. In the distant past, network communication reached its destination by passing through devices such as switches, hubs, and routers. In modern times, devices like firewalls, IPS/IDS, Proxy, EDR...

The Security Noob.

Posted on 29/12/2022. Following on from the previous [DFIR TOOLS] posts: [DFIR TOOLS] Timeline Explorer, what is it & how to use! [DFIR TOOLS] AmcacheParser, what is it & how to use [DFIR TOOLS] AppCompatCacheParser, what is it & how to use! [DFIR TOOLS] bstrings, what is it & how to use! This time we are going to talk about one of my favourite tools, EvtxECmd. So, what does Mr Zimmerman say about it:- But it is way more than just that; coupled with 'Timeline Explorer' it is a ridicul...