Notes in iOS 15
TL;DR: iOS 15 brought more forensics-meaningful changes to Apple Notes than recent major version releases. Structural Changes Between iOS 14.8...
Magnet CTF Week 12: Merry Hacksmas
TL;DR: Week 12 of the #MagnetWeeklyCTF was a return to the browser that shalt not be named. Review Check out...
Magnet CTF Week 11: I Can't Rekall How To Insta...
TL;DR: Week 11 of the #MagnetWeeklyCTF was a chance to check out rekall, mainly because I was completely fail-whaling on...
Magnet CTF Week 10: Time To Focus
TL;DR: Week 10 of the #MagnetWeeklyCTF was a healthy dose of humility towards the end of the questions. Review Check...
Magnet CTF Week 9: ReMEMORYing How To Do This
TL;DR: Week 9 of the #MagnetWeeklyCTF began a new case, this one involving a memory image. Review Check out the...
Magnet CTF Week 8: Short Side Quest
TL;DR: Week 8 of the #MagnetWeeklyCTF started down the side quest I was hoping to dig into, but only scratched...
Magnet CTF Week 7: /etc/network/interfaces
TL;DR: Week 7 of the #MagnetWeeklyCTF tests your knowledge of the presence of a single file on a Linux machine....
Magnet CTF Week 6: ELFant hunting
TL;DR: Week 6 of the #MagnetWeeklyCTF was the beginning of what I can only hope is a good reverse engineering...
Magnet CTF Week 5: I'm sorry, what?
TL;DR: Week 5 of the #MagnetWeeklyCTF got a little sporty with the addition of a Linux image (yay) and Hadoop...
Cellebrite CTF 2020: Tony Mederos #WrongAnswers...
TL;DR: Breakdown of our answers to Tony Mederos’s questions from the Cellebrite 2020 CTF using only free, open source tools....
Cellebrite CTF 2020: Ruth Langmore
TL;DR: Breakdown of our answers to Ruth Langmore’s questions from the Cellebrite 2020 CTF using only free, open source tools....
Magnet CTF Week 4: Back on the Horse Again
TL;DR: Back on the command line horse again for Week 4 after dropping Week 3 of the #MagnetWeeklyCTF due to...
Cellebrite CTF 2020: Rene Gade
TL;DR: Breakdown of our answers to Rene Gade’s questions from the Cellebrite 2020 CTF using only free, open source tools....
Cellebrite CTF 2020: Juan Mortyme
TL;DR: Breakdown of our answers to Juan Mortyme’s questions from the Cellebrite 2020 CTF using only free, open source tools....
Cellebrite CTF 2020: Introduction
TL;DR: No need for any commercial tools in Cellebrite’s 2020 Forensics Capture the Flag event, just open source software and...
Apple Private Wi-Fi Addresses
TL;DR: This post briefly explains how iOS implements MAC address randomization in iOS 14 and what it means for your...
Revisiting Apple Notes (7): Cloudkit Data
TL;DR: This post looks at Apple CloudKit within the context of Apple Notes to help you understand how Apple stores...
Magnet CTF Week 2: We Don't Need No Stinking Tools
TL;DR: Still no need for tools on the second week of the #MagnetWeeklyCTF, just access to the command line. Review...
Magnet CTF Week 1: No Tools Required
TL;DR: No need for tools on the first week of the #MagnetWeeklyCTF, just access to the command line. Get the...
Sponsorship
TL;DR: If you find this research or my code useful, you may want to consider supporting my work to enable...
Revisiting Apple Notes (6): The Protobuf
TL;DR: This post explains portions of two protobufs used by Apple, one for the Note format itself and another for...
Notes in iOS 14
TL;DR: This post looks at changes to Apple Notes in iOS 14, most of which are look and feel-related, but...
Revisiting Apple Notes (5): Encrypted Notes
TL;DR: Apple Notes allows users to encrypt note contents at rest and the Apple Cloud Notes Parser now supports parsing...
Never Trust Apple: Network Connections
TL;DR: MacOS Catalina 10.15.6 shows a network connection as disconnected in settings while the network is still connected. Background I...
Proper Preparation Prevents Poor Performance
TL;DR: Proper preparation prevents poor performance in all areas. This post looks at the 2020 Metasploit Community CTF and how...
Revisiting Apple Notes (4): Gallery Objects
TL;DR: Apple Notes has a few bespoke embedded objects which are messier than the Easy Embedded Objects previously explained. This...
Revisiting Apple Notes (3): Embedded Tables
TL;DR: Apple Notes has a few bespoke embedded objects which are messier than the Easy Embedded Objects previously explained. This...
Revisiting Apple Notes (2): Easy Embedded Objects
TL;DR: Embedded objects are really easy to do wrong when parsing Apple Notes, each type is like a snowflake, unique...
Revisiting Apple Notes (1): Improved Note Parsing
TL;DR: Apple iCloud Notes are GZIP’d protobufs when stored and this updated program will decompress them for you and help...
Make Analysis Great Again (or never type the sa...
TL;DR: If you ever write the same thing twice, especially in a console, you should automate it. MAGA (jokingly named...