Ciofeca Forensics

TL;DR: iOS 15 brought more forensics-meaningful changes to Apple Notes than recent major version releases. Structural Changes Between iOS 14.8...

TL;DR: Week 12 of the #MagnetWeeklyCTF was a return to the browser that shalt not be named. Review Check out...

TL;DR: Week 11 of the #MagnetWeeklyCTF was a chance to check out rekall, mainly because I was completely fail-whaling on...

TL;DR: Week 10 of the #MagnetWeeklyCTF was a healthy dose of humility towards the end of the questions. Review Check...

TL;DR: Week 9 of the #MagnetWeeklyCTF began a new case, this one involving a memory image. Review Check out the...

TL;DR: Week 8 of the #MagnetWeeklyCTF started down the side quest I was hoping to dig into, but only scratched...

TL;DR: Week 7 of the #MagnetWeeklyCTF tests your knowledge of the presence of a single file on a Linux machine....

TL;DR: Week 6 of the #MagnetWeeklyCTF was the beginning of what I can only hope is a good reverse engineering...

TL;DR: Week 5 of the #MagnetWeeklyCTF got a little sporty with the addition of a Linux image (yay) and Hadoop...

TL;DR: Breakdown of our answers to Tony Mederos’s questions from the Cellebrite 2020 CTF using only free, open source tools....

TL;DR: Breakdown of our answers to Ruth Langmore’s questions from the Cellebrite 2020 CTF using only free, open source tools....

TL;DR: Back on the command line horse again for Week 4 after dropping Week 3 of the #MagnetWeeklyCTF due to...

TL;DR: Breakdown of our answers to Rene Gade’s questions from the Cellebrite 2020 CTF using only free, open source tools....

TL;DR: Breakdown of our answers to Juan Mortyme’s questions from the Cellebrite 2020 CTF using only free, open source tools....

TL;DR: No need for any commercial tools in Cellebrite’s 2020 Forensics Capture the Flag event, just open source software and...

TL;DR: This post briefly explains how iOS implements MAC address randomization in iOS 14 and what it means for your...

TL;DR: This post looks at Apple CloudKit within the context of Apple Notes to help you understand how Apple stores...

TL;DR: Still no need for tools on the second week of the #MagnetWeeklyCTF, just access to the command line. Review...

TL;DR: No need for tools on the first week of the #MagnetWeeklyCTF, just access to the command line. Get the...

TL;DR: If you find this research or my code useful, you may want to consider supporting my work to enable...

TL;DR: This post explains portions of two protobufs used by Apple, one for the Note format itself and another for...

TL;DR: This post looks at changes to Apple Notes in iOS 14, most of which are look and feel-related, but...

TL;DR: Apple Notes allows users to encrypt note contents at rest and the Apple Cloud Notes Parser now supports parsing...

TL;DR: MacOS Catalina 10.15.6 shows a network connection as disconnected in settings while the network is still connected. Background I...

TL;DR: Proper preparation prevents poor performance in all areas. This post looks at the 2020 Metasploit Community CTF and how...

TL;DR: Apple Notes has a few bespoke embedded objects which are messier than the Easy Embedded Objects previously explained. This...

TL;DR: Apple Notes has a few bespoke embedded objects which are messier than the Easy Embedded Objects previously explained. This...

TL;DR: Embedded objects are really easy to do wrong when parsing Apple Notes, each type is like a snowflake, unique...

TL;DR: Apple iCLoud Notes are GZIP’d protobufs when stored and this updated program will decompress them for you and help...

TL;DR: If you ever write the same thing twice, especially in a console, you should automate it. MAGA (jokingly named...

TL;DR: Data hidden in SQLite may not be human-readable and SQLite Miner will help you find the hidden gems inside...

TL;DR: Apple iCLoud Notes are GZIP’d when stored and this script will decompress them for you. Background To set the...