Ciofeca Forensics

Monday Morning Solutions

Mobile
Apple Notes in iOS 18

Apple Notes in iOS 18

TL;DR: iOS 18 brought far less changes to Apple Notes than many recent releases which is a good thing because...

Mobile   Apple Notes
Notes in iOS 15

Notes in iOS 15

TL;DR: iOS 15 brought more forensics-meaningful changes to Apple Notes than recent major version releases. Structural Changes Between iOS 14.8...

CTF
Magnet CTF Week 12: Merry Hacksmas

Magnet CTF Week 12: Merry Hacksmas

TL;DR: Week 12 of the #MagnetWeeklyCTF was a return to the browser that shalt not be named. Review Check out...

CTF
Magnet CTF Week 11: I Can't Rekall How To Install Plugins

Magnet CTF Week 11: I Can't Rekall How To Insta...

TL;DR: Week 11 of the #MagnetWeeklyCTF was a chance to check out rekall, mainly because I was completely fail-whaling on...

CTF
Magnet CTF Week 10: Time To Focus

Magnet CTF Week 10: Time To Focus

TL;DR: Week 10 of the #MagnetWeeklyCTF was a healthy dose of humility towards the end of the questions. Review Check...

CTF
Magnet CTF Week 9: ReMEMORYing How To Do This

Magnet CTF Week 9: ReMEMORYing How To Do This

TL;DR: Week 9 of the #MagnetWeeklyCTF began a new case, this one involving a memory image. Review Check out the...

CTF
Magnet CTF Week 8: Short Side Quest

Magnet CTF Week 8: Short Side Quest

TL;DR: Week 8 of the #MagnetWeeklyCTF started down the side quest I was hoping to dig into, but only scratched...

CTF
Magnet CTF Week 7: /etc/network/interfaces

Magnet CTF Week 7: /etc/network/interfaces

TL;DR: Week 7 of the #MagnetWeeklyCTF tests your knowledge of the presence of a single file on a Linux machine....

CTF
Magnet CTF Week 6: ELFant hunting

Magnet CTF Week 6: ELFant hunting

TL;DR: Week 6 of the #MagnetWeeklyCTF was the beginning of what I can only hope is a good reverse engineering...

CTF
Magnet CTF Week 5: I'm sorry, what?

Magnet CTF Week 5: I'm sorry, what?

TL;DR: Week 5 of the #MagnetWeeklyCTF got a little sporty with the addition of a Linux image (yay) and Hadoop...

CTF
Cellebrite CTF 2020: Tony Mederos #WrongAnswersOnly

Cellebrite CTF 2020: Tony Mederos #WrongAnswers...

TL;DR: Breakdown of our answers to Tony Mederos’s questions from the Cellebrite 2020 CTF using only free, open source tools....

CTF
Cellebrite CTF 2020: Ruth Langmore

Cellebrite CTF 2020: Ruth Langmore

TL;DR: Breakdown of our answers to Ruth Langmore’s questions from the Cellebrite 2020 CTF using only free, open source tools....

CTF
Magnet CTF Week 4: Back on the Horse Again

Magnet CTF Week 4: Back on the Horse Again

TL;DR: Back on the command line horse again for Week 4 after dropping Week 3 of the #MagnetWeeklyCTF due to...

CTF
Cellebrite CTF 2020: Rene Gade

Cellebrite CTF 2020: Rene Gade

TL;DR: Breakdown of our answers to Rene Gade’s questions from the Cellebrite 2020 CTF using only free, open source tools....

CTF
Cellebrite CTF 2020: Juan Mortyme

Cellebrite CTF 2020: Juan Mortyme

TL;DR: Breakdown of our answers to Juan Mortyme’s questions from the Cellebrite 2020 CTF using only free, open source tools....

CTF
Cellebrite CTF 2020: Introduction

Cellebrite CTF 2020: Introduction

TL;DR: No need for any commercial tools in Cellebrite’s 2020 Forensics Capture the Flag event, just open source software and...

Mobile
Apple Private Wi-Fi Addresses

Apple Private Wi-Fi Addresses

TL;DR: This post briefly explains how iOS implements MAC address randomization in iOS 14 and what it means for your...

Mobile   Apple Notes   Cloud
Revisiting Apple Notes (7): Cloudkit Data

Revisiting Apple Notes (7): Cloudkit Data

TL;DR: This post looks at Apple CloudKit within the context of Apple Notes to help you understand how Apple stores...

CTF
Magnet CTF Week 2: We Don't Need No Stinking Tools

Magnet CTF Week 2: We Don't Need No Stinking Tools

TL;DR: Still no need for tools on the second week of the #MagnetWeeklyCTF, just access to the command line. Review...

CTF
Magnet CTF Week 1: No Tools Required

Magnet CTF Week 1: No Tools Required

TL;DR: No need for tools on the first week of the #MagnetWeeklyCTF, just access to the command line. Get the...

Sponsorship

Sponsorship

TL;DR: If you find this research or my code useful, you may want to consider supporting my work to enable...

Mobile   Apple Notes

Revisiting Apple Notes (6): The Protobuf

TL;DR: This post explains portions of two protobufs used by Apple, one for the Note format itself and another for...

Mobile   Apple Notes
Notes in iOS 14

Notes in iOS 14

TL;DR: This post looks at changes to Apple Notes in iOS 14, most of which are look and feel-related, but...

Mobile   Apple Notes
Revisiting Apple Notes (5): Encrypted Notes

Revisiting Apple Notes (5): Encrypted Notes

TL;DR: Apple Notes allows users to encrypt note contents at rest and the Apple Cloud Notes Parser now supports parsing...

MacOS
Never Trust Apple: Network Connections

Never Trust Apple: Network Connections

TL;DR: MacOS Catalina 10.15.6 shows a network connection as disconnected in settings while the network is still connected. Background I...

CTF
Proper Preparation Prevents Poor Performance

Proper Preparation Prevents Poor Performance

TL;DR: Proper preparation prevents poor performance in all areas. This post looks at the 2020 Metasploit Community CTF and how...

Mobile   Apple Notes
Revisiting Apple Notes (4): Gallery Objects

Revisiting Apple Notes (4): Gallery Objects

TL;DR: Apple Notes has a few bespoke embedded objects which are messier than the Easy Embedded Objects previously explained. This...

Mobile   Apple Notes
Revisiting Apple Notes (3): Embedded Tables

Revisiting Apple Notes (3): Embedded Tables

TL;DR: Apple Notes has a few bespoke embedded objects which are messier than the Easy Embedded Objects previously explained. This...

Mobile   Apple Notes
Revisiting Apple Notes (2): Easy Embedded Objects

Revisiting Apple Notes (2): Easy Embedded Objects

TL;DR: Embedded objects are really easy to do wrong when parsing Apple Notes, each type is like a snowflake, unique...

Solutions   Mobile   Apple Notes
Revisiting Apple Notes (1): Improved Note Parsing

Revisiting Apple Notes (1): Improved Note Parsing

TL;DR: Apple iCLoud Notes are GZIP’d protobufs when stored and this updated program will decompress them for you and help...

Solutions   Windows
Make Analysis Great Again (or never type the same thing twice)

Make Analysis Great Again (or never type the sa...

TL;DR: If you ever write the same thing twice, especially in a console, you should automate it. MAGA (jokingly named...

Solutions   Mobile
Mining Hidden Gems With SQLite Miner

Mining Hidden Gems With SQLite Miner

TL;DR: Data hidden in SQLite may not be human-readable and SQLite Miner will help you find the hidden gems inside...

Solutions   Mobile   Apple Notes
There's Gold in Them There Blobs

There's Gold in Them There Blobs

TL;DR: Apple iCLoud Notes are GZIP’d when stored and this script will decompress them for you. Background To set the...