Initialization vectors: January 2020

Saturday, January 11, 2020

Awesome Friends!

iLEAPP wouldn't be possible without the assistance of some awesome friends. Heck, they go beyond awesome. They truly are....

I'm the doggo. :-)
From research, coding, and being innovators to listening and discussing all things #DFIR and beyond, the following folks are truly heroic. I owe them a debt of gratitude for all the help and support I've been given. The list is not complete and I will be adding more soon. This blog post will be a link in the main iLEAPP report webpage. Without further ado:


Sarah Edwards

Researcher: iOS Jedi Council Master in KnowledgeC, Powerlog, and literal tons of other relevant databases and artifacts. No iLEAPP without her monumental work.
Coder: Apollo Framework. THE best pattern of life analysis tool anywhere for iOS devices. Period.
Twitter: https://twitter.com/iamevltwin
Blog: https://www.mac4n6.com/
Github: https://github.com/mac4n6

Jessica Hyde

Researcher: UsageStats in Android, IoT Forensics, and the best and most energetic presenter in the multiverse. Her ideas, DFIR philosophy, and suggestions for improvement have been and will continue to be key in the field and to me personally. She is an educator extraordinaire.

Phill Moore

Researcher: As the person responsible for This Week in 4n6 he needs no intro. Truly my Australian brother from another mother. His GSERPent parser opened my eyes to the importance of applied research that screams to be shared. This is something I've tried to emulate. Lucky enough to work on joint projects and steal find inspiration in his code.
Coder: KnowledgeC Struct Metadata script now in iLEAPP.

Heather Mahalik

Researcher: World class Grandmaster mobile forensics Sensei. A renowned investigator known for dragging a body across the floor for science, she is always at the forefront of the newest iOS artifacts and related forensic techniques. Her work is also an integral part of iLEAPP. Fortunate enough to have been, and to continue being, her student. Osu!!
Twitter: https://twitter.com/HeatherMahalik
Web: https://smarterforensics.com/
Blog: https://smarterforensics.com/blog/

Mattia Epifani

Researcher: iLEAPP leverages TONS of artifacts that come straight from Mattia's research. His blog posts are INDISPENSABLE reading for all things iOS. Hope to meet him in person in a not too distant future. It will be an honor.
Twitter: https://twitter.com/mattiaep
Blog: https://blog.digital-forensics.it/

Geraldine Blay

Researcher: Until not too long ago my DFIR padawan, she has now graduated to full, all-awards, master. Couldn't be more proud of her work and her tangible results. She is mom to Siri, the best electronic sniffing canine this side of the Mississippi. You both are the best.
Tester: Hope your patience dealing with my buggy beta code doesn't run out any time soon.
Twitter: https://twitter.com/i_am_the_gia
Blog: https://gforce4n6.blogspot.com/

Mike Williamson

Researcher: My Canadian brother from another mother. I hope to one day have 1/2 of your skills. Heck 1/4 and I'm set for life. Reverse engineer, mission focused, lucky I can call him friend.
Coder: Yes, yes, yes. I learn and say thanks.
Twitter: https://twitter.com/forensicmike1
Blog: https://forensicmike1.com/

Christopher Vance

Researcher: If you haven't taken a course with Chris you are missing out for real. I will never be able to repay him for letting me complement his deleted apps research that gained us a DFIR Summit 2019 speaking slot. His iOS notifications research has been applied in iLEAPP. I don't know of any other tool that applies it yet.
Twitter: https://twitter.com/cScottVance
Blog: https://blog.d204n6.com/

Brooke

Tester: Thank you so much for debugging that unicode error! You are awesome and I have lots of respect for you and the essential work you support. I don't know how you do so much work day in and day out. Much appreciated.
Twitter: https://twitter.com/xbrookego

Jack Farley
Researcher: Thank you so much for letting me use your connected devices code in iLEAPP. Wish I could code as concisely and precisely as you.
Coder: Best iTunes Backup Analyzer blog and script I've seen. If you want to understand how these backups work in detail and in understandable English, his blog IS a must read. Check it out.
Twitter: https://twitter.com/JackFarley248
Web: http://farleyforensics.com/

Shafik Punja
Tester: Thank you for making iLEAPP accessible without a magnifying glass. Testing is so important. Thank you for giving some of your time.
Twitter: https://twitter.com/qubytelogic

Cheeky4N6monkey
Researcher: The one and only Cheeky4n6Monkey has been around for quite a while making the world easier for digital evidence examiners. His work is always a must read and his code is super useful.
Coder: I took a bunch of his code and implemented it in iLEAPP. Attribution as comments in code. Check out the Github. Highly recommended.
Twitter: https://twitter.com/Cheeky4n6Monkey
Github: https://github.com/cheeky4n6monkey
Blog: https://cheeky4n6monkey.blogspot.com/

Edward Greybeard
Contributor: Mysterious, efficient, generous with his time and skills. That's all you need to know.
Github: https://github.com/edward-greybeard

Douglas Kein

Tester: Breaker of code extraordinaire, which is precisely what is needed. Your testing has made the code way more resilient and useful. Thank you so much!!! It helps a ton.

Thursday, January 9, 2020

iLEAPP latest updates for 01/09/2020

iLEAPP download: https://github.com/abrignoni/iLEAPP

The iOS Logs, Events, And Properties Parser has been updated by adding the following artifacts:
  • Photos.sqlite
    • Metadata about media files to include deletion timestamps.
    • Thanks to Heather Mahalik for the query.
  • Medialibrary.sqlite
    • Multimedia file list and metadata.
  • Accounts3.sqlite
    • System accounts.
  • Zliveusage & zliveprocess data.
  • Device screen auto lock history.
Fixes:
  • Unicode support for artifact reports.
    • Thanks to @xbrookego for testing and helping debug
  • Error handling for databases that lack tables.
  • Alternating report background row color for readability.
Please report any errors encountered during usage, or requests to support additional artifacts, via Twitter @AlexisBrignoni and/or email 4n6[at]abrignoni[dot]com.
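The three fixes listed above (Unicode-safe report output, not crashing when a database lacks an expected table, and alternating row shading) in one added Python example. This is illustrative code written for this page, not iLEAPP's own parser code. The table and column names (ZSAMPLEMEDIA, ZFILENAME, ZDELETED) are constructed for the example and are not the schema of Photos.sqlite or any real iOS database. It goes one step beyond the fixes by escaping every cell, so a filename containing markup cannot alter the HTML report.

```python
import html
import os
import sqlite3
import tempfile

# Constructed table and column names for this example only; they are NOT the
# real schema of Photos.sqlite or any other iOS database.
SAMPLE_TABLE = "ZSAMPLEMEDIA"
SAMPLE_QUERY = f"SELECT ZFILENAME, ZDELETED FROM {SAMPLE_TABLE} ORDER BY ZFILENAME"


def missing_tables(conn, required):
    """Return the names in `required` that are not tables in this database."""
    cur = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    present = {row[0] for row in cur.fetchall()}
    return sorted(set(required) - present)


def run_artifact_query(db_path, required, query):
    """Run `query` only if every table in `required` exists.

    Returns 'ok' with headers and rows, or 'skipped' with the missing table
    names, so the caller can note the gap in the report instead of aborting
    the whole run on an OperationalError.
    """
    conn = sqlite3.connect(db_path)
    try:
        gap = missing_tables(conn, required)
        if gap:
            return {"status": "skipped", "missing": gap, "headers": [], "rows": []}
        cur = conn.execute(query)
        headers = [col[0] for col in cur.description]
        return {"status": "ok", "missing": [], "headers": headers, "rows": cur.fetchall()}
    finally:
        conn.close()


def write_html_report(path, title, headers, rows):
    """Write a minimal UTF-8 HTML table with alternating row shading.

    Each cell passes through html.escape so evidence strings containing
    '<' or '&' are shown literally. Returns the number of data rows written.
    """
    lines = [
        "<!DOCTYPE html>",
        '<html><head><meta charset="utf-8">',
        f"<title>{html.escape(title)}</title>",
        "<style>tr:nth-child(even){background:#f2f2f2}</style></head><body>",
        f"<h1>{html.escape(title)}</h1><table>",
        "<tr>" + "".join(f"<th>{html.escape(h)}</th>" for h in headers) + "</tr>",
    ]
    for row in rows:
        cells = "".join(f"<td>{html.escape(str(v))}</td>" for v in row)
        lines.append(f"<tr>{cells}</tr>")
    lines.append("</table></body></html>")
    # Explicit encoding: the platform default (cp1252 on many Windows boxes)
    # raises UnicodeEncodeError on the first emoji in a filename or message.
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines))
    return len(rows)


def build_sample_db(path, with_table):
    """Create a constructed test database. with_table=False mimics an export
    where the expected table is absent (older iOS build, partial extraction)."""
    conn = sqlite3.connect(path)
    try:
        if with_table:
            conn.execute(f"CREATE TABLE {SAMPLE_TABLE} (ZFILENAME TEXT, ZDELETED INTEGER)")
            conn.executemany(
                f"INSERT INTO {SAMPLE_TABLE} VALUES (?, ?)",
                [("IMG_0001.HEIC", 0), ("caf\u00e9 \U0001F4F7.jpg", 1), ("<b>x</b>.png", 0)],
            )
        else:
            conn.execute("CREATE TABLE ZOTHER (ZVALUE TEXT)")
        conn.commit()
    finally:
        conn.close()


def demo():
    """Process one complete and one incomplete database; return a summary dict."""
    summary = {}
    with tempfile.TemporaryDirectory() as workdir:
        for label, has_table in (("complete", True), ("incomplete", False)):
            db = os.path.join(workdir, f"{label}.sqlite")
            build_sample_db(db, has_table)
            result = run_artifact_query(db, [SAMPLE_TABLE], SAMPLE_QUERY)
            report = os.path.join(workdir, f"{label}.html")
            written = write_html_report(report, f"Media ({label})", result["headers"], result["rows"])
            with open(report, encoding="utf-8") as fh:
                text = fh.read()
            summary[label] = {
                "status": result["status"],
                "missing": result["missing"],
                "rows_written": written,
                "escaped": "&lt;b&gt;x&lt;/b&gt;.png" in text,
                "unicode_kept": "caf\u00e9 \U0001F4F7.jpg" in text,
            }
    return summary


if __name__ == "__main__":
    for label, info in demo().items():
        print(label, info)
```

The sqlite_master check is the key defensive step: an iOS database from a different OS version may be present but lack the table a query expects, and checking up front turns a crash into a logged "skipped" entry for that artifact.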

Sunday, January 5, 2020

iLEAPP latest updates for 01/05/2020

iLEAPP download: https://github.com/abrignoni/iLEAPP

The iOS Logs, Events, And Properties Parser has been updated by adding the following iOS 12 & 13 artifacts:

  • KnowledgeC
    • Application Usage
    • Application in Focus
    • Application Activity
    • Battery Level
    • Applications Installed
    • Device Locked
    • Plugged In
  • Call History
  • SMS
    • SMS Chat
    • SMS Read
    • SMS Delivered
  • Safari History
  • Query Predictions
  • Powerlog
    • Mobile Backups
    • WIFI Properties
    • Paired Device Configuration
Fixes:
  • Proper report URL pathing. The iLEAPP report can be copied/moved to any directory and the HTML reports work as expected.
  • Added a "temp" directory at the root of the report folder that contains a copy of the data sources used by the scripts. The temp folder is created on .tar and .zip processing reports only.
Please report any errors encountered during usage, or requests to support additional artifacts, via Twitter @AlexisBrignoni and/or email 4n6[at]abrignoni[dot]com.