Friday, February 19, 2021

February 19, 1971 - The First Warrant Is Issued to Search a Computer Storage Device

An intangible program in a computer which consists of a series of accessible electrical and/or magnetic impulses.

Fifty years ago today, the first warrant to search a computer was issued by the San Jose-Milpitas district of the Santa Clara County Court on an affidavit by an Oakland Police Department sergeant assigned to the fraud detail.  There was probable and reasonable cause to believe that evidence of felony theft of trade secrets was contained on a data storage device.  The warrant commanded the search of personal property in the form of:

  1. Key Punch Computer Cards, punched with a proprietary remote plotting program
  2. Computer Printout sheets of a proprietary remote plotting program
  3. Computer memory bank and other data storage devices magnetically imprinted with the proprietary computer program.

The warrant reads that on February 4, 1971 the president of an information systems company in Oakland, CA discovered a set of punch cards connected to a computer terminal.  The punch cards contained a program for remote plotting that was deemed a confidential trade secret.  The program was valued at $15,000.

With the assistance of a special agent from the Pacific Telephone Corporation, telephone records linked a call from a number leased to a computer in Palo Alto.  A technician at the Palo Alto location, an expert in operating a UNIVAC 1108, reported that the computer printed the confidential program during the time of the call.

UNIVAC 1108 

It was later determined that a former employee of the company that owned the proprietary program had the access code and site number.  The warrant specifies that the program was potentially in various forms, including punch card form, print-out form, and, as written, "an intangible form as a program in a computer which consists of a series of accessible electrical and/or magnetic impulses".  The warrant also notes that these impulses can be disclosed only through interrogation of a computer and any data storage device.

Thus the first warrant to search a computer storage device was created.  Items seized during the search included tapes and a directory of all files on FASTRAND, a magnetic drum mass storage system built by Sperry Rand Corporation for UNIVAC systems.

FASTRAND  magnetic drum storage

The search ultimately led to a conviction for theft of trade secrets and opened a new era of digital forensics.


  1. Link to warrant

Thursday, December 10, 2020

Apple Pattern of Life Lazy Output'er (APOLLO) on Windows


  • APOLLO - Apple Pattern of Life Lazy Output'er (APOLLO) by mac4n6 extracts and correlates data from numerous databases, then organizes it to show a detailed event log of application usage, device status, and many other pattern-of-life artifacts from Apple devices.
I do appreciate Apple computers and devices, but one cannot always be afforded one as a forensic workstation.  Therefore I intend to highlight running the APOLLO tool against iOS and macOS images/filesystems from Windows.

APOLLO is a tool that queries unique macOS/iOS databases with custom-built SQLite query modules to build one consolidated APOLLO database, sql_json, or csv file.

SOME of the SQLite databases APOLLO will run against:
  • KnowledgeC.db: stores knowledge of user and application usage (interaction with an app and how long it was used), apps in focus, chats, access to email, calendar, calls, web usage (4 weeks retained).
  • Routined: location tracking. Cache.db (ZRTCLLocationMo) holds 7 days of location and speed data.
  • Netusage.db: per-app network usage.
  • InteractionC.db: contact interaction from phone, email, messages.
  • PowerLogs: large database of logs (macOS and iOS): app usage, camera state, audio, AirDrop, flashlight, battery levels.
  • Health databases: heart rate, health data, location, weather, calories burned.
  • sms.db: iMessage, SMS, FaceTime.
  • CallHistory.storedata: call history.
  • History.db: web history. Shows whether an entry is flagged as synced across devices, which correlates with knowledgeC.db (HW UUID).
  • Passes23.sqlite: Apple Wallet transactions and credit card info.
  • cache_encryptedC.db: not actually encrypted; contains a "motion state history" table showing movement, step counts and floors climbed.

Together these build a story about the user: pattern of life and timeline.

To install on Windows, one way is to use Windows Subsystem for Linux (WSL):

Once installed, press the Windows key and type WSL.

*If you receive "ModuleNotFoundError: No module named 'simplekml'":
  • sudo apt-get update
  • sudo apt install python3-pip
  • pip3 install simplekml


For testing I used the lab example macOS image from Cyber Defenders, a great site for training and practice, at "".

Name: FruitBook.E01
MD5 checksum:    7300f808f5046e8372c27854daf6d553
SHA1 checksum:   e629634283f2e5861a91847ec64042e240516da4 

After downloading the image, I opened it in FTK Imager and exported the APFS container to a file system folder to run APOLLO against.

The next step is to run APOLLO on the exported folders:

APOLLO was run with the following python3 command:

The banner reads:

==> Will lazily run APOLLO on 247 unique modules and 32 unique databases.

==> Searching for database files...this may take a hot minute...

The output shows the module (the .txt file holding the SQLite query) that ran, the database it ran against, and the number of records found.

The tool produced a single database file named "apollo.db" in the tool directory.

I used DB Browser for SQLite to view the db file.

Selecting Open Database and choosing apollo.db opens a database that contains a single table, "APOLLO".

The APOLLO table contains five (5) columns:
Key (timestamp), Activity, Output (query output), Database (db queried), Module (.txt file that ran)

Filtering on any column can be very useful.

When an Output cell is selected, its text (mode = JSON) populates the text viewing window.
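The same filtering can be scripted instead of clicked through in DB Browser. The following is an added example, not code from APOLLO or from the original post: it builds an apollo.db-style database with the five columns described above, filters on Activity (the way the Quarantine filter is used below), parses the JSON in the Output column, and pulls a cross-database time window for timelining. The sample rows, Activity names, JSON keys, database and module names are constructed for illustration and are not records from the FruitBook image.

```python
import json
import sqlite3

COLUMNS = ("Key", "Activity", "Output", "Database", "Module")

# Constructed sample rows in the five-column apollo.db layout.
# Activity names, JSON keys, database and module names are assumed for
# illustration; they are not records from the FruitBook image.
SAMPLE_ROWS = [
    ("2019-05-01 10:15:00", "Quarantine Event",
     json.dumps({"LSQuarantineDataURLString": "https://example.invalid/tool.dmg",
                 "LSQuarantineAgentName": "Safari"}),
     "com.apple.LaunchServices.QuarantineEventsV2",
     "macos_quarantine_events.txt"),
    ("2019-05-01 10:16:30", "KnowledgeC App Usage",
     json.dumps({"BUNDLE ID": "com.apple.Safari", "USAGE IN SECONDS": 90}),
     "knowledgeC.db", "knowledgec_app_usage.txt"),
    ("2019-05-01 10:20:00", "Safari History",
     json.dumps({"URL": "https://example.invalid/"}),
     "History.db", "safari_history.txt"),
]


def build_sample_db(path=":memory:"):
    """Create an apollo.db-style database (one APOLLO table) holding the sample rows."""
    con = sqlite3.connect(path)
    con.execute('CREATE TABLE APOLLO ("Key" TEXT, "Activity" TEXT, "Output" TEXT, '
                '"Database" TEXT, "Module" TEXT)')
    con.executemany("INSERT INTO APOLLO VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def filter_activity(con, needle):
    """Rows whose Activity contains `needle`, oldest first.
    SQLite LIKE is case-insensitive for ASCII, so 'quarantine' also matches."""
    cur = con.execute(
        'SELECT "Key", "Activity", "Output", "Database", "Module" FROM APOLLO '
        'WHERE "Activity" LIKE ? ORDER BY "Key"', (f"%{needle}%",))
    return [dict(zip(COLUMNS, row)) for row in cur]


def quarantine_data_urls(con):
    """The data URL of each quarantined item, read from the JSON in Output."""
    urls = []
    for row in filter_activity(con, "Quarantine"):
        try:
            out = json.loads(row["Output"])
        except json.JSONDecodeError:
            continue  # Output is not guaranteed to be JSON; skip rows that do not parse
        url = out.get("LSQuarantineDataURLString")
        if url:
            urls.append((row["Key"], url))
    return urls


def window(con, start, end):
    """Cross-database timeline: every activity between two timestamps, oldest first."""
    cur = con.execute(
        'SELECT "Key", "Activity", "Database" FROM APOLLO '
        'WHERE "Key" BETWEEN ? AND ? ORDER BY "Key"', (start, end))
    return cur.fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for key, url in quarantine_data_urls(db):
        print(key, url)
    for key, activity, database in window(db, "2019-05-01 10:00:00", "2019-05-01 10:30:00"):
        print(key, activity, database)
```

To run it against a real apollo.db, replace `build_sample_db()` with `sqlite3.connect("apollo.db")`; the Key column is stored as text, so BETWEEN comparisons work only because APOLLO writes timestamps in a fixed-width sortable format.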

One of the questions for the CyberDefenders challenge is:

6.  Name the data URL of the quarantined item.

APOLLO can be used for this question by filtering the Activity column on "Quarantine":

The output reads:

Below are some of the Activities the APOLLO modules create and that can be filtered on for iOS and macOS devices:


APOLLO is not too heavy or time-consuming to process Apple device data.  And best of all it is free, which may be great for processing lots of iOS or Mac devices at once to get a look at potentially useful activity information.  I am grateful to have checked it out and appreciate the hard work Sarah Edwards puts into it.

Please check out Sarah Edwards' talk at OSDFCon.

Wednesday, December 2, 2020

Belkasoft Evidence Center X - trial license


I recently signed up for a trial license to try out the new Belkasoft Evidence Center X tool.

Link at

The tool is described on the product page as a "Solution to accelerate Digital Forensics and Incident Response Investigations", with features covering the major data sets to Acquire (imaging, including checkm8), Examine, Review & Analyze, and Report.

I spoke with friendly customer service reps from the company, and they emailed over a trial exe with a readme file that read:


Belkasoft Evidence Center is a digital forensic software which makes it easy for an 
investigator to acquire, search, analyze, store and share digital evidence found inside 
computer and mobile devices, RAM and cloud. The toolkit will quickly extract digital 
evidence from multiple sources by analyzing hard drives, drive images, cloud, memory dumps, 
iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps. Evidence Center will 
automatically analyze the data source and lay out the most forensically important artifacts 
for investigator to review, examine more closely or add to report.


Belkasoft Evidence Center can be installed on any computer running 
Windows 10, Windows 8, Windows 7 (including 64 bit), Windows Vista and Windows 2003.
Mac users can run the tool under bootcamp.


Run setup file and follow instructions of the installation program. It 
takes just a few minutes to get the product installed.

  • Ran becu.trial.fixed.x64.exe to install
  • Was given the option to activate the trial license online or offline, which is nice if your forensic workstation is on a segmented network.
  • The 30 days start at first install.  An interesting caveat: it was noted that when reporting with the trial version only 50% of the data, chosen at random, makes it into the report.  That makes sense for a trial license.
  • The Dashboard interface opens to name and create a new case

  • Taking a look at the Options (settings):
        - CPU core count and memory cache sizes can be set

        - Picture recognition settings to assist examination and analysis.  There is a dropdown to detect
        language, and more/less false positive options for face and skin detection.

        - Malware detection with VirusTotal, which is nice
        - Hashsets can be added, and remote capabilities are included

  • Selected Create and Open for the new case, and the Add Data Source option opens:
        - Options for adding an existing data source or acquiring a new one

  • Added a disk image (Windows), mobile image (iOS), and RAM image (Windows) I had made for practice.
  • The artifact selection menu opened:

  • Processing shows a Dashboard of progress, and a Task Manager tab for the tasks being run on the images

Bottom right corner shows a progress bar

When processing, I found it best to wait for all the tasks to finish before opening artifact categories.
  • Processing finished (shown on the Dashboard) in a little less than 1 hr for all 3 images

  • Case Explorer shows device geometry for the hard drive image only

  • In Case Explorer the tree pane shows the items analyzed

  • The Overview tab shows the analyzed count for all evidence items

  • Other tabs include Timeline, Bookmarks, Task Manager, Remote Acquisition, and Incident Investigations
  • The Incident Investigations tab categorizes the artifacts useful for intrusions and would seem to be useful for Incident Response cases (Downloads, Execution, Persistence, Recent, Eventlogs):

  • The Remote Acquisition tab allows a package to be generated or deployed via GPO, WMI, or a configurable IP/port, which would seem helpful for IR investigations.

  • The Search function allows multiple kinds of searches.  Results display properties if found in execution artifacts.

The tool also offers a timeline, hex, plist, registry, and sqlite view.


Overall I like Belkasoft Evidence Center's ability to parse all kinds of data sources, including disk, memory, and mobile, and I believe it is a less expensive option than other industry tools.  However, I don't believe it is quite at the caliber of the leading mobile forensics tools.  Belkasoft's strong suit, for me, is its ability to be deployed and used for Incident Response.  I like the ability to configure VirusTotal and parse Incident Investigation artifacts.  I believe it could be best used in a small to larger enterprise setting and deployed as such.  The tool also has some benefits in its acquisition capabilities, for which the checkm8 jailbreak package is included with a licensed version.

I may make a post on how to do that for free on Windows with a bootable Linux and the checkm8 exploit from GitHub.

If your budget isn't as high as the other licensed tools go but you want a little more support than Autopsy (also a great tool), I would recommend giving the trial version of this tool a go to see if it gets what you are looking for.


Tuesday, September 22, 2020

Microsoft Teams artifacts and chat logs

Take a look at the following location:


On my workstation there is a folder at this location:

Look at the *.log file at this location.

Open the .log file in Notepad++ <download>

File--> Open--> Path to 


Open the .log file

Sample of the "000007.log" file in Notepad++

In Notepad++, with the .log file open, press Ctrl+F.

Searching for the value "renderContent" returned some messages logged by MS Teams.

Select Find All in Current Document.

The find results show all lines containing the value "renderContent", followed by the posted messages.

Sample recovered MS Teams messages

There are also other potential values of interest in this log, including:

"RichText/Html" (provides further chat and web content)

Message time values: "composetime", "originalarrivaltime" and "clientArrivalTime"

This is a sample of the artifacts left on the workstation when not logged into MS Teams that could be of potential value in an examination.  I also recommend checking out an article written a few months back at cyberforensicator <link>.
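The Notepad++ search above scales poorly across many .log files, so here is an added example (not part of the original post) that carves the same records with a script: it finds every object containing "renderContent", decodes it as JSON, falls back to scraping the known keys when the carved text is not valid JSON (common when a record straddles LevelDB framing), strips the HTML, and keeps the "composetime", "originalarrivaltime" and "clientArrivalTime" values. The sample bytes are constructed; the field names quoted in the post are real, while "imdisplayname" and the exact record layout are assumptions for illustration.

```python
import json
import re

# Constructed stand-in for a slice of a Teams IndexedDB/LevelDB .log file.
# "renderContent", "composetime", "originalarrivaltime", "clientArrivalTime"
# and "RichText/Html" are the values searched for in the post; "imdisplayname"
# and the surrounding layout are assumed. The non-printable bytes stand in for
# LevelDB record framing. The third record has a trailing comma on purpose:
# it is not valid JSON and exercises the fallback path.
SAMPLE_LOG = (
    b"\x00\x00\x00\x01\x0b\x01leveldb-junk"
    b'{"id":"1600786991123","composetime":"2020-09-22T14:03:11.123Z",'
    b'"originalarrivaltime":"2020-09-22T14:03:11.200Z",'
    b'"clientArrivalTime":"2020-09-22T14:03:11.250Z",'
    b'"messagetype":"RichText/Html","imdisplayname":"Alice Example",'
    b'"renderContent":"<div>Hi team, the <b>deploy</b> is done</div>"}'
    b"\xff\xfe\x00\x00more-junk\x02"
    b'{"id":"1600787050000","composetime":"2020-09-22T14:04:10.000Z",'
    b'"messagetype":"Text","imdisplayname":"Bob Example",'
    b'"renderContent":"ok thanks"}'
    b"\x00\x00"
    b'{"id":"1600787100000","composetime":"2020-09-22T14:05:00.000Z",'
    b'"renderContent":"third",}'
    b"\x00"
)

# A flat JSON object (no nested braces) that contains a renderContent key.
RECORD_RE = re.compile(rb'\{[^{}]*?"renderContent"[^{}]*?\}')
# Key/value scraper used when the carved object does not parse as JSON.
KEY_RE = re.compile(
    r'"(composetime|originalarrivaltime|clientArrivalTime|messagetype|'
    r'imdisplayname|renderContent)"\s*:\s*"((?:[^"\\]|\\.)*)"')
TAG_RE = re.compile(r"<[^>]+>")


def parse_record(raw):
    """Decode one carved record into the fields an examiner wants to see."""
    text = raw.decode("utf-8", errors="replace")
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        obj = {k: v for k, v in KEY_RE.findall(text)}
    return {
        "composetime": obj.get("composetime"),
        "originalarrivaltime": obj.get("originalarrivaltime"),
        "clientArrivalTime": obj.get("clientArrivalTime"),
        "messagetype": obj.get("messagetype"),
        "sender": obj.get("imdisplayname"),
        "text": TAG_RE.sub("", obj.get("renderContent", "")),
    }


def carve_messages(blob):
    """Return every message found in a .log byte blob, in file order."""
    return [parse_record(m.group(0)) for m in RECORD_RE.finditer(blob)]


def carve_file(path):
    with open(path, "rb") as fh:
        return carve_messages(fh.read())


if __name__ == "__main__":
    for msg in carve_messages(SAMPLE_LOG):
        print(msg["composetime"], msg["sender"], repr(msg["text"]))
```

Run `carve_file()` over each *.log (and the *.ldb files, which hold the same record text once compacted) and sort on "composetime" to get a chronological message list; keep the raw carved bytes alongside so the reconstructed text can be traced back to its offset.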


Monday, September 21, 2020

Video and Image Analysis - Authentication

Video authentication 

Video authentication is the process of establishing the trustworthiness of a digital video and assuring that it has not been altered or tampered with.

Performing Authentication Examinations of Imagery and Videos

Review visible scene content:

  • Shadows
  • Lighting
  • Density
  • Texture/Patterns (skin and background pattern)
  • Gravity
  • Physical body details (hair, muscles, body curves)
  • Contact with other objects and body
  • Skin to skin contact
  • Imperfections on body
  • Consistencies/Inconsistencies

Indicators in the visible scene content include low-quality synthesized faces, visible splicing boundaries, color mismatch, visible parts of the original face, and inconsistent synthesized face orientations.

Review non-scene content:
  • EXIF/metadata info (duration, GPS, writing software, codec)
  • Comparing signatures of camera to video/image in question 
  • Behavior of file type (compression type) 
  • Reviewing binary structures and sequence of bytes in the hex of the file
  • Evidence of being opened in a video editor 
Viewing the EXIF data of a file

Structural analysis from a video forensic tool (link: MEDEX Forensics) showing that a video editing tool was detected in the structure of the video file.
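The structural items in the non-scene list above (binary structure and byte sequence, comparing the file's layout to a known camera, evidence of an editing tool) can be checked without a commercial tool for MP4/QuickTime files. The following is an added example, not the MEDEX method and not code from the original post: a small ISO BMFF box walker that lists the box hierarchy and top-level order, reads the ftyp major brand, and searches the bytes for transcoder strings. The sample file bytes, the simplified placement of the "©too" atom directly under udta, and the short tool-string list are constructed assumptions.

```python
import struct

# Box types that contain child boxes (ISO BMFF / QuickTime). "meta" is handled
# separately because in ISO BMFF it carries a 4-byte version/flags header.
CONTAINER_BOXES = {"moov", "trak", "mdia", "minf", "stbl", "udta", "edts", "dinf", "ilst"}


def iter_boxes(buf, offset=0, end=None):
    """Yield (type, offset, size, header_len) for each box in buf[offset:end].
    Raises ValueError on a size that does not fit, which is itself a finding."""
    end = len(buf) if end is None else end
    while offset + 8 <= end:
        size, btype = struct.unpack(">I4s", buf[offset:offset + 8])
        hdr = 8
        if size == 1:  # 64-bit largesize follows the 8-byte header
            size = struct.unpack(">Q", buf[offset + 8:offset + 16])[0]
            hdr = 16
        elif size == 0:  # box extends to the end of the file
            size = end - offset
        if size < hdr or offset + size > end:
            raise ValueError(f"malformed box {btype!r} at offset {offset}")
        yield btype.decode("latin-1"), offset, size, hdr
        offset += size


def box_tree(buf, offset=0, end=None, depth=0):
    """Flatten the box hierarchy into (depth, type, size) tuples in file order."""
    tree = []
    for btype, off, size, hdr in iter_boxes(buf, offset, end):
        tree.append((depth, btype, size))
        if btype in CONTAINER_BOXES:
            tree.extend(box_tree(buf, off + hdr, off + size, depth + 1))
        elif btype == "meta":
            tree.extend(box_tree(buf, off + hdr + 4, off + size, depth + 1))
    return tree


def top_level_order(buf):
    """Top-level box sequence; compare against a reference file from the claimed camera."""
    return [btype for btype, _, _, _ in iter_boxes(buf)]


def major_brand(buf):
    """The ftyp major brand, or None if the file has no ftyp box."""
    for btype, off, size, hdr in iter_boxes(buf):
        if btype == "ftyp":
            return buf[off + hdr:off + hdr + 4].decode("latin-1")
    return None


# Strings that transcoding/editing software writes into metadata. Illustrative,
# not exhaustive: "Lavf" is libavformat (ffmpeg), "HandBrake" is HandBrake.
TOOL_STRINGS = [b"Lavf", b"HandBrake"]


def tool_strings(buf):
    """Known tool identifiers present anywhere in the file bytes."""
    return sorted(s.decode("ascii") for s in TOOL_STRINGS if s in buf)


def _box(btype, payload=b""):
    return struct.pack(">I", 8 + len(payload)) + btype + payload


# Constructed sample: a minimal file with the boxes a transcoder would write.
# The '\xa9too' ("©too") atom placed directly under udta is a simplification
# for this example; real files usually put it under meta/ilst.
SAMPLE_MP4 = (
    _box(b"ftyp", b"mp42" + struct.pack(">I", 0) + b"mp42isom")
    + _box(b"free", b"\x00" * 8)
    + _box(b"mdat", b"\x00" * 32)
    + _box(b"moov", _box(b"mvhd", b"\x00" * 100)
           + _box(b"udta", _box(b"\xa9too", b"Lavf58.29.100")))
)


if __name__ == "__main__":
    print("major brand:", major_brand(SAMPLE_MP4))
    print("top-level order:", top_level_order(SAMPLE_MP4))
    for depth, btype, size in box_tree(SAMPLE_MP4):
        print("  " * depth + f"{btype} ({size} bytes)")
    print("tool strings:", tool_strings(SAMPLE_MP4))
```

Read a real file with `open(path, "rb").read()` and run the same functions; the box order and brand are the "signature" to compare against a known-good recording from the same camera model, and a ValueError from the walker means the byte structure itself is inconsistent and worth a closer look in the hex view.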