Thursday, December 10, 2020

Apple Pattern of Life Lazy Output'er (APOLLO) on Windows

 


  • APOLLO - Apple Pattern of Life Lazy Output'er, by mac4n6 (Sarah Edwards), extracts and correlates data from numerous databases, then organizes it to show a detailed event log of application usage, device status, and many other pattern-of-life artifacts from Apple devices.
I do appreciate Apple computers and devices, but one cannot always be afforded one as a forensic workstation. Therefore I intended to highlight the APOLLO tool for iOS and macOS images/filesystems when working on Windows.

APOLLO is a tool that queries unique macOS/iOS databases with custom-built modules (each a SQLite query) and combines the results into one consolidated APOLLO database, sql_json, or csv file.




Some of the SQLite databases APOLLO will run against:
  • knowledgeC.db: stores knowledge of the user and application usage (interaction with an app and how long it was used), apps in focus, chats, access to email, calendar, calls, and web usage (about 4 weeks retained).
  • Routined (Cache.sqlite, ZRTCLLOCATIONMO table): location tracking, roughly 7 days of location and speed.
  • netusage.sqlite: per-application network usage.
  • interactionC.db: contact interaction from phone, email, and messages.
  • PowerLog: large database of logs covering app usage, camera state, audio, AirDrop, flashlight, and battery levels.
  • Health databases: heart rate, health data, location, weather, calories burned.
  • sms.db: iMessage and SMS messages.
  • CallHistory.storedata: call history, including FaceTime calls.
  • History.db: Safari web history; entries synced from other devices can be flagged by matching the hardware UUID recorded in knowledgeC.db.
  • passes23.sqlite: Apple Wallet passes and transactions, including card information.
  • cache_encryptedC.db: not actually encrypted; contains a motion state history table showing step counts and floors climbed.


Together these build a story about the user: a pattern of life and a timeline.


To install on Windows, one way is to use Windows Subsystem for Linux (WSL):

Once WSL is installed, press the Windows key and type WSL to open it.






*If you receive "ModuleNotFoundError: No module named 'simplekml'" (APOLLO imports simplekml for its KML output), try:
  • sudo apt-get update
  • sudo apt install python3-pip
  • pip3 install simplekml
-----------------------------------------------------------------------------------------------------------------------------


EXAMPLE:

For testing I used the lab example macOS image from Cyber Defenders, a great site for training and practice, at "https://cyberdefenders.org/labs/34".

Name: FruitBook.E01
MD5 checksum:    7300f808f5046e8372c27854daf6d553
SHA1 checksum:   e629634283f2e5861a91847ec64042e240516da4 
Password: cyberdefenders.org

After downloading the image, I next opened it in FTK Imager and exported the APFS container to a file-system folder directory to run APOLLO against.





The next step is to run APOLLO on the exported folders below:




APOLLO was run with the following python3 command:





The banner shown to the user reads:

==> Will lazily run APOLLO on 247 unique modules and 32 unique databases.

==> Searching for database files...this may take a hot minute...

The output will show the module (the .txt file containing the SQLite query) that ran, the database it ran against, and the number of records found.



The tool produced a single database file named "apollo.db" in the tool directory.



I used the tool "DB Browser for SQLite" to view the .db file.


Selecting Open Database and opening apollo.db shows that the database contains only one table, "APOLLO".

The APOLLO table contains five (5) columns:
Key (timestamp), Activity, Output (query output), Database (database queried), and Module (.txt file that ran).

Filtering on any one or more of these columns can be very useful.




When selecting an Output cell, its text (with the cell mode set to JSON) will populate in the cell-viewing window.
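The same filtering can be done from a script once you know the table layout. The following is an added example for this post, not code from the APOLLO project: it uses only the standard sqlite3 module, assumes the single APOLLO table with the five columns described above, and treats the Output column as JSON text (as the DB Browser JSON cell mode suggests) with a fallback for cells that are not valid JSON. The sample rows, Activity names, database names and module file names in it are constructed for illustration and are not APOLLO's real module output.

```python
"""Query an APOLLO output database (apollo.db) from a script rather than
from DB Browser: filter the single APOLLO table on Activity, decode the
JSON text in the Output column, and order hits by their Key timestamp.

Added example; not code from the APOLLO project. The schema follows the
column list described in the post (Key, Activity, Output, Database,
Module); the sample rows below are constructed, not from any image."""
import json
import sqlite3

# Schema as described for apollo.db: one table, APOLLO, with five columns.
APOLLO_SCHEMA = """
CREATE TABLE IF NOT EXISTS APOLLO (
    Key      TEXT,   -- timestamp of the record
    Activity TEXT,   -- activity label assigned by the module
    Output   TEXT,   -- the query row, stored as JSON text
    Database TEXT,   -- source database the module ran against
    Module   TEXT    -- module (.txt SQL query) that produced the record
);
"""

# Constructed sample rows. Activity names, database and module names, and
# the Output fields are illustrative only; they are not APOLLO module output.
SAMPLE_ROWS = [
    ("2019-06-24 14:01:22", "Quarantine",
     json.dumps({"Data URL": "https://example.invalid/downloads/tool.dmg",
                 "Agent": "Safari"}),
     "com.apple.LaunchServices.QuarantineEventsV2", "macos_quarantine_events.txt"),
    ("2019-06-24 14:03:05", "Application Usage",
     json.dumps({"Bundle ID": "com.apple.Safari", "Usage (seconds)": 96}),
     "knowledgeC.db", "knowledgeC_app_usage.txt"),
    ("2019-06-24 14:05:48", "Quarantine",
     "not json at all",  # an Output cell that is not valid JSON
     "com.apple.LaunchServices.QuarantineEventsV2", "macos_quarantine_events.txt"),
]


def build_sample_db():
    """Create an in-memory database with the APOLLO table and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(APOLLO_SCHEMA)
    conn.executemany("INSERT INTO APOLLO VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def open_apollo_db(path):
    """Open a real apollo.db read-only so the output file is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def decode_output(raw):
    """Parse the Output cell as JSON; keep the raw text if it is not JSON."""
    try:
        value = json.loads(raw)
    except (TypeError, ValueError):
        return {"raw": raw}
    return value if isinstance(value, dict) else {"value": value}


def query_activity(conn, activity, start=None, end=None):
    """Return records whose Activity contains `activity`, optionally limited
    to a Key range. Keys are compared as strings, which sorts correctly only
    because they are 'YYYY-MM-DD HH:MM:SS' text; check the Key format in
    your own apollo.db before trusting the range filter."""
    sql = ("SELECT Key, Activity, Output, Database, Module FROM APOLLO "
           "WHERE Activity LIKE ?")
    params = [f"%{activity}%"]
    if start is not None:
        sql += " AND Key >= ?"
        params.append(start)
    if end is not None:
        sql += " AND Key <= ?"
        params.append(end)
    sql += " ORDER BY Key"
    return [
        {"key": key, "activity": act, "output": decode_output(out),
         "database": db, "module": mod}
        for key, act, out, db, mod in conn.execute(sql, params)
    ]


def activity_counts(conn):
    """Count records per Activity: a quick inventory of which modules hit."""
    rows = conn.execute(
        "SELECT Activity, COUNT(*) FROM APOLLO GROUP BY Activity ORDER BY Activity")
    return dict(rows.fetchall())


if __name__ == "__main__":
    db = build_sample_db()
    print(activity_counts(db))
    for hit in query_activity(db, "Quarantine"):
        print(hit["key"], hit["database"], hit["output"])
```

To run it against a real result, replace `build_sample_db()` with `open_apollo_db("apollo.db")`; the read-only URI open means a slip in the script cannot alter the file you may later have to reproduce. `activity_counts` is the quickest way to see which Activity values are present before you start filtering.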








One of the questions for the CyberDefenders challenge is:

6.  Name the data URL of the quarantined item.


APOLLO can be used to answer this question by filtering on Activity for "Quarantine":

The output reads:





Below are some of the Activities the APOLLO modules will create, which can be filtered for on iOS and macOS devices:




Conclusion:

APOLLO is not too heavy or time-consuming to process on Apple devices. And best of all it is free, which may be great for processing lots of iOS or Mac devices at once to get a look at some possibly useful activity information. I am grateful to have checked it out and appreciative of the hard work Sarah Edwards puts into it.

Please check out Sarah Edwards' talk at OSDFCon:
https://www.youtube.com/watch?v=xPebuGJF7Gk

https://github.com/mac4n6/APOLLO




Wednesday, December 2, 2020

Belkasoft Evidence Center X - trial license


 

I recently signed up for a trial license to try out the new Belkasoft Evidence Center X tool.

Link at https://belkasoft.com/get



The tool is described on the product page as a "Solution to accelerate Digital Forensics and Incident Response Investigations", with features covering the major data sets to Acquire (imaging, including checkm8), Examine, Review & Analyze, and Report.



I spoke with friendly customer service reps from the company, and they emailed over a trial exe with a readme file that read:

INTRODUCTION

Belkasoft Evidence Center is a digital forensic software which makes it easy for an 
investigator to acquire, search, analyze, store and share digital evidence found inside 
computer and mobile devices, RAM and cloud. The toolkit will quickly extract digital 
evidence from multiple sources by analyzing hard drives, drive images, cloud, memory dumps, 
iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps. Evidence Center will 
automatically analyze the data source and lay out the most forensically important artifacts 
for investigator to review, examine more closely or add to report.

SYSTEM REQUIREMENTS

Belkasoft Evidence Center can be installed on any computer running 
Windows 10, Windows 8, Windows 7 (including 64 bit), Windows Vista and Windows 2003.
Mac users can run the tool under bootcamp.

HOW TO INSTALL

Run setup file and follow instructions of the installation program. It 
takes just a few minutes to get the product installed.

  • Ran the becu.trial.fixed.x64.exe to install
  • Was given an option to activate the trial license online or offline, which is nice if your forensic workstation is on a segmented network.
  • The 30 days start when first installing. Interesting caveat: it was noted that when reporting with the trial version only 50% of the data, chosen at random, makes it into the report, which makes sense for a trial license.
  • The Dashboard interface opens to name and create a new case

  • Taking a look at the Options (settings):
        - can set the CPU core count and memory cache sizes
        - picture recognition settings to assist examination and analysis; there is a dropdown to detect language and more/less false positive options for face and skin detection
        - malware detection with VirusTotal, which is nice
        - allows hashsets to be added and includes remote capabilities

  • Selected Create and Open for the new case, and the Add Data Source option opens:
        - options for adding an existing data source or acquiring a new one



  • Added a disk image (Windows), mobile image (iOS), and RAM image (Windows) I had made for practice.
  • The artifact selection menu opened:

  • Processing shows a Dashboard of progress, and a Task Manager tab for the tasks being run on the images


The bottom-right corner shows a progress bar.

When processing, I found it best to wait and let it finish all the tasks before opening artifact categories.
  • Processing finished (shown on the Dashboard) in a little less than 1 hr for all 3 images


  • Case Explorer shows device geometry for the hard drive image only

  • In Case Explorer the tree pane shows the items analyzed

  • The Overview tab shows the analyzed count for all evidence items

  • Other tabs include Timeline, Bookmarks, Task Manager, Remote Acquisition, and Incident Investigations
  • The Incident Investigations tab categorizes the artifacts useful for intrusions (Downloads, Execution, Persistence, Recent, Event Logs) and would seem to be useful for incident response cases:

  • The Remote Acquisition tab allows a package to be generated or deployed via GPO, WMI, or a configurable IP/port, which would seem helpful for IR investigations.

 
  • The search function allows multiple kinds of searches. Results display properties if found in execution artifacts.





The tool also offers timeline, hex, plist, registry, and SQLite viewers.









CONCLUSION:

Overall I like Belkasoft Evidence Center's ability to parse all kinds of data sources, including disk, memory, and mobile, and I believe it is a less expensive option than other industry tools. However, I don't believe it is quite at the caliber of the leading mobile forensics tools. Belkasoft's strong suit, for me, is its ability to be deployed and used for incident response. I like the ability to configure VirusTotal and parse Incident Investigation artifacts. I believe it could be best used in a small to larger enterprise setting and deployed as such. The tool also has some benefits in its acquisition capabilities, for which the checkm8 jailbreak package is included with a licensed version.

However, I may make a post on how to do that for free on Windows with a bootable Linux and the checkm8 exploit from GitHub.

If your budget isn't as high as the other licensed tools require, but you want a little more support than Autopsy (also a great tool), I would recommend giving the trial version of this tool a go to see if it does what you are looking for.