I do appreciate Apple computers and devices, but one can not always be afforded to work with one as a forensic workstation. Therefore I intended to highlight the APOLLO tool for iOS and MacOS images/filesystems when working on Windows.
APOLLO is a that tool queries unique macOS/iOS databases with custom built SQLite query based modules to build one consolidated APOLLO database, sql_json, or csv file.
SOME of the SQLite databases APOLLO will run against
- KnowledgeC.db: stores knowledge of user, application usage(interaction with and how long an app was used), apps in focus, chats, access to email, calendar, calls, web usage. (4 weeks retained).
- Routined: Location tracking. Cache.db (ZRTCLLocationMo) for 7 days of location, speed
- Netusage.db: App databases
- InteractionC.db: Contact interaction from phone, email, messages.
- PowerLogs: Large database of logs, macOS, app usage, camera state, audio, airdrop. flashlight, battery levels.
- Health databases: heart rate, health data, location, weather, calories burned.
- Sms.db: iMessage, SMS, FaceTime
- CallHistory.storedata: traces calling
- History.db: Web history. Shows if flagged as synced across devices with knowledge.C db(HW UUID).
- Passes23.sqlite: Apple Wallet transactions and cc info.
- cache_encryptedC.db: not encypted; contains a table "motion state history". Showing movement steps count and floors
Builds a story about the user, pattern of life, and timeline.
To Install on Windows one way is to use Windows Subsystem for Linux (WSL):
Once installed, select the Windows key and type WSL
*if receiving "ModuleNotFoundError: No module named 'simplekml'"
try:
- sudo apt-get update
- sudo apt install python3-pip
- pip3 install simplekml
-----------------------------------------------------------------------------------------------------------------------------
EXAMPLE:
For testing I used the lab example Mac OS image from a great site for training and practice Cyber Defenders at "https://cyberdefenders.org/labs/34".
Name: FruitBook.E01
MD5 checksum: 7300f808f5046e8372c27854daf6d553
SHA1 checksum: e629634283f2e5861a91847ec64042e240516da4
SHA1 checksum: e629634283f2e5861a91847ec64042e240516da4
Password: cyberdefenders.org
After downloading the image, I next opened it in FTK imager and exported the APFS container to work with a file system folder directory to run against APOLLO.
Next step is to run APOLLO on the below exported folders:
APOLLO was ran with the following python3 command:
Banner to user reads:
==> Will lazily run APOLLO on 247 unique modules and 32 unique databases.
==> Searching for database files...this may take a hot minute...
Output with show the module(.txt file sqlite query) that ran, the database it ran against, and the number of records found.
The output of the tool produced a single database file named "apollo.db" in the tool directory.
Used the tool "db browser for sqlite" to view the db file.
Selecting open database and opening apollo.db opens the database file that contains only one table "APOLLO".
The APOLLO table contains five (5) columns.
KEY(timestamp), Activity, Output(query output), Database(db queried), Module(.txt file that ran)
Filtering on columns or any column can be very useful
When selecting the output cell the text (mode = JSON) will populate in the text viewing window.
One of the questions for the CyberDefenders challenge is:
6. Name the data URL of the quarantined item.
APOLLO can be used on this question by filtering on Activity for "Quarantine":
The output reads:
Below are some of the Activities the APOLLO modules will create and a can be filtered for on iOS and MacOS devices:
Conclusion:
APOLLO is not too heavy or time consuming to process on Apple devices. And best of all it is free, which may be great for processing lots of iOS or Mac Devices at once to get a look at some possible useful activity information. I am grateful to check it out and appreciative to the hard work Sarah Edwards puts into it.
Please check out Sarah Edwards talk at OSDFCon
https://www.youtube.com/watch?v=xPebuGJF7Gk
https://github.com/mac4n6/APOLLO
No comments:
Post a Comment