I use and abuse my Notes application with random commands and ways to accomplish certain tasks in Terminal that I know I will want to recall sometime in the future. Now it is pinned to the Dock on every Mac I use, but I still struggle at times and that is okay! The internet provides plenty of support to help me along when I just can’t make something work. Forced me out of my comfort zone a few years ago and opened my eyes to the power of Terminal (command prompt on Mac). □□Command line interface (CLI) isn’t for everyone. I’ve got more updates planned, however I still need to tweak, research, and test before I release.You can see the new workings of the tool in my OSDFCon presentation - “ Go for Launch: Getting Started with Practical APOLLO Analysis”And for pure fun(!) a bonus Halloween themed presentation with “ Getting Spooky with Apollo” that I did for a Fortego F-Con Lightning Talk. The app and included databases each weigh in about 150 mb for 300 Mb of disk space.‘gather_macos’ - Automagically finds and collects database files on macOS using modules.‘gather_ios’ - Automagically finds and collects database files on jailbroken iOS devices using modules.‘extract’ - Nearly the same as before, rips through all the databases and extracts data via the SQL queries in the modules.I’ve also updated many modules for iOS 14 and macOS 11.Terminal (CLI)We are going to use it but you don’t have to understand everything we are doing to still achieve the desired outcome. I tried to bold exactly the text you need to type or to highlight a key combination you need to press to grab your eye as you scan this article. As with anything else, proceed at your own risk but nothing we are doing here is dangerous for your machine if done correctly. Following these instructions worked for me and will work for you too. I figured I would write a set of current instructions on how I setup my Mac, and do so in a way that someone unfamiliar with Terminal can follow along without issues.DISCLAIMER.The screenshot below contains some AirDrop activity from this device. Not every interaction will have attachments associated with them. Some that I’ve seen in my data include:Com.apple.ScreenshotServicesService - ScreenshotsFor another example, let’s take a look at some interactions for the Photos app (com.apple.mobileslideshow). I choose to pin it in my dock because I use it every day, you might want to do the same.Select Terminal application and it will openRight click Terminal in your Dock, mouse up to Options and over to ‘Keep in Dock’ and select it.This data is not just for Messages and may include other application bundle IDs. Type ‘ terminal’ and select the application from the results.Naturally I thought it would be quick, but it turned into quite an extensive update. It seems not every image will have this attachment ID.While helping some investigators out I realized that my some of my APOLLO knowledgeC modules needed a bit of updating. This is a hex representation of the UUID for the image. It also shows the contact information to whom it was sent - helpful!Some of these attachments have a type associates with them in the UTI column (HEIC/PNG), the other has an associated attachment ID, show in hex (0x DCCB49C2FC74461EAD90DAB0C537DBF7).
![]() App For Attributing Images From Flickr In Blog Mac I Use![]() I’ve even seen where there is no AirDrop ID in this plist due to AirDrop inactivity. One thing I’ve discovered since my last analysis was that the AirDrop ID is not consistent for the life of the device, it changes all the time! The last (current) AirDrop ID can be found in the /private/var/mobile/Library/Preferences/com.apple.sharingd.plist on iOS devices. For macOS you will likely have to add -info to these queries to acquire similar information.Starting with the AirDrop basics – we need to determine the AirDrop ID for each user. Many schools have been receiving bomb threats via AirDrop, I want to see if there is a way to discover where they originated from.In my testing you will see artifacts from two iOS devices:Note: This article focuses on iOS. For this scenario I want to test what certain items might look like when they are AirDrop’ed from an unknown source. All the while, playing around with the Unc0ver Jailbreak (science.xnu.undecimus).I’ve written about this before in this article but wanted to revisit it for this series. Turbo tax 2017 mac osx requirementThis particular device is a test device with no contacts therefore none were suggested.The items highlighted in purple and blue show the Share and Action activities that the user should see in the ShareSheet view.In green, the “performing activity” message shows that AirDrop was selected by the user.In pink, messages that start with “Item:” and have a GUID show that photos need a bit more preparation (file conversion, thumbnail creation, etc.). A connection will be made with the specific app that is to be shared from, in this example com.apple.mobileslideshow (Photos).The items highlighted in red are looking for people to share with. Log show system_logs.logarchive -predicate 'eventMessage contains "AirDrop ID"'Starting at the top, a good indicator that something is about to be shared is to look for the message ‘Activating com.apple.sharing.sharesheet’.
0 Comments
Leave a Reply. |
AuthorRebecca ArchivesCategories |