Apple Pattern of Life Lazy Output’er (APOLLO)
Sarah Edwards presented a new tool called APOLLO or Apple Pattern of Life Lazy Output’er. The tool was presented at Ob…
Beyond good ol’ LaunchAgent – part 0
Pasquale Stirparo has started a post series about macOS persistense mechanisms titled “Beyond good ol’ LaunchAge…
Join our Telegram DFIR group!
Guys, we have created a Telegram group, where we will do our best to answer all your questions. We will be very happy if you…
Knowledge is Power! Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage
Sarah Edwards has posted her research of knowledgeC.db database. This database can be found on macOS and iOS devices. On Mac…
afro (APFS file recovery)
afro can parse APFS images. It not only extracts the latest data but also older versions of the files. Learn more about the …
Epochalypse: Utility to Convert Epoch Timestamps
Epochalypse utility by Pasquale Stirparo has been updated. Now it supports APFS timestamps. You can download this Python scr…
Parsing APFS with Magnet AXIOM
Despite the fact APFS isn’t currently supported by AXIOM, the author of “The Swanepoel Method” blog ran a …
Apple File System (APFS) – Acquisition, Decryption and Analysis
During this webinar BlackBag Technologies representatives will show you how to acquire, decrypt and analyze APFS volumes: …
44 New OS X Profiles Were Just Added to Volatility
If you are doing macOS memory forensics often enough, we have great news for you – 44 new OS X profiles have been just…
Uh Oh! Unified Logs in High Sierra (10.13) Show Plaintext Password for APFS Encrypted External Volumes via Disk Utility.app
Sarah Edwards has found a very usefull bug in macOS High Sierra – unified logs show plaintext password for APFS encryp…
