New FOR518: Mac and iOS Forensic Analysis Poster Update

The updated Digital Forensics and Incident Response Poster adds new sections and enhancements for macOS 15 and iOS 18 from Sarah Edwards' SANS FOR518 course research.

The latest updates to the Digital Forensics and Incident Response Poster bring a wealth of new sections and enhancements, including significant changes to artifacts in the latest versions of macOS and iOS. These updates are based on cutting-edge research conducted by Sarah Edwards during her work on the SANS FOR518: Mac and iOS Forensic Analysis and Incident Response course, covering macOS 15 and iOS 18.

Download the new update here.

So, what are some of the key updates? While there are too many to cover them all, here are a few highlights:

1 Biomes: A New Activity Tracking System

Biomes are gradually replacing the traditional KnowledgeC and InteractionC databases for tracking user activity. This new format uses protobuf-encoded data to track app usage times and transitions across devices.

• Why It Matters: Tools that only parse the KnowledgeC and InteractionC databases might miss key information stored in Biome data, leading to incomplete analysis.

2 CarPlay Activity

This feature tracks device interactions with CarPlay-enabled vehicles, logging activities such as navigation, media playback, and calls.

• Why It Matters: As connected car technology grows, CarPlay activity data helps investigators analyze in-vehicle activities for forensic purposes.

3 Spotlight Data for File Sharing Evidence

Spotlight indexes a system to help users search for files by indexing metadata, extended attributes, and even some file content. This can reveal what files a user has searched for and shared.

• Why It Matters: Spotlight data allows investigators to trace user actions and file-sharing activities, making it easier to reconstruct events.

4 AirDrop Activity

AirDrop transfers are logged in Unified Logs, recording both accepted and declined transfers, along with file types and the devices involved.

• Why It Matters: AirDrop activity is essential for tracking device-to-device file transfers, bypassing traditional cloud or email systems.

5 Contact Interactions

This section covers how devices log interactions between users through apps like Messages, Mail, and Phone, helping to track communication patterns.

• Why It Matters: Investigators can examine relationships between users and their devices, offering insight into communication behaviors.

6 Application Permissions – Transparency, Consent, and Control (TCC)

The Transparency, Consent, and Control (TCC) database logs sensitive app permissions, such as access to location, contacts, and the microphone, along with timestamps of when permissions were granted.

• Why It Matters: Tracking app permissions helps highlight apps that may have accessed sensitive data, revealing potential security or privacy concerns.

7 Files Quarantined by XProtect

This section explains how Apple’s XProtect antivirus system quarantines potentially harmful files, giving investigators access to information on flagged files and the reasons behind the quarantine.

• Why It Matters: XProtect provides insights into potentially malicious files already identified on a system.

8 Health Data

This section details how health metrics like steps, heart rate, and other fitness data that might be available to an investigator and analyzed using forensic tools like APOLLO.

• Why It Matters: Physical activity data can be vital in investigations involving movement or location tracking.

9 Bluetooth Devices

This updated section offers insights into Bluetooth interactions, including timestamps for device connections and nearby devices.

• Why It Matters: Tracking Bluetooth activity can help trace interactions with wearable tech and other nearby devices, which may play a key role in investigations.

10 Apple File System (APFS) Snapshot Mounting

A new section on 10. Apple File System (APFS) snapshot mounting explains how to retrieve data from specific points in time, enhancing forensic capabilities when analyzing system changes or historical data.

• Why It Matters: Snapshot mounting allows investigators to recover historical data, offering a snapshot of the file system at any given moment.

The updated Digital Forensics Poster equips investigators with cutting-edge knowledge and tools to navigate the ever-evolving Apple ecosystem. From CarPlay interactions to more granular tracking with Biomes and APFS snapshots, these updates provide deep insights into user activities and device interactions across macOS and iOS platforms. Staying current with these advancements is essential for maximizing the potential of forensic investigations on Apple devices.

Please note that to make room for these updates, we’ve removed some older information related to the HFS+ file system and earlier versions of macOS and iOS. If you expect to work with older systems, you may want to hold on to previous versions of the poster!

Equip yourself with the latest forensic insights for macOS and iOS investigations! Download the updated Digital Forensics and Incident Response Poster now and stay ahead with new tools and techniques to uncover vital evidence across Apple devices.