Author: Phill Moore

I am a digital forensics analyst. I have a couple of blogs - This Week In 4n6 and Think DFIR I go by randomaccess (or variations of) on a number of DFIR social channels.

Playing with the iOS Powerlog

2_Man-Caraves-Arsdgdsgnold-Schwarzenegger-From-Oak.jpg

I have recently started looking at the wealth of data that can be obtained from file system iPhone extractions; a lot of which has already been explored by Sarah Edwards in her iOS of Sauron presentation, and also recently in her post on the KnowledgeC database.

Based on that I decided to take a look at the powerlog PLSQL SQLite databases on a jailbroken iPhone running iOS 10.2. I would have to double check, but I don’t think this file will get exported from a standard backup, and as a result you’ll have to jail break the device to get at this file. (more…)

Zone Identifier == kMDItemWhereFroms?

A couple weeks ago at Techno Security I saw a presentation about examining cloud storage applications such as Dropbox. Whilst the presentation was great, the main thing I noticed was that when the presenter selected a Zone Identifier ADS there was more than the usual ZoneID=3.

Finally decided to do a little bit more digging!

For background on Zone Identifiers, you can see the paper by Paul Sanderson here.

(more…)

Word Document Metadata Bugs and Verification

I got a question from a colleague a few weeks ago about a potential bug in ExifTool, a fantastic tool and library by Phil Harvey for parsing EXIF data. I had a few minutes this evening, so thought I’d share the digging

We made a couple of word documents, and ran them through ExifTool, to take a look at the ‘Word Count’ field, and later I recreated them at home.

(more…)