
May 15, 2025 75 mins


Apple devices are constantly recording user activity, yet few forensic examiners make use of the vast amount of data these systems quietly generate. Apple's Unified Logs and Spotlight databases track nearly everything that happens on an iOS device, often without the user realizing it.

Would you believe an iPhone can generate around 1.5 million log entries in just 15 minutes of regular use? These records include highly specific actions—such as the exact moment Face ID is used to unlock a device, when the phone is flipped face-up, or whether a user interacted with Siri or used the device manually. Despite their detail and reliability, these sources are often overlooked in mobile investigations.

In this session, we'll show how forensic practitioners can process and search these massive log sets using open-source tools. We'll walk through examples of log entries that record actions like toggling airplane mode, launching specific apps like Facebook, or even detecting changes in device orientation. For investigators, this means direct, time-stamped evidence of how a device was used.

One of the most valuable aspects of this data is its ability to help distinguish between user actions and automatic background processes. Was an app opened by the user, or was it a system event? These logs provide that level of clarity. We'll demonstrate how to isolate specific events from millions of entries and construct accurate timelines that reflect exactly what happened—and when.

As part of our ongoing work, we're also focused on improving the accessibility and usability of these artifacts by incorporating them into the LEAPPs. If you work with iOS devices, this is a session you won't want to miss.
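The description above promises a walk-through of turning Unified Log output into a searchable form and isolating a handful of events out of millions of entries. As an added example (not code from the podcast, from iLEAPP or from mac_apt), here is the shape of that workflow in Python: `log show --style json` output loaded into an indexed SQLite table, queried by keyword and time window, and reduced to a timeline of user actions with background noise left out. The record field names (`timestamp`, `processImagePath`, `subsystem`, `category`, `eventMessage`) are assumed to match what `log show --style json` emits, and every log record in the block is constructed, not captured from a real device.

```python
"""Added example (not from the podcast, iLEAPP or mac_apt): load
`log show --style json` output into SQLite, then search it by keyword
and time window and reduce it to a short timeline of user actions.
Assumptions: record fields named timestamp, processImagePath,
subsystem, category and eventMessage (what `log show --style json`
is expected to emit); all sample records below are constructed."""
import json
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in for a few records of `log show --style json`
# output. Real output for 15 minutes of use runs to ~1.5 million of these.
SAMPLE_JSON = json.dumps([
    {"timestamp": "2025-05-15 10:00:01.120000-0400",
     "processImagePath": "/usr/libexec/SpringBoard",
     "subsystem": "com.apple.springboard", "category": "general",
     "eventMessage": "Airplane mode toggled: on"},
    {"timestamp": "2025-05-15 10:00:05.400000-0400",
     "processImagePath": "/usr/libexec/biometrickitd",
     "subsystem": "com.apple.biometrickit", "category": "match",
     "eventMessage": "Face ID match succeeded, unlocking device"},
    {"timestamp": "2025-05-15 10:00:06.010000-0400",
     "processImagePath": "/usr/libexec/SpringBoard",
     "subsystem": "com.apple.springboard", "category": "launch",
     "eventMessage": "Foreground application launched: com.facebook.Facebook"},
    {"timestamp": "2025-05-15 10:00:07.000000-0400",
     "processImagePath": "/usr/libexec/locationd",
     "subsystem": "com.apple.locationd", "category": "background",
     "eventMessage": "periodic location refresh (no user interaction)"},
    {"timestamp": "2025-05-15 10:02:00.500000-0400",
     "processImagePath": "/usr/libexec/backboardd",
     "subsystem": "com.apple.backboard", "category": "motion",
     "eventMessage": "device orientation changed: face up"},
    {"timestamp": "2025-05-15 10:30:00.000000-0400",
     "processImagePath": "/usr/libexec/SpringBoard",
     "subsystem": "com.apple.springboard", "category": "general",
     "eventMessage": "Airplane mode toggled: off"},
])

# Message patterns (SQL LIKE) that, in this constructed data, mark a
# user action rather than a background event. Real patterns come from
# research such as the blogs cited in the show notes.
USER_ACTION_PATTERNS = ["%Face ID%", "%Airplane mode%",
                        "%orientation changed%", "%Foreground application%"]


def parse_ts(ts):
    """Convert log show's local-time stamp to an ISO-8601 UTC string so
    entries sort and compare correctly regardless of device timezone."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z")
    return dt.astimezone(timezone.utc).isoformat()


def load_log_json(json_text, conn=None):
    """Insert every record into an indexed SQLite table. Returns the
    connection (in-memory by default; pass a file-backed one for big input)."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS aul (ts_utc TEXT, process TEXT, "
                 "subsystem TEXT, category TEXT, message TEXT)")
    conn.execute("CREATE INDEX IF NOT EXISTS aul_ts ON aul(ts_utc)")
    rows = [(parse_ts(r["timestamp"]), r.get("processImagePath", ""),
             r.get("subsystem", ""), r.get("category", ""),
             r.get("eventMessage", "")) for r in json.loads(json_text)]
    conn.executemany("INSERT INTO aul VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def _utc(iso):
    # Normalise a caller-supplied ISO-8601 bound to the stored UTC format.
    return datetime.fromisoformat(iso).astimezone(timezone.utc).isoformat()


def find_events(conn, patterns, start=None, end=None):
    """Rows whose message matches any LIKE pattern, optionally limited
    to an ISO-8601 time window, ordered by time."""
    where = " OR ".join("message LIKE ?" for _ in patterns)
    sql = f"SELECT * FROM aul WHERE ({where})"
    args = list(patterns)
    if start:
        sql += " AND ts_utc >= ?"
        args.append(_utc(start))
    if end:
        sql += " AND ts_utc <= ?"
        args.append(_utc(end))
    return conn.execute(sql + " ORDER BY ts_utc", args).fetchall()


def build_timeline(conn, patterns=USER_ACTION_PATTERNS):
    """The handful of user-action rows out of everything in the table."""
    return find_events(conn, patterns)


def counts_by_process(conn):
    """Which processes write the most (the 'log stats' view of the noise)."""
    return conn.execute("SELECT process, COUNT(*) FROM aul GROUP BY process "
                        "ORDER BY COUNT(*) DESC, process").fetchall()


if __name__ == "__main__":
    db = load_log_json(SAMPLE_JSON)
    for ts, proc, _sub, _cat, msg in build_timeline(db):
        print(ts, proc.rsplit("/", 1)[-1], msg)
```

The point of the SQLite step is the one the episode makes: a 24 GB JSON file is unworkable as text, but once the records sit in an indexed table, the time window and keyword filters run in milliseconds and the result is the few dozen rows that belong in a timeline. For a real `logarchive.json` of that size you would feed records to `load_log_json` incrementally (an event-based JSON parser rather than `json.loads` on the whole file) and point `conn` at a file-backed database; everything else stays the same.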


Notes:

2026 IACIS in Reno, NV:
https://www.iacis.com/training/reno-info/

Spotlight:
https://github.com/ydkhatri/mac_apt

Unified Logs:
https://www.ios-unifiedlogs.com/
https://github.com/abrignoni/iLEAPP


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:18):
Welcome to the Digital Forensics Now podcast.
Today is Thursday, May 15th, 2025.
My name is Alexis Brignoni and I'm accompanied by the sleeping beauty that doesn't work sleeping and anything else when need be, because she works hard.

(00:39):
The early riser to work.
The queen of all things Apple logs, as you will see during the show, the one, the inimitable and only Heather Charpentier.
The music is Hire Up by Shane Ivers and can be found at silvermansound.com.
Yeah, what's my mouse do?

(01:02):
There we go.

Speaker 2 (01:08):
Sleepy.

Speaker 1 (01:09):
Yeah, I mean you work hard.
So you know you work hard, you get tired and you have to sleep a lot, like at four o'clock in the afternoon.
You know it's hard.

Speaker 2 (01:17):
A way to tell on me.
Way to tell on me.

Speaker 1 (01:20):
I mean I do the same thing.
Not as often as you, but just kidding, just kidding.
You are the queen of the logs and we're going to demonstrate that today, people, that she's the queen of the logs.
So yeah, so what's going on?
What's happening since last week?

Speaker 2 (01:37):
Last week we were in Florida.
Well, you live in Florida, but I was in Florida for IACIS and that's why I'm sleeping so much.
I'm catching up.

Speaker 1 (01:46):
Yeah, that's true.
There's a lot of work, you know, keeping up with the class at night, no partying whatsoever, right, no, no, none of that, just plain work the whole time.

Speaker 2 (01:56):
Maybe a day or two Now.

Speaker 1 (01:57):
The first week was like really business, but the second week is more slow because you kind of got it down, got it down from getting kind of lined up from the first week.

Speaker 2 (02:06):
Yes, and then?

Speaker 1 (02:07):
you can kind of relax a little bit in the afternoons.

Speaker 2 (02:09):
Yeah, yeah.
So I have some pictures to show from IACIS, from week one.
We have our lovely instructors' picture with Chris Currier, myself, you, Bill Aycock and John Hyla and, of course, Hannah, who did not cooperate for this picture and look at the camera.

Speaker 1 (02:30):
Look, she was giving you her best side to the picture.
You have to understand that that's her best side.

Speaker 2 (02:36):
She probably saw a treat or something, fire hydrant, squirrel.
Yeah, pretty much, I got it.
I got that reference, only oh, from a commercial though.

Speaker 1 (02:50):
Oh, you got that reference, like Captain America.

Speaker 2 (02:52):
Anyways, go ahead. I did, I did, and then, of course, our wonderful, our wonderful students from week one.
Week one had some pretty smart students, yeah, yeah, I just, to begin with.

Speaker 1 (03:07):
So if you go from the left, the one to a third person there, that hoodie that looks kind of white, but it's got, I think it's gray or something like that.
It's the one and only Johan, which is like, dude, what am I gonna teach you?
Like, are you kidding me?
You should stand up and teach.
But he did learn something in class, so that's exciting.

Speaker 2 (03:26):
He did, he did.
Let me throw up.
And then week two, we had a little change of instructors.
We have Princessa and then the rest of us, obviously, that were already there.
Hannah cooperated for this one.

Speaker 1 (03:40):
Yeah, she's just tired of coming.
You take so many pictures of me.
Leave me alone.

Speaker 2 (03:44):
All the wonderful instructors, and then our week two students, who are just as amazing as the week one students.

Speaker 1 (03:51):
See, look, I organized this picture.
Everybody's like taking a knee at the front.
It's a better picture.

Speaker 2 (03:57):
I'm just saying, yeah, your picture is definitely more organized than mine.

Speaker 1 (04:01):
It has a ponky in the back as opposed to the doors on the left.
It's a beautiful door.
Sure, if you're into that sort of thing, you're into doors.
I mean, there's people that are into doors.
Hey, look at that.

Speaker 2 (04:15):
And then our class mascot just chilling, waiting for somebody to come rub her belly.

Speaker 1 (04:22):
Oh, maybe I should do that too in class. There's nobody going to rub your belly.
They're just kicking me in the ribs.
Get up.
Well, that's awesome.
That's awesome.
Well, we both enjoyed that time in IACIS, just teaching and spending time with the students and other folks that are at the event.
IACIS is an organization that's volunteer driven, so all the

(04:46):
people there is volunteer work, because we're really passionate about education, and education specifically in the field of digital forensics.
Right, and it's a blessing, it's an honor to be part of the organization and able to give that that way.
So looking forward to be there next year.

Speaker 2 (05:04):
Yeah, absolutely, and you don't have to wait till next year.
Well, you kind of do, never mind. January of 2026, not in Florida, but if anybody is looking to take some classes from IACIS, there's going to be a specialized event in Reno, Nevada, so it will be January 12th through the 16th at the.

Speaker 1 (05:41):
Did you lose me?
I don't know if it's you or it's me.
I don't know if somebody in the chat can tell me if she's breaking up or not.
To make sure that maybe I'm not the problem, let me see.
If Kevin is around, you can put in the chat, if he is around, if she's breaking up.
If not, it's me, and then you can carry on.
Somebody needs to tell me if I'm breaking up.
Let me see.

(06:02):
Christian says that you're breaking up.

Speaker 2 (06:04):
Okay, Christian, it's up, it's his.

Speaker 1 (06:11):
It's what, midnight his time? Yeah, great, Christian is a trooper. You could have watched the rerun later. Well, but he supports, yeah.
Yeah, you're glitching out, so let me repeat that part.
There is the special event in Reno at the Sierra Resort, right.

Speaker 2 (06:24):
Yeah, yep, so it's going to have all the classes, not the BCFE, though, it's going to be all the specialized classes.
So the Advanced Mobile Device Forensics class, which we teach, the Advanced Windows Forensic Examiner, Applied Scripting, the Forensic Linux Examinations class, the Managing a Digital Forensic Lab,

(06:45):
Mobile Device Forensics, Open Source Intelligence, Preparing for Lab Accreditation, and the RAM Capture and Analysis class.

Speaker 1 (06:54):
Those are all awesome classes and, again, they're not the main BCFE, but they're pretty good.
They're really, really good.
Let me see. Yep, and the MDF.
There's a certification for the MDF, so they can get that.
Is there a Windows one there?
No, I don't think Windows is there.

Speaker 2 (07:10):
Yeah, Windows, it is, oh, the Windows.

Speaker 1 (07:14):
Advanced Windows also has a certification, and then all the other classes is great knowledge, so very cool.
So before we move on from what we've been doing, you know, IACIS related and all that, I want to talk about what I did in between the show.
So now it's going to be me time real quick.

Speaker 2 (07:30):
Do it.

Speaker 1 (07:31):
I mean, it's me time most of the time anyways, but more me time.
So I went to Epic Universe, right?
So my beautiful wife decided that we should take some PTO in the middle of the week and do this.
Yeah, exactly, so it was great on her.
So this is the entrance.
It's amazing.
I hate AI, except when I can delete people from the picture.

(07:53):
So then I like AI, so I can take people out.
So then it looks like there's nobody there.
And then this is me going into the Nintendo world.
See how it simulates like the little pipes you go.
So I'm there being like running towards it, and I obviously deleted all the other people around me because it's all about me. Did you make the sound effects as you went in?

(08:15):
Oh, of course. I mean, actually the sound effects are part of the thing as you're going up, so, but I made them anyways, you know.
And then here we are in Nintendo World, here with my beautiful wife right here, and we're enjoying the.
It's really immersive, like when you get in, like you see, like you can't really see outside of where you're at.
So you feel like you're in the place, which is like an

(08:37):
interesting environment.
We'll see when it opens fully for the public, and it's going to be crowded for sure.
It was crowded and it wasn't full.
Now, the part that I got really, really excited was for the Harry Potter section.
Like the Ministry of Magic. I read the books when they came out, I saw the movies, and it's really impressive exactly how

(08:59):
the books and the movie are.
The ride was not open yet, because during this test period some rides are open, so this one wasn't open, um, but it promises to be really awesome.
So I enjoyed that.
And then, uh, we got some, some butterbeer, and if you're a fan of the books, you know what that is.
So if you're like Heather and you don't know what it is, then you have to go read the books.

Speaker 2 (09:16):
You know what butterbeer is, I had to ask, I know.
Now you told me. Yeah, no, it's, it's pretty good.

Speaker 1 (09:22):
So, and of course, of course, I need to show you now a video of me making a fool out of myself, just so we don't break.
We don't break the habit, so, so, here you go, it's me. Well, I mean, we can't just make fun of you, I have to.
We have to make fun of me too.
So here's me doing my best, my best impression of Mario from the, uh, Super Mario Brothers, uh, uh, video game.

(09:43):
Yeah, look at that.
Of some of the Super Mario Brothers video games.
Yeah, look at that, I'm an adult.

Speaker 2 (09:51):
I don't think so.

Speaker 1 (09:53):
I can see my wife there.
I hear my wife there laughing at me because, you know, I'm a goofball, definitely a goofball.
You don't have to agree, you have to be like, no, no, of course you're not.
You're great, man. You're a serious adult.

Speaker 2 (10:07):
No, I'm with Karen, I know, I know. I'm chilling with you.

Speaker 1 (10:13):
Well, there you have it.
That's what I've been doing.
Now let's get back on track on this more serious stuff.
Thank you, thank you.
So we promised the students from our classes that we're going to do, so while we were.
Yeah, we're glitching here.

Speaker 2 (10:36):
I'm sorry, go ahead.

Speaker 1 (10:38):
Yeah, that we promised the students that we were going to do a Spotlight demo. I can see it.
We're super lagging. Is that better?

Speaker 2 (10:45):
I'm going to let a spotlight demo.
I can see it.

Speaker 1 (10:46):
We're super lagging.
I'm going to let you take over,so go ahead and tell us what's
going on, what's coming up.

Speaker 2 (10:51):
Can you hear me?
Can you hear me?
I know, okay, so during IACIS we had an extra lesson in Spotlight, part of iOS and macOS, that I didn't get to in class, and I promised the students that we would cover it on the next

(11:14):
podcast.
So we're going to cover, for the Artifact of the Week, the Spotlight demo that I was going to do in class.

Speaker 1 (11:32):
All right, let me see here.

Speaker 2 (11:37):
And I am totally glitching out.

Speaker 1 (11:39):
Yeah, but just keep putting stuff up because I can hear you, so we'll see how it goes.
Your internet today is killing us, totally killing us.
I can hear you.

Speaker 2 (11:47):
So we'll see how it goes.
Your internet today is killing us. Totally.
Clean us, you can hear me.
Okay, keep going.
All right.
So the iOS.
Okay, the iOS Spotlight.
If you don't know what iOS Spotlight is, it's the built-in intelligent search feature for macOS and iOS.
It searches apps, files and the web, and you can see here in

(12:08):
this screenshot that you can access it by swiping down on the home screen or with the search option available at the bottom of the home screen.
So there are databases that are related to the Spotlight function in iOS and macOS, and here on the screen I have the

(12:29):
paths where you can find those in your iOS.
So if you go to /private/var/mobile/Library/Spotlight, and in the CoreSpotlight directory, are three different locations where you can find those store.db databases.

(12:50):
So just a quick little overview of how the database is structured.
There is the header page which, at offset zero, for four bytes, you can see the header string there, that is the 8tsd, and then the next 4 bytes, starting at offset 36, will tell you the

(13:11):
header page size, and then, at offset 324, for an indeterminate amount of bytes, is the path to where the store.db can be found on the volume.
Then there is what's called the map page.
On the map page, the first four bytes have the header string of

(13:31):
1mbd, and then there's an offset for four bytes, starting at offset four, that contains the page size.
Then at offset eight, there is four bytes that contain the number of pages within the map, and then, at offset 32, for 16 bytes, start the map page entries.

(13:52):
Then there's the data page.
So where all of the good data stored in this store.db is contained, at 0 offset for 4 bytes, is the header string, which you'll find is 2pbd.
Then you'll find the page size, at offset four, the allocated

(14:13):
size, at offset eight, and then, starting at offset 20, is the data inside of the store.db.
So what can we find inside of the store.db?
All kinds of data.
Um, it's an index, so you're going to find things like file names, um, file paths.
You'll find file types, all kinds of timestamps, such as

(14:35):
the created date, the modification date, last used date, date added.
Um, you'll find, uh, snippets of text from potentially text messages, emails, PDFs and other, um, other artifacts that may have text content.
You'll find titles, we'll find the file size, whether a file

(14:56):
was written or not, uh, recent access dates.
We'll find heights and we'll find what types of files are located, and you may also find, for some files, like the duration of the files.
You can search keywords, you can find downloaded dates, and then my favorite part is there's a potential to recover deleted

(15:17):
files.
So if the Spotlight index hasn't been purged or re-indexed, you may be able to find things that have actually been deleted from the device.
So on a previous episode of the podcast I actually talked about Spotlight, and I talked about Yogesh's script that is specific

(15:38):
for Spotlight, and it pulls the data out of the store.db into text files.
At that time I didn't know about his tool, mac_apt.
So mac_apt is a deferred tool to process Mac computer full disk images, but it also includes an iOS processing function, and specifically it'll process the Spotlight.

(16:01):
It uses a plugin for Spotlight, so I'm going to show that.
Now let me just share my screen and let's go to my desktop

(16:25):
where I have mac_apt already installed in the software.
There we go.
So I'm going to open a command prompt from the mac_apt folder.

Speaker 1 (16:37):
I'd already unzipped it and installed all of the dependencies, and then, yeah, let's zoom in, or there we go, bring that font up.

Speaker 2 (17:01):
It's a little bit small there.
There we go. All right.
So from the command prompt, once all of the dependencies are installed, you use Python.

Speaker 1 (17:06):
You use Python. Before you continue, real quickly, Kevin is saying that Yogesh also has ios_apt, so there's something that we should be going to.
I haven't done it.
You haven't done it yet, right, Heather?

Speaker 2 (17:17):
No, it's part of this, so.

Speaker 1 (17:18):
I'm going.

Speaker 2 (17:18):
Yep, yep, so I'm going to use mac_apt, but the artifact only, which relates to the ios_apt.

Speaker 1 (17:29):
So they're together.
That's what you're saying.

Speaker 2 (17:31):
I believe so yeah.

Speaker 1 (17:32):
Okay, go ahead.

Speaker 2 (17:33):
And then I'm going to do the input, and I already put, so Yogesh has in his instructions.
He has a spot where he put the Spotlight files in a folder called spot, and then all I did was drop the CoreSpotlight folder, all of the different files from my full file system

(17:53):
extraction, into that spot folder.
So each one of these directories have this store.db that you can see here.
So I'm just going to drag that location for the input, and then I'm gonna output it right to where Yogesh's example shows,

(18:15):
which is an output folder in that same directory on the C drive, and then I'm going to do spotlight to just run the Spotlight plugin.
Once that goes, very quick, by the way, if I go out to the output folder you will see here, let me

(18:41):
just make it larger, it actually outputs all of the data from the store.db into a SQLite database.
So we can open it up in DB Browser and browse the data from the store database.
So I'm just going to go to notes because I know I have some

(19:02):
data in the notes here.
This is from one of my test phones, and in the notes, let me just control.
You can see here that I have one, and its display name is computer secrets, so that one might be important in an investigation, right.

Speaker 1 (19:21):
Secrets, why?
What would that be, right?
Secrets, why?

Speaker 2 (19:23):
What would that be?
But then in the description is actually the computer secrets, which is the password to an encrypted volume on a computer: Bazinga911 exclamation point.
So this can be found in the notes portion of the store.db.
And then there's other stuff too, like I have Facebook

(19:48):
Messenger in here, and you can see some of the Facebook Messenger data.
It actually shows the two people who were communicating on Facebook Messenger, which is Sheldon Cooper, this phone, these files are actually from Sheldon Cooper's phone, and Amy Farrah Fowler, who is the participant in the Facebook

(20:09):
Messenger messages on this device.

Speaker 1 (20:12):
Nice.

Speaker 2 (20:13):
Yeah, so if you go to this database in a forensic tool, whatever your forensic tool of choice is, and you go and look at the database, you can't see the data.
One of my tools is actually, it's completely blank, and it's because it doesn't have a viewer for this type of proprietary format.
So exporting those files and then bringing them, using

(20:37):
Yogesh's tool, to bring them into a SQLite database definitely makes life easier for your investigations.

Speaker 1 (20:45):
If you want to take a look at the Spotlight databases, I mean, I would say, if you have a theory of the case, you can definitely make a big bang out of it, you know.

Speaker 2 (20:55):
Oh.

Speaker 1 (20:57):
Grumps.

Speaker 2 (20:58):
Dad joke all the way. Dad joke, that was good, that was good.

Speaker 1 (21:03):
Dad joke alert.

Speaker 2 (21:06):
But what you see like on here.
So it actually has information about podcasts.
You can see what podcasts Sheldon Cooper was watching, the FTK podcast and the Digital Forensics Now podcast.
So a lot of data to be found inside of these store.dbs, and not really great ways of searching through them unless you pull the data out into the SQLite format.

Speaker 1 (21:31):
Well, I mean, dealing with logs, it's a pain, especially logs that need some conversion, right, and SQLite is a pretty solid way.
It's kind of funny because I think, let me see, I think the thing we're going to talk about next is in a second.
It's got the same flow, right, when you take data from a log,

(21:52):
put it in a SQLite database to deal with it, right, and I think that leads to the next section, which is what's new with the LEAPPs, right.

Speaker 2 (21:59):
Right, what's new with the LEAPPs, and we're going to talk about the unified logs and, potentially, some upcoming support.

Speaker 1 (22:05):
Oh, absolutely.
So we've been talking a lot lately about unified logs, and look, if Damien says it, then I believe it.

Speaker 2 (22:17):
Yeah, I was just going to share that.

Speaker 1 (22:18):
Yeah, I'll put everything in SQLite.
It's so easy to work with, it really is.
Damien was also teaching at IACIS.
We had some great conversations about how we can take some of his code for SQLite recovery and hopefully integrate it into other community tools like the LEAPPs.
So I'm really happy with those conversations and hopefully we can make that happen.
Damien is a master at all things databases, SQLite and

(22:42):
others, so yeah, so if he agrees, I'm good, we're good.
Yeah, so this is what we have, right.
So we've been talking lately about Unified Logs a lot.
I think the community is not really aware of how useful it is, that data is contained.
People like Lionel Notari, Christian Peter, which is, he's

(23:07):
in the chat, so it's awesome to have him here.
Um, um, Tim, uh, Tim Korvac.
His name's Korvac, right?
Am I pronouncing it right?
Hold on, because I don't want to, I don't want to misspell his name.
Um, just I.
Oh, here we go.
Uh, Tim Korver, there we go.
Tim Korver also is working, doing a lot of work on that.
So there's folks looking at it.

(23:30):
Now we're also, you know, Heather and myself are looking at it, and some of the other LEAPP developers.
So why is it important, right?
Well, first of all, a quick primer of what Apple Unified Logs are.
They're not new.
They've been around for a long time, and the issue with them is that they keep track of so many things on the phone, and some of them are important to your case and most are not.

(23:52):
I think Heather can tell us, you ran your phone for 15 minutes and how many log entries did you get?

Speaker 2 (23:59):
1.5 million in 15 minutes.

Speaker 1 (24:04):
Exactly, and I mean a great comment, right on point.
What was Brett saying?

Speaker 2 (24:10):
Heather, they are called unified logs because they bring all your misery into one convenient place.
It is miserable to look through those. The work that Lionel has done to go through those and actually figure out what some of those unified logs mean, I don't know how he sits there and stares at it for that long.
I literally looked at 15 minutes' worth and wanted to pull

(24:31):
my hair out.

Speaker 1 (24:33):
I imagine his eyes bleeding and trying to figure them out, but the sacrifice that Lionel has taken is worth it for everybody and for all of us, because the amount of data is so, so specific, and we're going to give you some examples.
Now, before I give the examples, I want to also add, although it is true that it brings our misery into one place, it's also called unified because you find them in iOS devices, you

(24:56):
find it in a MacBook, you find it in all these places that are Apple related.

Speaker 2 (25:05):
I had to share Kevin.

Speaker 1 (25:06):
Kevin is saying that is why I have no hair left.
Well see, that's why I'm doing some artifacts, so I don't have to pull mine as well.
So what are we doing about it?
So the thing with, like Heather said, you have, and I'm going to actually, let me start with the, let me check this out.

(25:28):
The thing we have to do is we have to kind of pull these logs, right, put them in a format that's easier for us to work with, and then identify items of interest.
We're planning in the near future, like near near future, to start making some artifacts that are really specific to the items that we need.
The idea is that, instead of looking at, for every 15 minutes, at what you said, what, a million lines of log or whatever? No, 1.5.

(25:51):
1.5, almost a million lines of log.
Then we can narrow it down to the 100 that you might need in a timeline by timestamp.
Okay, Christian is saying that checking live logs on a test device makes things much easier, which I agree, if you're doing that part of testing.
So that's a good note, and there's ways of definitely doing that, and actually that could be something we could show on

(26:12):
the next show.
So thanks for the suggestion, Christian, so more folks can do research, because it's not only about the folks that code, like myself, or the LEAPP developers, like Johan or James or Kevin.
It's also about folks like Lionel that actually sit and give meaning to the artifact.
So people like myself and others, we can then automate it for the rest of the community.
So do that research.

(26:33):
So there's ways of doing that.
Now, what's the workflow that we're dealing with right now?
So let me show you, let me go back here and show you a couple of things.
I'm going to open here my screen.
Let me hide my cheat sheet here, what I'm doing.
The first thing is we need to acquire all the things, and how do we do that?
We need to preserve those, and there's been a lot of necessity

(26:58):
of doing that, because it has been known that some of our tools were getting rid of these logs before we were able to acquire them.
I believe that's been fixed in some of the tooling, but at the end of the day, you need to do your own testing and validation of your acquisition tools to make sure that no data is being lost in the process.
Okay, so I'm going to show here a great flow chart by Tim that

(27:23):
explains how it works.
Right, you can pull different types of logs from these devices, the sysdiagnose and the Apple Unified Logs.
We're going to focus on the Apple Unified Logs.
There'll be the column on the right, and I love this little flow chart because it shows us, right, do you have access to the device?
The answer is yes, and then what you should do?

(27:44):
Then you should acquire the AUL, and you can go from the flow of that chart what your best option is.
There is a command, sudo log collect.
So the log command is one that Mac devices, laptops, computers will use to manage and deal with those logs.
This method will require you to have a Mac computer to be able

(28:04):
to pull those out.
There's other ways of being able to extract that.
UFADE is one of the ways to do that, which is fantastic, and both UFADE and using the log command, the end product will be a file.
Well, it's not really a file, but a file-looking directory

(28:26):
with a .logarchive extension.
It's not really a file.
It looks like a file, but it's actually a combination of files.
Inside of them, the tracev3, or, yeah, tracev3 extension at them.
That's where your logs are in.
If you open them, you will have tons of gobbledygook that you cannot understand.
These need to be looked at in two ways.

(28:46):
The first one is, let me take this picture out of the screen.
The first way of looking at these log archives is through the Mac's Console application.
It's a program that comes with Mac computers.
You open the Console application and you can manipulate some of those.
I find it a little bit cumbersome and slow to do so, so there's other ways of doing it.

(29:06):
The second way of pulling those archives is, if you have an extraction, you can take the tracev3 files and turn them into a log archive.
Right now, the instructions we have on that are in French, thanks to Johan.

Speaker 2 (29:20):
I translated them.
You translated them, okay. I did.

Speaker 1 (29:25):
I think the AI did maybe.

Speaker 2 (29:27):
Oh, the AI definitely did. By I, I meant we did it together, me and the AI.
Oh, yeah, yeah.

Speaker 1 (29:32):
Yeah, I don't think your French is up to speed, that your French is just as good as mine, totally non-existent.
All right, so there is a way of doing that, and maybe we can cover it in another episode on how to pull those out.
So let me show you here how the command looks.
So you pull the logs.
This is a command I want to show you.

(29:53):
It's called the stats command.
I found it interesting enough to show.
I learned this command from Lionel's blogs, and it's pretty neat.
After you run, you have your extraction, you can use log and then call stats, and it tells you all the types of how many events you have in your log, the activity, how many log messages, time to live for all those messages.
It's pretty useful.

(30:13):
And the processes, and the ones that write the most of that information, which again is some pretty interesting metadata.
And he goes further, and he has additional commands to really narrow down the different subsets of data using the stats command.
I'm not going to go into that now, but you can see that in his blog, Lionel Notari's blog, so we'll put his blog in the show

(30:34):
notes at the end of the show, and you can go, give us a few hours so we can put them up, and you can look them up, right.
So?
So what do I do?
So the way I do it is, let me open here my.
What I do is, let me, of course, if I could open a window too, you can all see, I take my Mac computer, and that's the only way

(30:58):
I know how to do it, through a Mac, and again, it doesn't have to be a super powerful Mac, it could be the cheapest Mac you can find, and I take that log archive that I created from my device, from my phone, through using the log command in a Mac computer or through using UFADE from Christian.
I take that log archive, and this is my process and the

(31:20):
process that I think the tooling, our tooling, will use for the time being, the LEAPPs will use.
For the time being we're going to go and turn that .logarchive into a JSON.
Okay, so let me show you here a picture of, um, another picture, sorry, of my screen.
That's what I should show you, my screen.
So the here.
So the here.

(31:42):
Actually, you know what?
Yeah, I'll show you my screen because I want you to see the command.
That'll be fine.
I'll share this.
This entire screen is fine.
This is good.
So let me open this up a little bit, so the folks that are there are listening.

(32:03):
I'll try to describe it as best as I can.
How do I make this bigger here?
View bigger, so this one I'm plus.
Okay, I was hitting the wrong command.
There we go.

Speaker 2 (32:16):
That's better.

Speaker 1 (32:18):
I know it's too big, but it'll be fine.
So you'll see here on the screen here: log show.
So log is the log command, the show parameter here, style is
going to be JSON, and then the zero, zero, blah, blah, blah,
blah, all the way to dot logarchive.
That's what the collection looks like at the end.
Right, so you go to your, connect your, the iPhone to the

(32:38):
computer or to UFADE, you pull the log, dot logarchive.
That's going to look.
It's going to be like a big numeric, alphanumeric string
there, with dot logarchive at the end, and then the
command.
I made a mistake here because I put it twice.
Let me clear.
Let me clear the screen a little bit because it looks
horrendous for the folks that are watching because I put the

(33:00):
command twice.
So let me just clear it out for a second.
There we go, so let me look for the right one.
There we go, much better.
And then you say JSON.
You take the archive and you pipe it to a file called
logarchive.json.
I need you to name it just like this in order for the LEAPPs,

(33:20):
for iLEAPP, to be able to pick it up.
If it's named something else, iLEAPP will not see it, so it has to
be named logarchive.json.
Now, the interesting thing about that, which I'm going to
show you now, is that Heather did a sample data for us and, if
you can see, here, let me show you how that looks.
It's kind of small, so hopefully people can see it, but

(33:43):
the logarchive itself is 1.1 gigabytes.
It's pretty compressed.
You say, well, that's a lot.
Well, if you turn it into a JSON, it's 24.339 gigabytes.
You know, like 24 gigs, almost 24 and a half gigs of JSON,
which is insane.
But why do I use this?

(34:04):
Because it allows me to manipulate it in different ways.
I'm going to take that JSON file and put it inside a SQLite
database so I can query the database.
In the near future, or nearest future, we're going to be able
to use the new viewer for the LEAPPs called Lava to parse
through them, and actually I've already done it.

(34:25):
Let me see if we have time for that.
We'll see if we have some time, maybe I can show you.
The product is not ready yet.
We need to add some things.
One thing that we will need to add is a functionality for you
to pick or select, tag the different log records, because
you don't want all of them, right?
You want some specific ones, so that way you can start tagging

(34:50):
them and then end up with a final product with all the ones
that you tagged.
That's something that's coming in the future, but for the
time being, what we're going to do is we're going to do that
analysis using SQLite.
So how do we do that?
Well, since I have the screen here, I can show it here.
So the first thing is we're going to go and we created our
log archive and then, after that, we turn it into a JSON with
the command that I just showed on screen.
Let me hide this from here because I don't want to see it.

(35:10):
And then this is you take the LEAPP and you point it towards it,
and this is the output.
Actually, let me show you the actual command in the LEAPP.
So you see and, by the way, I merged this already.
So folks have access.
This is my script, folks have access to it already, people
seeing behind the scenes here.
There we go, so let me run this, all right.

(35:32):
So what you do is you're going to run your LEAPPs, you're going
to browse the folder where your logarchive.json is, that you
created, browse folder for your output and in modules you can
just put here log archive, so that way you don't have to spend
time looking for it and select it.
And then hit process. Logs in the log archive, process it.

(35:55):
When it's done, then it will show you what I just showed you
a second ago.
It will show you this output.
The output is going to tell you first of all that log archive
has started and it says truncated file after position
and a big long number.
The reason is, for your knowledge as examiners, you can
know what the tool is doing when you use a Mac computer to
convert the log archive into a JSON.

(36:16):
It does the conversion, turns everything into JSON format key
value pairs and then appends at the end the name of the log
archive, which is great.
But the problem is that if I want to read the whole file as
JSON, it won't allow me to.
So what I do is, before I manipulate the JSON, I truncate
the name of the file that's at the end of the JSON.

(36:37):
That's the only thing I do.
So that's the solution for you to then ingest the file as JSON.
Okay.
So that's why I put it there, so folks know what the actual
tool is doing.
And then after that, it found 20-something million amount of
records and then processed them and it's done.
It takes around six minutes, which I don't think is

(36:58):
unreasonable in order to take almost 25 gigs of data and turn
it into.
I'll show you now.
I want to say two, but let me confirm into, where's the
database, here it is, into, I'm sorry, 4.8, almost five gigs.
So from 25 to five, that's pretty good.
Now be aware that I made a selection of what fields from

(37:21):
the log archive I'm pulling and actually I'm going to make
some changes.
We're going to add one more field that we think we need,
maybe one or two more.
We'll be doing that in the next couple of days.
So make sure that we don't miss fields that are essential.
This is important for everybody listening.
This tool and any tool will do that for you.
They will make a decision of what things to show.

(37:43):
It's incumbent upon you, as the examiner, to make sure that
whatever the tool is not showing, you make sure that you might
not need it.
So you have to always look at the source data and do some
sanity checks to make sure that you're not missing anything.
I saw you there kind of smiling.

Speaker 2 (37:58):
What's going on, Brett?

Speaker 1 (38:00):
said.
I think I'm in lava with that.
I had to laugh.
Well, I'm not the only one with a dad joke, so I feel I'm in
great company with Brett here.
All right, so after we run the tool, we'll get a directory like
the ones you see here on screen.
You get the iLEAPP directory, as usual, and the data directory
has the whole JSON there.

(38:20):
And then this artifact is interesting.
This artifact will not produce an HTML report, so if you run
the tool, it'll look like nothing happened.
That's something I'm going to change, for I'm going to make an
entry here on the left column.
I'm not saying me, but the developer.
It's not just me, actually.
I'll be honest with everybody.
Right now I'm the one doing the least code, and the reason is

(38:43):
because, I'll be transparent, the project is, it's now, it's more
sophisticated, and it pains me to accept that people that are
way more knowledgeable than me need to push it forward.
So I'm more doing artifacts than doing sophisticated coding,
because it's out of my league right now.
So thank you, Johan, thank you, James, for pushing the ball

(39:05):
forward where I cannot.
But I can make artifacts at least.
So the folks are going to add here on this, on the corner here,
like an indicator that, hey, there is some data that's only
viewable through Lava or viewable with the SQLite
database.
Okay, so there'll be a note there.
But if you're using this for the first time, it'll be done
and it won't say anything that you have.

(39:26):
It did nothing.
Oh, it did something.
What did it do?
Well, you go back to your directory, to your report
directory, and there'll be a lava underscore artifacts db.
All your JSON is now in there and it's about, like I said,
four gigs, five gigs almost in this case.
Let's open that with SQLite DB, DB Browser for SQLite.

(39:47):
And before I do that, before we start querying and seeing useful
stuff, let me just show if I could.
If I could, because I'm not sure if I can, actually.
No, I can't, because I need to open the repository and jump
through hoops to get Lava to run.
Well, I mean, maybe I can, let me see.

(40:08):
See if I can remember the command, npm, was it?
You know what?
I'm going to phone a friend.
Hey, Kevin, if you could put up in the chat what's the command
to run Lava from Visual Studio Code, put it there so I can show

(40:30):
the folks, because, honestly, at the top of my head?
I do not know it.

Speaker 2 (40:35):
I can't help you with that.
I don't know it either.

Speaker 1 (40:37):
Yeah, I know. If Kevin is listening and can get it for me,
that would be great.
While he's doing that, let's show you again what's in the
artifacts database.
We open the database and let's go to browse data and within the
tables there's one called logarchive and we're going to open
that, as you'll see here, the timestamp.
Kevin doesn't remember the command right now.

(41:01):
If you have a computer, go to the Lava repository.
It's going to be there if you don't mind.
You know what I think?
I have the Lava repository saved in my thing, oh.
I have it, never mind.
Never mind, Kevin, I have it, I have it, actually.
I have a pin because I'm a genius like that. Genius, as in
the opposite of genius.
Let me run Lava real quick so people can see how it looks.
npm, so I got that part right.

(41:22):
npm run dev. Run dev.
It's doing something, there we go, all right.
So let me hide this.
Let me show folks, before we do the SQL.
I want to show how it looks in Lava.
So this is not even an alpha version.
It's like a super early version of the software.

(41:42):
So don't judge me too harshly.
I'm going to go to where my stuff is, right.
Let's go to the desktop and I point Lava to the LEAPPs
directory and then I point it to the JSON file it's going to
read from and it will read that database.
You see logs here.
The log archives table, all the 20 million records in them, and

(42:04):
we press it and this Electron app is going to query that
database and it's going to load the different information that's
in it.
It's pretty neat because you can change even, well.
That's loading.
It takes a little bit of time.
While that's loading you can change it to light setting if
you want your eyes to bleed, or you can change it to dark, and

(42:25):
it's pretty neat.
It has an option for your timing and time zones, and-.

Speaker 2 (42:32):
I love that there's a time zone.

Speaker 1 (42:34):
Yeah, you know we try to please, you know, people
that are not UTC value like that, don't get better UTC like you.
I wonder if me messing up with DB Browser open at the same
time it's gonna give it a heartache.
Let me close this up.
There we go, so, and there you go.
So you have the timestamps here, very nice, and then you can go
and query the different columns.

(42:56):
Let me see, for example, let's look at subsystem here.
You can then select what subsystems you want.
It's pretty neat.
Again, we're still in a really early phase, so we can't release
this yet, and the idea is that you can then look through this
interface, eventually add a functionality to select
different rows that you care about, do some queries and the

(43:18):
like.
So we're going to close it.
That's not ready for release yet, but that doesn't mean that
we're powerless.
What can we do?
Well, let's take this database, let's open it with DB
Browser for SQLite and let's go to the log archive.
So what we're going to do is, first of all, you notice the
timestamps here are in epoch timestamps.
Well, let's take the timestamp column, right click on it and

(43:41):
select edit display format.
In our situation, I'm going to use a dropdown that shows up in
the pop-up screen.
I'm going to select Unix epoch to local time.
The reason I'm doing that is because I know this data was
generated in New York, which happens to be my local time as
well, down in Florida.
So this should work.
Always when you apply filters, not filters, but certain

(44:04):
transformations in regards to time zones, you're going to make
sure that you're doing it to the right data and that the data
was generated in the right time zone, so you don't commit
mistakes.
Okay, so we're going to hit.
OK, and here you go.
Here are your timestamps.
You'll see the process IDs, the subsystems, the categories and
the actual messages, which is what the log is actually

(44:26):
memorializing for you.
So what we're going to do now is Heather's going to guide me
to some awesome examples that she obtained or she did, based
on Lionel's excellent work on these logs.
So let's get to it.
What should I do first, Heather?

Speaker 2 (44:40):
So for event message filter on iBoot.

Speaker 1 (44:44):
Event.
Let's put iBoot here and notice, folks, we're talking about
20-something million records, so this might take half a
second or so.
Um, I feel, I still think it's amazing that SQL, that with
SQLite we can actually move through it in a fashion
that's workable. All right, so what are we seeing here, Heather?

Speaker 2 (45:06):
So if you look at the entry on 5-15-2025 at 8:44,
that's when I started my 15 minutes or so of testing and you
can see the iBoot version.
It is artifact 7.

Speaker 1 (45:19):
7.
I'm going to highlight it here.
There we go.

Speaker 2 (45:21):
That is when I booted the phone up to start my 15
minutes of testing.

Speaker 1 (45:27):
Look at that.
So an actual entry.
Was this phone booted?
Could that be important in an investigation?
Absolutely.
What's next?

Speaker 2 (45:37):
So you can take the iBoot away and then on the
timestamp filter do 2025-05-15.

Speaker 1 (45:44):
Dash 05.

Speaker 2 (45:48):
Dash 15.
And then for time do 08, colon 44, colon 45.

Speaker 1 (46:08):
The subsystem.
Once that goes on, subsystem, put in springboard.
And this is the thing, right, while that's loading.
We're gonna build artifacts that speak, or at least to
a springboard.
Um, that will aggregate some of these.
But in the meantime you need to go to Lionel's blogs and do
like we're doing, look for, um, timestamps, subsystems and event
messages of interest and look them up, and then you'll have

(46:29):
the timestamp of what's happening.
And then you can filter by the minute.
Right, and I say by the minute because, Heather, how many
records can we have in a minute, more

Speaker 2 (46:39):
or less?
There's tons.
I mean in 15 minutes there's 1.5 million.
So I mean it's insane.

Speaker 1 (46:44):
We can have 15,000 in a minute, right?
So then you can filter, let's say, even if it's by a minute,
then you can see what's happening before and after your
term of interest, right so?

Speaker 2 (46:54):
for example.

Speaker 1 (46:54):
Let's do the next one , heather.
What are we looking at now?

Speaker 2 (46:56):
So if you look at line number seven, there's a
lock button single press and there's a lock button single
press recognized.
At that minute or at that second, I pressed the side
button to lock the device.

Speaker 1 (47:12):
I mean, that level of granularity is insane yeah
definitely.
If you scroll down to artifact 51.
All right, 51, I'm going to highlight it.

Speaker 2 (47:29):
The received face in view.

Speaker 1 (47:30):
I was unlocking the device with my face, so you were
hitting the number for your nose.
Is that what you?

Speaker 2 (47:33):
were doing? No, putting my face in view of the
phone so I could unlock it. I'm an idiot.
I'm an idiot, I know. Sometimes, um, if you leave the
springboard filter and then just change the time to 0846, no
seconds.
And then scroll down to artifact 301.

Speaker 1 (48:01):
All right, let me scroll here, 301, you'll see that.

Speaker 2 (48:09):
Received face in view again.
I was opening the device with my face again, but if you scroll
down to 382 you'll actually see the transition state moves to
unlocked.

Speaker 1 (48:20):
And that is from my face unlock, huh, look at that,
like so, face unlock.
This is great.
This is great evidence in the case.

Speaker 2 (48:30):
Yeah, yeah, definitely Clearer, filters.

Speaker 1 (48:35):
And, by the way, can you imagine?
Well, no, I did not unlock it, it was your face.
Unless you have a twin, it had to be you, because it's your
face that unlocked it.
I mean, come on, it doesn't getany better than that.
Sorry, I get excited.
What are?

Speaker 2 (48:48):
we doing now.
A lot of times I've seen, like on the groups and on the
listservs, people saying how do I tell if somebody unlocked the
device with their face or their passcode?
These logs are going to tell you that.

Speaker 1 (49:00):
Oh, that's so amazing .

Speaker 2 (49:02):
Yeah.

Speaker 1 (49:02):
All right.
What are we doing now?
Get rid of the timestamp filter, get rid of the springboard
filter and I think just in message type penguin.

Speaker 2 (49:14):
P-E or P-I, I'm not even sure.
P-e.

Speaker 1 (49:18):
G-U-I-N.
You know, being Hispanic, I spell penguin differently, so I
have to remind myself.
All right, all right, we have seven records here.

Speaker 2 (49:40):
So with these records, what I did is the very first
few.
I called the contact in the phone, Penguin, by going to the
contacts, to the phone book, and then the bottom three, if you see,
the subsystem is missing.
So those were actually done with Siri, where I said, hey,
Siri, call Penguin, and we're going to add a column that will
show that that was with Siri, because I can see it in console.
We just need to add it to this.

Speaker 1 (50:01):
Yeah, it's most likely a field that I did not
add in my ignorance, so that's why we have to do this testing.
So then, like Heather said, hey man, we're missing a field.
That's important, then we can add it to the filtering that we
do when we process the JSON file.
That's amazing.
Can I press on them or not,really.

Speaker 2 (50:12):
Yeah, click on one of those last three in the message.
Yeah, so then if you pull it over you can actually see the
contact.
The display name is Penguin and there's actually a phone number
in there to the contact as well.

Speaker 1 (50:27):
Let me open this up.
I should have made this font larger, but bear with us, folks.
So you see here, name is Penguin, right there.
I highlighted here on the right side of the screen there and
then the phone number and their value is there.
So that's pretty amazing.

Speaker 2 (50:46):
And that was one of the Siri, the Siri.
Hey, siri, call Penguin.

Speaker 1 (50:50):
Yeah, like an interaction, that's pretty amazing.

Speaker 2 (50:56):
That's great.
I love it.

Speaker 1 (50:58):
Want some more.
Yeah, yeah, yeah.
I mean, why not?
We got time.
I mean this is awesome, Getsome more.

Speaker 2 (51:03):
Okay, so get rid of the Penguin.
Put a filter on for the 08 or 5-15 or 2025-05-15, same day, 15?

Speaker 1 (51:14):
Yep, yep.

Speaker 2 (51:16):
And then for time do 08, colon 52.

Speaker 1 (51:22):
08, colon 52.
Okay.

Speaker 2 (51:25):
And then under the message filter just type
airplane.

Speaker 1 (51:31):
Oh, I love where this is going.
I love it.
Let's give it a second here.

Speaker 2 (51:36):
It's gonna load those 25,000 records that were
produced in that minute.
Yeah, that's insane.

Speaker 1 (51:51):
But again, I don't have more than less.
Yeah, now we need to figure out what all 25,000 mean. I'm going
to let you handle that.

Speaker 2 (51:54):
I need help.
Is anybody out there?
I know Lionel and Christian are working on it and Johan's
working on it.
Can we get some help?

Speaker 1 (52:00):
Oh, please, please.
Let me know, and I'll quote it. All right, so what do we have
here?

Speaker 2 (52:04):
So in the first few records you can see airplane mode
is off and then at record five is actually when I navigated to
the settings and enabled airplane mode on the device.

Speaker 1 (52:15):
So you can see there, folks, airplane mode is on.
It's now one because it's on.
Amazing.

Speaker 2 (52:19):
Right, if you just change the timestamp filter to
0854.
Yep, and leave that airplane right in there.
We should see when I turned it off.

Speaker 1 (52:36):
See, Derek is saying that it's very cool.

Speaker 2 (52:39):
It is very cool.

Speaker 1 (52:41):
It is, and this type of information is not only
important on the JTAR, forensic side, working intrusion cases or
anything like that, like corporate cases.
Having this granularity, this level of detail, you remember
Foghorn Leghorn in the cartoons?

Speaker 2 (53:01):
No In the old.

Speaker 1 (53:01):
Looney Tunes cartoons .

Speaker 2 (53:03):
Oh, yes, yes, I do.

Speaker 1 (53:05):
The rooster goes uh, uh, uh, and then he started with
one word and he couldn't finish it, so he went with a different
word.
That's me.

Speaker 2 (53:11):
You fixed it, but you just told on yourself.
You should have just went withit, it's okay.

Speaker 1 (53:17):
It's still true.
So yeah, so the amount of level that this detail, that this has,
right, is going to be useful for any corporate investigations,
corporate cases, all like accidents, accidents, dispute in
regards to who's responsible for an accident, distracted
drivers, I mean, we are really right now.
This log, I believe, is really understated in the forensics

(53:37):
world.
And it should take.
We're working as community members to make sure that we
give a word, put the word out, but also this type of conversion
to make it accessible to people.
Alright, sorry, got a little tangent there.

Speaker 2 (53:51):
No, you're good, so you can see at 8:54, I took the.
I turned airplane mode off.

Speaker 1 (53:56):
Oh, there we go, there we go, boom Off Awesome.

Speaker 2 (54:00):
Yeah, so remove airplane from your filters and
change your time filter, instead of 54, change it to 58.

Speaker 1 (54:08):
58,.
Here we go, okay.

Speaker 2 (54:11):
And there's a ton of stuff in here.
Actually, we're going to put a filter on for Facebook in the
messages.

Speaker 1 (54:19):
Messages.
This minute gave us 35,000 records.

Speaker 2 (54:24):
I think we can narrow it down if we put Facebook in.

Speaker 1 (54:26):
Yeah, I think that might be a good idea.
It's down to 2000.
2000 is way more manageable.

Speaker 2 (54:36):
That's definitely better.
So at this minute, at 8:58, I opened up the Facebook
application, messed around in there a little bit.
You can see in some of these artifacts that there's data
usage for the Facebook application and there's a whole
bunch of other things going on with the Facebook application
here too.
I mean, there's still 2,300 artifacts just related to me

(55:01):
opening the Facebook app and I literally just clicked on one
thing.

Speaker 1 (55:05):
This is interesting because, even if there's not a
line that says Facebook app opened, you know I mean, uh, if
you look at what the behavior of the log is when you open an app
and you see, for example, like you said, data usage, how much,
how much Wi-Fi, then it's coming in and out, uh, paired to some
specific DNS requests.
Paired to, I think there's.

(55:26):
I think you said there's a user one, is it?
That is, that's not like a user entry, which is Facebook, in the
Facebook?

Speaker 2 (55:30):
which is a Facebook in the Facebook one? Oh, there's
one, I'm not exactly sure what line it's on, but there's one
that actually, uh, that has the word icon in it, and it's when
I'm pushing on the icon to open, to launch that app. Yeah, but
the user stuff.

Speaker 1 (55:45):
I'm not sure if there's anything user. No, no, but
even icon, right, if you have the icon, you have the data.
You kind of look at all these things like, well, it's getting
this section, it's getting this, getting that.
That will tell you that it's consistent with somebody driving
the thing, that it's not just

(56:05):
Facebook doing something behind the scenes without you doing it.

Speaker 2 (56:07):
There's artifacts in there too that show when the app
is in the foreground or when it moves to the background.
I mean, I didn't map those out to show it, but they're.
They're in there.
So if you were to do some keyword searching related to
Facebook and background and foreground, you'll find that too.

Speaker 1 (56:21):
There you go, and let me say, Matthew, saying that
this feels like KnowledgeC, but cooler and more granular.
KnowledgeC or SEGBs, and I mean, do you agree, Heather?

Speaker 2 (56:32):
Yeah, oh, definitely.
I think it's definitely cooler.

Speaker 1 (56:37):
It has way more detail.
Imagine having SEGB stuff, right, and then having this on
top of that.
I say SEGB because SEGBs are now the structures that are, yeah,
that took over for KnowledgeC.
You put all these together, all these different data points, in
a good timeline.
Oh my goodness, I mean, the amount of visibility you get
into user action, which is what we care about.

(56:58):
We care about differentiating between user action and system
action devoid of the user.
It's just, again, it's really understated.
Folks are not using it.
Many folks are not even collecting these logs.
You have to collect these logs, I'm sorry, but that's what it is,
and we're going to kind of share the process of doing so

(57:21):
out of a full file system extraction if you didn't run the
command, and then you can go through this process to turn it
from a log archive into JSON, use iLEAPP to dump it into a
SQLite database and then you can go in and look for the key
keywords.
And again, in the near, near future, I'm going to do it

(57:41):
myself.
I'm going to make sure I can build some artifacts.
At least, I want to build an artifact that puts all the ones
that Lionel has been highlighting in one place.
You can see them chronologically, like open face
view, locked, unlocked, airplane mode, like all of those that we
discussed, all in one place, and then, as we discover additional
ones, we can add them to that known to be awesome entry logs,

(58:05):
log entry, sorry.
So I still have to think how I'm going to do it, in the sense
of what the output will be, because I bet they won't fit on
an HTML report, you know.

Speaker 2 (58:14):
That's not going to happen.

Speaker 1 (58:16):
So I'm thinking maybe I need to turn it into some JSON
and then, I don't know, I have to think, and then maybe have it put
in a SQLite database.
I don't know how to think about it, but we're going to discuss
that.
Some of the developers, we're going to float the idea to them
and see where we go from there.

Speaker 2 (58:31):
All right, we got to show one more.

Speaker 1 (58:32):
Yeah, absolutely Go ahead.

Speaker 2 (58:33):
So if you change your time filter to 09.00.

Speaker 1 (58:37):
Take Facebook out.

Speaker 2 (58:39):
Yeah, you can, yep.

Speaker 1 (58:40):
Okay, take Facebook out and then send it to what
again?

Speaker 2 (58:42):
09.00.

Speaker 1 (58:45):
09.00.

Speaker 2 (58:47):
Yep, and then you should be able to just type in
face up. Oh, I can't hear you.

(59:32):
So can you hear me?
Oh, okay, well, let me just tell you about it real quick,
but I can't hear anything you're saying.
So, um, you'll, you can find the orientation changes to, oh, I
hear you again. Okay, you know, my dummy, uh, arm hit the
move button. Okay.

(59:53):
So that one wasn't me. Good, because mine's been a disaster
this entire show.
So, um, you can see the, uh, device orientation change to
face up.
So I had the phone face down on my table and I flipped it to
face up, and prior to that you can actually go look and find a
face down entry as well.

Speaker 1 (01:00:15):
Well, and like you mentioned, you see here receive
orientation, and it goes from face down to face up, of course,
like you said, we can look for that specific entry going back
in the log, but even mentioned, it's here.
So you had like a double confirmation there of what's going
on.

Speaker 2 (01:00:29):
Yeah.

Speaker 1 (01:00:31):
That's awesome Again.
It's like moving from this place to this other place.
Oh, how awesome is this.

Speaker 2 (01:00:37):
Yeah.
So all that stuff was going on in like 15 minutes too, and
there are so many entries that are between the things that we
were just showing everybody that I don't even know what they
mean.
So further investigation, we're going to have to try and figure
out what some additional entries mean for sure.

Speaker 1 (01:00:55):
Oh, out of 20 million entries, I believe, just based
on the statistics of how things are, that we're still just
scratching the surface with as many as 10, 15 artifacts, which
are still amazing.
I think you mentioned during last week, because this, by the
way, this little conversion that I did with the LEAPPs, I did it
in the, not breaks, but as Heather was teaching something,

(01:01:16):
then I had a break, then I would code some of it, right, and
Heather was telling me, and correct me if I'm wrong, that
there's some artifacts related to automotive things, right?

Speaker 2 (01:01:28):
Oh yeah, Lionel has them on his blog.
So whether it's moving, whether it's vehicular speed, I guess
it's picking up.
I'm not 100% sure, but he has a whole blog on the moving states
of the device.
John Hyla, who was teaching with us in IACIS, was actually
testing them during the breaks too, and he took the phone out
and he ran with it and it picked up that the motion state

(01:01:50):
changed to running.

Speaker 1 (01:01:52):
Oh, wow.

Speaker 2 (01:01:52):
Yeah, he was checking that out.
Definitely he had it going.
We flew home together.
He had it going in the airport showing me all this stuff, so it
was cool.

Speaker 1 (01:02:02):
We're about the same age, so me putting myself in his,
his place, I bet he was really happy that the phone
thought he was running.
Yeah, yeah, because if I do it he might think I'm walking.

Speaker 2 (01:02:12):
Listen, it's fine, because you're not going to find
the running, uh, motion state transition on any of my devices.
No way, but?

Speaker 1 (01:02:21):
But you weren't, you weren't even trying.
But I think even if I tried, it was still briskly walking, it
won't get to running state.
Which reminds me, I think Bill is trying to figure out how do I
simulate what?
Was it a crash with a phone?

Speaker 2 (01:02:36):
Oh yeah, he was Yep.

Speaker 1 (01:02:38):
And throwing it.
I don't think that's going to simulate a crash.
Maybe if you get in the car, you get it to 80 miles per hour
and then you throw it at somebody with a catcher's mitt,
maybe.
Of course I don't want to be the one receiving that phone at
80 miles per hour.
Also, the phone might not survive.

Speaker 2 (01:02:56):
But who knows?
This is a good comment from Christian.
Often, several entries show the same process from different
perspectives, from the perspective of other apps,
Springboard, et cetera, and I 100% can see that in the data
that I collected today.
Like for one airplane mode on, there's like a few different

(01:03:17):
ways of saying it in the logs and it's all the same event.
I only did it once.

Speaker 1 (01:03:20):
It will be interesting, again, I'm a
neophyte on this, to see those different perspectives.
Hey, we can even aggregate them, right, so some sort of
categorization of, you know.
Again, if other apps are interacting with another app,
how do we automate the identification of those?
That would be pretty interesting, yeah.
And the more we see a user action generating something on

(01:03:45):
the device, the more we know about the user, which I think is
the, like Brett says, put the person behind the keyboard or,
in this case, behind the screen of the device.
An actual human was using this and doing X, Y and Z.
That is relevant to the case.

Speaker 2 (01:04:01):
Right, exactly so.
Very cool stuff, and I didn't realize you already put it into
the LEAPPs and that I can go use this now. Yeah, yeah, again, folks,
just again, and I have to.

Speaker 1 (01:04:12):
I had to make a post.
This is, it's.
We're all so short in time, but I gotta make a post where it's
to explain the process, which is take your Mac, pull your log
archives or, if you have them already, turn them into JSON,
make sure you rename it as logarchive.json, run it with
iLEAPP and look at the database and you should be able to do a
whole bunch of stuff with those.
You do the SQLite version of it.

Speaker 2 (01:04:33):
Let's do that. Post this, well, by next week, and
we'll add in Johan's way of pulling the logs from a full
file system extraction and how to create that log archive so
that people have it.
I know you were asking me about it in the middle of the show
and I froze completely so I couldn't hear what you were
saying.
But let's try and put it up on either your site or my
site, or both, and give that walkthrough.

Speaker 1 (01:04:57):
Oh, that's awesome.
Yeah, we'll put it up and talk about that, if you don't mind.

Speaker 2 (01:05:03):
So will this already work with the
Mandiant tool JSON output?
What did we find?
You ran it.

Speaker 1 (01:05:09):
So I ran it and it worked.
One thing I didn't like is that it changed the column names to
something that they named, and I like to use the Mac to produce the
JSON because it's whatever naming Apple gave it.
So I'm taking an Apple product, using another Apple product
that's designed to work with those, to produce the JSON that I

(01:05:30):
will use.
So to me, from my perspective, I'm not using a third party,
removed from the process, to look at it.
I mean, it's not wrong.
But from my perspective, the less I can involve third and
fourth parties in the transformation process, I think
it's better.

(01:05:51):
So instead of going from Apple to Mandiant, to JSON,
to LEAPPs, to SQLite, to you, I'd rather keep it all the way
Apple to the SQLite.
And there you go, right? And I preserved the
names of those columns.
Of course, timestamp is timestamp, right, but subsystem
is how Apple named it.

(01:06:11):
Event, whatever it is, is how Apple named it.
To have that continuity, it's more of a preference.
If somebody says, well, I used a Mandiant tool to convert it to
JSON to manipulate it, is that incorrect?
No, it's not incorrect.
Again, you're an examiner, you're an expert, you verified
the data, you validated the process.
You put in your notes what each field means and you provide

(01:06:32):
your report.
I don't see why it wouldn't be accepted.
But from my personal perspective, this workflow, I
feel it's better for me for those reasons, and also I control
the SQLite database that's produced, because I made it and
the source code is open source.
I'm not sure Mandiant's is, maybe it is.

(01:06:53):
I don't want to speak out of turn, but if it is, great, right?
People can look at it, and if they need to make changes to
make it better, they can submit a pull request to us and then we
go from there.
Does that help, Heather?

Speaker 2 (01:07:05):
Do you think that makes sense?
Yeah, definitely.
I haven't had a chance to look at the output that
Mandiant puts out either.
I know you showed me that the columns are different, but I
would also, like you were kind of just saying, want to make
sure that everything I'm seeing in Console, and everything I'm
seeing that I think is a relevant artifact, actually is
there in the JSON.

Speaker 1 (01:07:25):
Yeah, absolutely.
And let me make a quick note for the developers out there.
Again, this is a humongous JSON file, 25 gigs.
If you're going to use import json and try to read it with the
json library, good luck.
It's just way too big and it's going to take forever and might
not even work.
So for developers out there, what I did, that seems, and it
does work, as I just demonstrated, it's an import that

(01:07:48):
I did, a library which I'm going to have to add also to the
LEAPPs, to the requirements.txt.
It's called, if I'm not mistaken, ijson.
I want to show it here, obviously, so I have to do my
ABCs to know where L is.
All right, there we go.
I got the code there.
Let me show the folks quickly before we leave.
It's kind of funny.
We're like, we have no news, no news stuff to talk about in the

(01:08:10):
show.
So we're like, let's make it like a tech show.
And now it's like we need more time.

Speaker 2 (01:08:15):
Yeah, I didn't think it would go the whole time.

Speaker 1 (01:08:17):
Yeah, me neither, but...

Speaker 2 (01:08:19):
I love all this stuff.

Speaker 1 (01:08:21):
I mean, we both do.
I need to hit stop screen and then present on the screen,
share screen.
Right, allow it, and I want to share the screen.
Okay, so here we go.
Perfect.
So here is how the artifact looks, like I mentioned
previously.
Make sure that the output is called logarchive.json, so the
iLEAPP plugin or artifact can pick it up, all right.

(01:08:42):
Notice, folks, here the output type is going to be a LAVA
output, which means it's going to be the database, the SQLite
database.
You can put HTML here in the list.
But the problem is that, good luck opening a 24 gig or two gig
HTML, not happening, just not happening.
So, but again, we're going to work on how to talk to
developers in the Discord.

(01:09:02):
Today I'm going to put a message out.
Smarter people than me, how can we do this?
That being said, let's go down here.
I want to show you.
I import ijson, you see here.
So ijson does, it takes and reads.
You know, in this case, it's a big dictionary that has lists in
it.
It reads each list individually, so it doesn't need to load the

(01:09:22):
whole JSON in memory to deal with it.
It works with it as it's loading.
So loads works with it, which I
really like a lot, and you can
see here.
There's some code that I made here to truncate the last part
that's not JSON, so it doesn't choke, and then I let you know
that it's truncated after position one.
Actually, I need to put here, it shouldn't be print.
I need to change this to what?

(01:09:43):
Hold on, I need to change it to logfunc.
Actually, since I'm here.

Speaker 2 (01:09:49):
Let me do it right now.
Oh, we get to witness you live coding.

Speaker 1 (01:09:52):
Well, live affects my own nonsense, all right.
So what logfunc does is actually make sure that it's
shown to the screen and also shown in the actual TXT log,
which I didn't do, but now I just did.
Yay. All right, so it's pretty neat.
So for it to make a LAVA compliant artifact, you put the decorator
for artifact processor and then you do your stuff as you would
do, and here I pull out timestamp, process ID,

(01:10:15):
subsystem, category and event message and the trace ID, and
then I collect them and then I send them.
When I return it, the decorator looks for these three things
and makes sure that the SQL database is populated
accordingly.
And there we go, super easy to make this artifact in the sense

(01:10:35):
of the artifact structure.
Your magic here about how you go about the JSON,
well, that's on you as a developer and that takes a
little bit more time.
And there we have it.
So, folks, use the ijson library there, and if you want to do your
own way of doing it, this is just one way, not the way, but if
you want to build your own,
I recommend using ijson as your module to read that JSON in

(01:11:00):
parts: process, read, process, read, process, read, and make it
manageable.
Make sense to you?

Speaker 2 (01:11:09):
Heather, it makes sense.
That's just a couple lines of code, right? Easy peasy, easy
peasy.

Speaker 1 (01:11:12):
Yeah, you know, it's easy.
Sometimes you give me, oh, it's not easy, just Google it.
The first entry tells you how to do it.
I mean, come on. I know, AI, AI, no, no, Google it, oh no.

Speaker 2 (01:11:26):
I'm not doing that anymore.
I'm not. Well,
I did do it to translate Johan's PowerPoint, though.

Speaker 1 (01:11:29):
I mean, okay, I'll let it pass.

Speaker 2 (01:11:33):
Although I sent the translated copy to him and he
said a few things aren't right.
What, yeah?

Speaker 1 (01:11:40):
I cannot believe it.

Speaker 2 (01:11:41):
It can't even translate right.
We had to get some kind of AI into this hour, didn't we?

Speaker 1 (01:11:46):
We have to, we have to, we love it a
little bit, I hate it a lot. Anyhow,
so that way, I think that's what we have for everybody.
Folks, do you have any...
Oh, no, Heather does have something, or else, what do we
have, Heather?

Speaker 2 (01:11:59):
I didn't have to do the meme of the week. We have to
go ahead. All right, let me,
let me share my window here,
if I can find it. There we go.
So, since we were gone for two long weeks at IACIS, we have to
put up the meme that says just got back from a conference,

(01:12:19):
training.
And then it says the office, and there are things on fire,
there's people on the ground, there's things destroyed.

Speaker 1 (01:12:29):
What am I missing? A mess on the floor?

Speaker 2 (01:12:32):
Yeah.
So it is saying, you know, you come back to the office after
your two weeks of conference or training and the office is on
fire.

Speaker 1 (01:12:42):
You have like 20 million emails waiting for you.

Speaker 2 (01:12:48):
So, yeah, I couldn't believe the number of emails, and
I have a grand jury and a trial that were sprung upon me when I
got back.

Speaker 1 (01:12:53):
So they're doing two weeks.
What?

Speaker 2 (01:12:56):
Yeah, yeah, no, at least the analysis is done,
but they're going to court, so. Oh my goodness, so many emails.

Speaker 1 (01:13:03):
You want to turn them into JSON and put them in a SQL
database.

Speaker 2 (01:13:06):
Yeah.

Speaker 1 (01:13:06):
To be able to sort through them.

Speaker 2 (01:13:07):
Right, exactly.
Oh my God, that's like the nerdiest joke ever.
All right.
Well, you are a nerd.

Speaker 1 (01:13:17):
We are nerds.
Actually, I can see that you're a live nerd.

Speaker 2 (01:13:21):
Oh, I am, yes.
Yeah, on your screen right there it says LiveNerd.

Speaker 1 (01:13:24):
Anyway, oh, it's been a blast, as always.
Yes, you're the best, Heather.

Speaker 2 (01:13:29):
Thank you so much. Sorry about my Wi-Fi.
I will get it fixed for next week.
I hope the Spotlight stuff came through for everybody.
If it didn't, I can always briefly redo it in the future
when I fix my internet issue.

Speaker 1 (01:13:42):
No, no, it came across.
What you need to do is fix your Wi-Fi by not using it, by
having a big fat wire.

Speaker 2 (01:13:49):
I know, Cat 6 going from your computer to your
router.
Yeah, just like I used it, all right.

Speaker 1 (01:13:57):
That's funny.
I'm trying to do fireworks, but I don't see the fireworks
thing on my thing anymore.
I think I turned it off.
Anyways, for the next episode.

Speaker 2 (01:14:05):
All right.

Speaker 1 (01:14:06):
Well, anything else for the good of the order, Heather?

Speaker 2 (01:14:10):
That is it. Thank you, everybody, for listening. Thank
you.

Speaker 1 (01:14:12):
If there's no cool news to comment on in the next
two weeks, guess what? We'll do
another tech podcast, baby.

Speaker 2 (01:14:16):
Yeah, why not?

Speaker 1 (01:14:19):
Heck, we need to start just showing them how to
put the log archive from the tracev3 files and make it into
log archives.
Just that is going to be a cool episode, so we might be doing
that soon.

Speaker 2 (01:14:30):
Definitely.

Speaker 1 (01:14:31):
All right.
Again, thank you, and we'll see you all in a couple of weeks.
Take care.

Speaker 2 (01:14:35):
Bye.

Speaker 1 (01:14:35):
Bye.

[Outro music]