
🍏 🐧 UNIX Artefacts

Geo

iOS

/private/var/mobile/Containers/Data/Application/[APPGUID]/Library/Maps/GeoHistory.mapsdata
/private/var/mobile/Containers/Data/Application/[APPGUID]/Library/Maps/GeoBookmarks.plist
/private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite
/private/var/mobile/Library/Caches/com.apple.routined/Local.sqlite


iOS Logs

Same as for macOS. On iOS the fsevents log lives at /private/var/.fseventsd; the System volume has its own at /.fseventsd and the Developer Patch volume at /DeveloperPatch/.fseventsd.

Internet activity

SELECT
*, _ROWID_ "NAVICAT_ROWID"
FROM
"fsevents"
WHERE
"filename" LIKE '%websitedata/local%'

Email activity

SELECT
*, _ROWID_ "NAVICAT_ROWID"
FROM
"fsevents"
WHERE
"filename" LIKE 'mobile/Library/Mail/%'

iCloud synced files

SELECT
*, _ROWID_ "NAVICAT_ROWID"
FROM
"fsevents"
WHERE
"filename" LIKE 'mobile/Library/Mobile Documents/com~apple~CloudDocs/%'
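The three triage queries above assume the fsevents records have already been parsed and loaded into a SQLite table named fsevents with a filename column. The following is an added example (not code from the original page) that builds such a table from a few constructed rows and runs the same three patterns, so the matching behaviour can be checked before pointing them at a real parser output. The sample paths and the flags column are constructed.

```python
import sqlite3

# Constructed sample rows standing in for fsevents records that a parser has
# already loaded into a SQLite table named "fsevents" (the layout the queries
# above assume). Paths are relative to the data volume root, as "mobile/..." is.
SAMPLE_ROWS = [
    ("mobile/Library/Mail/V9/MailData/Envelope Index", "ItemIsFile;Modified"),
    ("mobile/Containers/Data/Application/AAAA-1111/Library/WebKit/WebsiteData/"
     "LocalStorage/https_example.com_0.localstorage", "ItemIsFile;Created"),
    ("mobile/Library/Mobile Documents/com~apple~CloudDocs/report.pdf", "ItemIsFile;Created"),
    ("mobile/Library/Caches/com.apple.routined/Cache.sqlite", "ItemIsFile;Modified"),
    # Same mail path recorded with a different prefix: the anchored 'mobile/...'
    # pattern does not match it, which is the caveat to keep in mind.
    ("private/var/mobile/Library/Mail/V9/MailData/Envelope Index", "ItemIsFile;Modified"),
]

# The three triage queries from the page, keyed by activity category.
# SQLite LIKE is case-insensitive for ASCII, so '%websitedata/local%' also
# matches ".../WebsiteData/LocalStorage/...".
QUERIES = {
    "internet": "SELECT filename FROM fsevents WHERE filename LIKE '%websitedata/local%'",
    "email": "SELECT filename FROM fsevents WHERE filename LIKE 'mobile/Library/Mail/%'",
    "icloud": "SELECT filename FROM fsevents WHERE filename "
              "LIKE 'mobile/Library/Mobile Documents/com~apple~CloudDocs/%'",
}


def build_db(rows):
    """Create an in-memory fsevents table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fsevents (filename TEXT, flags TEXT)")
    conn.executemany("INSERT INTO fsevents VALUES (?, ?)", rows)
    conn.commit()
    return conn


def triage(conn):
    """Run each category query; return {category: [filename, ...]} in rowid order."""
    results = {}
    for category, sql in QUERIES.items():
        cur = conn.execute(sql + " ORDER BY _ROWID_")
        results[category] = [row[0] for row in cur.fetchall()]
    return results


if __name__ == "__main__":
    for category, hits in triage(build_db(SAMPLE_ROWS)).items():
        print(f"{category}: {len(hits)} hit(s)")
        for path in hits:
            print("   ", path)
```

The email and iCloud patterns are anchored at `mobile/`, so they only match when the parser records paths relative to the data volume root; if the tool you use records the full `/private/var/...` path, prefix the pattern with `%` or the entries are silently missed.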

Syslog

According to Apple docs, NSLog now doesn’t write to syslog, therefore I didn’t find a syslog.sock or syslog file itself.

iOS RAM

For mobile platforms (iOS and Android) there is currently no tool available to take a full copy of RAM. However, it is still possible to dump the memory space of each running process.

💡 Research 🔬 Top secret yet

To get the list of running processes:

To get the memory space of a process:

frida-dump # had some bug for iOS, py file might need manual pathing.
clutch
objection



macOS Logs

macOS

Syslog

Since macOS Sierra (10.12, 2016) Apple has redesigned its logging system: the classic Unix logs (syslog, for example) were replaced by the unified log. syslog was replaced on iOS as well (see here). Some classic logs still exist: daily.out, cups, install.log. 🛑 More about logs for iOS and macOS here.

🛑 More about fsevents here.

New unified log path in 2 directories:

  • /var/db/diagnostics
  • /var/db/uuidtext

According to Apple docs, NSLog now doesn’t write to syslog, therefore I didn’t find a syslog.sock or syslog file itself.

Processes

RAM

This is about … .

UNIX Configs

Linux

SSH Files

/home/%username%/.ssh/authorized_keys
/home/%username%/.ssh/known_hosts
/home/%username%/.ssh/config
/home/%username%/.ssh/id_* (default) and just /home/%username%/.ssh/ for all the keys
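When reviewing the authorized_keys files listed above, the useful facts per entry are the key type, its fingerprint (to match against known-good keys), the comment, and any options that change what the key may do (command=, from=, forwarding restrictions). The following is an added example, not code from the original page, that parses entries in the OpenSSH authorized_keys format and computes the same SHA256 fingerprint ssh-keygen -lf prints. The key blob and the two sample lines are constructed and are not real keys.

```python
import base64
import hashlib
import re

# Key types OpenSSH accepts at the start of an authorized_keys entry; a line
# whose first token is not one of these carries an options field first.
KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
    r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$"
)

# Options that change what a key can do; worth a second look in a review.
NOTABLE_OPTIONS = ("command", "from", "environment", "permitopen",
                   "agent-forwarding", "port-forwarding")

# Constructed key blob (ed25519 wire layout with a dummy 32-byte point).
FAKE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
).decode()

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not a real key file
ssh-ed25519 {FAKE_BLOB} alice@laptop
command="/usr/local/bin/backup.sh --verify",from="10.0.0.0/8",no-pty ssh-ed25519 {FAKE_BLOB} backup
"""


def _cut_options(line):
    """Return (options, rest): the options field ends at the first unquoted whitespace."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""


def _split_outside_quotes(text, sep):
    """Split text on sep, ignoring separators inside double quotes.
    Backslash-escaped quotes inside an option value are not handled."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_authorized_key(line):
    """Parse one authorized_keys entry; return None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if KEY_TYPE_RE.match(line.split(None, 1)[0]):
        options, rest = "", line
    else:
        options, rest = _cut_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2 or not KEY_TYPE_RE.match(fields[0]):
        raise ValueError(f"not an authorized_keys entry: {line!r}")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    opts = [o for o in _split_outside_quotes(options, ",") if o] if options else []
    notable = []
    for opt in opts:
        name = opt.split("=", 1)[0]
        name = name[3:] if name.startswith("no-") else name
        if name in NOTABLE_OPTIONS:
            notable.append(opt)
    return {
        "options": opts,
        "type": fields[0],
        # Same format as `ssh-keygen -lf`: SHA256 over the decoded blob, base64, no padding.
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
        "comment": fields[2] if len(fields) > 2 else "",
        "notable": notable,
    }


def review_authorized_keys(text):
    """Parse every entry in an authorized_keys file's contents."""
    entries = []
    for line in text.splitlines():
        entry = parse_authorized_key(line)
        if entry:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in review_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(e["type"], e["fingerprint"], e["comment"] or "(no comment)", e["notable"])
```

Compare each fingerprint against the list of keys you expect on the host; a key with a command= restriction is not necessarily benign, since the forced command itself needs to be reviewed.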

Network

• /etc/*-release
• /etc/hostname
• /etc/hosts
• /var/lib/NetworkManager, /var/lib/dhclient, and /var/lib/dhcp (lease files)

System

/etc/*-release

macOS

Most of the configurations on macOS are stored in plist files. Unlike Windows with its one repo called the Registry 😱 there is no single place with all the plists.

Kerberos

plutil -p "./0/root/private/var/db/dslocal/nodes/Default/config/KerberosKDC.plist"

Plists

  1. Label
  2. Arguments
  3. RunAtLoad - persistence (the job starts as soon as launchd loads it, i.e. at boot or login).
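plutil -p only prints a plist; when reviewing many LaunchAgents and LaunchDaemons it is quicker to pull out the three fields above programmatically. The following is an added example, not code from the original page, using Python's plistlib (which reads both XML and binary plists, so no plutil conversion is needed). The launchd key for the argument list is ProgramArguments; alongside RunAtLoad it also checks the other launchd scheduling keys that keep a job running (KeepAlive, StartInterval, StartCalendarInterval, WatchPaths). The sample plist and its label are constructed.

```python
import plistlib

# Constructed LaunchAgent plist (not from a real system) with the three keys
# named above: Label, ProgramArguments and RunAtLoad, plus KeepAlive.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/python3</string>
        <string>/Users/Shared/.updater/run.py</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""

# A second constructed job with no trigger keys: launchd loads it but nothing starts it.
ON_DEMAND_PLIST = plistlib.dumps({"Label": "com.example.ondemand", "Program": "/bin/true"})

# launchd keys that cause a job to start or stay running without user action.
PERSISTENCE_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                    "StartCalendarInterval", "WatchPaths")


def summarize_launch_item(data):
    """Extract label, program, arguments and persistence triggers from plist bytes."""
    d = plistlib.loads(data)  # auto-detects XML vs binary plist
    args = list(d.get("ProgramArguments") or [])
    program = d.get("Program") or (args[0] if args else None)
    triggers = [key for key in PERSISTENCE_KEYS if d.get(key)]
    return {
        "label": d.get("Label"),
        "program": program,
        "arguments": args[1:],
        "triggers": triggers,
        "persistent": bool(triggers),
    }


def summarize_directory(path):
    """Summarize every .plist in a LaunchAgents/LaunchDaemons directory (needs a real path)."""
    from pathlib import Path
    return [summarize_launch_item(p.read_bytes()) for p in sorted(Path(path).glob("*.plist"))]


if __name__ == "__main__":
    for data in (SAMPLE_PLIST, ON_DEMAND_PLIST):
        s = summarize_launch_item(data)
        flag = "PERSISTENT" if s["persistent"] else "on demand"
        print(f"{s['label']}: {s['program']} {s['arguments']} [{flag}: {', '.join(s['triggers'])}]")
```

Run summarize_directory over /Library/LaunchAgents, /Library/LaunchDaemons and each user's ~/Library/LaunchAgents, then look at any entry whose program lives outside the usual system and application paths.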

iOS

Application Permissions:

• HomeDomain-Library/TCC/TCC.db
• /private/var/mobile/Library/TCC/TCC.db

UNIX Core

iOS Keychain

In this article I’m trying to study how keychain works.

Metaphor

There once lived a monkey 🐒 George. He was a nice fellow, but his memory was very poor and caused him a lot of trouble. He was also very absent-minded and had lost some of his secret keys. He met a bird 🐔 Marvin and said: "Marvin, my memory is no good, here are all my keys 🔑🔑🔑🔑 , I will just retain this small key-card 🎴 which I will show you to prove it's really me. Whenever I need a key, I'll show you this card. You give me the key 🔑 temporarily and then take it back after I've used it 🔐 ." Marvin was a very responsible guy and he agreed.