πŸ›‘οΈ Defence Mechanisms

📚 MacOS Basics

Firewall

You can set specific rules to limit the traffic.

FileVault

No recovery once this password is lost.

Partitions

It has a hidden partition installed (MacOS Recovery). It replaces the installation disks that came with older machines. Restart and hold down the R-key. It doesn’t touch the user directories, only reinstalls the OS. If this option is not available, Internet Recovery will be launched.

Disk Utility

When erasing data choose from the three options:

⛅️ AWS Evidence Collection

Are there any Shadow Cloud Accounts? Could be the first place to look when investigating.

A ‘without-reboot’ snapshot is equivalent to a live acquisition, and a snapshot with a reboot is more like a traditional powered-off acquisition. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 175). BCS Learning & Development Limited. Kindle Edition.

EC2 instance metadata


Some sensitive information can be stored in IMDS if it’s not configured properly. T1522 (MITRE). This is not the case with service-managed accounts.
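A defender-side check for the misconfiguration described above, added here as an example and not part of the original notes: it walks a DescribeInstances-shaped document and flags instances whose metadata service still answers IMDSv1 requests or allows responses to travel more than one hop. Field names follow the EC2 DescribeInstances API (MetadataOptions.HttpTokens, HttpEndpoint, HttpPutResponseHopLimit); the sample document is constructed.

```python
"""Audit EC2 instance metadata options from a DescribeInstances-shaped
document and flag instances whose IMDS configuration is weak.

Added example, not from the original notes. Field names follow the EC2
DescribeInstances API; the sample document below is constructed.
"""
from typing import Dict, List

# Constructed sample in the shape returned by `aws ec2 describe-instances`.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111example",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0bbb222example",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ccc333example",
             "MetadataOptions": {"HttpEndpoint": "disabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
}


def imds_findings(describe_output: Dict) -> Dict[str, List[str]]:
    """Return {instance_id: [finding, ...]} for instances with weak IMDS settings."""
    findings: Dict[str, List[str]] = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            # A disabled endpoint cannot leak anything, whatever the other settings.
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue
            issues: List[str] = []
            # IMDSv1 still allowed: metadata can be read with a plain GET, no session token.
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed (HttpTokens != required)")
            # Hop limit above 1 lets responses reach beyond the instance itself (e.g. containers).
            if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
                issues.append("HttpPutResponseHopLimit > 1")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings
```

Feed it the JSON from `aws ec2 describe-instances` to get a per-instance list of findings; instances with a disabled endpoint are skipped and a hop limit above 1 is reported for review rather than treated as always wrong.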

🍎 iOS Evidence Collection

General Considerations

First of all, all the Apple devices support remote wiping, which has evolved significantly over the years and now supports Bluetooth. When I say wiping over Bluetooth, it doesn’t mean that the person wiping and the device need to be within Bluetooth range (which is quite short). It could be an examiner with a Bluetooth-enabled device standing near the iPhone with Bluetooth on, and the person of interest somewhere within range of the first responder. I didn’t try this myself, but I should. This is based on the interview given on the Surviving Digital Forensics podcast on T1 and T2 Apple devices and the challenges forensic examiners now face.

🐧 Linux Evidence Collection

File Systems

ext2, ext3, ext4, ReiserFS, XFS, JFS, Btrfs.

Logical backup: doesn’t copy everything; slack space, free space and deleted files are not captured. Imaging: bit-by-bit copy. Should not be done on a live system!

Live Acquisition

https://github.com/Dead-Simple-Scripts/AutoLLR automatically collects live information. It has quite a heavy footprint, but if we are not collecting RAM, that is not the biggest issue.
