Mobile 4N6 101
Nic Fillingham: Hello. And welcome to Security Unlocked, a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft security, engineering and operations teams. I'm Nic Fillingham.
Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research and data science.
Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft Security.
Natalia Godyla: And now let's unlock the pod.
Nic Fillingham: Hello, the internet. Hello, listeners. Welcome to Episode 48 of "Security Unlocked." Thanks for joining us. My name is Nic Fillingham. I'm joined, as always, by Natalia Godyla. Natalia, how are you? And do you like or watch any of these "CSI," NCIS-y television programs?
Natalia Godyla: Oh, man, yes. Maybe there's a reason why I'm into this cybersecurity space. I grew up on "Law & Order: SVU" and "NCIS."
Nic Fillingham: That explains so much.
Natalia Godyla: (Laughter) All of the dots have been connected.
Nic Fillingham: As a fan of these shows and watching these shows, how much of what you see in the show did you ever think was a true representation of actual crime scene investigation, actual forensic work?
Natalia Godyla: I was sold. I thought that that's what a crime scene looks like, how investigators operated. But Sarah, our guest for today, sheds some new light on that.
Nic Fillingham: Absolutely. I am leading the witness here. So our guest today is...
Natalia Godyla: (Laughter).
Nic Fillingham: ...Sarah Edwards, who has multiple roles. Sarah is a researcher at Cellebrite, as well as a senior instructor at the SANS Institute, focusing on mobile digital forensics, which is not a van full of people who conduct digital forensics. Get it? Mobile digital forensics.
Natalia Godyla: (Laughter) I got it.
Nic Fillingham: Thank you. But instead, it is about digital forensics conducted on mobile devices. And so it's a great conversation. And yeah, we actually posed that question to Sarah. How much of the real life of a digital forensics expert is actually mirrored in these TV shows?
Natalia Godyla: And what's great about this is this is yet another episode in which we've brought on a major security expert from the industry to bring their unique perspective to the podcast. So as you might remember, we had Tanya join us, CEO and founder of We Hack Purple Academy. Sarah Edwards is the second guest like this, an industry expert who has come to talk to us about a topic across the security industry. And we'll continue to bring on other influential external guests to share their unique perspectives for you. As always, we are looking for feedback. So let us know how you like these conversations.
Nic Fillingham: Yeah. We'd love to hear from you. Send us an email, securityunlocked@microsoft.com. Or hit us up on the Twitters. And with that, on with the pod.
Natalia Godyla: On with the pod. Well, hello, Sarah Edwards. Welcome to the show today.
Sarah Edwards: Thank you. Thank you for having me.
Natalia Godyla: Sarah, so you are a senior digital forensics researcher at Cellebrite and senior SANS instructor. What does a day in the life for Sarah look like?
Sarah Edwards: Very busy and always on the computer. So a day in the life is - I do have my normal day job. That's the Cellebrite job. So I'm researching all the different Mac and iOS artifacts that are out there to put into the tool, you know, and to make the end user investigations go a little bit, you know, further, trying to make their lives a little bit easier. Then evening, weekends and, every once in a while, a week is the SANS part of my life. So I will, again, do more research, put together course material. So I have my own Mac forensics course. And I teach said course around the world as well. So theoretically, a lot of travel, you know, in the before times and, hopefully, coming up soon. But, yeah, I keep very busy.
Natalia Godyla: And has your career always been in digital forensics? What was your path to cybersecurity?
Sarah Edwards: It's pretty much always been forensic. So when I was at RIT up in Rochester - Rochester Institute of Technology - I did go through a few different majors, found out that I'm not great from the engineering side. I'm not awesome at math. But I've always loved solving puzzles. I've always loved kind of putting different investigation pieces together. So forensics is a key part of that. This is always - also during the period of "CSI," the original, the OG, "CSI." So I am also one of those folks who were like, I want to do that. I want to solve crimes. I want to put things together. I want to tell a story of what happened on these devices.
Nic Fillingham: Did you also want to take your Ray-Bans off and, like...
(LAUGHTER)
Nic Fillingham: ...Stare into the distance and have someone go, yeah.
Sarah Edwards: Have I Maybe had that soundtrack on before? Yeah, you know?
(LAUGHTER)
Nic Fillingham: So Sarah, the sort of high-level topic for today's conversation is around DFIR. May I ask you to start with expanding upon that acronym for us? What is DFIR? And why do you do it?
Sarah Edwards: Absolutely. So it's - we call it DFIR. That's our quick way of saying the - that term. So it's digital forensics and incident response. So we kind of have two pieces. We have digital forensics. And this is kind of how you can think of, like, the true - kind of the true crime of forensics, you know, missing persons. Or you're looking at different investigations surrounding your employees. Or, you know, somebody is spilling secrets or something. I don't know - a lot of different types of investigations like that. The incident-response side, this is going to be more where the security piece comes into play. This is going to be, your device is compromised, you're looking for malware. How did the malware get on the system? - and everything associated with some of that. So we really do lump them together. But in this world, all investigations are going to be a little bit different.
Nic Fillingham: And is DFIR something that has to be conducted with physical access to the device? Or can it be done sort of remotely if a device is either not in your - you know, you don't have access to the device or the device is lost, et cetera. Can it be done sort of, like, after the fact? Or is this uniquely a task that happens with the actual piece of hardware in front of you?
Sarah Edwards: Our favorite answer in this field is it depends. (Laughter) So it really depends on what type of investigation. Yes, a lot of things can be done remotely. And a lot of the compromises for, you know, big, enterprise systems can be done remotely because these devices are quite literally all over the world. So - you know, you do have some folks who will fly to all these places and do collections of all these devices. But even in more recent times, you know, specifically during the COVID period, you can't. You can't really do that. So a lot of remote capabilities have been being introduced, the different capabilities. It's not always possible to do that specifically with things like mobile devices. Sometimes you really, truly have to have that sitting in front of you because you have to connect that to all of your different collection utilities to get access to that data. So - yeah, it depends.
Natalia Godyla: So what makes mobile forensics particularly unique? How does it differ from other types of forensics like network, email, et cetera?
Sarah Edwards: So I love mobile forensics because mobile devices are probably the most intimate device that you have. People live on their iPhones, their iPads, their Android devices. They have their watches strapped to them at any given point in time. And all of these devices are constantly collecting all sorts of interesting data about you, your usage, your health. It's creepy.
(LAUGHTER)
Sarah Edwards: I don't want to make it sound like it's - I don't know. What's the word like - it is creepy. But it is being stored for legitimate purposes, you know? Apple uses a lot of this information to figure out, what is the user going to try to do next? What application should I suggest when it comes on the pop - you know, popping up on the screen? So I think that's why I like the mobile side. You get to see everything about a person's life.
Nic Fillingham: Gosh. Part of me wants to sort of expand upon the fact that that's a - maybe a double-edged sword.
Sarah Edwards: Yes. Yes. Oh, yes (laughter).
Nic Fillingham: I think the other question I wanted to ask is related to sort of mobile forensics. You know, you mentioned iOS. You mentioned Android. You mentioned iPad. In a very rudimentary sense, these all run variants of, like, the UNIX or Linux operating system. So what sort of differentiates mobile forensics to just sort of Linux, UNIX forensics, I guess? I know it probably sounds like a silly question. But what is sitting on top of the operating system? And then, obviously, you know, as you say, the way that we use these devices and things that we do on them, how does that differentiate from someone that might be doing forensics in the enterprise where they are looking at lots of, you know, Linux and UNIX VMs and systems?
Sarah Edwards: That's a great question. So if you are coming from it from an Android side. Now, I used to do a lot of Android stuff, not too much anymore. But if you've done - as a forensic investigator, if you've done analysis of various UNIX and Linux boxes, Android pretty much looks the same. You know, there's definitely some, you know, big differences between that. But if you are used to seeing those file systems, looking for a lot of very similar artifacts, you're good to go. You are familiar already with how that operating system works. And on the iOS side, especially if you're coming from the Mac side, Mac and iOS, forensically speaking, I would say 95% the same. It's getting access to the data, which is usually the big, hard part. Mobile devices are generally a little bit trickier just because a lot of the security protections that are being put on there because they are the most intimate devices for us. But once you get that data, pretty much looks the same.
Natalia Godyla: So I'd love to pivot here to talk a little bit about what the threat landscape looks like for mobile devices. So I was reading your blog. And I saw that you shared an incident in which a school received bomb threats via AirDrop, which to me was just eye-opening - the type of compromises that can happen through a mobile device. So can you share what is typical for a mobile device, what compromises are typical? How is a mobile device used as part of an attack chain?
Sarah Edwards: All right. So there's quite a few ways of kind of going about this. So there's quite a few different types of attacks, starting off first with the AirDrop attack. So that one - that blog article actually came out because an investigator emailed me saying, hey, I got this thing that's happening in a local school district. How do I look at this? And I'm like, I love solving these kind of things, or at least attempting to solve these kind of problems, because I know a lot of folks don't get to really dive deep into this kind of data. And AirDrop is very interesting because of how temporary it truly is. So it just kind of works over Bluetooth and Wi-Fi, you know, seemingly magically. And there's not a lot of artifacts that are sitting on the devices. Now, that particular blog article, I actually went in and kind of mimicked an attack. So in this particular example, the school district was seeing students and employees getting AirDropped pictures or notes that were threatening messages. And it's something that's been in a few other places as well. So the investigator is basically saying, like, how can I figure out who is doing the AirDropping, who is sending these threatening messages? So I went in, and I spent quite a bit of time researching it, playing around with my different research devices, kind of mimicking that different scenario. Turns out, it's very, very difficult if you do not have all the devices at hand. And in a school, you're never going to have all those devices. You're never going to be able to acquire all the students' devices, the teachers'. People will come and go. That's just going to be really difficult. So actually, to put that piece of that investigation together is very, very difficult. But then you get through things like other different types of attacks. The big one that, you know, really just came out is the big NSO surveillanceware that's being installed on a lot of activists and journalists that are out there. That one's a whole different level. So this one is going to, you know, of course, targets certain folks. And they're going to drop a couple of zero-days on these devices, either zero-click or one-click - meaning, you know, the user just has to browse to a page. Or it's through iMessage. Just through something - they won't even know. Or they're doing the one-click, where it's like, click this link to claim your prize. That kind of thing. So depending on the different processes, the different exploits that are going to be used, they're going to get compromised. Now, those are particularly interesting because of the higher level, advanced capabilities of that. So generally speaking, things like NSO tools, they're going to drop down their surveillance packages on there. So they're going to look at your pictures, your messages, all of your application data. And each - you know, those different implant tools are going to each be a little bit different. But that's the really creepy stuff. And those are also extremely hard to look at because sometimes the end user has no idea that they're actually compromised.
Natalia Godyla: Just a quick follow-up - so in your explanation of the AirDrop incident, you mentioned using a few research tools. What tools do you typically use in your investigations?
Sarah Edwards: So I go pretty simple. I have a lot of different devices. They're all my old devices that I have jailbroken. I will, more or less, just create the scenario that's as close to the original scenario as possible. So I do jailbreak pretty much everything. It's really important from a research perspective that you do that so you can see everything and not just what's maybe in an iTunes backup. That's very, very limiting from a forensics perspective. And I'm running a couple of tools on there. I love Fsmon - file system monitor. That's one of my favorite tools to kind of keep track of what's happening in the file system when I do a certain thing. When I click a certain thing, I want to see what's happening, what files are being touched, what databases are being touched. I use a couple of other just - really nothing more complicated than just SCPing the files off. If I target - if I find a target database of interest, I'm just going to SCP that off and take a closer look at that. So things like a lot of SQLite browsers and viewers, I often use those, constantly writing different SQLite queries for the different databases and just kind of taking a look at how things are working. So it is a very time-consuming process depending on what I am investigating. But sometimes, it's as simple as, like, where is this one setting in a particular PLIST file? And that, you know, maybe will take 10 minutes - easy. But the AirDrop one took far longer...
(LAUGHTER)
Sarah Edwards: ...Far, far longer.
Nic Fillingham: Sarah, I wonder - you talk about the tools that you use. Can any of these tools be run from a Windows environment? And I guess my question here is that if I'm a listener to this episode and I live in Windows - maybe I only have access to Windows, can I perform forensics on iOS devices, on Unix and Linux devices, on iPads, et cetera, et cetera? Is there a way to - you know, first of all, do these tools run on Windows? Or is there a way to run them inside VMs? Does that make sense?
Sarah Edwards: Absolutely.
Nic Fillingham: Like, can I do all of this work from the Windows land?
Sarah Edwards: Absolutely. Yeah. Yes, you can. As long as you have your iOS devices - unfortunately, there's not a lot of options to really, you know, emulate those. There's things like Corellium out there. I use just plain-old devices that I have lying around here. That's probably the hardest piece coming from the Windows side. But everything - like jailbreaking - most jailbreak softwares do have a Windows component to that. So that's usually OK. Other than that, you're using things like SSH, SCP. You're loading up tools to the device itself. Or when you pull files off, you need some file readers. Now, the main, primary files on these devices are PLIST files, which is kind of like the Mac and iOS version of the registry. Those can be a little bit tricky. But there are some Windows pieces of software that can open those just fine. I hear Notepadd++ can work out quite well with a plug-in. Another tool called iBackupBot works out quite well. Other things like SQLite databases - there are hundreds of SQLite database viewers out there. Pick your favorite.
Nic Fillingham: Good. I think that's great news for folks listening to the podcast that maybe you're interested in getting into this space but are in predominantly a Windows environment. I wonder if we could move on to sort of some trends that, Sarah, you've discovered and sort of noted and seen over the past few years, especially for mobile and sort of forensics work in the mobile space? Is there anything that's sort of - I'm assuming a lot has changed. So I know it's sort of a silly question, but are there a couple of things that bubble to the top of sort of big trends, big changes over the last sort of five-ish years?
Sarah Edwards: Well, the one thing is it changes all the time. It changes almost every single time you look at it. You know, Apple puts out an update and something breaks somewhere. So - or they update a new application or, you know, a million other things. So it is constantly changing. So it is - one of the most difficult things about being in the Mac and iOS field is that something is always new. So there's always something to investigate. There's always different security things that might be a problem. I know Apple is definitely always trying to introduce new security features. From a forensics perspective, usually that makes our lives a little bit difficult. But then I put on my security hat. And I'm like, oh, I actually like this as an end user. This is a wonderful thing to have. So I kind of go back and forth with some of those. So a few other trends, specifically - I know I'll talk about jailbreaking forever. That is a big one, especially with the Checkm8 jailbreak that came out a couple of years ago - that was huge in both the security and the forensics communities. This allows me to do a lot of the internal research that I like to write about, that I like to present about. So without these jailbreaks, you know, I'm very, very limited in what I can actually do. So that is always a big one. And definitely, Checkm8 is the biggest because it is a bootrom-level exploit, meaning Apple can't really patch it for a very specific set of devices. So it's kind of built into the hardware. So that one's very, very useful.
Nic Fillingham: Can I just pause there, Sarah, just to clarify?
Sarah Edwards: Yeah.
Nic Fillingham: So it sounds like you're saying a big part of your toolkit, the ability for you to do forensics on iOS devices, is actually dependent on sort of the jailbreak community to actually go and find and leverage exploits, is that right?
Sarah Edwards: It is 100% true. I...
Nic Fillingham: Oh, that's interesting.
: It's all the really good, juicy stuff is protected behind the scenes because of the Apple protections that are built in there. So I do need that level of access. I need that root level of access with the jailbreaks - that the jailbreaks provide me to actually get in there. Otherwise, I'm kind of only seeing - I don't know - maybe 20% of what's there and none of the really good stuff because that is protected by the security mechanisms. So yeah, I can't do my job without jailbreaks.
Nic Fillingham: I did interrupt you there. I apologize. You were talking about trends. But I just wanted to sort of clarify that, that sort of jailbreak comment there.
Sarah Edwards: Oh, yeah. No. No problem. I love jailbreaks. You have to be patient sometimes. But I - (laughter) I'm kind of known to jailbreak pretty much anything within an arm's length of me. It just really is important to a lot of my research. So let's see - other trends. I think a lot of the trends currently are some of the security mechanisms that Apple has been, you know, introducing. You know, does it help the security community, is it a little bit questionable? A lot of the stuff like the CSAM thing that they introduced - or they at least mentioned but they haven't quite introduced yet - you know, there's been some security issues with that. People are very concerned about that, you know? It's going to be scanning your photos and whatnot. Now, I'm no crypto person, for sure. So I'll let the crypto folks handle that one. But that's definitely something that's going to be of interest, you know, to us. Other things like a lot of the malware, the surveillanceware, things like the NSOs of the world - I've already mentioned that a little bit before. That's another big thing. It's kind of introducing the world to, you know, the risks associated with having these devices. Now, no device is going to be perfect. There is no 100% secure device. But it really is opening people's eyes up to, oh, my fully patched iPhone is, in fact - you can actually compromise that. Now, whether somebody is going to spend, you know, a few million dollars on a couple of 0-days for you in particular, that's questionable. But you do still have a lot of the commodity malware that's out there. You know, you have things like the spousal stalker applications. Or somebody compromised your iCloud credentials and could potentially stalk you that way. That's going to be seen, probably, more in the day-to-day for that kind of thing. So that's, you know, two completely different levels but same kind of aspect, right? They're using your devices against you.
Natalia Godyla: I want to pause here and ask a rather dicey question.
Sarah Edwards: Excellent.
Natalia Godyla: When you're talking about jailbreaking, is that allowable? Is there a line that you can't cross when jailbreaking a device? Or is it understood by those who produce these devices that it's required for investigations?
Sarah Edwards: Ah.
(LAUGHTER)
Sarah Edwards: OK. So legally speaking, I can jailbreak devices that I own. Now, this is definitely going to be absolutely dependent on where I am in the world, in which countries I'm in, so - you know, your-mileage-may-vary kind of thing. Now, does Apple want me to jailbreak my devices? Probably not. But they can't really - I mean, they try to do stuff to stop the jailbreaks, but hackers are going to hack. They're going to find an exploit in there. And they're going to be able to create these jailbreaks. So I'd like to think that I am using these jailbreaks for legitimate purposes. I am trying to solve, you know, real-world scenarios that, because of Apple's limitations, I have to break the security of the system to actually see what is happening on this device, to figure out what's happening on these other people's devices, you know? I'm trying to solve crimes here. And unfortunately, Apple does not allow me to do that in a legitimate way.
Natalia Godyla: So let's talk a little bit more, then, about what this process looks like when it unfolds. So from the point in which you're starting an investigation, what does it look like? And what are you typically looking for on these devices?
Sarah Edwards: Well, that's our favorite answer again - it depends.
(LAUGHTER)
Sarah Edwards: Every investigation is going to be looking for something different. So I'm just going to throw out some examples here. Say I am looking at somebody's Mac. Let's say it's a missing person's kind of case. So I'm trying to figure out, where is this person? I have their Mac. How can I find out, you know, where were they going to go? So I might be looking at things like their text messages. I might be looking at their calendar entries. I may be looking at their browsing history, saying, OK, they're going to go to the park at 9 p.m. to meet a certain person or something like that. And I can work that into the investigation and maybe help someone try to find this missing persons - you know, not always perfect, but that's kind of one piece of that. So I'm looking at more, like, their application-based data. Then you have things like malware investigations. So let's go with Mac or iOS on this one. So now I'm going to look for different vectors in. You know, maybe I have an idea. You know, maybe they think that they're being stalked. Or maybe this device was - you know, maybe it's not completely known if it was compromised or not but it was just, you know, outside of that person's control for some time - so a couple of different things we can go about there. So if I'm looking at things like different vectors onto these devices, specifically iOS, I'm going to be looking for, you know, shady links either through web browsing or text messaging. Are those perfect? Is that going to find it 100% of the time? Absolutely not, and especially for more of the higher end kind of things. I may never know the vector. Other things I might look at are things like a lot of the persistence mechanisms. So like launch agents, launch daemons, you know, just like Windows - just like any other operating system out there, stuff needs to persist. Malware generally likes to persist. And I say generally because if you start looking at the - you know, the higher-end NSO stuff that just came out, that actually doesn't persist only because it's very, very difficult to persist on a lot of these newer iOS devices. So that's kind of a new feature. And that kind of makes my life a little bit difficult. But then I can always propagate over to things like the logs. Now, one thing I absolutely love about Mac and iOS is that it does an immense amount of logging. Now, unfortunately, logs don't stick around forever. So kind of time is of the essence. You really do want to get to that system as soon as possible. But you may get a hint of something that was happening on that device or security was changed. You can look at things like the TCC database, which is a pretty popular one, that keeps track of the different permissions. Was video turned on? Was the microphone turned on? You know, that kind of thing. So there is about a million different things that you can look at from an investigation. It's just where the investigation leads you. You just start pulling the different threads and kind of figuring out, how would I look at this? What am I looking for? And start going about it.
Nic Fillingham: Sarah, you mentioned earlier - actually, I won't say you said you were a fan. But you did reference the television show "CSI." Do those pop culture interpretations, though, do you think they actually, sort of maybe do a bit a harm in terms of setting expectations of what can be recovered from a device in a forensics perspective? Like, you know, I wonder if people are - you know, they have a missing loved one that they're trying to find. And they say, here is their iPhone, you know? This will be able - for you to find them. And it's not as simple as that?
Sarah Edwards: Oh, absolutely. Even when the original "CSI," you have the - kind of the "CSI" effect for the juries. The juries, they're expecting - oh, you should be able to do X, Y and Z. Why isn't the - you know, the expert actually, you know, finding all of this stuff? When it's actually far more difficult. And on the flip side, you know, it may actually show people what capabilities there are or what your devices actually are storing about you from a security perspective. So - you know, there's reasons back and forth.
Natalia Godyla: Well, that seems like an opportunity for Hollywood to get it right. So for anyone who is interested in filmmaking and watching this, there's your next big story idea.
Sarah Edwards: I would be surprised because I think if they watched me do what I do, they're like, that is the most tedious thing I have ever seen.
Natalia Godyla: (Laughter).
Sarah Edwards: She's just scrolling through logs for three hours a day. So I know why...
Nic Fillingham: They could just - they could speed it up double time and put "Yakety Sax" behind it. That would make it much more interesting.
Sarah Edwards: (Laughter) This is why on NCIS, they had the two people using the same keyboard. It makes it more efficient.
(LAUGHTER)
Sarah Edwards: Classic.
Natalia Godyla: I wanted to ask about something that was in reference to your course on SANS. So as we're talking about the different artifacts that you're looking for on these devices, you reference something called pattern-of-life analysis. Can you explain that concept for DIFR?
Sarah Edwards: Absolutely. So pattern-of-life is where a lot of my research comes into play. So pattern-of-life is a very fancy way of saying, how do people use their devices? What applications are they using? What are they listening to? When do they plug it in? What is the battery level? How long are they using certain applications? Do they have the Apple Watch? Can I see a lot of their health data stored in there? So it is quite literally the pattern of their life. When they wake up in the morning, what is the first thing that they do on that device? Do they unplug it from their nightstand? Do they go to their favorite application, you know, check Twitter for 20 minutes, you know, what have you? That is their pattern. Do they have a normal workout at 7 a.m. every single morning? You could potentially see that, too. It's a very fancy way of saying, this is all the really weird, creepy data that's being stored on these devices. It is being stored, generally, for purposes, you know? Apple's intelligence service is kind of trying to determine what are you going to do next, trying to help the end user. But from a forensics perspective, it can tell a extremely detailed picture of what happened on that device.
Nic Fillingham: And is there any way to automate that process? So - you know, for example, you know, you just mentioned, does the person typically wake up at the same time, you know? Does an alarm go off? Do they check Twitter for 20 minutes? Do they then, you know, go workout. And you can see that data. Is there - I'm sure you are following a process when you go through that yourself. But is there a way to sort of automate it, so to speak, so that you can sort of have some of that legwork be done for you in advance? Or is it really tediously poring through logs and pulling it together yourself?
Sarah Edwards: Well, kind of a little bit of both.
Nic Fillingham: OK.
Sarah Edwards: So I actually did write a tool. It's called APOLLO - Apple Pattern of Life Lazy Output'er- which automates...
(LAUGHTER)
Nic Fillingham: I love it already.
Sarah Edwards: I came up with that. I'm just - I love this acronym.
Nic Fillingham: I love it.
Sarah Edwards: Now, technically, it's just - it's a fancy SQLite database dumper. That's it. So a lot of these different pattern-of-life items are stored in a variety of different databases. I'd probably say about 20 different databases hold this information. So what I would do before is open up every single database, all 20 of them, and run different SQL queries for each one. Now, one database has the potential to hold, let's say - like, knowledgeC is one of my favorites. KnowledgeC quite literally stores knowledge about the user. It is the super-creepy database. It is storing, probably, like, 70, 75 different aspects of the intelligence of that device. So I'm running, say, 70 queries on one database. So once you start aggregating all of this information, I think I have somewhere upwards of 250 different queries now, each pulling out a different specific aspect of a user's life or of the device's life. So my APOLLO tool does that automatically for me. Long as I have access to the databases - again, this is where jailbreaks come into play because a lot of these are protected. So I need to run through those, collect them and just automatically run all these queries. It's a very, very dumb script. It's - you know, it's a lazy outputter. It's just running a SQL query on a database and dumping the information out. Then it just comes out to a database or CSV file. And then that's where the tedious piece comes into play. This is where you're going to have to know, what are you looking for? Do you have a particular time period in mind? So a lot of investigators will use APOLLO for investigations like accidents, you know, specifically on iOS devices. So they have, like, a timeframe in mind, you know? They know when that car got smashed. Were they distracted driving? So they're going to take a look at what applications were they using right before this? Were they using hands-free devices? Were they not? Things like that. So you can do it with a specific time, or you're looking more for the pattern. Maybe you're not quite sure what applications the user uses most often, but you need to, you know, do investigations associated with that. You can tell very specifically how long a user is using a specific application for about four weeks or so. So this data, it's very much like a log file. It doesn't stick around forever in most cases. But, you know, if I want to know what application were you using at 9:32 in the morning 3 1/2 weeks ago? I can do that. I could do that, and it's very, very accurate, so a lot of different scenarios. I can see what you're listening to. I can see how you're listening to it, you know? Are you using Bluetooth? Are you using a speaker system? Is it plugged into your car? I can see your location. It's just - I could go on and on, and on. But it's collecting a lot of data for you.
Nic Fillingham: Part of me really wants to run your APOLLO script on my phone and see what APOLLO can tell me about me. But then part of me really, really doesn't want to do that.
Sarah Edwards: (Laughter) It's enlightening. And I think that's the polite way of putting it.
Nic Fillingham: You spend how much time on Twitter...
Sarah Edwards: (Laughter).
Nic Fillingham: ...And how much time on Reddit? Oh, wow.
Sarah Edwards: So I end up using a lot of my own data. And I spend a ridiculous amount of time on Twitter. And I'm like, I really should not do that.
Natalia Godyla: (Laughter).
Sarah Edwards: Yeah.
Natalia Godyla: We have just a few minutes here. And I really want to ask this question before we wrap up. But what investigation has really stumped you? Has there ever been an attacker or even a simulated attacker that was just super hard to crack for you?
Sarah Edwards: I think - and this is going back because I'm more or less on the research side now, so I don't get to do, like, the day-to-day, true forensic investigations. And I do miss that because they were so much fun. But going back to my, you know, previous gigs, I used to do a lot of Windows intrusion and malware examinations. And one of the most frustrating things - it's not in a particular case or anything. But it's one of those - it's like, did I find what I needed to find? Am I missing something? Are my skills good enough? Did I find one compromise, but there's actually three others, which are, you know, more advanced, so they're hiding from me? So it's always that questioning, like, did I find it all? Or did I find nothing? And I'm like, the user really does think that they were compromised. Am I looking in the right place? So it's that - kind of that self-questioning. And that's just one of those things you have to just - you can't look at this device forever. Now, you may find something five years from then and be like, oh, I wish I knew about this particular artifact, you know, five years ago for that one particular case. But at that point, it's usually a moot problem at that point.
Nic Fillingham: Well, Sarah, thank you so much for your time. This has been a fascinating conversation. I have so much I want to learn about this space. I may jailbreak my phone and run your APOLLO script. I'm sort of on the fence there. We'll see. But for folks listening that want to learn more about DFIR and want to learn more about the courses that you teach, where can they go? How can they follow you? What should folks do to learn more about this space?
Sarah Edwards: All right. Well, they can go to my blog first. So that's mac4n6.com - or Mac forensics. They can go to my Twitter at @iamevltwin. Yes, the I is missing. There's a story behind that, but it goes way back to the AIM days. But @iamevltwin on Twitter. And, yes, I do spend a lot of time on Twitter. Let's see - oh, and my forensics class, Forensics 518 - the Mac and iOS Forensics & Incident Response class, you can go take a look at for518.com for that.
Nic Fillingham: Awesome. Sarah Edwards, thank you so much for your time. We'd love to have you back on "Security Unlocked" another day.
Sarah Edwards: This was lovely. Thank you so much for having me.
Natalia Godyla: Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode.
Nic Fillingham: And don't forget to tweet us at @msftsecurity. Or email us at securityunlocked@microsoft.com with topics you'd like to hear on a future episode. Until then, stay safe.
Natalia Godyla: Stay secure.