Sarah Edwards: Poking the Bear - Teasing out Apple’s Secrets Through Dynamic Forensic Testing and Analysis
December 9, 2019.
Sarah Edwards speaking at the Jailbreak Brewing Company Security Summit on Friday, October 11, 2019.
If I come across a useful piece of data on macOS or iOS I do not just assume I know what it means - especially if my whole case depends on it. My experience with Apple data is that it is consistently inconsistent. They certainly do some questionable things. Testing is the only way to get that warm fuzzy feeling that the awesome piece of data you found truly means what you think it means. Yes, testing takes time. Yes, testing can be tedious. However, testing can make or break cases. This talk will go through my testing processes on Mac and IOS platforms to show that sometimes a quick test really is a quick test. A 30 second test may be well worth the investment in the long run. I will also show how more intensive testing can be implemented to tease out the strange oddities of native and 3rd party data stored in various SQLite databases using some of my APOLLO modules as examples.