With the release of Cellebrite Inspector 2020 R1, BlackBag expanded the macOS artifacts process.  By user request, features were added to process: AirDrop artifacts, built-in iCloud productions, additional data in macOS about Recent Items, and mac OS user account information.

Cellebrite Inspector 2020 R1 also parses Keychains and Spotlight artifacts. 

AirDrop

AirDrop is a built-in feature in macOS and iOS that lets devices share files wirelessly, using Bluetooth, to create a peer-to-peer WiFi network between macOS and iOS devices. AirDrop enables the transfer of files between devices without using MMS, email, or other file transfer devices or services.  AirDrop can be set up on an iOs or macOS device, to be used only used by contacts or by everyone.

Cellebrite Inspector displays the AirDrop ID and AirDrop Discoverable Mode information for devices on the [Details] tab.

Having information about the AirDrop configuration on a device is helpful, but what is of more interest is knowing what files were transferred to and from the device using AirDrop.  This information is parsed in [Actionable Intel] and is found in the ‘Air Drop’ section of the “Downloads” subview.

Here each entry shows the file transferred, the name of the sender and recipient, whether the file was sent from the device (outbound) or sent to the device (inbound), and other information.

iCloud Productions

Apple device users typically have an iCloud account associated with all of their devices.  An iCloud account is used to sync data across multiple devices, like Calendars and Photos, and is also used for iOS device backups.  Multiple devices can be synced and backed up to one iCloud account.  An iCloud account potentially stores a lot of important information.

Provided you have the proper search authority, Apple will provide the data from a user’s iCloud account.  The iCloud Productions are sent in an encrypted GPG format.  Once decrypted, the zip file containing the user’s data can be processed by Cellebrite Inspector 2020 R1.  Prior to this release, users needed to send the productions to BlackBag for processing.  Now that the format has stabilized, we have built the processing directly into Inspector.

Warning:  Ingesting data from iCloud Production files relies on the formatting of these files.  If Apple chooses to alter the format of the data in iCloud Production files, Cellebrite Inspector may cease to identify iOS device backups in the iCloud Production files.  In those cases, you can still reach out to BlackBag to help adjust the processing as you could in the past.

Keep in mind, some users do not back up their iOS devices to iCloud, but they do store other data in their iCloud account.  During the ingestion of the zip file containing the iCloud Production, Cellebrite Inspector will automatically detect if device backups are stored.  When device backups are detected, the Processing Option iCloud Backups is automatically selected.

Cellebrite Inspector first processes the zip file, parsing the data the user stored in the iCloud account.  Upon encountering iOS device backups, a separate device is added for each backup.  There may be multiple backups for the same device stored in an iCloud account.

Once everything is processed, the data extracted from the iCloud Production can be reviewed.  Within the zip file itself, you can review Account Information, Bookmarks, Notes, etc. – whatever data the user stored in iCloud.

Each device backup has a date associated with it, allowing you to see what was on the iOS device on the date the backup was created.

Analysis of these iOS backups is similar to the analysis of any other iOS backup.

macOS Recent Items

The goal in reviewing ‘Recent Items’ (displayed in [Actionable Intel]) is to gain an understanding of what the user was doing on the computer.  The newest release of Inspector provides more understanding by parsing more information in “Recent Items” for macOS systems than ever before.

For macOS systems, data is now parsed from the following locations:

The data parsed is displayed in the “File Knowledge” section of the ‘Recent Items’ subview in [Actionable Intel].  Since a lot of this information is stored in plist files, Inspector parses information from the plist, but it also displays the plist in the File Content Viewer pane.  For some of the files parsed, additional content can be found in the associated plist.  Along with the information parsed, data in the plist can be tagged and included in your examination report.

macOS User Account Information

Databases for macOS devices are stored in ~/Library/Accounts. This file also contains information about the user’s other accounts including iCloud, social media, email, and calendars.   Data is now parsed from these databases in the “User Accounts” section of the ‘Account Usage’ subview in [Actionable Intel].

Cellebrite Inspector 2020 R1 also parses additional information from macOS user account plist files (created date and last password change date).

Learn more about Cellebrite Inspector.

Share this post