
Digital Forensics Now
A podcast by digital forensics examiners for digital forensics examiners. Hear about the latest news in digital forensics and learn from researcher interviews with field memes sprinkled in.
Every Breath You Take, Every Swipe You Make—Your iPhone’s Logging It
Apple devices are constantly recording user activity, yet few forensic examiners are making use of the vast amount of data these systems quietly generate. Apple's Unified Logs and Spotlight databases track nearly everything that happens on an iOS device, often without the user realizing it.
Would you believe an iPhone can generate around 1.5 million log entries in just 15 minutes of regular use? These records include highly specific actions—such as the exact moment Face ID is used to unlock a device, when the phone is flipped face-up, or whether a user interacted with Siri or used the device manually. Despite their detail and reliability, these sources are often overlooked in mobile investigations.
In this session, we’ll show how forensic practitioners can process and search these massive log sets using open-source tools. We’ll walk through examples of log entries that record actions like toggling airplane mode, launching specific apps like Facebook, or even detecting changes in device orientation. For investigators, this means direct, time-stamped evidence of how a device was used.
One of the most valuable aspects of this data is its ability to help distinguish between user actions and automatic background processes. Was an app opened by the user, or was it a system event? These logs provide that level of clarity. We’ll demonstrate how to isolate specific events from millions of entries and construct accurate timelines that reflect exactly what happened—and when.
As part of our ongoing work, we’re also focused on improving the accessibility and usability of these artifacts by incorporating them into the LEAPPs. If you work with iOS devices, this is a session you won’t want to miss.
Notes:
2026 IACIS in Reno NV-
https://www.iacis.com/training/reno-info/
Spotlight-
https://github.com/ydkhatri/mac_apt
Unified Logs-
https://www.ios-unifiedlogs.com/
https://github.com/abrignoni/iLEAPP
Speaker 1:Welcome to the Digital Forensics Now podcast. Today is Thursday, May 15th, 2025. My name is Alexis Brignoni and I'm accompanied by the sleeping beauty that doesn't work sleeping, and anything else when need be, because she works hard. The early riser to work. The queen of all things Apple logs, as you will see during the show, the one, the inimitable and only Heather Charpentier. The music is Higher Up by Shane Ivers and can be found at silvermansound.com. Yeah, what's my mouse doing? There we go.
Speaker 2:Sleepy.
Speaker 1:Yeah, I mean you work hard. So you know you work hard, you get tired and you have to sleep a lot Like at four o'clock in the afternoon. You know it's hard.
Speaker 2:A way to tell on me. Way to tell on me.
Speaker 1:I mean, I do the same thing. Not as often as you, but just kidding, just kidding. You are the queen of the logs and we're going to demonstrate that today, people, that she's the queen of the logs. So yeah, so what's going on? What's happening since last week?
Speaker 2:Last week we were in Florida. Well, you live in Florida, but I was in Florida for IACIS and that's why I'm sleeping so much. I'm catching up.
Speaker 1:Yeah, that's true. There's a lot of work, you know, keeping up with the class at night, no partying whatsoever, right, no, no, none of that, just playing work the whole time.
Speaker 2:Maybe a day or two Now.
Speaker 1:the first week was like really business, but the second week is more slow because you kind of got it down, got it down from getting kind of lined up from the first week.
Speaker 2:Yes, and then?
Speaker 1:you can kind of relax a little bit in the afternoons.
Speaker 2:Yeah, yeah. So I have some pictures to show from IACIS, from week one. We have our lovely instructors' picture with Chris Currier, myself, you, Bill Aycock and John Hyla and, of course, Hannah, who did not cooperate for this picture and look at the camera.
Speaker 1:Look, she was giving you her best side to the picture. You have to understand that that's her best side.
Speaker 2:She probably saw a treat or something, fire hydrant, squirrel. Yeah, pretty much. I got it. I got that reference, only oh, from a commercial though.
Speaker 1:Oh, you got that reference like Captain America.
Speaker 2:Anyways, go ahead. I did, I did. And then of course, our wonderful, our wonderful students from week one. Week one had some pretty smart students. Yeah, yeah, I just, to begin with.
Speaker 1:So if you go from the left, the one to the third person there, that hoodie that looks kind of white, but it's got, I think it's gray or something like that. It's the one and only Johann, which is like, dude, what am I gonna teach you? Like, are you kidding me? You should stand up and teach. But he did learn something in class, so that's exciting.
Speaker 2:He did, he did. Let me throw it up. And then week two, we had a little change of instructors. We have Princessa and then the rest of us, obviously, that were already there. Hannah cooperated for this one.
Speaker 1:Yeah, she's just tired of coming. You take so many pictures of me. Leave me alone.
Speaker 2:All the wonderful instructors, and then our week two students who are just as amazing as the week one students.
Speaker 1:See, look, I organized this picture. Everybody's like taking a knee at the front. It's a better picture.
Speaker 2:I'm just saying yeah, your picture is definitely more organized than mine.
Speaker 1:It has a ponky in the back as opposed to the doors on the left. It's a beautiful door. Sure, if you're into that sort of thing, you're into doors. I mean, there's people that are into doors. Hey, look at that.
Speaker 2:And then our class mascot just chilling waiting for somebody to come rub her belly.
Speaker 1:Oh, maybe I should do that too in class there's nobody going to rub your belly.
Speaker 1:They're just kicking me in the ribs. Get up. Well, that's awesome. That's awesome. Well, we both enjoyed that time at IACIS, just teaching and spending time with the students and other folks that are at the event. IACIS is an organization that's volunteer driven, so all the people there are volunteers, because we're really passionate about education, and education specifically in the field of digital forensics. Right, and it's a blessing, it's an honor to be part of the organization and able to give back that way. So looking forward to being there next year.
Speaker 2:Yeah, absolutely, and you don't have to wait till next year. Well, you kind of do, never mind, January of 2026, not in Florida, but if anybody is looking to take some classes from IACIS, there's going to be a specialized event in Reno, Nevada, so it will be January 12th through the 16th at the.
Speaker 1:Did you lose me? I don't know if it's you or it's me. I don't know if somebody in the chat can tell me if she's breaking up or not, to make sure that maybe I'm not the problem. Let me see. If Kevin is around, you can put in the chat, if he is around, if she's breaking up. If not, it's me, and then you can carry on. Somebody needs to tell me if I'm breaking up. Let me see. Christian says that you're breaking up.
Speaker 2:Okay, Christian, it's up, it's his.
Speaker 1:It's what, midnight his time? Yeah, great, Christian is a trooper. You could have watched the rerun later. Well, but he supports, yeah. Yeah, you're glitching out, so let me repeat that part. There is the special event in Reno at the Sierra Resort, right?
Speaker 2:Yeah, yep, so it's going to have all the classes, not the BCFE though, it's going to be all the specialized classes. So the Advanced Mobile Device Forensics class, which we teach, the Advanced Windows Forensic Examiner, Applied Scripting, the Forensic Linux Examinations class, the Managing a Digital Forensic Lab, Mobile Device Forensics, Open Source Intelligence, Preparing for Lab Accreditation, and the RAM Capture and Analysis class.
Speaker 1:Those are all awesome classes and, again, they're not the main BCFE but they're pretty good. They're really really good. Let me see Yep and the MDF. There's a certification for the MDF so they can get that. Is there a Windows one there? No, I don't think Windows is there.
Speaker 2:Yeah, Windows, it is. Oh, the Windows.
Speaker 1:Advanced Windows also has a certification, and then all the other classes are great knowledge, so very cool. So before we move on from what we've been doing, you know, IACIS related and all that, I want to talk about what I did in between the shows. So now it's going to be me time real quick.
Speaker 2:Do it.
Speaker 1:I mean, it's me time most of the time anyways, but more me time. So I went to Epic Universe, right? So my beautiful wife decided that we should take some PTO in the middle of the week and do this.
Speaker 1:Yeah, exactly so it was great on her. So this is the entrance. It's amazing. I hate AI, except when I can delete people from the picture. So then I like AI so I can take people out. So then it looks like there's nobody there. And then this is me going into the Nintendo world. See how it simulates like the little pipes you go. So I'm there being like running towards it, and I obviously deleted all the other people around me because it's all about me did you make the sound effects as you went in?
Speaker 1:oh, of course, I mean actually the sound effects are part of the thing as you're going up, so, but I made them anyways, you know. And then here we are in nintendo World, here with my beautiful wife right here, and we're enjoying the. It's really immersive, like when you get in, like you see, like you can't really see outside of where you're at. So you feel like you're in the place, which is like an interesting environment. We'll see when it opens fully for the public and it's going to be crowded for sure. It was crowded and it wasn't full.
Speaker 1:Now, the part that I got really, really excited was for the Harry Potter section. Like the Ministry of Magic, I read the books when they came out, I saw the movies and it's really impressive exactly how the books and the movie are. The ride was not open yet, because during this test period some rides are open, so this one wasn't open, um, but it promises to be really awesome. So I enjoyed that. And then, uh, we got some some butter beer and if you're a fan of the books, you know what that is. So you're like heather and you don't know what it is. Then you have to go read the books.
Speaker 2:You know what butter beers I had to ask, I know. Now you told me yeah no, it's, it's pretty good.
Speaker 1:So, and of course, of course, I need to show you now a video of me making a full amount of myself, just so we don't break. We don't break the habit, so so, here you go, it's me well I mean, we can't just make fun of you, I have to. We have to make fun of me too.
Speaker 1:So here's me doing my best my best impression of mario some the uh super mario brothers, uh uh video game. Yeah, look at that. Of some of the Super Mario Brothers video games. Yeah, look at that, I'm an adult.
Speaker 2:I don't think so.
Speaker 1:I can see my wife there. I hear my wife there laughing at me because you know, I'm a goofball, definitely a goofball. You don't have to agree, you have to be like no, no, of course you're not. You're great man, You're a serious adult.
Speaker 2:No, I'm with Karen, I know, I know I'm chilling with you.
Speaker 1:Well, there you have it. That's what I've been doing. Now let's get back on track on this more serious stuff. Thank you, thank you. So we promised the students from our classes that we're going to do, so while we were... Yeah, we're glitching here.
Speaker 2:I'm sorry, go ahead.
Speaker 1:Yeah, that we promised the students that we were going to do a Spotlight demo. Is that better?
Speaker 2:I can see it.
Speaker 1:We're super lagging. I'm going to let you take over, so go ahead and tell us what's going on, what's coming up.
Speaker 2:Can you hear me? Can you hear me? I know, okay, so during IACIS we had an extra lesson in Spotlight, part of iOS and macOS, that I didn't get to in class, and I promised the students that we would cover it on the next podcast. So we're going to cover, for the Artifact of the Week, the Spotlight demo that I was going to do in class.
Speaker 1:All right, let me see here.
Speaker 2:And I am totally glitching out.
Speaker 1:Yeah, but just keep putting stuff up, because I can hear you, so we'll see how it goes. Your internet today is killing us, totally killing us.
Speaker 2:You can hear me? Okay, keep going. All right. So iOS Spotlight. If you don't know what iOS Spotlight is, it's the built-in intelligent search feature for macOS and iOS. It searches apps, files and the web, and you can see here in this screenshot that you can access it by swiping down on the home screen or with the search option available at the bottom of the home screen. So there are databases that are related to the Spotlight function in iOS and macOS, and here on the screen I have the paths where you can find those in your iOS. So if you go to /private/var/mobile/Library/Spotlight, in the CoreSpotlight directory are three different locations where you can find those store.db databases.
Speaker 2:So just a quick little overview of how the database is structured. There is the header page which, at offset zero for four bytes, you can see the header string there, that is the 8TSD, and then the next four bytes, starting at offset 36, will tell you the header page size, and then, at offset 324, for an indeterminate amount of bytes, is the path to where the store.db can be found on the volume. Then there is what's called the map page. On the map page, the first four bytes have the header string of 1MBD, and then there's an offset for four bytes, starting at offset four, that contains the page size. Then at offset eight, there are four bytes that contain the number of pages within the map, and then, at offset 32, for 16 bytes, start the map page entries. Then there's the data page, so where all of the good data stored in this store.db is contained. At offset zero for four bytes is the header string, which you'll find is 2pd. Then you'll find the page size at offset four, the allocated size at offset eight, and then, starting at offset 20, is the data inside of the store.db.
Speaker 2:So what can we find inside of the store.db? All kinds of data. It's an index, so you're going to find things like file names, file paths. You'll find file types, all kinds of timestamps, such as the created date, the modification date, last used date, date added. You'll find snippets of text from potentially text messages, emails, PDFs and other artifacts that may have text content. You'll find titles, we'll find the file size, whether a file was written or not, recent access dates. We'll find heights and we'll find what types of files are located, and you may also find, for some files, like the duration of the files. You can search keywords, you can find downloaded dates, and then my favorite part is there's a potential to recover deleted files. So if the Spotlight index hasn't been purged or re-indexed, you may be able to find things that have actually been deleted from the device.
Speaker 2:So on a previous episode of the podcast I actually talked about Spotlight, and I talked about Yogesh's script that is specific for Spotlight, and it pulls the data out of the store.db into text files. At that time I didn't know about his tool, mac_apt. So mac_apt is a tool to process Mac computer full disk images, but it also includes an iOS processing function, and specifically it'll process the Spotlight. It uses a plugin for Spotlight, so I'm going to show that now. Let me just share my screen and let's go to my desktop where I have mac_apt already installed. There we go. So I'm going to open a command prompt from the mac_apt folder.
Speaker 1:I'd already unzipped it and installed all of the dependencies. And then, yeah, let's zoom in. Or there we go, bring that font up.
Speaker 2:It's a little bit small there. There we go. All right. So from the command prompt, once all of the dependencies are installed, you use Python.
Speaker 1:Before you continue, real quickly, Kevin is saying that Yogesh also has ios_apt, so that's something that we should be going to. I haven't done it. You haven't done it yet, right, Heather?
Speaker 2:No, it's part of this, so.
Speaker 1:I'm going.
Speaker 2:Yep, yep, so I'm going to use mac_apt, but the artifact only, which relates to ios_apt.
Speaker 1:So they're together. That's what you're saying.
Speaker 2:I believe so yeah.
Speaker 1:Okay, go ahead.
Speaker 2:And then I'm going to do the input, and I already put, so Yogesh has in his instructions, he has a spot where he put the Spotlight files in a folder called spot, and then all I did was drop the CoreSpotlight folder, all of the different files from my full file system extraction, into that spot folder. So each one of these directories has this store.db that you can see here. So I'm just going to drag that location for the input, and then I'm gonna output it right to where Yogesh's example shows, which is an output folder in that same directory on the C drive, and then I'm going to do spotlight to just run the Spotlight plugin once.
Speaker 2:That goes very quick, by the way. If I go to the output folder you will see here, let me just make it larger, it actually outputs all of the data from the store.db into a SQLite database. So we can open it up in DB Browser and browse the data from the store database. So I'm just going to go to notes, because I know I have some data in the notes here. This is from one of my test phones, and in the notes, let me just control... You can see here that I have one, and its display name is computer secrets, so that one might be important in an investigation, right?
Speaker 1:Secrets? Why? What would that be, right?
Speaker 2:But then in the description is actually the computer secrets, which is the password to an encrypted volume on a computer: Bazinga 911 exclamation point. So this can be found in the notes portion of the store.db. And then there's other stuff too, like I have Facebook Messenger in here and you can see some of the Facebook Messenger data. It actually shows the two people who were communicating on Facebook Messenger, which is Sheldon Cooper (these files are actually from Sheldon Cooper's phone) and Amy Farrah Fowler, who is the participant in the Facebook Messenger messages on this device.
Speaker 1:Nice.
Speaker 2:Yeah, so if you go to this database in a forensic tool, whatever your forensic tool of choice is, and you go and look at the database, you can't see the data. One of my tools, actually, it's completely blank, and it's because it doesn't have a viewer for this type of proprietary format. So exporting those files and then using Yogesh's tool to bring them into a SQLite database definitely makes life easier for your investigations.
Speaker 1:If you want to take a look at the Spotlight databases. I mean, I would say, if you have a theory of the case, you can definitely make a big bang out of it, you know.
Speaker 2:Oh.
Speaker 1:Grumps.
Speaker 2:Dad joke all the way Dad joke that was good, that was good.
Speaker 1:Dad joke alert.
Speaker 2:But what you see, like on here. So it actually has information about podcasts. You can see what podcasts Sheldon Cooper was watching, the FTK podcast and the Digital Forensics Now podcast. So a lot of data to be found inside of these store.db files, and not really great ways of searching through them unless you pull the data out into the SQLite format.
Speaker 1:Well, I mean, dealing with logs is a pain, especially logs that need some conversion, right, and SQLite is a pretty solid way. It's kind of funny because I think, let me see, I think the thing we're going to talk about next, in a second, has got the same flow, right, when you take data from a log, put it in a SQLite database to deal with it, right, and I think that leads to the next section, which is what's new with the LEAPPs, right?
Speaker 2:Right, what's new with the LEAPPs, and we're going to talk about the unified logs and potentially some upcoming support.
Speaker 1:Oh, absolutely. So we've been talking a lot lately about unified logs, and look, if Damien says it, then I believe it.
Speaker 2:Yeah, I was just going to share that.
Speaker 1:Yeah, I'll put everything in SQLite. It's so easy to work with, it really is. Damien was also teaching at IACIS. We had some great conversations about how we can take some of his code for SQLite recovery and hopefully integrate it into other community tools like the LEAPPs. So I'm really happy with those conversations and hopefully we can make that happen. Damien is a master at all things databases, SQLite and others, so yeah, so if he agrees, I'm good, we're good. Yeah, so this is what we have, right.
Speaker 1:So we've been talking lately about Unified Logs a lot. I think the community is not really aware of how useful the data contained in them is. People like Lionel Notari, Christian Peter, who's in the chat, so it's awesome to have him here. Tim Korvac. His name's Korvac, right? Am I pronouncing it right? Hold on, because I don't want to misspell his name. Oh, here we go. Tim Korver, there we go.
Speaker 1:Tim Korver also is working, doing a lot of work on that. So there's folks looking at it. Now we're also, you know, Heather and myself are looking at it, and some of the other LEAPP developers. So why is it important, right? Well, first of all, a quick primer of what Apple Unified Logs are. They're not new. They've been around for a long time, and the issue with them is that they keep track of so many things on the phone, and some of them are important to your case and most are not. I think Heather can tell us, you ran your phone for 15 minutes and how many log entries did you get?
Speaker 2:1.5 million in 15 minutes.
Speaker 1:Exactly, and I mean a great comment right on point. What was Brett saying?
Speaker 2:Heather, they are called unified logs because they bring all your misery into one convenient place. It is miserable to look through those. The work that Lionel has done to go through those and actually figure out what some of those unified logs mean, I don't know how he sits there and stares at it for that long. I literally looked at 15 minutes' worth and wanted to pull my hair out.
Speaker 1:I imagine his eyes bleeding and trying to figure them out, but the sacrifice that Lionel has taken is worth it for everybody and for all of us, because the amount of data is so, so specific, and we're going to give you some examples. Now, before I give the examples, I want to also add, although it is true that it brings our misery into one place, it's also called unified because you find them in iOS devices, you find it in a MacBook, you find it in all these places that are Apple related.
Speaker 2:I had to share Kevin.
Speaker 1:Kevin is saying that is why I have no hair left. Well see, that's why I'm doing some artifacts, so I don't have to pull mine as well. So what are we doing about it? So the thing is, like Heather said, you have, and I'm going to actually, let me start with the, let me check this out. The thing we have to do is we have to kind of pull these logs, right, put them in a format that's easier for us to work with and then identify items of interest. We're planning in the near future, like near, near future, to start making some artifacts that are really specific to the items that we need. The idea is that, instead of looking, for every 15 minutes, at what you said, what, a million lines of log or whatever? No, 1.5.
Speaker 1:1.5, almost a million lines of log. Then we can narrow it down to the 100 that you might need in a timeline by timestamp. Okay, Christian is saying that checking live logs on a test device makes things much easier, which I agree with, if you're doing that part of testing. So that's a good note, and there's ways of definitely doing that, and actually that could be something we could show on the next show.
Speaker 1:So thanks for the suggestion, Christian, so more folks can do research, because it's not only about the folks that code, like myself, or the LEAPP developers, like Johann or James or Kevin. It's also about folks like Lionel that actually sit and give meaning to the artifact, so people like myself and others can then automate it for the rest of the community. So do that research. So there's ways of doing that. Now, what's the workflow that we're dealing with right now? So let me show you, let me go back here and show you a couple of things. I'm going to open here my screen. Let me hide my cheat sheet here, what I'm doing. The first thing is we need to acquire all the things, and how do we do that? We need to preserve those, and there's been a lot of necessity of doing that, because it has been known that some of our tools were getting rid of these logs before we were able to acquire them. I believe that's been fixed in some of the tooling, but at the end of the day, you need to do your own testing and validation of your acquisition tools to make sure that no data is being lost in the process. Okay, so I'm going to show here a great flow chart by Tim that explains how it works. Right, you can pull different types of logs from these devices, the sysdiagnose and the Apple Unified Logs. We're going to focus on the Apple Unified Logs. That'll be the column on the right, and I love this little flow chart because it shows us, right, do you have access to the device? The answer is yes, and then what you should do? Then you should acquire the AUL, and you can go from the flow of that chart to what your best option is.
Speaker 1:There's a command, sudo log collect. So the log command is a command that Mac devices, laptops, computers will use to manage and deal with those logs. This method will require you to have a Mac computer to be able to pull those logs out. There's other ways of being able to extract that. UFADE is one of the ways to do that, which is fantastic, and with both UFADE and using the log command, the end product will be a file. Well, it's not really a file, but a file-looking directory with a .logarchive extension. It's not really a file. It looks like a file, but it's actually a combination of files. Inside of them are the .tracev3, or, yeah, .tracev3 extension files. That's where your logs are in.
Speaker 1:If you open them, you will have tons of gobbledygook that you cannot understand. These need to be looked at in two ways. The first one is, let me take this picture out of the screen. The first way of looking at these log archives is through the Mac's Console application. It's a program that comes with Mac computers. You open the Console application and you can manipulate some of those. I find it a little bit cumbersome and slow to do so, so there's other ways of doing it. The second way of pulling those archives is, if you have an extraction, you can take the .tracev3 files and turn them into a log archive. Right now, the instructions we have on that are in French, thanks to Johann.
Speaker 2:I translated them. You translated them, okay, I did.
Speaker 1:I think the AI did maybe.
Speaker 2:Oh, the AI definitely did by I. I meant we did it together, me and the AI. Oh, yeah, yeah.
Speaker 1:Yeah, I don't think your French is up to speed. Your French is just as good as mine, totally non-existent. All right, so there is a way of doing that, and maybe we can cover it in another episode, on how to pull those out. So let me show you here how the command looks. So you pull the logs. This is a command I want to show you. It's called the stats command. I found it interesting enough to show. I learned this command from Lionel's blogs and it's pretty neat. After you run, you'll have your extraction, you can use log and then call stats, and it tells you all the types of how many events you have in your log, the activity, how many log messages, time to live for all those messages. It's pretty useful. And the processes, and the ones that write the most of that information, which again is some pretty interesting metadata. And he goes further and he has additional commands to really narrow down the different subsets of data using the stats command. I'm not going to go into that now, but you can see that in his blog, Lionel Notari's blog, so we'll put his blog in the show notes at the end of the show, and you can go, give us a few hours so we can put them up, and you can look them up, right. So what do I do? So the way I do it is, let me open here my... What I do is, let me, of course, if I could open a window too, you can all see. I take my Mac computer, and that's the only way I know how to do it, through a Mac, and again, it doesn't have to be a super powerful Mac, it could be the cheapest Mac you can find, and I take that logarchive that I created from my device, from my phone, through using the log command in a Mac computer or through using UFADE from Christian. I take that logarchive, and this is my process and the process that I think the tooling, our tooling, will use for the time being, the LEAPPs will use. For the time being, we're going to go and turn that .logarchive into a JSON.
Speaker 1:Okay, so let me show you here a picture of, another picture, sorry, of my screen. That's what I should show you, my screen. So here, actually, you know what? Yeah, I'll show you my screen because I want you to see the command. That'll be fine. I'll share this. This entire screen is fine. This is good. So let me open this up a little bit, so the folks that are listening, I'll try to describe it as best as I can. How do I make this bigger here? View bigger, so this one I'm plus. Okay, I was hitting the wrong command. There we go.
Speaker 2:That's better.
Speaker 1:I know it's too big, but it'll be fine. So you'll see here on the screen here log show. So log is the log command, the show parameter here, style is going to be JSON, and then the zero, zero, blah, blah, blah, blah, all the way to .logarchive. That's what the collection looks like at the end. Right, so you go to your connect the iPhone to the computer or to UFADE, you pull the log, .logarchive. That's going to look, it's going to be like a big numeric, alphanumeric string there, with .logarchive at the end, and then the command. I made a mistake here because I put it twice. Let me clear. Let me clear the screen a little bit because it looks horrendous for the folks that are watching, because I put the command twice. So let me just clear it out for a second. There we go, so let me look for the right one. There we go, much better. And then you say JSON.
Speaker 1:You take the archive and you pipe it to a file called logarchive.json. I need you to name it just like this in order for the LEAPPs, for iLEAPP, to be able to pick it up. If it's named something else, iLEAPP will not see it, so it has to be named logarchive.json. Now, the interesting thing about that, which I'm going to show you now, is that Heather did a sample data for us and, if you can see, here, let me show you how that looks. It's kind of small, so hopefully people can see it, but the logarchive itself is 1.1 gigabytes. It's pretty compressed. You say, well, that's a lot. Well, if you turn it into a JSON, it's 24.339 gigabytes. You know, like 24 gigs, almost 24 and a half gigs of JSON, which is insane. But why do I use this? Because it allows me to manipulate it in different ways. I'm going to take that JSON file and put it inside a SQLite database so I can query the database.
Speaker 1:In the near future, or nearest future, we're going to be able to use the new viewer for the LEAPPs called Lava to parse through them, and actually I've already done it. Let me see if we have time for that. We'll see if we have some time, maybe I can show you. The product is not ready yet. We need to add some things. One thing that we will need to add is a functionality for you to pick or select, tag the different log records, because you don't want all of them, right? You want some specific ones, so that way you can start tagging them and then end up with a final product with all the ones that you tagged. That's something that's coming in the future, but for the time being, what we're going to do is we're going to do that analysis using SQLite.
Speaker 1:So how do we do that? Well, since I have the screen here, I can show it here. So the first thing is we're going to go and we created our log archive and then, after that, we turn it into a JSON with the command that I just showed on screen. Let me hide this from here because I don't want to see it. And then this is you take iLEAPP and you point it towards it, and this is the output. Actually, let me show you the actual command in iLEAPP. So you see and, by the way, I merged this already. So folks have access. This is my script, folks have access to it already, people seeing behind the scenes here. There we go, so let me run this, all right. So what you do is you're going to run your LEAPPs, you're going to browse the folder where your logarchive.json is, that you created, browse folder for your output, and in modules you can just put here log archive, so that way you don't have to spend time looking for it, and select it.
Speaker 1:And then hit process. Logs in the log archive, process it. When it's done, then it will show you what I just showed you a second ago. It will show you this output. The output is going to tell you first of all that log archive has started and it says truncated file after position and a big long number. The reason is, for your knowledge as examiners, so you can know what the tool is doing: when you use a Mac computer to convert the log archive into a JSON, it does the conversion, turns everything into JSON format key value pairs and then appends at the end the name of the log archive, which is great.
Speaker 1:But the problem is that if I want to read the whole file as JSON, it won't allow me to. So what I do is, before I manipulate the JSON, I truncate the name of the file that's at the end of the JSON. That's the only thing I do. So that's the solution for you to then ingest the file as JSON. Okay. So that's why I put it there, so folks know what the actual tool is doing. And then after that, it found 20-something million records and then processed them and it's done. It takes around six minutes, which I don't think is unreasonable in order to take almost 25 gigs of data and turn it into.
Speaker 1:I'll show you now. I want to say two, but let me confirm into where's the database here it is into, I'm sorry, 4.8, almost five gigs. So from 25 to five, that's pretty good. Now be aware that I made a selection of what fields from the log archive I'm pulling and actually I'm going to make some changes. We're going to add one more field that we think we need, maybe one or two more. We'll be doing that in the next couple of days. So make sure that we don't miss fields that are essential. This is important for everybody listening. This tool and any tool will do that for you. They will make a decision of what things to show. It's incumbent upon you, as the examiner, to make sure that whatever the tool is not showing, you make sure that you might not need it. So you have to always look at the source data and do some sanity checks to make sure that you're not missing anything. I saw you there kind of smiling.
Speaker 2:What's going on, Brett?
Speaker 1:said. I think I'm in lava with that. I had to laugh. Well, I'm not the only one with a dad joke, so I feel I'm in great company with Brett here. All right, so after we run the tool, we'll get a directory like the ones you see here on screen. You get the ILib directory, as usual, and the data directory has the whole JSON there. And then this artifact is interesting. This artifact will not produce an HTML report, so if you run the tool, it'll look like nothing happened.
Speaker 1:That's something I'm going to change, for I'm going to make an entry here on the left column. I'm not saying me, but the developer. It's not just me, actually. I'll be honest with everybody. Right now I'm the one doing the least code, and the reason is because I'll be transparent: the project is, it's now, it's more sophisticated, and it pains me to accept that people that are way more knowledgeable than me need to push it forward. So I'm more doing artifacts than doing sophisticated coding, because it's out of my league right now. So thank you, Johan, thank you James, for pushing the ball forward where I cannot. But I can make artifacts at least.
Speaker 1:So the folks are going to add here on this, on the corner here, like an indicator that, hey, there is some data that's only viewable through Lava or viewable with the SQLite database. Okay, so there'll be a note there. But if you're using this for the first time, it'll be done and it won't say anything that you have. It did nothing. Oh, it did something. What did it do? Well, you go back to your directory, to your report directory, and there'll be a lava_artifacts.db. All your JSON is now in there and it's about, like I said, four gigs, five gigs almost in this case. Let's open that with DB Browser for SQLite.
Speaker 1:And before I do that, before we start querying and seeing useful stuff, let me just show if I could. If I could, because I'm not sure if I can. Actually, no, I can't, because I need to open the repository and jump through hoops to get Lava to run. Well, I mean, maybe I can, let me see. See if I can remember the command, npm, was it? You know what? I'm going to phone a friend. Hey, Kevin, if you could put up in the chat what's the command to run Lava from Visual Studio Code, put it there so I can show the folks, because, honestly, at the top of my head, I do not know it.
Speaker 2:I can't help you with that. I don't know it either.
Speaker 1:Yeah, I know. If Kevin is listening and can get it for me, that would be great. While he's doing that, let's show you again what's in the artifacts database. We open the database and let's go to browse data and within the tables there's one called log archive and we're going to open that, as you'll see here the timestamp. Kevin doesn't remember the command right now.
Speaker 1:If you have a computer, go to the Lava repository. It's going to be there if you don't mind. You know what I think? I have the Lava repository saved in my thing. Oh, I have it, never mind. Never mind, Kevin, I have it, I have it, actually.
Speaker 1:I have a pin because I'm a genius like that. Genius, as in the opposite of genius. Let me run Lava real quick so people can see how it looks. npm, so I got that part right. npm run dev. It's doing something, there we go, all right. So let me hide this. Let me show folks, before we do the SQL, I want to show how it looks in Lava.
Speaker 1:So this is not even an alpha version. It's like a super early version of the software. So don't judge me too harshly. I'm going to go to where my stuff is right. Let's go to the desktop and I point Lava to the LEAPPs directory and then I point it to the JSON file it's going to read from and it will read that database. You see logs here. The log archive table, all the 20 million records in them, and we press it and this Electron app is going to query that database and it's going to load the different information that's in it. It's pretty neat because you can change even well. That's loading. It takes a little bit of time. While that's loading you can change it to light setting if you want your eyes to bleed, or you can change it to dark, and it's pretty neat. It has an option for your timing and time zones, and-.
Speaker 2:I love that there's a time zone.
Speaker 1:Yeah, you know we try to please, you know, people that are not UTC value like that, don't get better UTC like you. I wonder if me messing up with DB Browser open at the same time it's gonna give it a heartache. Let me close this up. There we go, and there you go. So you have the timestamps here, very nice, and then you can go and query the different columns. Let me see, for example, let's look at subsystem here. You can then select what subsystems you want. It's pretty neat.
Speaker 1:Again, we're still in a really early phase, so we can't release this yet, and the idea is that you can then look through this interface, eventually add a functionality to select different rows that you care about, do some queries and the like. So we're going to close it. That's not ready for release yet, but that doesn't mean that we're powerless. What can we do? Well, let's take this database, let's open it with DB Browser for SQLite and let's go to the log archive. So what we're going to do is, first of all, you notice the timestamps here are Epoch timestamps. Well, let's take the timestamp column, right click on it and select edit display format.
Speaker 1:In our situation, I'm going to use a dropdown that shows up in the pop-up screen. I'm going to select Unix Epoch to local time. The reason I'm doing that is because I know this data was generated in New York, which happens to be my local time as well, down in Florida. So this should work. Always when you apply filters, not filters, but certain transformations in regards to time zones, you're going to make sure that you're doing it to the right data and that the data was generated in the right time zone, so you don't commit mistakes. Okay, so we're going to hit OK and here you go. Here are your timestamps. You'll see the process IDs, the subsystems, the categories and the actual messages, which is what the log is actually memorializing for you. So what we're going to do now is Heather's going to guide me to some awesome examples that she obtained or she did, based on Lionel's excellent work on these logs. So let's get to it. What should I do first, Heather?
Speaker 2:So for event message filter on iBoot.
Speaker 1:Event. Let's put iBoot here and notice, folks, we're talking about 20-something million records, so this might take half a second or so. Um, I still think it's amazing that with SQL, that with SQLite, we can actually move through it in a fashion that's workable. All right, so what are we seeing here, Heather?
Speaker 2:So if you look at the entry on 5-15-2025 at 8:44, that's when I started my 15 minutes or so of testing and you can see the iBoot version. It is artifact 7.
Speaker 1:7. I'm going to highlight it here. There we go.
Speaker 2:That is when I booted the phone up to start my 15 minutes of testing.
Speaker 1:Look at that. So an actual entry. Was this phone booted? Could that be important investigation? Absolutely. What's next?
Speaker 2:So you can take the iBoot away and then on the timestamp filter do 2025-05-15.
Speaker 1:Dash 05.
Speaker 2:Dash 15. And then for time do 08, colon 44, colon 45.
Speaker 1:The subsystem. Once that goes on, subsystem, put in SpringBoard. And this is the thing, right, while that's loading. We're gonna build artifacts that speak, or at least to a SpringBoard, um, that will aggregate some of these. But in the meantime you need to go to Lionel's blogs and do like we're doing: look for, um, timestamps, subsystems and event messages of interest and look them up, and then you'll have the timestamp of what's happening. And then you can filter by the minute. Right, and I say by the minute because, Heather, how many records can we have in a minute, more
Speaker 2:or less. There's tons. I mean in 15 minutes there's 1.5 million. So I mean it's insane.
Speaker 1:We can have 15,000 in a minute, right? So then you can filter, let's say, even if it's by a minute, then you can see what's happening before and after your term of interest, right so?
Speaker 2:for example.
Speaker 1:Let's do the next one, Heather. What are we looking at now?
Speaker 2:So if you look at line number seven, there's a lock button single press and there's a lock button single press recognized. At that minute, or at that second, I pressed the side button to lock the device.
Speaker 1:I mean, that level of granularity is insane. Yeah, definitely. If you scroll down to artifact 51. All right, 51, I'm going to highlight it.
Speaker 2:The received face in view.
Speaker 1:I was unlocking the device with my face, so you were hitting the number for your nose. Is that what you were doing?
Speaker 2:No, putting my face in view of the phone so I could unlock it. I'm an idiot. I'm an idiot, I know, sometimes. Um, if you leave the SpringBoard filter and then just change the time to 0846, no seconds. And then scroll down to artifact 301.
Speaker 1:All right, let me scroll here 301, you'll see that.
Speaker 2:Received face in view again. I was opening the device with my face again, but if you scroll down to 382 you'll actually see the transition state moves to unlocked.
Speaker 1:And that is from my face unlock, huh, look at that. Like, so, face unlock. This is great. This is great evidence in the case.
Speaker 2:Yeah, yeah, definitely. Clear filters.
Speaker 1:And, by the way, can you imagine? Well, no, I did not unlock it, it was your face. Unless you have a twin, it had to be you, because it's your face that unlocked it. I mean, come on, it doesn't get any better than that. Sorry, I get excited. What are we doing now?
Speaker 2:A lot of times I've seen, like on the groups and on the listeners, people saying how do I tell if somebody unlocked the device with their face or their passcode? These logs are going to tell you that.
Speaker 1:Oh, that's so amazing.
Speaker 2:Yeah.
Speaker 1:All right. What are we doing now? Get rid of the timestamp filter, get rid of the SpringBoard filter and I think just in message type penguin.
Speaker 2:P-E or P-I, I'm not even sure. P-E.
Speaker 1:G-U-I-N. You know, being Hispanic, I spell penguin differently, so I have to remind myself. All right, all right, we have seven records here.
Speaker 2:So with these records what I did is the very first few, I called the contact in the phone, Penguin, by going to the contacts, to the phone book, and then the bottom three, if you see, the subsystem is missing. So those were actually done with Siri, where I said, hey, Siri, call Penguin, and we're going to add a column that will show that that was with Siri, because I can see it in Console. We just need to add it to this.
Speaker 1:Yeah, it's most likely a field that I did not add in my ignorance, so that's why we have to do this testing. So then, like Heather said, hey man, we're missing a field. That's important, then we can add it to the filtering that we do when we process the JSON file. That's amazing. Can I press on them or not, really.
Speaker 2:Yeah, click on one of those last three in the message. Yeah, so then if you pull it over you can actually see the contact. The display name is Penguin and there's actually a phone number in there to the contact as well.
Speaker 1:Let me open this up. I should have made this font larger, but bear with us, folks. So you see here, name is Penguin, right there. I highlighted it here on the right side of the screen there and then the phone number and their value is there. So that's pretty amazing.
Speaker 2:And that was one of the Siri ones: Hey, Siri, call Penguin.
Speaker 1:Yeah, like an interaction. That's pretty amazing.
Speaker 2:That's great. I love it.
Speaker 1:Want some more? Yeah, yeah, yeah. I mean, why not? We got time. I mean this is awesome. Get some more.
Speaker 2:Okay, so get rid of the Penguin. Put a filter on for the 08 or 515 or 2025-05-15, same day, 15?
Speaker 1:Yep, yep.
Speaker 2:And then for time do 08, colon 52.
Speaker 1:08, colon 52. Okay.
Speaker 2:And then under the message filter just type airplane.
Speaker 1:Oh, I love where this is going. I love it. Let's give it a second here.
Speaker 2:It's gonna load those 25,000 records that were produced in that minute.
Speaker 1:Yeah, that's insane. But again, I don't have more than less. Yeah, now we need to figure out what all 25,000 mean. I'm going to let you handle that.
Speaker 2:I need help. Is anybody out there? I know Lionel and Christian are working on it and Johan's working on it. Can we get some help?
Speaker 1:Oh, please, please. Let me know, and I'll quote it. All right, so what do we have here?
Speaker 2:So the first record you can see airplane mode is off and then at record five is actually when I navigated to the settings and enabled airplane mode on the device.
Speaker 1:So you can see there folks, airplane mode is on. It's now one because it's on. Amazing.
Speaker 2:Right, if you just change the timestamp filter to 0854. Yep, and leave that airplane right in there. We should see when I turned it off.
Speaker 1:See, Derek is saying that it's very cool.
Speaker 2:It is very cool.
Speaker 1:It is, and this type of information is not only important on the DFIR side, working intrusion cases or anything like that, like corporate cases. Having this granularity, this level of detail, you remember Foghorn Leghorn in the cartoons?
Speaker 2:No In the old.
Speaker 1:Looney Tunes cartoons.
Speaker 2:Oh, yes, yes, I do.
Speaker 1:The rooster goes uh, uh, uh, and then he started with one word and he couldn't finish it, so he went with a different word. That's me.
Speaker 2:You fixed it, but you just told on yourself. You should have just went with it, it's okay.
Speaker 1:It's still true. So yeah, so the amount of level that this detail, that this has, right, is going to be useful for any corporate investigations, corporate cases, all like accidents, disputes in regards to who's responsible for an accident, distracted drivers. I mean, we are really right now. This log, I believe, is really understated in the forensics world.
Speaker 1:And it should take. We're working as community members to make sure that we give a word, put the word out, but also this type of conversion to make it accessible to people. Alright, sorry, got a little tangent there.
Speaker 2:No, you're good, so you can see at 8:54, I took the. I turned airplane mode off.
Speaker 1:Oh, there we go, there we go, boom Off Awesome.
Speaker 2:Yeah, so remove airplane from your filters and change your time filter instead of 54, change it to 58.
Speaker 1:58,. Here we go, okay.
Speaker 2:And there's a ton of stuff in here. Actually, we're going to put a filter on for Facebook in the messages.
Speaker 1:Messages. This minute gave us 35,000 records.
Speaker 2:I think we can narrow it down if we put Facebook in.
Speaker 1:Yeah, I think that might be a good idea. It's down to 2000. 2000 is way more manageable.
Speaker 2:That's definitely better. So at this minute at 8:58, I opened up the Facebook application, messed around in there a little bit. You can see in some of these artifacts that there's data usage for the Facebook application and there's a whole bunch of other things going on with the Facebook application here too. I mean, there's still 2,300 artifacts just related to me opening the Facebook app and I literally just clicked on one thing.
Speaker 1:This is interesting because, even if there's not a line that says Facebook app opened, you know, I mean, uh, if you look at what the behavior of the log is when you open an app and you see, for example, like you said, data usage, how much Wi-Fi, then it's coming in and out, uh, paired to some specific DNS requests. Paired to, I think there's. I think you said there's a user one, is it? That is, that's not like a user entry, which is Facebook, in the Facebook one?
Speaker 2:Oh, there's one. I'm not exactly sure what line it's on, but there's one that actually, uh, that has the word icon in it, and it's when I'm pushing on the icon to open, to launch that app. Yeah, but the user stuff.
Speaker 1:I'm not sure if there's anything user. No, no, but even icon, right, if you have the icon, you have the data. You kind of look at all these things like, well, it's getting this section, it's getting this, getting that. That will tell you that it's consistent with somebody driving the thing, that it's not just Facebook doing something behind the scenes without you doing it.
Speaker 2:There's artifacts in there too that show when the app is in the foreground or when it moves to the background. I mean, I didn't map those out to show it, but they're in there. So if you were to do some keyword searching related to Facebook and background and foreground, you'll find that too.
Speaker 1:There you go, and let me say Matthew is saying that this feels like KnowledgeC, but cooler and more granular. KnowledgeC or SEGBs, and I mean, do you agree, Heather?
Speaker 2:Yeah, oh, definitely. I think it's definitely cooler.
Speaker 1:It has way more detail. Imagine having SEGB stuff, right, and then having this on top of that. I say SEGB because SEGBs are now the structures that, yeah, that took over for KnowledgeC. You put all these together, all these different data points, in a good timeline. Oh my goodness, I mean, the amount of visibility you get into user action, which is what we care about.
Speaker 1:We care about differentiating between user action and system action devoid of the user. It's just, again, it's really understated. Folks are not using it. Many folks are not even collecting these logs. You have to collect these logs, I'm sorry, but that's what it is, and we're going to kind of share the process of doing so out of a full file system extraction if you didn't run the command, and then you can go through this process to turn it from a log archive into JSON, use iLEAPP to dump it into a SQLite database and then you can go in and look for the key keywords.
Speaker 1:And again, in the near, near future, I'm going to do it myself. I'm going to make sure I can build some artifacts. At least, I want to build an artifact that puts all the ones that Lionel has been highlighting in one place. You can see them chronologically, like open, face view, locked, unlocked, airplane mode, like all of those that we discussed, all in one place, and then, as we discover additional ones, we can add them to that known-to-be-awesome log entry list. So I still have to think how I'm going to do it, in the sense of what the output will be, because I bet they won't fit on an HTML report, you know.
Speaker 2:That's not going to happen.
Speaker 1:So I'm thinking maybe I need to turn it into some JSON and then, I don't know, I have to think, and then maybe put it in a SQLite database. I don't know how to think about it, but we're going to discuss that. Some of the developers, I'm going to float the idea to them and see where we go from there.
Speaker 2:All right, we got to show one more.
Speaker 1:Yeah, absolutely Go ahead.
Speaker 2:So if you change your time filter to 09.00.
Speaker 1:Take Facebook out.
Speaker 2:Yeah, you can, yep.
Speaker 1:Okay, take Facebook out and then send it to what again?
Speaker 2:09.00.
Speaker 1:09.00.
Speaker 2:Yep, and then you should be able to just type in face up. Oh, I can't hear you. So can you hear me? Oh, okay, well, let me just tell you about it real quick, but I can't hear anything you're saying. So, um, you can find the orientation changes to, oh, I hear you again. Okay, you know my, my dummy, uh, arm hit the mute button, okay.
Speaker 2:So that one wasn't me. Good, because mine's been a disaster this entire show. So, um, you can see the, uh, device orientation change to face up. So I had the phone face down on my table and I flipped it to face up, and prior to that you can actually go look and find a face down entry as well.
Speaker 1:Well, and like you mentioned, you see here receive orientation, and it goes from face down to face up. Of course, like you said, we can look for that specific entry going back in the log, but even mentioned, it's here. So you had like a double confirmation there of what's going on.
Speaker 2:Yeah.
Speaker 1:That's awesome Again. It's like moving from this place to this other place. Oh, how awesome is this.
Speaker 2:Yeah. So all that stuff was going on in like 15 minutes too, and there are so many entries that are between the things that we were just showing everybody that I don't even know what they mean. So further investigation we're going to have to try and figure out what some additional entries mean for sure.
Speaker 1:Oh, out of 20 million entries, I believe, just based on the statistics of how things are, that we're still just scratching the surface with as many as 10, 15 artifacts, which are still amazing. I think you mentioned during last week, because this, by the way, this little conversion that I did with the LEAPPs, I did it in the, not breaks, but as Heather was teaching something, then I had a break, then I would code some of it, right, and Heather was telling me, and correct me if I'm wrong, that there's some artifacts related to automotive things, right?
Speaker 2:Oh yeah, Lionel has them on his blog. So whether it's moving, whether it's vehicular speed, I guess it's picking up. I'm not 100% sure, but he has a whole blog on the moving states of the device. John Hyla, who was teaching with us in IACIS, was actually testing them during the breaks too, and he took the phone out and he ran with it and it picked up that the motion state changed to running.
Speaker 1:Oh, wow.
Speaker 2:Yeah, he was checking that out. Definitely he had it going. We flew home together. He had it going in the airport showing me all this stuff, so it was cool.
Speaker 1:We're about the same age, so me putting myself in his place, I bet he was really happy that the phone thought he was running. Yeah, yeah, because if I do it he might think I'm walking.
Speaker 2:Listen, it's fine, because you're not going to find the running, uh, motion state transition on any of my devices. No way, but?
Speaker 1:But you weren't, you weren't even trying. But I think even if I tried, it was still briskly walking, it won't get to running state. Which reminds me, I think Bill is trying to figure out how do I simulate, what was it, a crash with a phone?
Speaker 2:Oh yeah, he was Yep.
Speaker 1:And throwing it. I don't think that's going to simulate a crash. Maybe if you get in the car, you get it to 80 miles per hour and then you throw it at somebody with a catcher's mitt, maybe. Of course I don't want to be the one receiving that phone at 80 miles per hour. Also, the phone might not survive.
Speaker 2:But who knows? This is a good comment from Christian. Often, several entries show the same process from different perspectives, from the perspective of other apps Springboard, et cetera and I 100% can see that in the data that I collected today. Like for one airplane mode on, there's like a few different ways of saying it in the logs and it's all the same event. I only did it once.
Speaker 1:It will be interesting Again, I'm a neophyte on this To see those different perspectives. Hey, we can even aggregate them right, so some sort of categorization of you know. Again, if other apps are interacting with another app, how do we automate the identification of those? That would be pretty interesting, yeah. And the more we see a user action generating something on the device, the more we know about the user, which I think is the, like Brett says, put the person behind the keyboard or, in this case, behind the screen of the device. An actual human was using this and doing X, y and Z. That is relevant to the case.
Speaker 2:Right, exactly so. Very cool stuff, and I didn't realize you already put it into the leaps and that I can go use this now yeah, yeah again folks, just again, and I have to.
Speaker 1:I had to make a post. This is it's. We're all so short in time, but I gotta make a post where it's the explain the process, which is take your mac, pull your log archives or, if you have them already, turn them into json, make sure you rename it as logarchivejson, run it with ILEAP and look at the database and you should be able to do a whole bunch of stuff with those. You do the SQLite version of it.
Speaker 2:Let's do that, post this well, by next week, and we'll add in Johan's way of pulling the logs from a full file system extraction and how to create that log archive so that people have it. I a full file system extraction and how to create that log archive so that people have it. I know you were asking me about it in the middle of the show and I froze completely so I couldn't hear what you were saying. But let's, let's try and put it up on either your site or my site, or both and give that that walkthrough.
Speaker 1:Oh, that's awesome. Yeah, we'll put it up and talk about that, if you don't mind, and talk about that.
Speaker 2:If you don't mind, so will this already work with the Mandiant tool JSON output. What did we find? You ran it.
Speaker 1:So I ran it and it worked. One thing I didn't like is that it changed the column name to something that they named and I like to use Mac to produce the JSON because it's whatever naming Apple gave it. So I'm taking an Apple product, using another Apple product that's designed to work with those to produce the JSON that I will use. So to me, from my perspective, I'm not using removed from the process third party to look at it. I mean it's not wrong. But from my perspective, the less I can involve third and fourth parties into the transformation process, I think it's better. So instead of being going from apple to main, the end, to json, to leaps, to sqlite, to you, I'd rather keep it all the way apple to the sqlite. And there you go, right, and I, I preserved, preserved the names of those columns. Of course, timestamp is timestamp, right, but subsystem is how Apple named it. Event, whatever it is, is how Apple named it. To have that continuity, it's more of a preference.
Speaker 1:If somebody says, well, I used a Manion tool to convert it to JSON to manipulate it, is that incorrect? No, it's not incorrect. Again, you're an examiner, you're an expert, you verified the data, you validated the process. You put in your notes what each field means and you provide your report. I don't see why it wouldn't be accepted. But from my personal perspective, this workflow, I feel it's better for me for those reasons and also I control also the SQLite database that's produced because I made it and the source code is open source. I'm not sure Mandiant is, maybe it is. I don't want to speak out of turn, but if it is great, right, people can look at it and if they need to make changes to make it better, they can submit a pull request to us and then we go from there. Does that help, heather?
Speaker 2:Do you think that makes sense? Yeah, definitely. I haven't had a chance to look at the output that Mandiant puts out either. I know you showed me that the columns are different, but I would also like, like you were kind of just saying, to make sure that everything I'm seeing in Console, and everything I'm seeing that I think is relevant artifacts, actually are there in the JSON.
Speaker 1:Yeah, absolutely. And let me make a quick note for the developers out there. Again, this is a humongous JSON file, 25 gigs. If you're going to use import json and try to have the json library eat it, good luck. It's just way too big and it's going to take forever and might not even work. So for developers out there, what I did, that seems to and does work, as I just demonstrated, is an import that I did, a library which I'm going to have to add also to the LEAPPs' requirements.txt. It's called, if I'm not mistaken, ijson. I want to show it here, obviously, so I have to do my ABCs to know where L is. All right, there we go. I got the code there. Let me show the folks quickly before we leave. It's kind of funny. We're like, we have no news stuff to talk about in the show. So we're like, let's make it like a tech show. And now it's like we need more time.
Speaker 2:Yeah, I didn't think it would go the whole time.
Speaker 1:Yeah, me neither but.
Speaker 2:I love all this stuff.
Speaker 1:I mean, we both do. I need to hit stop screen and then present on the screen, share screen. Right, allow it, and I want to share the screen. Okay, so here we go. Perfect. So here is how the artifact looks, like I mentioned previously. Make sure that the output is called logarchivejson, so the iLEAPP plugin or artifact can pick it up, all right. Notice, folks, here the output type is going to be a Lava output, which means it's going to be the database, the SQLite database. You can put HTML here in the list. But the problem is that, good luck opening a 24 gig or two gig HTML, not happening, just not happening.
Speaker 1:So, but again, we're going to work on how to talk to developers in the Discord. Today I'm going to put a message out. Smarter people than me, how can we do this? That being said, let's go down here. I want to show you. I import ijson, you see here. So what ijson does, it takes and reads, you know, in this case, it's a big dictionary that has lists in it. It reads each list individually, so it doesn't need to load the whole JSON in memory to deal with it. It works with it as it's loading, which I really like a lot, and you can see here. There's some code that I made here to truncate the last part that's not JSON, so it doesn't choke, and then I let you know that it's truncated after position one. Actually, I need to put here, it shouldn't be print. I need to change this to what? Hold on, I need to change it to LogFunc. Actually, since I'm here.
Speaker 2:Let me do it right now. Oh, we get to witness you live coding.
Speaker 1:Well, live affects my own nonsense, all right. So what LogFunc does is actually make sure that it's shown to the screen and also shown in the actual TXT log, which I didn't do, but now I just did. Yay, all right, so it's pretty neat. So for it to be Lava compliant, you put the decorator for artifact processor and then you do your stuff as you would do, and here I pull out timestamp, process ID, subsystem, category and event message and the trace ID, and then I collect them and then I send them. When I return it, the decorator looks for these three things and makes sure that the SQL database is populated accordingly.
Speaker 1:And there we go, super easy to make this artifact in the sense of the artifact structure. Your magic here about how you go about the JSON, well, that's on you as a developer and that takes a little bit more time. And there we have it. So folks, use the ijson library there, and if you want to do your own way of doing it, this is just one way, not the way, but if you want to build your own, I recommend using ijson as your module to read that JSON in parts: process, read, process, read, process, read, and make it manageable.
Speaker 1:Makes sense to you?
Speaker 2:Heather, it makes sense. That's just a couple of the code right, easy peasy, easy peasy.
Speaker 1:Yeah, you know it's easy. Sometimes you give me, oh, it's not easy, just Google it. The first entry tells you how to do it. I mean, come on, I know, AI, AI, no, no, Google it, oh no.
Speaker 2:I'm not doing that anymore. I'm not Well. I did do it to translate Johan's PowerPoint, though.
Speaker 1:I mean, okay, I'll let it pass.
Speaker 2:Although I sent the translated copy to him and he said a few things aren't right. What yeah?
Speaker 1:I cannot believe it.
Speaker 2:It can't even translate right. We had to get some kind of AI into this hour, didn't we?
Speaker 1:We have to, we have to, we love it a little bit, I hate it a lot. Anyhow, so that way, I think that's what we have for everybody. Folks, do you have any? Oh, no, Heather does have something, or else. What do we have, Heather?
Speaker 2:I didn't have to do the meme of the week? We have to. Go ahead, tell. All right, let me share my window here, if I can find it. There we go. So, since we were gone for two long weeks at IACIS, we have to put up the meme that has "just got back from a conference, training." And then it says "the office" and there are things on fire, there's people on the ground, there's things destroyed. What?
Speaker 1:am I missing A mess on the floor?
Speaker 2:Yeah. So it is saying you know you come back to the office after your two weeks of conference or training and the office is on fire.
Speaker 1:You have like 20 million emails waiting for you.
Speaker 2:So, yeah, I couldn't believe the number of emails and I have a grand jury and a trial that were sprung upon me when I got back.
Speaker 1:So they're doing two weeks. What?
Speaker 2:Yeah, yeah, no, at least the analysis is done, but they're going to court, so, oh my goodness, so many emails.
Speaker 1:You want to turn into JSON and put it in SQL database.
Speaker 2:Yeah.
Speaker 1:To be able to sort through them.
Speaker 2:Right, exactly. Oh my God, that's like the nerdiest joke ever. All right. Well, you are a nerd.
Speaker 1:We are a nerd. Actually, I can see that you're a live nerd.
Speaker 2:Oh, I am yes. Yeah, on your screen right there it says LiveNerd.
Speaker 1:Anyway, oh, it's been a blast as always. Yes, you're the best Heather.
Speaker 2:Thank you so much Sorry about my Wi-Fi. I will get it fixed for next week. I hope the spotlight stuff came through for everybody. If it didn't, I can always briefly redo it in the future when I fix my internet issue.
Speaker 1:No, no, it came across. What you need to do is fix your Wi-Fi by not using it, by having a big fat wire.
Speaker 2:I know Cat 6 going from your computer to your router. Yeah, just like I used it, all right.
Speaker 1:That's funny. I'm trying to do fireworks, but I don't see the fireworks things on my thing anymore. I think I turned it off. Anyways, for the next episode.
Speaker 2:All right.
Speaker 1:Well, anything else for the good of the order, Heather?
Speaker 2:That is it, Thank you everybody for listening, Thank you.
Speaker 1:If there's no cool news to comment on in the next two weeks, guess what We'll do? Another tech podcast, baby.
Speaker 2:Yeah, why not?
Speaker 1:Heck, we need to start just showing them how to put the log archive from the tracev3 files and make it into log archives. Just that is going to be a cool episode, so we might be doing that soon.
Speaker 2:Definitely.
Speaker 1:All right. Again, thank you, and we'll see you all in a couple of weeks. Take care.
Speaker 2:Bye.
Speaker 1:Bye. [Outro music]