Inside the Core Episode 2


Jun 09 2009 30 mins  
Episode 2 is uploaded! The sound quality is a bit better, but we are still working on that. In this episode we cover: Defeating the Open Firmware password, Mobile Forensics World's iPhone Forensics panel discussion, the Plist of the Week and a few Mac websites.

You can send any comments or questions to:
Click here to send The MacDudes an e-mail

Episode 1 Show Notes (Download at: Show Notes)

GOLDEN RULE: Use the OPTION key to boot first and confirm there is no Firmware Password

OFP: Prevents any startup option other than "option" or "startup disk".

If OFP is active and you attempt an alternative boot sequence, the system will default to the normal “Startup Disk” and writes may be made.
-Don't want to make writes....

1. Boot with the option key to confirm whether an Open Firmware Password exists
2. To get around:
A. Pull hard drive and image via write block (24 screws or less)

B. Reconfigure the RAM:
1) Shut down
2) Disconnect power (if laptop, remove battery)
3) Remove a stick or add a stick of RAM to reconfigure
4) Close up, connect battery/power
5) Press the Command+Option+P+R keys all at once "Vulcan Death Grip"
6) Listen for 3 chimes - indicates reset
7) Restart and use Option key to check

NOTE: Time will be reset. The clock will possibly be off.
Logs may be important.

Mobile Forensics World iPhone Forensics Panel

iPhone Panel:
-Ryan Kubasiak: Macosxforensics.com
-Jonathan Zdziarski: iPhone Forensics author
-Sean Morrissey: Dept. of Defense
-Andrew Hoag: Moderator

-Took questions from audience after moderated question session.

Different ways to get data:
Hardware/Software Suites:

Wolf: Good for an unlocked phone; can be used if you unlock the phone.

Cellebrite

Different Methods:
Raw Disk info: Jonathan Zdziarski and Sean Morrissey
-Concerns as to what is being changed from a data standpoint

Don't forget about the iPhone backups on the Mac: a wealth of information

PList(s) of the Week (PLOW):

Plist: Registry-like files, but corruption of one file doesn't corrupt the entire system.

Application plists:

Quicktime:
Global-->Library-->Preferences--> com.apple.quicktime.plist
-Shows Registered User and Registered Key
-Can indicate the key for verification of legal software

iWork (Mac Office Suite):
Global-->Library-->Preferences-->
iWork08: com.apple.iwork08.plist
iWork09: com.apple.iwork09.plist

Google Gears:
Global-->Library-->Preferences--> com.google.gears.plist
User-->Library-->Preferences--> com.google.gmailnotifier.plist
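
Added example (not from the show or The MacDudes): a Python sketch that looks for the plists named above under the Global and per-user Library/Preferences folders of a write-blocked mount and dumps their keys, recording a damaged plist as an error instead of stopping. The sample tree, the "examiner" user and all key names and values inside the plists are constructed for illustration; real key names may differ.

```python
import plistlib, tempfile
from pathlib import Path

# Plist file names listed in the show notes above.
TARGETS = {"com.apple.quicktime.plist", "com.apple.iwork08.plist",
           "com.apple.iwork09.plist", "com.google.gears.plist",
           "com.google.gmailnotifier.plist"}

def flatten(value, prefix=""):
    """Yield (key_path, leaf_value) pairs from nested plist dicts/arrays."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from flatten(v, f"{prefix}/{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from flatten(v, f"{prefix}[{i}]")
    else:
        yield prefix or "/", value

def triage(image_root):
    """Return {relative_path: {key_path: value}} for every target plist found.
    Files are opened read-only; image_root should be a write-blocked mount."""
    root = Path(image_root)
    dirs = [root / "Library" / "Preferences"]            # Global
    dirs += sorted(root.glob("Users/*/Library/Preferences"))  # per user
    report = {}
    for d in (d for d in dirs if d.is_dir()):
        for path in sorted(p for p in d.iterdir() if p.name in TARGETS):
            rel = str(path.relative_to(root))
            try:
                with path.open("rb") as fh:
                    report[rel] = dict(flatten(plistlib.load(fh)))  # XML or binary
            except Exception as exc:  # one damaged plist must not end the run
                report[rel] = {"error": f"{type(exc).__name__}: {exc}"}
    return report

def build_sample(root):
    """Constructed sample tree; key names and values are invented."""
    glob_dir = Path(root, "Library", "Preferences")
    user_dir = Path(root, "Users", "examiner", "Library", "Preferences")
    for d in (glob_dir, user_dir):
        d.mkdir(parents=True)
    qt = {"Registration": {"User": "Example User", "Key": "XXXX-0000"}}
    (glob_dir / "com.apple.quicktime.plist").write_bytes(
        plistlib.dumps(qt, fmt=plistlib.FMT_BINARY))
    (glob_dir / "com.google.gears.plist").write_bytes(b"not a plist")  # damaged
    (user_dir / "com.google.gmailnotifier.plist").write_bytes(
        plistlib.dumps({"Account": "user@example.com"}))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, keys in triage(build_sample(tmp)).items():
            print(rel, keys)
```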

Websites to Check Out:
Mac Shadows: www.macshadows.com

Macenstein: www.macenstein.com