Finally got around to writing up my iPhone Backup Forensics talk from #OBTSv7.0 — now in blog form:

https://kieczkowska.wordpress.com/2025/04/29/iphone-backup-forensics-101/

First post in a while, hopefully not the last.

iPhone Backup Forensics 101

In December last year, I gave a talk at OBTS v7.0 in Maui, HI, talking about iPhone backup forensics. This post is the text version of the technical part of this talk, which can be found on Objecti…

Kinga Kieczkowska // #tech #dfir #infosec

"Mirror Mirror: Restoring Reflective Code Loading on macOS" (Patrick Wardle)

TL;DR In-memory execution is possible on macOS and used by bad actors. However, Apple has decided not to let processes see the memory of other processes as a privacy protection. Current detection will have to focus on what bad actors do after in-memory code execution. #detectionengineering

https://objectivebythesea.org/v7/talks.html#Speaker_1

#obts #obtsv7

#OBTS v7.0: Talks

Conference Talks

"Unveiling the Apple CVE-2024-40834 - A "shortcut" to the bypass road" (Marcio Almeida)

Users can build automations called shortcuts and even send them to other users or share them. 💀 He demonstrated one attack vector where you could persist malware via adding code to the .zshrc file. I'm sure there are many more. There aren't a lot of guardrails on what these shortcuts can do.

For enterprises, I would consider banning shortcuts entirely if you can.
#detectionengineering

https://objectivebythesea.org/v7/talks.html#Speaker_7

#obts #obtsv7


"Mac, where's my Bootstrap? What is the bootstrap server and how can you talk to it?" (Brandon Dalton & Csaba Fitzl)

You can detect common classes of XPC exploits by looking at the code signing info on both sides of the connection. #detectionengineering

Code here: https://github.com/Brandon7CC/mac-wheres-my-bootstrap

https://objectivebythesea.org/v7/talks.html#Speaker_2

#obts #obtsv7

GitHub - Brandon7CC/mac-wheres-my-bootstrap: Detect common classes of XPC exploits

Detect common classes of XPC exploits. Contribute to Brandon7CC/mac-wheres-my-bootstrap development by creating an account on GitHub.

GitHub

"Tripwires in the Dark: Developing Behavior Detections for macOS" (Colson Wilhoit)

Mac malware is increasing and is increasingly targeted across verticals. Behavioral detection is an important part of defense. Detecting malware based on behaviors (i.e. this command ran then this command after it) is much more reliable than brittle indicators like IP addresses or hashes. (Though those detections have their place too.)

Colson and Elastic have released some rules here that might be useful for your org: https://github.com/elastic/detection-rules/tree/main/detection_rules
#detectionengineering #obts #obtsv7

detection-rules/detection_rules at main · elastic/detection-rules


"A Better Way - YARA-X, Mach-O Feature Extraction, and Malware Similarity" (Jacob Latonis & Greg Lesnewich)

Things I learned:
Imports stored inside Mach-O binaries are rebuilt via finite state automata.
A pocket attribution guide for the DPRK. Enjoy the blurry picture of the slide below.

And . . . cool tools. YARA-X (written by Jacob) can parse Mach-O files. So now we can build YARA rules including dylib hashes (similar to imphashes for Windows) and entitlement hashes. #detectionengineering

https://objectivebythesea.org/v7/talks.html#Speaker_26

#obts #obtsv7

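The post above mentions that a Mach-O parser lets you hash the list of linked dylibs the way imphash does for Windows imports. The following is an added example written for this page; it is not code from the talk, from YARA-X or from the speakers. It walks the 64-bit Mach-O load-command table, pulls the names out of LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB / LC_REEXPORT_DYLIB commands with bounds checks for truncated or malformed files, and derives a hash from them. The exact normalisation (lowercase, load-command order, comma-joined, MD5) is an assumption made here for illustration; to compare values against YARA-X you would use its own dylib hash function. The `build_macho` helper only fabricates a minimal Mach-O so the example runs offline.

```python
"""Extract linked-dylib names from a 64-bit Mach-O and derive a dylib hash
for clustering samples (added example; hash scheme is an assumption)."""
import hashlib
import struct

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
DYLIB_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}
HEADER_LEN = 32                   # struct mach_header_64: 8 x uint32
DYLIB_CMD_LEN = 24                # struct dylib_command before the name string


def parse_dylibs(blob):
    """Return the dylib names in load-command order.

    Raises ValueError on anything that is not a well-formed 64-bit Mach-O,
    including a load-command table that overruns the file (truncated sample).
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("file too small for a mach_header_64")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from(
        "<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit not handled)")
    # Never trust sizeofcmds on its own: clamp to what is actually present.
    end = min(HEADER_LEN + sizeofcmds, len(blob))
    names = []
    off = HEADER_LEN
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table overruns the file")
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize at offset %d" % off)
        if cmd in DYLIB_COMMANDS:
            name_off = struct.unpack_from("<I", blob, off + 8)[0]
            if name_off < DYLIB_CMD_LEN or name_off >= cmdsize:
                raise ValueError("dylib name offset outside its command")
            raw = blob[off + name_off: off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names


def dylib_hash(names):
    """Assumed scheme: MD5 over the lowercased names, comma-joined, in load order."""
    return hashlib.md5(",".join(n.lower() for n in names).encode()).hexdigest()


def dylib_similarity(names_a, names_b):
    """Jaccard similarity of the two dylib sets: a softer signal than an exact hash match."""
    a, b = set(n.lower() for n in names_a), set(n.lower() for n in names_b)
    return len(a & b) / len(a | b) if a | b else 0.0


def build_macho(names):
    """Fabricate a minimal arm64 MH_EXECUTE Mach-O containing only LC_LOAD_DYLIB
    commands (constructed test input, not a real binary)."""
    cmds = b""
    for n in names:
        s = n.encode() + b"\0"
        pad = (-(DYLIB_CMD_LEN + len(s))) % 8       # cmdsize must be 8-byte aligned
        cmdsize = DYLIB_CMD_LEN + len(s) + pad
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, cmdsize, DYLIB_CMD_LEN,
                            0, 0x10000, 0x10000) + s + b"\0" * pad
    cputype_arm64 = 0x0100000C
    header = struct.pack("<8I", MH_MAGIC_64, cputype_arm64, 0, 2,
                         len(names), len(cmds), 0, 0)
    return header + cmds


# Constructed sample "binaries" sharing two of three linked libraries.
SAMPLE_A = ["/usr/lib/libSystem.B.dylib",
            "/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation",
            "/System/Library/Frameworks/Security.framework/Versions/A/Security"]
SAMPLE_B = ["/usr/lib/libSystem.B.dylib",
            "/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation",
            "/usr/lib/libcurl.4.dylib"]

if __name__ == "__main__":
    a = parse_dylibs(build_macho(SAMPLE_A))
    b = parse_dylibs(build_macho(SAMPLE_B))
    print("A:", dylib_hash(a))
    print("B:", dylib_hash(b))
    print("similarity:", round(dylib_similarity(a, b), 3))
```

The bounds checks matter more than the hash: a sample that lies in `ncmds` or `sizeofcmds` should produce a clear error rather than a crash or a silently empty (and therefore wrongly matching) hash.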

"iPhone Backup Forensics" (Kinga Kieczkowska)

Bunch of useful stuff here, but also a spy tip: you can guess a person's location by profiling their apps. Apps like parking payment can be very localized.

https://objectivebythesea.org/v7/talks.html#Speaker_11

#obts #obtsv7


"Apple's not so Rapid Security Response" (Mykola Grymalyuk)

I have to admit, I didn't know much about RSRs. The July 2023 patch that broke everything was related to . . . how RSRs changed version numbers. RSRs added a letter to the OS version. Which was unexpected in user agents.

https://objectivebythesea.org/v7/talks.html#Speaker_10

#obts #obtsv7


"Triangulating TrueType Fonts On macOS: Reconstructing CVE-2023-41990" (Aleksandar Nikolic)

Fonts are so much more complicated than I thought. To handle low-resolution displays, fonts could specify how they should be displayed when they were scaled up and down. This complicated code allowed for an out-of-bounds memory write.

https://objectivebythesea.org/v7/talks.html#Speaker_15

#obts #obtsv7


"Unraveling Time: Understanding Time Formats in iOS Sysdiagnose for Security Forensics" (Lina Wilske)

Things I learned:
Sysdiagnose logs use multiple timestamp formats. Like way too many formats.
You can enable baseband logging for more granular timezone changes, but you have to re-enable every 21 days.

https://objectivebythesea.org/v7/talks.html#Speaker_12

#obts #obtsv7

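The post above notes that sysdiagnose logs mix several timestamp formats, which is exactly what makes building a single timeline painful. The following is an added example for this page, not code from the talk or from the speaker. It assumes three representative encodings a forensic analyst meets in Apple artefacts: ISO-8601 style text with a UTC offset (as in unified log output), Apple "Cocoa" seconds since 2001-01-01 UTC (as in many plists and databases), and Unix milliseconds. The source names in `PARSERS` and the `SAMPLE_EVENTS` records are constructed for illustration; the point is that a bare number cannot be classified on its own, so the parser is chosen by the artefact it came from rather than guessed from the value.

```python
"""Normalise mixed timestamp encodings to UTC and merge events into one timeline
(added example; the source-to-format mapping is an assumption)."""
import re
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # NSDate/CFAbsoluteTime zero

# Accepts "2024-12-05 10:15:42.123456+0100", "2024-12-05T09:15:42Z", with or
# without fraction and with offsets in +HHMM or +HH:MM form.
ISO_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})[T ](?P<time>\d{2}:\d{2}:\d{2})"
    r"(?P<frac>\.\d{1,9})?\s*(?P<tz>Z|[+-]\d{2}:?\d{2})?$")


def from_iso(text, default_offset=timedelta(0)):
    """ISO-8601-like text -> aware UTC datetime.

    A timestamp with no zone designator is interpreted with default_offset
    (UTC unless the caller knows the device's local offset at that time).
    """
    m = ISO_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised timestamp: %r" % text)
    base = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
    frac = m["frac"]
    micro = int((frac[1:] + "000000")[:6]) if frac else 0   # truncate to microseconds
    tz = m["tz"]
    if tz is None:
        offset = default_offset
    elif tz == "Z":
        offset = timedelta(0)
    else:
        digits = tz[1:].replace(":", "")
        offset = timedelta(hours=int(digits[:2]), minutes=int(digits[2:]))
        if tz[0] == "-":
            offset = -offset
    # Local wall time minus its offset is UTC.
    return (base.replace(microsecond=micro) - offset).replace(tzinfo=timezone.utc)


def from_unix(value, scale=1):
    """Seconds since 1970 (scale=1), or milliseconds (scale=1000), -> UTC."""
    return UNIX_EPOCH + timedelta(seconds=value / scale)


def from_cocoa(value):
    """Seconds since 2001-01-01 UTC (Apple absolute time) -> UTC."""
    return COCOA_EPOCH + timedelta(seconds=value)


# Which decoder applies is a property of the artefact, never of the number:
# a Cocoa value for 2024 looks like a plausible Unix value for 1993.
PARSERS = {
    "unified_log": from_iso,
    "cocoa_seconds": from_cocoa,
    "unix_millis": lambda v: from_unix(v, scale=1000),
}


def build_timeline(events):
    """events: iterable of {"source", "raw", "msg"} -> list of (utc, source, msg), sorted."""
    out = []
    for ev in events:
        try:
            parse = PARSERS[ev["source"]]
        except KeyError:
            raise ValueError("no timestamp decoder registered for %r" % ev["source"])
        out.append((parse(ev["raw"]), ev["source"], ev["msg"]))
    out.sort(key=lambda t: t[0])
    return out


# Constructed sample events (not real sysdiagnose output); all three encode
# times within a few seconds of 2024-12-05 09:15:42 UTC.
SAMPLE_EVENTS = [
    {"source": "unified_log", "raw": "2024-12-05 10:15:45.000000+0100", "msg": "third"},
    {"source": "cocoa_seconds", "raw": 755082942.0, "msg": "first"},
    {"source": "unix_millis", "raw": 1733390143500, "msg": "second"},
]

if __name__ == "__main__":
    for when, source, msg in build_timeline(SAMPLE_EVENTS):
        print(when.isoformat(), source, msg)
```

When the device's timezone changed during the period of interest (the baseband logging the post mentions is one way to recover those changes), feed the matching offset into `from_iso` for zone-less records instead of assuming UTC, otherwise those entries will land on the timeline hours away from where they belong.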