Yogesh Khatri's forensic blog
All things forensic and security related
Friday, November 4, 2022
Reading OneDrive Logs Part 2
In the last OneDrive blog post, I outlined how the ODL file format is structured. A working version of an ODL parser was also created to re...
Sunday, February 13, 2022
Reading OneDrive Logs
Due to the popularity of OneDrive, it has become an important source of evidence in forensics. Last week, Brian Maloney posted about his res...
Saturday, January 9, 2021
Gboard has some interesting data..
Gboard - the Google Keyboard, is the default keyboard on Pixel devices, and overall has been installed over a billion times according to the...
Sunday, January 3, 2021
iOS Application Groups & Shared data
Background: Tracking down an iOS application's Data folder, aka, SandboxPath in iOS is fairly easy. One simply needs to look at the appli...
Monday, December 28, 2020
Introducing ios_apt - iOS Artifact Parsing Tool
ios_apt is the new shiny companion to mac_apt. ios_apt is not a separate project, it's just a part of the mac_apt framework, and serves ...
Sunday, July 19, 2020
KTX to PNG in Python for iOS snapshots
App snapshots on iOS are stored as KTX files, this is fairly well known at this point, thanks to the research by Geraldine Blay (@i_am_t...
Tuesday, June 9, 2020
Screentime Notifications in Catalina (10.15)
If you routinely perform mac forensics, you've probably done a few macOS Catalina (10.15) examinations already. And if you are the kind...