Apple Pattern of Life Lazy Output'er (APOLLO)
- Originally presented as the first ever Objective by the Sea - Mac Security Conference in 2018
- Presentation Slides: From Apple Seeds to Apple Pie
- Presentation Slides: Launching APOLLO: Creating a Simple Tool for Advanced Forensic Analysis
BETA - FOR TESTING PURPOSES ONLY
- This is your warning. I've tested a few modules but there is much more testing to be done.
- Find a bug or a better query, let me know!
- Extra warning on PowerLog modules, timestamps may be in the past and/or future - testing these.
- Many more modules to come!
- Python 3 (omg, finally!)
Dependencies
- SimpleKML - Copy the
simplekmldirectory to the directory where apollo.py is being run from.
Usage
python apollo.py -o {csv, sql} -p {ios, mac, yolo} -v {8,9,10,11,12,yolo} -k <modules directory> <data directory>
Output Options (-o)
csv- CSVsql- SQLite Database
KMZ Output(-k)
- Outputs location coordinates to separate files based on module.
Platform Options (-p)
iosmac[Offical support coming soon!]yolo- Just parse whatever. Use for ARTEMIS parsing.
Version Options (-v)
- iOS
8,9,10,11,12 yolo- Just parse whatever. Use for ARTEMIS parsing.
Getting Errors? Try This (Windows users, use eqivlent commands)
- Check database permissions - Use
chmodto give some databases with "all blank" permissions some sort of permission. (Happens with many types of physical-logical extractions.) - Check database ownership - Use
chownto take ownership of the files.
Thank You!
- Thanks to Sam Alptekin of @sjc_CyberCrimes, script is much, much faster than original.
- Thanks to @AlexisBrignoni for Python 3 support and ARTEMIS!
References
- Knowledge is Power! Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage
- Knowledge is Power II – A Day in the Life of My iPhone using knowledgeC.db
- On the First Day of APOLLO, My True Love Gave to Me - A Python Script – An Introduction to the Apple Pattern of Life Lazy Output’er (APOLLO) Blog Series
- On the Second Day of APOLLO, My True Love Gave to Me - Holiday Treats and a Trip to the Gym - A Look at iOS Health Data
- On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice
- On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving
- On the Fifth Day of APOLLO, My True Love Gave to Me – A Stocking Full of Random Junk, Some of Which Might be Useful!
- On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis
- On the Seventh Day of APOLLO, My True Love Gave to Me – A Good Conversation – Analysis of Communications and Data Usage
- On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections
- On the Ninth Day of APOLLO, My True Love Gave to Me – A Beautiful Portrait – Analysis of the iOS Interface
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis
- On the Eleventh Day of APOLLO, My True Love Gave to Me – An Intriguing Story – Putting it All Together: A Day in the Life of My iPhone using APOLLO
- On the Twelfth Day of APOLLO, My True Love Gave to Me – A To Do List – Twelve Planned Improvements to APOLLO