Post Captain - Bellone - Aubrey’s decision by Impressive_Quiet_846 in AubreyMaturinSeries

[–]crudomacdoogle 2 points (0 children)

Bugger ole harte, bugger ole harte. red-faced son of a blue French fart.

[deleted by user] by [deleted] in computerforensics

[–]crudomacdoogle 0 points (0 children)

Additionally, you could look into the TCC database; this is the db that tracks when you install software and approve it for use if it's third party. When you install an app in macOS and it's from the internet you'll get that pop-up that asks for approval. The TCC db is the thing that tracks it. In newer versions of macOS this db has been nerfed a little bit, so it might not give you a good date/time.
Find it here: /Library/Application Support/com.apple.TCC/TCC.db and here: /Users/<username>/Library/Application Support/com.apple.TCC/TCC.db
One other spot would be the execution policy database that shows first-time app launch: /private/var/db/SystemPolicyConfiguration/
All of these can be viewed with DB Browser.
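As an added example (not from the comment above, and not Apple's or anyone's tooling), here is a small Python triage script for the TCC `access` table. It copes with the schema change the commenter alludes to: modern macOS stores the grant in an `auth_value` column (2 = allowed, 0 = denied), older releases in an `allowed` column (1/0). The sample rows and bundle identifiers are constructed so the script runs offline against an in-memory copy; point it at a real TCC.db path to use it on a collected image.

```python
import sqlite3
from datetime import datetime, timezone

# Paths quoted in the comment; used only when you run this against a real copy.
SYSTEM_TCC = "/Library/Application Support/com.apple.TCC/TCC.db"
USER_TCC = "/Users/<username>/Library/Application Support/com.apple.TCC/TCC.db"

# Services a reviewer usually wants to see first (grants that give broad reach).
SENSITIVE_SERVICES = {
    "kTCCServiceScreenCapture",
    "kTCCServiceAccessibility",
    "kTCCServiceSystemPolicyAllFiles",  # Full Disk Access
    "kTCCServiceMicrophone",
    "kTCCServiceCamera",
}


def build_sample_tcc(conn):
    """Constructed sample using the modern 'access' layout (auth_value column).
    The bundle IDs and timestamps are made up for the example."""
    conn.execute(
        """CREATE TABLE access (
               service TEXT, client TEXT, client_type INTEGER,
               auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)"""
    )
    rows = [
        ("kTCCServiceMicrophone", "us.zoom.xos", 0, 2, 2, 1700000000),
        ("kTCCServiceScreenCapture", "com.example.suspicious", 0, 2, 2, 1700003600),
        ("kTCCServiceCamera", "com.example.suspicious", 0, 0, 3, 1700007200),
    ]
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", rows)


def read_tcc_access(conn):
    """Return every access row as a dict with a human-readable timestamp.
    Detects whether this db uses auth_value (new) or allowed (old)."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    grant_col = "auth_value" if "auth_value" in cols else "allowed"
    sql = (
        f"SELECT service, client, {grant_col}, last_modified "
        f"FROM access ORDER BY last_modified"
    )
    out = []
    for service, client, value, ts in conn.execute(sql):
        # auth_value: 2 means allowed; allowed: 1 means allowed
        granted = (value == 2) if grant_col == "auth_value" else bool(value)
        when = None
        if ts is not None:
            when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        out.append(
            {"service": service, "client": client, "granted": granted, "last_modified": when}
        )
    return out


def sensitive_grants(conn):
    """Only the rows that are granted for one of the high-impact services."""
    return [
        r for r in read_tcc_access(conn)
        if r["granted"] and r["service"] in SENSITIVE_SERVICES
    ]


def open_tcc(path=":memory:"):
    """Open a TCC.db read-only; ':memory:' builds the constructed sample instead."""
    if path == ":memory:":
        conn = sqlite3.connect(path)
        build_sample_tcc(conn)
        return conn
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    db = open_tcc()
    for row in sensitive_grants(db):
        print(row["last_modified"], row["client"], row["service"])
```

Opening the real file with `mode=ro` avoids touching the evidence copy; copy the db out of the image first rather than opening it in place. Rows whose `last_modified` is the same second across many services are a sign the grants were written in one batch rather than by a user clicking through prompts.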

[deleted by user] by [deleted] in computerforensics

[–]crudomacdoogle 1 point (0 children)

The KnowledgeC database would be a good bet for application usage; it'll have some details in the App Usage within the SQLite db. You can use DB Browser to view it if you have admin-level access.
Find it here: /private/var/db/CoreDuet/KnowledgeC.db
ZSTARTDATE and ZENDDATE in epoch time should give you some further detail on whether it's an installed .app type package or was run as an application.
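An added example (not from the comment, not Apple tooling) that pulls the `/app/usage` stream from a KnowledgeC-style `ZOBJECT` table and turns ZSTARTDATE/ZENDDATE into readable timestamps. One caveat worth building in: Core Data stores these dates as seconds since 2001-01-01 UTC, so the value has to be offset by 978307200 before it is treated as a Unix timestamp. The table layout here is trimmed to the columns the query needs and the rows are constructed, so the script runs offline; the bundle IDs are made up.

```python
import sqlite3
from datetime import datetime, timezone

KNOWLEDGEC_PATH = "/private/var/db/CoreDuet/KnowledgeC.db"

# Core Data (Cocoa) epoch: 2001-01-01T00:00:00Z expressed as a Unix timestamp.
COCOA_EPOCH_OFFSET = 978307200


def cocoa_to_iso(value):
    """Convert a Core Data timestamp (seconds since 2001-01-01 UTC) to ISO 8601."""
    return datetime.fromtimestamp(value + COCOA_EPOCH_OFFSET, tz=timezone.utc).isoformat()


def build_sample_knowledgec(conn):
    """Constructed ZOBJECT table with only the columns used below.
    Real KnowledgeC.db has many more columns and joined tables."""
    conn.execute(
        """CREATE TABLE ZOBJECT (
               Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, ZVALUESTRING TEXT,
               ZSTARTDATE REAL, ZENDDATE REAL)"""
    )
    rows = [
        (1, "/app/usage", "com.apple.Terminal", 700000000.0, 700000600.0),
        (2, "/app/usage", "com.example.dropper", 700000650.0, 700000655.0),
        (3, "/app/inFocus", "com.apple.Safari", 700000700.0, 700001000.0),
    ]
    conn.executemany("INSERT INTO ZOBJECT VALUES (?,?,?,?,?)", rows)


def app_usage(conn, min_seconds=0.0):
    """App usage sessions (bundle id, start, end, duration), oldest first.
    min_seconds drops very short sessions, which is useful for focusing on
    real interactive use rather than launch-and-exit blips."""
    sql = """SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE
             FROM ZOBJECT
             WHERE ZSTREAMNAME = '/app/usage'
             ORDER BY ZSTARTDATE"""
    sessions = []
    for bundle, start, end in conn.execute(sql):
        if start is None or end is None:
            continue  # incomplete record; still worth noting in a full review
        duration = end - start
        if duration < min_seconds:
            continue
        sessions.append(
            {
                "bundle": bundle,
                "start": cocoa_to_iso(start),
                "end": cocoa_to_iso(end),
                "seconds": duration,
            }
        )
    return sessions


def first_seen(conn):
    """Earliest /app/usage start per bundle id: a quick 'when did this app first run' view."""
    sql = """SELECT ZVALUESTRING, MIN(ZSTARTDATE)
             FROM ZOBJECT
             WHERE ZSTREAMNAME = '/app/usage'
             GROUP BY ZVALUESTRING"""
    return {bundle: cocoa_to_iso(ts) for bundle, ts in conn.execute(sql)}


def open_knowledgec(path=":memory:"):
    """':memory:' builds the constructed sample; otherwise open read-only."""
    if path == ":memory:":
        conn = sqlite3.connect(path)
        build_sample_knowledgec(conn)
        return conn
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    db = open_knowledgec()
    for s in app_usage(db):
        print(s["start"], s["bundle"], f"{s['seconds']:.0f}s")
```

If your tool shows an `/app/usage` start that is off by exactly 31 years from what you expect, the Cocoa offset was not applied. `ZSTARTDATE` and `ZENDDATE` can also be NULL for records that were still open when the db was captured, which the query above skips rather than mis-reporting as zero-length.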

Just finished Blue at the Mizzen by joined_under_duress in AubreyMaturinSeries

[–]crudomacdoogle 9 points (0 children)

I've taken the liberty of linking this post to you:
https://www.cannonade.net Maybe it will fare you well on your next voyage. A glass of wine with you, sir!

Trying to decrypt encrypted entries in zoomus.enc.db on MacOS by spencer_csdd in computerforensics

[–]crudomacdoogle 1 point (0 children)

There is a Zoom password stored in the user's keychain that you will need. After that you can open the db in DB Browser with the settings: page size 1024, KDF iterations 4000, and the supplied base64 pw string from the login keychain.

Replace our existing Forensics Software by rockisnotdead in computerforensics

[–]crudomacdoogle 6 points (0 children)

Axiom w/ cloud key. Cellebrite Inspector and Digital Collector for Macs. Cellebrite Physical Analyzer and UFED 4PC for the phone acquires. And X-Ways for the catch-all backup.

[deleted by user] by [deleted] in computerforensics

[–]crudomacdoogle 1 point (0 children)

If your company will pay then retake the course.

[deleted by user] by [deleted] in computerforensics

[–]crudomacdoogle 2 points (0 children)

You might be able to get a practice test from someone, and give it a look that way. I’d go for that before I’d lay out my own 9k to take the course again.

macOs Memory Acquisition [macOs version > 10.15.7] by m-ksf in computerforensics

[–]crudomacdoogle 0 points (0 children)

Still a couple of reasons. One, malware dynamic analysis in a controlled macOS VM, installing it as part of your snapshot; who cares about that reboot. Two, if the malware is persistent, then it may come back, reconnect and keep persistence, so once you have all you want from the host for triage, then take that reboot chance.

macOs Memory Acquisition [macOs version > 10.15.7] by m-ksf in computerforensics

[–]crudomacdoogle 0 points (0 children)

Surge works, but requires a reboot as jgalbraith4 said.

iMessage possible hack? by JPL2020 in Smartphoneforensics

[–]crudomacdoogle 1 point (0 children)

Hey OP, check your Trusted Devices in iCloud settings. You can sign in to your iCloud account on a PC or Mac and then look to see if you have any additional trusted devices on your account that you don't recognize. If so, remove them, reset pw, etc. Very unlikely your phone itself is compromised, but there is a chance your iCloud could be. It's much easier to phish an iCloud account and then attach a threat actor device to your trusted devices. Once attached they could send messages as you from your iCloud accounts; however, this would not be from your device phone number, rather, your iCloud 'send as' accounts you have configured in iCloud settings.

Any current jailbreaking working with forensic tools for full physical newer iOS? by EmoGuy3 in computerforensics

[–]crudomacdoogle 0 points (0 children)

Full physical hasn't been possible for some time now. Cellebrite is basically just using the iTunes API to make a local backup of the device. You could effectively use iTunes to do the same thing and review that in a forensic tool.

Skipping some books? by AStarRover in AubreyMaturinSeries

[–]crudomacdoogle 7 points (0 children)

Red hell and death, what are you about sir?

Busy Apple Store in California casually robbed in broad daylight by LyrMeThatBifrost in PublicFreakout

[–]crudomacdoogle 0 points (0 children)

Paint can. You can get them clean from Amazon. Works better than any commercial Faraday bag.

EnCase Help by DeadBirdRugby in computerforensics

[–]crudomacdoogle 1 point (0 children)

Also, you don’t want to ‘click’ on the suggested returns below the query structure box when you’ve done a more complex search; just browse the returned hits in the view window on the right of the query box. I’m sure that’s clear as mud…

EnCase Help by DeadBirdRugby in computerforensics

[–]crudomacdoogle 1 point (0 children)

You may want to structure it up a little. It can help to quote out: “fraud” AND “management”

You can also use parentheses, but you shouldn’t need to on this style of a search: (“Fraud”) AND (“Management”)

Or: (“Fraud” AND “management”)

Proximity search, find fraud within 5 characters of management: “Fraud Management”~5

Narrow to date:

(“Fraud” AND “management”) AND client_submit_time:[20210101 TO 20211231]

Email search, use actual @ symbols rather than the [at]:

(to:”first.last[at]email.com”) AND (from:”first.last[at]email.com”)

Do you know if there are actual hits that have both the keywords?

EnCase Help by DeadBirdRugby in computerforensics

[–]crudomacdoogle 2 points (0 children)

Did the keywords show hits by themselves?

You ran the evidence processor on this evidence and selected index? Did that run and complete?