- Originally presented as the first ever Objective by the Sea - Mac Security Conference in 2018
- Presentation Slides: From Apple Seeds to Apple Pie
- Presentation Slides: Launching APOLLO: Creating a Simple Tool for Advanced Forensic Analysis
- This is your warning. I've tested a few modules but there is much more testing to be done.
- Find a bug or a better query, let me know!
- Extra warning on PowerLog modules, timestamps may be in the past and/or future - testing these.
- Many more modules to come!
- Python 3 (omg, finally!)
- SimpleKML - Copy the
simplekmldirectory to the directory where apollo.py is being run from. Download here - Depending on your python3 installation you may get a
No module named 'sixerror, you will need to installsix
python apollo.py -o {csv, sql} -p {ios, mac, yolo} -v {8,9,10,11,12,yolo} -k <modules directory> <data directory>
csv- CSVsql- SQLite Database
- Outputs location coordinates to separate files based on module.
- iOS Location Mapping with APOLLO - I Know Where You Were Today, Yesterday, Last Month, and Years Ago!
- iOS Location Mapping with APOLLO – Part 2: Cellular and Wi-Fi Data (locationd)
iosmac[Offical support coming soon!]yolo- Just parse whatever. Use for ARTEMIS parsing.
- iOS
8,9,10,11,12 yolo- Just parse whatever. Use for ARTEMIS parsing.
You may see that APOLLO reports back "0 databases" found when executed, most likely from CurrentPowerlog.PLSQL and locationd modules. Two common directories with databases that cause problems due to permissions (depends on how files were extracted from device):
/private/var/root/Library/Caches/locationd//private/var/containers/Shared/SystemGroup/[GUID]/Library/BatteryLife
chmod -R 755 /private/var/containers/Shared/SystemGroup/[GUID_for BatteryLife Data]/chmod -R 755 /private/var/root
- Check database permissions - Use
chmodto give some databases with "all blank" permissions some sort of permission. (Happens with many types of physical-logical extractions.) - Check database ownership - Use
chownto take ownership of the files.
- Thanks to Sam Alptekin of @sjc_CyberCrimes, script is much, much faster than original.
- Thanks to @AlexisBrignoni for Python 3 support and ARTEMIS!
- Knowledge is Power! Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage
- Knowledge is Power II – A Day in the Life of My iPhone using knowledgeC.db
- On the First Day of APOLLO, My True Love Gave to Me - A Python Script – An Introduction to the Apple Pattern of Life Lazy Output’er (APOLLO) Blog Series
- On the Second Day of APOLLO, My True Love Gave to Me - Holiday Treats and a Trip to the Gym - A Look at iOS Health Data
- On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice
- On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving
- On the Fifth Day of APOLLO, My True Love Gave to Me – A Stocking Full of Random Junk, Some of Which Might be Useful!
- On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis
- On the Seventh Day of APOLLO, My True Love Gave to Me – A Good Conversation – Analysis of Communications and Data Usage
- On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections
- On the Ninth Day of APOLLO, My True Love Gave to Me – A Beautiful Portrait – Analysis of the iOS Interface
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis
- On the Eleventh Day of APOLLO, My True Love Gave to Me – An Intriguing Story – Putting it All Together: A Day in the Life of My iPhone using APOLLO
- On the Twelfth Day of APOLLO, My True Love Gave to Me – A To Do List – Twelve Planned Improvements to APOLLO