All right, so I'm Kevin Estes. This is Randy Robbins, and this is Hacking the Apple TV and Where Your Forensic Data Lives. Now, just to set expectations so that everyone here has the same understanding: we developed this slideshow based on today being newbie talks. So it's kind of high level, and it focuses on the functionality of the Apple TV, how easy it is to actually hack it to do what you want it to do, and at the end of the talk we're going to talk a little bit, at a high level, about where your data actually gets planted and spread across the Apple TV. The intent here is to offer those that are looking into digital forensics or doing digital forensics investigations a better understanding of the capabilities of the Apple TV and where to start looking for data.

That all being said, let's see if this works. All right, first and foremost, the DMCA disclaimer: if you see anything during this talk, either in the deck or that I say or do, that you think violates the DMCA, and you are the valid copyright holder, please come to me and tell me. Okay, and you have to do it according to all of the caveats there. I don't know what the hell they are, but they're there.

All right, so what is the Apple TV? This is an overview, so we're going to go over what the Apple TV is, what makes it so different, and how it gets modified. We'll do a real quick discussion on the old way to do it as of about two years ago and what has been going on on the scene for the last year or so, maybe a little bit more than a year, and then we're going to walk through two different patchsticks used to modify the Apple TV. From there we're going to go into the forensics data portion. As you can tell, we spend a little bit more time on the forensics portion, at least in the slideshow. I do have EnCase images in case we run out of time and everyone wants to say, hey, bring that up in EnCase.
Okay, great, we can all do that, or we can all go find a beer. I'll leave that to you.

All right, so this is a really good image on a couple of different levels. One, it's very pretty, and two, it shows how hot the Apple TV tends to get. We'll talk more about some of the basic hardware functionality of an Apple TV in a minute, but do notice that compared to the laptop that's sitting right next to it and the human hand, the Apple TV is real easy to spot with thermal imaging. Okay, and I like this just because I like it. Yeah, I mean, as soon as I saw that, I was like, I am getting an Apple TV.

All right, so what is the Apple TV? First and foremost, it is a digital media player. It is based on OS X, and it works with iTunes and iPhoto. It has built-in 802.11a, g, and n, and it uses QuickTime media components to play different digital media. And because the Apple TV operating system is based on OS X, it can be modified very, very easily.

All right, so the basics of the Apple TV OS: it is built on Darwin, which is BSD, I'll say Unix, which is of course the back end of Mac OS X. It uses the Front Row application as its graphical user interface. We'll look at that in a couple of minutes. It does not have any DVR capabilities. This is a playing device only. And in general, it syncs with iTunes and iPhoto. So just a quick note on that: if it syncs with iTunes and iPhoto, then you're not just looking for an Apple TV if you're looking for something in someone's house, right?

All right, so it's built on Darwin, which is a full kernel system for stability purposes, and it does use kernel extensions just like Mac OS X. So basically, if there's a problem in Mac OS X, there's going to be a problem in the Apple TV OS. Same thing for features and functionality and all that good stuff. If you want to know more about the internals of OS X, you can get with me afterwards and I'll give you the name of a guy named Dino.
I never can remember Dino's last name. And Dino's done a whole lot of work on that.

All right, so the Front Row interface. The one with the big red X, that's the default menu for Apple TV OS 1.1. And the bad thing about it is that you can't really get these screenshots very easily without the Apple TV already being modified. So you will not see the version for Apple TV OS 2.4, which is up on the screen there; of course, that one's been modified. You'll see that in a minute. OS 2.0.1, same thing. So basically the biggest thing about OS 2.0.1 is that they introduced the genres category in the movies section, which, hey, that's nice.

Okay, one of the other capabilities of the Apple TV is that it integrates very, very well with the iPhone as a remote control medium. So what you can see on here is two different components. One is the iPhone Remote application from Apple. It's four bucks or something like that, five bucks, from the App Store in iTunes. The second one is the Remote application. The nice thing about Remote is that once you install the helper application on the Apple TV OS, you can actually use your iPhone as a keyboard and a mouse as well. So there's a lot of great functionality there, and we'll get to some of the places and things you can do with that in a minute.

The basics for the iTunes Store: you can go out and download movies, high definition or standard definition. The nice thing, I think, from a usability perspective for people is that it does allow you to actually look at other movies and who starred in them and all that good stuff. It does sync with iTunes and iPhoto. As the note says there, if you have a HIDS or firewalls and other security devices, it's going to cause problems. As a matter of fact, this is a Randy screenshot, but I know on mine, I always have to go in and disable my firewall instead of just adding the rules, because I'm too damn lazy.

All right, so how does it get modified? There are two different ways to modify the Apple TVs:
the old way and the new way. The old way requires you to remove the drive, which meant you voided the warranty. You had to copy over scripts and binaries manually, just plugging the drive into something. You'll see that in a second. Generally, it's more reliable; things tend to work a little bit better. Patchsticks are good solutions, but sometimes they don't work very well. If you've ever jailbroken your iPhone and you've done it more than once, you'll understand that, yeah, sometimes it works, sometimes it doesn't work so well.

So the new way is kind of a take on the point-and-click hack type of thing from some of the automated penetration test tools. Point, click, modified. It's extremely simple. Sometimes stuff doesn't work or install very well, but really, with the reliability, you reboot, keep the USB patchstick in there, and try it one more time. It generally works very well.

On the old way, I'm not going to spend a whole lot of time on these types of slides, just to give you a real brief overview. On the old way, yeah, you had to actually take it out and connect it. Generally, you'd want to image the drive in case you hosed it. In this case, I used dcfldd just so that I could hash it and make sure that I didn't have any bit-for-bit errors or something. Then you had to actually copy over some of the binaries for SSH, which was time consuming and a pain in the ass. Enabling VNC, same thing. It was not very easy. As you can see there, you had to basically download Bind VNC, install it on your machine, let it run on your machine, and copy over the plist.

Okay, enabling the kernel extensions. All right, kernel extensions, for those of you who don't know, are those components that interface with the kernel and allow you to load basically drivers, right? So if you want to use a mouse, you need a kernel extension. If you want to use a USB drive, you need a kernel extension.
On Apple TV OS 1.0, Apple said, well, let's just use OS X for the Apple TV, and they threw everything on there. They made some symlinks, and they made a couple of different directories and partitions, but that was basically it. So you had everything you needed. As of OS 1.1, they looked around and were like, oh, shit, people are actually using all of this stuff. So they started removing it. So, as the game goes, someone out there, a couple of people out there, actually looked at it and said, you know what? No, we're going to make a way to add this back. So: patching the kernel manually, bringing over the kernel extensions, loading them up. The process, I think, probably took about an hour to actually walk through. Once everything is loaded, of course, you enable it and run diskutil list, so you can actually see, hey, great, it did find my USB drive. And then, of course, you can make a symlink so that it uses only what's on your USB drive. So all of a sudden, you're no longer storing digital media on the Apple TV drive. So you think, well, I'm going to put this on another drive, and I'm going to put thermite on it, and that way, if they kick down my door, everything's going to be gone. I won't have to worry about it. All my files are on this thermite-packed USB drive. We'll get to how that's wrong in a minute.

Then you actually had to install AwkwardTV, which gave you the capability to install all of the other great programs. And we're going to get to some of those in a second. One of those is Perian. So if you use a Mac to play media other than what you can download somewhere out in the middle of TV land, you're going to need Perian, because you want to play other types of media; Perian will actually let you play things other than MP4s and H.264-encoded media. So you install Perian, and then all of a sudden you can rip your movies, download them, copy them, play them on the Apple TV, and you're done.
So your Apple TV has probably three times the functionality. And if you haven't seen that movie, that's a really good movie, The Hangover. I felt like that this morning. I didn't have a chicken, but I kind of felt like what's-his-name.

All right, so the new way. Patchstick summary. All patchsticks basically do the same thing. They start out the same way. It does require a USB drive. You do need boot.efi from an existing Apple TV or an Apple TV OS disk image, right? So boot.efi is, in the Windows world, basically the... what? NT loader? Okay, I was going somewhere else. So from a Windows world, it's basically like NT loader. The only way you're going to be able to actually boot up the Apple TV is if you have this boot.efi. So all patchsticks have that. They're all based on some version of bootable Linux, every one of them. And I have not found one yet that does not enable SSH and add your Front Row or Finder appliances, right? Wait, what did I put on there? Oh, okay, it adds a Finder appliance. Yeah. They are all made for use by people with a basic understanding of computers. It doesn't require a whole lot of knowledge. You're probably not going to have your grandmother do this, but if your mom's been using computers for ten years, she'll be able to do this.

All right, so we're going to talk about one of the commercial ones right now. Generally, I have not been very big on the commercial patchsticks, because there are some really good free ones out there that do a whole lot and enable all of the important things. The one thing I did find that's nice about aTV Flash is that it actually installs a little bit more functionality, including the ability to run Firefox without a lot of manual hacks. The code is fairly clean. It's commented. I do not know how they are as far as their yearly updates. I haven't done that for three years.
But it does work fairly well, and it'll integrate with the nitoTV smart installer, which is important. You'll see that in a second. Just the basic process on it: you select the USB drive, and it calls home. As far as I can tell, it only does so in order to check and see if there's an internet connection. It does require an internet connection so that it can download one of the Apple TV OS firmware updates, because it's going to be pulling files from them. After it downloads the update, it's got a nice little checklist menu, which those of you on this side of the room may not be able to see very well. But you can install a lot of different apps, like ATVFiles, Air Control, XBMC, and Boxee, and you can disable the auto-update. That's an important feature that's in all the major applications. If you don't do that, what happens is Apple pushes out an update to the OS, and it overwrites everything, and then you have to go back and re-break it, which is just generally painful, because if you're like me, you spend a whole lot of time actually setting everything up the way you wanted it.

You tell me what to do. It doesn't delete the files necessarily, so you still have some of the files that are still on there, at least as far as... actually, no, I actually think it does delete most of the files, because it actually rewrites everything. Yeah. Your movies and stuff will go away. Yeah. That's one of the caveats to this: generally, with an Apple TV, you're syncing your movies with iTunes somewhere. For the ones that you've bought, the record of your purchases from iTunes will stay with your iTunes account. Roger, correct? So as soon as you reinstall, when you go into iTunes it'll ask you, hey, do you want to download all the movies you've paid for? Yep. And it re-downloads them. So you'll lose everything. It's been a while since that's happened to me.
So I kind of have to think back. I disabled auto-updates the first time I hacked mine, geez, three, three and a half years ago, and I haven't had it override any of my stuff since then. But we can do it here after we're done.

So, just to make sure, this is just a real quick glimpse at the file structure. Basically, the only thing I really wanted you to see here is that there is a hidden subdirectory called root, and that's actually what's copied over to your patchstick, your thumb drive: all of the directory structure of the applications, including the plist for Couch Surfer and everything else. At the bottom of the window, which you actually can't see on the slide here, it has everything you need in it. Okay, so this is basically a mirror image of what gets copied over onto your thumb drive. That's just a snippet of the code. It's very pretty.

Now we'll just go through a quick overview of ATV USB Creator. What we're going to do, just so you know, is we're going to do ATV USB Creator, and then we're going to demo it on this box over here. Do you want to go ahead and walk them through nito before we do that? Just do that. Let's go back through there. Okay, we're going to get a little bit out of order here.

All right, so we're going to talk about some of the popular applications, and one of them is nitoTV, and we're actually going to set up to run nito here in a second. So nitoTV is installed by just about all the patchsticks. It has just an enormous amount of functionality. It'll install all the kernel extensions that you need, and it allows you to view RSS feeds and a lot of third-party applications. It does mount your USB drives for you, and it gives you access to streaming media as well. As you can see, the RSS menu is not very functional, because it's all text based, and I haven't found or tried to put a different RSS reader in. It does have a large back-end functionality for settings. That's actually where the best thing is.
nitoTV has what's called a smart installer, and the smart installer will actually go and download everything it needs to install the new applications, including Perian and all the kernel extensions and all of the updates. The utilities menu is nice because it goes through and you have a lot of different utilities for rebooting the Apple TV or restarting Finder or whatever. And it gives you access to the console. And as you can see up on there, SSH and all that. Are you walking through it? Good.

All right, so do me a favor, go back onto Files at the top. All the way at the top, and then enter. Okay, so I just threw a couple of movies on a thumb drive and stuck it on there a little bit ago. And you'll notice it automatically pulls those up; it mounts the thumb drive, you see a little disk image of them, you see a little graphic of them, right? It'll go through and play. Now right now, I have it playing through something called MPlayer. nitoTV will install two different players. One is MPlayer, which is an open-source media player that runs on OS X, and the other one, of course, is QuickTime. So I have these set to play through MPlayer. No, I'm sorry. No, those are MP4s actually. Xvid will play. And if you set it up, there's a little checkbox in nitoTV and you can have it play in mixed mode, and it'll actually pick which player to use. Matroska? I'm not sure. MKV files. MPlayer, I think, does play MKV files. QuickTime, even with Perian, has problems with it, because I did that with some of the MKVs, and I actually had to force it into MPlayer. I had to take it off mixed mode. So I stopped using them. Sorry, my radio is going. Okay. Yeah, I don't think you need to go through that. Let's go back up real quick and run through ATV USB Creator. What we're going to do is we're actually going to run ATV USB Creator. If you notice right now on the menu, I go all the way up to the top.
So we'll walk through. We'll look at some of the apps later. This Launcher menu is installed by aTV Flash or ATV USB Creator. There's also going to be a Software menu in a couple of minutes. So we'll look at that in just a second. But let's just walk through some of the overview of USB Creator. I'll let Randy do that.

Hi, all done. So that was my part of this presentation. Playing with ATV USB Creator. It's basically an open-source patchstick. It takes your USB stick, reformats and repartitions it, and makes two partitions on it: a hidden partition that uses the boot Linux, and a visible one that it runs the scripts from. It's on Google Code. It's managed by one guy; I wasn't able to find out any more information about him than what was on the page. It adds all the stuff that Kevin's described, from the SSH utilities and ATVFiles to XBMC as well as Boxee, to your capability to install. Basically, not all thumb drives are created equal. Some of them don't function well with the way the creator reformats the drive, so you might have to play around with that a little bit. Make sure you're doing it on the right disk. Make sure you check your disk in Finder or another disk manager. Click the Create Using button down below and it will create it. You can select a different DMG if you want. So if you're rolling your own uber ATV recovery DMG, you're welcome to insert whatever functionality you want into it. In about two minutes, it'll make an ATV USB patchstick.

Here's a basic layout of the scripts. It's very similar to aTV Flash; however, it's a very simple layout, so if you wanted to add more stuff into it, it'd be very easy. You'll see later on, but I just kind of give you a layout of the drives right there. After it's created, the s1 partition is not visible when it's mounted. And similar to aTV Flash, it's got pretty good code. It's commented. You can go through it and follow through it.
Basically, it sets up links and then runs the install.sh scripts from the other subdirectories. So you could add your own additional install shell scripts and add whatever you wanted into the process. And once you're done, you have the modified Apple TV with your menu. And the Software menu that Kevin was talking about, you notice it's not on this one yet, but when we run the patchstick on it, it'll show up when we reboot it. So, ready to do a demo? Yeah, the only user that's on the system by default is frontrow.

All right, so let's let this boot up. You can see it's actually loading them. I can't see what it's doing from here, but it looks like it found the patchstick. So while that's going, your question is about the default user for SSH. appletv.local, yes, you can get to it at frontrow@appletv.local if you're on the local segment, right? So you're going to do that across routers and the internet. Yeah, if you're on a Windows machine, you'd use PuTTY or something like that, and you could still get to it over SSH at frontrow@appletv.local. Yes, sir. Yeah, it's going to... Yeah. Oh, okay. Yeah. Does it? Okay. Yeah. She says yeah, okay. Okay. My seven-year-old has a Windows machine, and that's it. Everything else in my house is a Mac. All right. Would you believe that? I live in Texas, and the schools there moved from Macs to Windows. So I don't know. I'm not sure why they did it.

Now you'll see that this Apple TV is booting up in verbose mode. That's just another option that you can do once you actually get SSH access to your Apple TV. So I have mine boot up in verbose mode, just like I have my laptop and my minis and everything else, just so I can see what's taking so long and what failed to load. So hopefully this will actually come up and we'll have a Software menu in a second.
Just so you know, making the patchstick with ATV USB Creator takes, I think, what, five minutes? Yeah, it takes nothing. Hopefully this will finish booting in a second. Mine has a 40 gig hard drive. They are selling them with 160 gig now, sir. The patchstick? They recommend about 256 or greater. Yeah, they recommend 256 or more. But I have a four gig SanDisk and aTV Flash just would not work. I threw it on a 256 and it worked fine. Yeah, they're not all created equal. Yes, sir. There's no way that it can do... I believe it'll do 1080. Yeah, it'll do 1080. I don't think it's p. I think it'll do 1080. I don't know. No, I don't know. Yep.

Okay, so on the Software menu, which is new, we can go in, go up to third-party plugins. And yeah, see if it'll go. It's thinking. Yeah, you have to... honestly, we've been pretty lucky with the whole demo thing today, so I'm not too unhappy. All right, go ahead and back out. See if it'll back out, and go to Manage Built-in and see. All right, so everything's shown. So you can actually go in and decide which of the plugins you want to show. Everything shown. Go back out, and one more time for the plugins. All right, so it may take a second. Let me go ahead and go down. See what we have after this. Okay, sir. Yes, it does. It did. Yeah, you know what, do check... actually, don't do Check for Updates; go back out to the main Movies menu and see if it'll pull up the iTunes top movies. Nope. It's got access to the internet.

All right, so the key point here is that with ATV USB Creator, it's that easy to hack the Apple TV. It takes just a matter of minutes and you've included all the functionality. You have a question? You know, I don't know. I'm sorry. The question is whether Apple TV might disable booting from the USB device? My answer is twofold. A, I don't know if that's actually possible, just because of the way USB works.
And B, I don't know that they would do it even if they could. So far, they've left the Apple TV community completely alone. You don't have cease and desist orders and stuff like that. The question of whether they would is a good one, primarily because you've seen this with the iPhone, where all of a sudden an application gets denied because it duplicates some type of iPhone functionality, right? So whether or not they would start doing that on the Apple TV, I don't know. But I'd like to see them start building in some of this functionality, actually. I wouldn't hack the dang thing if it would come out and be half as functional as it is unhacked. Why in the hell are you going to do it? I want SSH, I want to use a firewall, I want to be able to surf the web on my couch. I'm freaking lazy.

So, all right, what we're going to do, we're going to go ahead and... what time are we at now? Because we need to get into some of the forensics here soon. 3:35. Okay. So we have more than enough time. Great. All right, so what we're going to do right now: we had set up for the nitoTV demo. We already kind of walked through that. I want to look at Boxee. Oh, so it is, and it was, and it wasn't. Anybody doing any wireless hacking in here? No, we should be connected on your hardwired speaker LAN, unless I unplugged it. No. All right, so whoever raised his hand a minute ago about the Check for Updates on the Software menu, that was you. Yeah, so apparently the top movies were cached. You may need to reboot. Yeah, why don't you go ahead and try the Check for Updates? But yep, they're showing now. In all honesty, I don't use the Software menu that much anymore. Go back to the plugins and scroll down a little bit. Okay, so here in the Software menu, you can actually go ahead and install nitoTV.
So basically, once you install nitoTV, it's going to install all of its subsystems. You can install Couch Surfer, which is a version of Safari that was modified for use on the Apple TV. And of course Sapphire, which is basically another interface for the media player. I don't really use it very much. And then XBMC Launcher, which allows you to play or launch XBMC, of course, and Boxee, which we're going to go over here in a second now. So anyway, the point is that it's real freaking easy to go ahead and do this.

Go ahead to Launcher. Did you just install XBMC, Boxee, or what? Yeah, see if my Launcher menu is still there, since we ran both aTV Flash and ATV USB Creator on this. All right, try to launch Boxee. We were so lucky for so long. Yeah, reboot it. Yeah, reboot it. No, the main idea here is that, for people who don't know what the Apple TV is, we give you an idea of what the Apple TV is doing or can do. For people who are in law enforcement and maybe doing investigations, it's a good idea to understand what the Apple TV is capable of so that you know where to start looking. So that's why we've spent a little bit more time on the applications and the functionality, just to help people who need to find that needle in the haystack. No, you don't want to do that, because I'm not going to be able to log in here. I'm not going to put my credentials in. Reboot it. Reboot it, see if my menu comes back; if it doesn't, you guys can just visualize what Boxee is supposed to look like. How paranoid is that? I'm on the speaker LAN up here and I'm like, yeah, no, I don't think so. You guys look dangerous to me.

Sir? No, not... they added a larger hard drive. I think it was last year. Yeah, I mean, everyone's hoping for the new Nvidia GPU and things of that nature, but no, nothing. It's almost like it's been lost and forgotten by them.
The community was kind of excited because of the integration with the Remote and everything else and the updates in 2.4 for integration with the iPhone, but so far we haven't heard anything. Maybe after they're done with their netbook, we'll get one. I think there may have actually been... I have the older, the first version, with the 40 gig hard drive. I think they had a little bit faster CPU, but I don't think it was anything major. Quite honestly, I don't track it very closely as far as that goes. It's probably easier to replace the hard drive as far as stability goes, just because the kernel extensions sometimes load at startup and sometimes they don't, so you'll have to reboot. So for me, I have four kids at the house, and generally it's a pain for them, so I've had to teach them how to reboot the Apple TV or turn the USB drive off and turn it back on.

Well, if you have some spray adhesive that you can get from the art store, you can just spray that back on. That's it. There are four Torx head screws underneath. So no, it's not like if you've ever tried to open a Mac mini, with the spatulas and everything. Yeah, no, it's not like that. And it's not like one of the MacBooks where it's like 18,000 screws either, right? It's four screws, and then there are four screws that hold on the hard drive.

Did it come back up? Great. I think we broke my Apple TV. There it goes. Now see if I have the Launcher menu back. Did it... no, go down and see if it put it down on the bottom. Tip: do not use them together. Yeah, I actually had used them together when we were preparing for the talk, and it actually worked fairly well that time. Did not this time. Someone had a question? Yeah.
Yeah, you can actually install Apple file sharing, SSH, and FTP via nitoTV, right around the Services menu. So it's pretty simple.

All right, so we can't do the Boxee walkthrough, but you'll see some of the remnants from Boxee here in just a second. All right, so the other portion of this is to give you some information on where your data is being stored on the Apple TV, and also to give the investigator an idea of where to look. The high-level issue here is that the way Apple has made the Apple TV, with separate partitions, it's kind of like a little data fairy came through and just sprinkled your shit everywhere all over the drive. It's all over this machine. Okay.

So, some of the big-ticket items. We're going to talk about a hardware analysis from a forensic examiner's perspective, so what an examiner needs to understand and be aware of when they start doing an investigation. We're going to talk about a software summary from the same perspective. If you don't know by now, this is kind of part of what Randy and I do in our day job, so we're trying to spread the joy. We'll talk about some of the file structures and some of the basic forensic considerations, and then we're going to take a quick look at some of the important directories on the Apple TV and some of the areas where data is stored.

The biggest issue from the hardware side: it's a very small form factor and very low noise. There's no need for a fan or anything else on this box. The biggest issue as far as noise goes, if you want to count it as noise, is that it emits a lot of heat. It radiates heat. All right, so that's one key point. It has 802.11n, which of course includes b and g backwards compatibility, and it includes a 10/100 Ethernet port. And actually, I think the new version actually has gig on it. And the video output from the device is via HDMI and component video, and audio is via optical or RCA composite connections.
So it has a lot of different ways it can connect and store data or transmit data. On the software side, from the examiner's perspective, the high-level stuff to know. Again, I can't hit this too much or too heavy: it's built on a full version of OS X. So you can do just about anything with this machine. Sir? Oh, you mean that it's not PowerPC? Yeah, that's true. That's right. Yeah, so it is built on x86. So you don't have a lot of the strangeness that happens with the backwards compatibility for PowerPC. It is, of course, the Mach kernel, so that's a little bit more difficult to get used to. Dino, over at the Black Hat talk yesterday, was talking about some rootkits on OS X, and one of the points that he made was that the great thing about OS X is that it makes you feel like you're learning Linux all over again.

There are two primary variants of the Apple TV OS. There's the version 1.0 series and the 2.0 series. Again, with 2.0, or Take Two, the biggest issue is that they removed a lot of, quote unquote, unnecessary applications. From a software summary perspective, again high level: it does have a GUID partition scheme, formatted as HFS+, and by default it should have four separate disk partitions. The first one is the Extensible Firmware Interface, right? So that's where your data is stored so that your hardware knows what to do. The second one, which is of note, is a recovery partition. That recovery partition stores an unmodified copy of the original version of the Apple TV OS that was installed by the factory, so you can always go back and recover from the hard drive. Then an OSBoot partition for all your boot files, supposedly, and a Media partition for all your media files. Supposedly. Sir? No, sir, the patchstick does not whack the recovery partition. It is left completely alone.

One of the major things that you'll find in the Apple TV OS is that it takes liberal advantage of symbolic links.
This is on the screen over here. You can see pointers from /Users to /mnt/Scratch/Users and mach to mach_kernel. So you'll find that all over the Apple TV.

Basic forensic considerations on the discovery side. One of the things that people tend to forget is, with a device this small, with all of the wireless connections that it can make, it doesn't have to connect to the network that's in the house that you're in, right? It can connect to any freaking network. Right? So when you're going in and you're doing an investigation, do a wireless assessment: look and find out all of the networks that are around in the area, document them, see if you can't get SSIDs and MAC addresses and IP addresses, signal strengths, all of that good stuff, because you don't know whether or not the Apple TV is actually connected to the one in the house. Yes, there is. The Apple TV loves you and it loves keeping track of you. Sir. Oh, I'm very sorry, guys. Yeah, thanks for stopping me. So the question is whether or not there is a log of the connections that the Apple TV makes. And there certainly is; that's one of the directories, actually one of the log files, we're going to point out here in a couple of minutes.

So, all right, the Apple TV does use property list, or plist, files. They are configuration files, just like in OS X. The best way, of course, if you're a forensic investigator, you're probably going to be using an Apple to do your investigation of this device. But if not, then okay, look, a plist file is an XML file, so you can just use any XML viewer or TextPad if you want. This version of OS X, the Apple TV, still does use NetInfo databases. So there is a Linux application that you can still find out there, by Paddle Software, to allow you to open up NetInfo files. Generally, you don't have to on an Apple TV.
If you want to know what directories this thing is connected to and what networks and things of that nature, the normal stuff that's stored in NetInfo files, you can find it in the log files; you don't have to look at the NetInfo information in those databases. A lot of people in the community think that right now this version of the Apple TV OS, including up to 2.4, which is the current version, is built on 10.4.8 and 10.4.9. A lot of people think that the next major version may actually go up to 10.5. So at that point, you don't have to worry about NetInfo anyway.

As we talked about earlier, the Apple TV kernel file must be patched in order to allow you to run kernel extensions. So that file is the first indicator that something is awry. Okay, a quick MD5 checksum of that file, of the file that exists on the Apple TV, against your MD5 checksum of an unmodified Apple TV mach_kernel tells you, okay, yep, this machine's been hacked. Generally, most of the patchsticks do you a little favor by actually including the old original file on there. I'm not really too sure why they do that, because you can't go back once you've already done it anyway. There are no runtimes or subroutines or anything like that in the patchsticks that allow you to go, oh yeah, unpatch me.

All new kernel extensions are loaded in /OSBoot/System/Library/Extensions, and two different places for SSH, for secure shell. If they did it manually, it's going to be in /usr/bin, /usr/sbin, I'm sorry. New patchsticks use a version of SSH called Dropbear, which actually is pretty functional, and that's dropped in /usr/bin. Okay, most of your user data is in /Users/frontrow. Okay, the default user on an Apple TV is the frontrow user, so just about everything that gets stored for your use is going to be in /Users/frontrow, most of the main applications anyway.
However, as it says on the slide, your data is everywhere. Remember, we said that it has an OSBoot partition that's supposed to be for booting. It's not. The Apple TV actually will store a lot of stuff in the OSBoot partition. Under the file systems area, if you know FUSE file systems, you know, mount SSH shares as a drive, that's going to be in there. It's going to put it in OSBoot. Things like how you enable AFS, or other types of file services, that's going to be in OSBoot. A lot of the executable libraries that are loaded for use with nitoTV, with Perian, XBMC, a lot of those things are going to actually be over in /usr/libexec, right? So in general, if you're following along and you're used to working on a Mac, these directories at least should make sense and they should sound familiar. The difference here is that you're not on /, you're on either /OSBoot or /Media. And if you're mounting it, you're going to see it actually includes Scratch, which I think we'll see in a second.

All right. Just like on a Mac, your photos are going to be stored in a Photos directory, and it's going to have the same plist XML for your information that is on Media. It also keeps, if you have anything mounted that's set to mount at boot, so your automount, that plist is going to be on Media, because it looks at it as one of your library preferences. Amazingly enough, it's not in the user's Library/Preferences; it's in the main /Library. Let's see. And of course, we were talking about known networks. So the question: if you look at item number three, /Media/Scratch/Library/Preferences/SystemConfiguration. So that information about all of the airports that you've connected to and all of the networks that you've connected to is actually sitting right there for you. As far as I know, and as far as I've been able to tell, that is not cleared out at reboot. It saves, I think, the last 16 connections.
So it's only cleared out whenever it gets a new network and it goes over that field. Of course, you could go in and modify that plist to where it only keeps, you know, one, whatever. I don't know if you could drop it down to zero. I'm not sure; I haven't tried that. And of course, resolv.conf. That one generally is used primarily just like on a Windows machine. So if you want to point the Apple update web address to 127.0.0.1, so it does an update, then you can do that manually.

All right. The two main areas where most data resides are going to be your logs and the applications themselves. Logs: OSBoot has a /var/log partition, and so does Media. So generally, from what I can tell so far, all of your data is going to write to at least one of those places and possibly both. The worst part about it is the applications. nitoTV drops a massive amount of data, as far as cache files, onto the Apple TV. Boxee doesn't seem like it does that much. It does keep some of your preferences, you know, your applications, where you've gone and things of that nature.

The data remnants: just from doing an EnCase, you know, I did an image real quick in EnCase, well, because I have EnCase; dd takes forever. And a real quick dump of some of the images that are left there: all I did was click on Gallery in EnCase and say show me all of the pertinent JPEGs, TIFFs, whatever that are stored on this Apple TV. And I pulled out some, gosh, I think it was over 150, 160 images, and just grabbed a couple that the Apple TV happened to keep around. Right. So basically, the main gist of this part of the talk is the Apple TV stores just a massive amount of data. Most of that is in the logs or in the application areas.
If you're in law enforcement and you want more data about that, come see me or Randy. We are developing a tool for law enforcement, much like the Xbox 360 toolkit, so that it can actually go in and help determine if an Apple TV has been modified and start pulling off, sucking off, some of the data, some of the pertinent information. We're hoping that we'll be unveiling that tool later on this year at DoD Cyber Crime, but we haven't been confirmed yet. All right, so that concludes the talk. Sorry about the Boxee issue. If you have any other questions, you know, let us know. Hopefully this has been of some benefit to everybody. Yeah. Okay. Thank you.
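An added example, not part of the talk and not the speakers' law-enforcement tool: a small Python triage script that applies the modification checks described in the talk to a mounted image, comparing the OSBoot mach_kernel hash against the factory copy on the recovery partition, listing kernel extensions that the factory copy does not have, and looking for the Dropbear or manually installed SSH binaries. It assumes the recovery partition is mounted with the same layout as OSBoot (a mach_kernel file and System/Library/Extensions at its root); the sample tree it builds is constructed for the demo, not real Apple TV contents.

```python
import hashlib
from pathlib import Path
from typing import List

# Constructed demo tree: the files below are fake stand-ins, not real Apple TV contents.
def build_sample_image(root: Path) -> None:
    """Lay out a fake OSBoot partition and a fake Recovery partition under root."""
    for part in ("OSBoot", "Recovery"):
        (root / part / "System/Library/Extensions/IOFoo.kext").mkdir(parents=True)
    (root / "Recovery/mach_kernel").write_bytes(b"factory kernel image")
    (root / "OSBoot/mach_kernel").write_bytes(b"kernel patched to load extensions")
    (root / "OSBoot/System/Library/Extensions/Extra.kext").mkdir()
    (root / "OSBoot/usr/bin").mkdir(parents=True)
    (root / "OSBoot/usr/bin/dropbear").write_bytes(b"ssh daemon")

def md5_file(path: Path) -> str:
    """MD5 of a file, read in chunks so large kernels do not sit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

# SSH binaries the talk names, relative to the OSBoot root (Dropbear or a manual install)
SSH_ARTIFACTS = ("usr/bin/dropbear", "usr/sbin/sshd", "usr/bin/ssh")

def triage(osboot: Path, recovery: Path) -> List[str]:
    """Compare OSBoot against the untouched Recovery copy; return the indicators found."""
    findings = []
    # 1. A patched kernel is the first indicator: its hash no longer matches the factory file.
    if md5_file(osboot / "mach_kernel") != md5_file(recovery / "mach_kernel"):
        findings.append("mach_kernel differs from the factory copy on Recovery")
    # 2. Kernel extensions present on OSBoot but absent from the factory image.
    ext = "System/Library/Extensions"
    factory = {p.name for p in (recovery / ext).iterdir()}
    for kext in sorted((osboot / ext).iterdir()):
        if kext.name not in factory:
            findings.append(f"extra kernel extension: {kext.name}")
    # 3. Remote-access binaries a patchstick or a manual install leaves behind.
    for rel in SSH_ARTIFACTS:
        if (osboot / rel).exists():
            findings.append(f"SSH artifact present: {rel}")
    return findings

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_image(root)
        for line in triage(root / "OSBoot", root / "Recovery"):
            print(line)
```

Point `triage` at the two mount points of a real image instead of the constructed tree; an empty list means none of the three indicators was found.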