Hiding from the Investigator: Understanding OS X and iOS Code Signing to Hide Data

Presented at ShmooCon XII (2016), Jan. 15, 2016, 6 p.m. (30 minutes)

To hide data from a the forensic practitioner you need to exploit either a gap in their knowledge, their processes, and/or their tools. This is a talk about all three in regards to Apple OS X and iOS code signing. Much research has been conducted around code signing with respect to preventing malicious code execution at binary load time. This strictly about forensics, binary tampering, and data smuggling.

Presenters:

• Joshua Pitts
  Josh Pitts (@midnite_runr) likes to write code that patches code with other code via The Backdoor Factory. Sometimes this leads to the discovery of funny bugs and to Russians patching stuff over the Internet. He has worked for the military, the US government, private consulting, and startups doing pentesting, defending networks, designing secure systems, and breaking security products.

Links:

• https://infocon.org/cons/ShmooCon/ShmooCon 2016/Hiding From The Investigator.mp4
• https://infocon.org/cons/ShmooCon/ShmooCon 2016/Hiding From The Investigator.srt (subtitles)

Tags:

• iOS

Similar Presentations:

• RVAsec 2019 / Code Signing: A Security Control That Isn’t Secured
• BSidesDC 2019 / Signing your code the easy way
• Shakacon VIII (2016) / Windows Systems & Code Signing Protection