iOS devices can generate numerous logs containing forensically useful information. Some of that information is volatile, so these logs should be collected as early as possible during forensic processing.
Mattia Epifani (GitHub: mattiaepi, Twitter: @mattiaep), Heather Mahalik (GitHub: hmahalik, Twitter: @HeatherMahalik) and @Cheeky4n6monkey have written a document describing their initial research into these logs. The document is freely available from:
https://www.for585.com/sysdiagnose
A big thank you to Peter Maaswinkel and Pranav Anand for their additional testing and document review.
Thanks also to David Durvaux (ddurvaux) for sharing his script - sysdiagnose-appupdates.py
Thanks to Silvia Spallarossa for her testing of the scripts and bug fixes for sysdiagnose-networkinterfaces.py.
It is strongly suggested that interested forensic monkeys first read the document BEFORE attempting to use these scripts. The document details the various iOS logs available, methods of generating and collecting those logs, and how to use these scripts to extract forensically interesting information from them.
These scripts were written for Python 3 (tested under Ubuntu 16.04 and macOS Mojave) using test data from various iOS 12 devices. They do not require any third-party Python libraries.
Here is a usage summary of the available scripts:
| Name | Description | Output | Usage Example |
| --- | --- | --- | --- |
| sysdiagnose-sys.py | Extracts OS info from logs/SystemVersion/SystemVersion.plist | Command line | python3 sysdiagnose-sys.py -i SystemVersion.plist |
| sysdiagnose-networkprefs.py | Extracts hostnames from logs/Networking/preferences.plist | Command line | python3 sysdiagnose-networkprefs.py -i preferences.plist |
| sysdiagnose-networkinterfaces.py | Extracts network config info from logs/Networking/NetworkInterfaces.plist | Command line | python3 sysdiagnose-networkinterfaces.py -i NetworkInterfaces.plist |
| sysdiagnose-mobilecontainermanager.py | Extracts uninstall info from logs/MobileContainerManager/containermanagerd.log.0 | Command line | python3 sysdiagnose-mobilecontainermanager.py -i containermanagerd.log.0 |
| sysdiagnose-mobilebackup.py | Extracts backup info from logs/MobileBackup/com.apple.MobileBackup.plist | Command line | python3 sysdiagnose-mobilebackup.py -i com.apple.MobileBackup.plist |
| sysdiagnose-mobileactivation.py | Extracts Mobile Activation startup and upgrade info from logs/MobileActivation/mobileactivationd.log.* | Command line | python3 sysdiagnose-mobileactivation.py -i mobileactivation.log |
| sysdiagnose-wifi-plist.py | Extracts Wi-Fi network values from WiFi/com.apple.wifi.plist. Use the -t option for a TSV output file | Command line and TSV | python3 sysdiagnose-wifi-plist.py -i com.apple.wifi.plist -t |
| sysdiagnose-wifi-icloud.py | Extracts Wi-Fi network values from WiFi/ICLOUD.apple.wifid.plist. Use the -t option for a TSV output file | Command line and TSV | python3 sysdiagnose-wifi-icloud.py -i ICLOUD.apple.wifid.plist -t |
| sysdiagnose-wifi-net.py | Extracts Wi-Fi network names to categorized TSV files from WiFi/wifi*.log | TSV files | python3 sysdiagnose-wifi-net.py -i wifi-buf.log |
| sysdiagnose-wifi-kml.py | Extracts Wi-Fi geolocation values and creates a KML file from WiFi/wifi*.log | KML | python3 sysdiagnose-wifi-kml.py -i wifi-buf.log |
| sysdiagnose-uuid2path.py | Extracts GUID and path info from logs/tailspindb/UUIDToBinaryLocations | Command line (comma separated) | python3 sysdiagnose-uuid2path.py -i UUIDToBinaryLocations |
| sysdiagnose-net-ext-cache.py | Extracts app name and GUID info from logs/Networking/com.apple.networkextension.cache.plist. Use the -v option to print GUID info | Command line | python3 sysdiagnose-net-ext-cache.py -i com.apple.networkextension.cache.plist -v |
| sysdiagnose-appconduit.py | Extracts connection info from logs/AppConduit/AppConduit.log.* | Command line | python3 sysdiagnose-appconduit.py -i AppConduit.log |
| sysdiagnose-appupdates.py | Extracts update info from logs/appinstallation/AppUpdates.sqlite.db.* | Command line | python3 sysdiagnose-appupdates.py -i AppUpdates.sqlitedb |
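Several of the scripts in the table share the same basic pattern: read a plist out of the sysdiagnose archive with Python's standard-library plistlib, pull out a handful of keys, and print them or write them to TSV. The example below is an added illustration of that pattern written for this page; it is not one of the sysdiagnose scripts above and does not reproduce their code. The sample plist is constructed here to stand in for logs/SystemVersion/SystemVersion.plist, and the key names ProductName, ProductVersion and ProductBuildVersion are assumed from the usual layout of Apple SystemVersion.plist files. It also shows the one caveat a practitioner should know: sysdiagnose plists may be XML or binary, and plistlib.loads handles both without the caller having to check.

```python
"""
Added example, not one of the sysdiagnose scripts: a stdlib-only
extractor for a sysdiagnose plist, with optional TSV output.
Runs offline on the constructed sample below; pass -i <file> to run
on a real SystemVersion.plist pulled from a sysdiagnose archive.
"""
import argparse
import csv
import io
import plistlib
import sys
from typing import Dict, Iterable, List, Optional

# Constructed sample standing in for logs/SystemVersion/SystemVersion.plist.
# Key names are assumed from typical Apple SystemVersion.plist layouts.
SAMPLE_XML_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ProductBuildVersion</key>
    <string>16B92</string>
    <key>ProductName</key>
    <string>iPhone OS</string>
    <key>ProductVersion</key>
    <string>12.1</string>
</dict>
</plist>
"""

# Same content re-encoded as a binary plist, to show both formats parse alike.
SAMPLE_BINARY_PLIST = plistlib.dumps(
    plistlib.loads(SAMPLE_XML_PLIST), fmt=plistlib.FMT_BINARY
)

# Keys worth reporting for OS identification (assumed names, see above).
OS_KEYS = ("ProductName", "ProductVersion", "ProductBuildVersion")


def load_plist(data: bytes) -> dict:
    """Parse XML or binary plist bytes; plistlib.loads auto-detects the format."""
    return plistlib.loads(data)


def extract_os_info(data: bytes) -> Dict[str, Optional[str]]:
    """Return the OS-identifying keys. A missing key maps to None instead of
    raising, so a plist from a different iOS build still yields a row."""
    plist = load_plist(data)
    if not isinstance(plist, dict):
        raise ValueError("expected a dict at the top level of the plist")
    return {key: plist.get(key) for key in OS_KEYS}


def to_tsv(rows: List[Dict[str, Optional[str]]], fields: Iterable[str]) -> str:
    """Render rows as TSV text (header first), matching the -t style output
    of the Wi-Fi scripts in the table."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=list(fields), delimiter="\t", lineterminator="\n"
    )
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def main(argv: List[str]) -> int:
    parser = argparse.ArgumentParser(description="Extract OS info from a sysdiagnose SystemVersion.plist")
    parser.add_argument("-i", dest="infile", help="input plist (defaults to the built-in sample)")
    parser.add_argument("-t", dest="tsv", action="store_true", help="emit TSV instead of key: value lines")
    args = parser.parse_args(argv)

    if args.infile:
        with open(args.infile, "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_XML_PLIST

    info = extract_os_info(data)
    if args.tsv:
        sys.stdout.write(to_tsv([info], OS_KEYS))
    else:
        for key, value in info.items():
            print(f"{key}: {value}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Running the file with no arguments parses the constructed sample; `python3 thisfile.py -i SystemVersion.plist -t` runs it on a real file and writes TSV to stdout. Because plistlib.loads is handed raw bytes, the same function works whether the archive contains the XML or the binary encoding, which is the check most worth having when writing a new extractor against an iOS version you have not tested.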