
Scripts to parse various iOS sysdiagnose logs. Based upon the forensic research of Mattia Epifani, Heather Mahalik and Cheeky4n6monkey.


iOS_sysdiagnose_forensic_scripts


Picture of Apple Log Loving Monkey

iOS devices have the ability to create numerous logs containing forensically useful information. These logs may contain volatile information which should be collected ASAP during forensic processing.

Mattia Epifani (Twitter: @mattiaep), Heather Mahalik (Twitter: @HeatherMahalik) and @Cheeky4n6monkey have written a document describing their initial research into these logs. This document is freely available from:

https://www.for585.com/sysdiagnose

Big thank-yous to Peter Maaswinkel and Pranav Anand for their additional testing and document review.

It is strongly suggested that interested forensic monkeys first read the document BEFORE attempting to use these scripts. The document details the various iOS logs available, methods of generating and collecting those logs and how to use these scripts to extract forensically interesting information from them.

These scripts were written for Python3 (tested under Ubuntu 16.04 and macOS X Mojave) using test data from various iOS12 devices. They do not require any third-party Python libraries.

Here is a usage summary of the available scripts:

| Name | Description | Output | Usage Example |
|---|---|---|---|
| sysdiagnose-sys.py | Extracts OS info from logs/SystemVersion/SystemVersion.plist | Command line | python3 sysdiagnose-sys.py -i SystemVersion.plist |
| sysdiagnose-networkprefs.py | Extracts hostnames from logs/Networking/preferences.plist | Command line | python3 sysdiagnose-networkprefs.py -i preferences.plist |
| sysdiagnose-networkinterfaces.py | Extracts network config info from logs/Networking/NetworkInterfaces.plist | Command line | python3 sysdiagnose-networkinterfaces.py -i NetworkInterfaces.plist |
| sysdiagnose-mobilecontainermanager.py | Extracts uninstall info from logs/MobileContainerManager/containermanagerd.log.0 | Command line | python3 sysdiagnose-mobilecontainermanager.py -i containermanagerd.log.0 |
| sysdiagnose-mobilebackup.py | Extracts backup info from logs/MobileBackup/com.apple.MobileBackup.plist | Command line | python3 sysdiagnose-mobilebackup.py -i com.apple.MobileBackup.plist |
| sysdiagnose-mobileactivation.py | Mobile Activation Startup and Upgrade info from logs/MobileActivation/mobileactivationd.log.* | Command line | python3 sysdiagnose-mobileactivation.py -i mobileactivation.log |
| sysdiagnose-wifi-plist.py | Extracts Wi-Fi network values from WiFi/com.apple.wifi.plist. Use -t option for TSV output file | Command line and TSV | python3 sysdiagnose-wifi-plist.py -i com.apple.wifi.plist -t |
| sysdiagnose-wifi-icloud.py | Extracts Wi-Fi network values from WiFi/ICLOUD.apple.wifid.plist. Use -t option for TSV output file | Command line and TSV | python3 sysdiagnose-wifi-icloud.py -i ICLOUD.apple.wifid.plist -t |
| sysdiagnose-wifi-net.py | Extracts Wi-Fi network names to categorized TSV files from WiFi/wifi*.log | TSV files | python3 sysdiagnose-wifi-net.py -i wifi-buf.log |
| sysdiagnose-wifi-kml.py | Extracts Wi-Fi geolocation values and creates a KML from wifi*.log | KML | python3 sysdiagnose-wifi-kml.py -i wifi-buf.log |
| sysdiagnose-uuid2path.py | Extracts GUID and path info from logs/tailspindb/UUIDToBinaryLocations | Command line (comma separated) | python3 sysdiagnose-uuid2path.py -i UUIDToBinaryLocations |
| sysdiagnose-net-ext-cache.py | Extracts app name & GUID info from logs/Networking/com.apple.networkextension.cache.plist. Use -v option to print GUID info | Command line | python3 sysdiagnose-net-ext-cache.py -i com.apple.networkextension.cache.plist -v |
| sysdiagnose-appconduit.py | Extracts connection info from logs/AppConduit/AppConduit.log.* | Command line | python3 sysdiagnose-appconduit.py -i AppConduit.log |
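All of the plist-based scripts above share one pattern: read a sysdiagnose artifact with the Python standard library only, print the fields of interest to the command line, and optionally write a TSV file. The following is an added example of that pattern, written for this README and not one of the repository's scripts. It parses a SystemVersion.plist-style file with plistlib (which handles both XML and binary plists), reports the ProductName, ProductVersion and ProductBuildVersion keys, and accepts a -t option for TSV output modelled on the Wi-Fi scripts' option. The embedded sample plist is constructed for the example and its build number is a made-up placeholder; missing keys are reported as None rather than crashing the parser, which matters when an artifact is truncated or from an unexpected iOS version.

```python
#!/usr/bin/env python3
"""Minimal stdlib-only sysdiagnose plist extractor (added example, not a repository script)."""
import argparse
import plistlib
import sys
from io import BytesIO

# Constructed sample in the shape of logs/SystemVersion/SystemVersion.plist.
# The build string is a made-up placeholder, not a real Apple build number.
SAMPLE_SYSTEMVERSION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ProductBuildVersion</key><string>16A000</string>
    <key>ProductName</key><string>iPhone OS</string>
    <key>ProductVersion</key><string>12.0</string>
</dict>
</plist>
"""

# Top-level keys worth reporting from a SystemVersion.plist; other keys are ignored.
SYSTEMVERSION_KEYS = ("ProductName", "ProductVersion", "ProductBuildVersion")


def load_plist(data: bytes) -> dict:
    """Parse plist bytes; plistlib detects XML vs binary from the file header."""
    return plistlib.load(BytesIO(data))


def extract_keys(plist: dict, keys) -> dict:
    """Return the requested top-level keys, using None for any that are absent,
    so a truncated or unfamiliar plist still yields a partial result."""
    return {k: plist.get(k) for k in keys}


def to_tsv(rows: dict) -> str:
    """Render key/value pairs as a two-column TSV with a header row (the -t output)."""
    lines = ["Key\tValue"]
    lines += [f"{k}\t{'' if v is None else v}" for k, v in rows.items()]
    return "\n".join(lines) + "\n"


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="Extract OS info from a SystemVersion.plist")
    parser.add_argument("-i", "--input", required=True, help="path to SystemVersion.plist")
    parser.add_argument("-t", "--tsv", help="also write the results to this TSV file")
    args = parser.parse_args(argv)
    try:
        with open(args.input, "rb") as fh:
            plist = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException) as exc:
        print(f"error: cannot read {args.input}: {exc}", file=sys.stderr)
        return 1
    if not isinstance(plist, dict):
        print("error: top-level plist object is not a dictionary", file=sys.stderr)
        return 1
    rows = extract_keys(plist, SYSTEMVERSION_KEYS)
    for key, value in rows.items():
        print(f"{key} = {value}")
    if args.tsv:
        with open(args.tsv, "w", encoding="utf-8") as out:
            out.write(to_tsv(rows))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as python3 example.py -i SystemVersion.plist -t out.tsv against a file collected from a sysdiagnose archive; the same load/extract/print/TSV structure carries over to the other plist artifacts in the table by swapping the key list.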