Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective

Back in May 2019, along with my colleagues Heather Mahalik and Adrian Leong, we wrote the paper "Using Apple “Bug Reporting” for forensic purposes" and some scripts to parse data stored in Sysdiagnose logs.

The paper is still available for download and, for the most part, is still accurate. But time goes on, and new iOS versions have come on the market in recent years. I took a first look at a sysdiagnose generated on a freshly wiped iPhone with iOS 16 natively installed.

For sysdiagnose generation and extraction, nothing has changed since our paper: you can still trigger it either with the hardware key combination or via software, and you can extract it with forensic tools (e.g. Elcomsoft iOS Forensic Toolkit) or with iOS device manager tools (e.g. 3uTools).

Once extracted, the sysdiagnose is a TAR file that contains various files in the root folder and different subfolders.
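A quick way to start the comparison this post makes by hand is to inventory the archive programmatically and diff its root against the 2019 list. The script below is an added example, not part of the original post or of the scripts released with the paper: it reads the TAR in memory, strips the single `sysdiagnose_<date>_<device>` wrapper directory that real archives usually carry (an assumption; adjust if your tool extracts differently), and reports which root entries are new and which 2019 files are gone. The sample archive it triages is constructed inline for the demonstration.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Root-level files documented in the 2019 paper (reproduced from the list in this post).
BASELINE_2019_ROOT = {
    "sysdiagnose.log", "tasksummary.csv", "disks.txt", "mount.txt",
    "ckksctl_status.txt", "apfs_stats.txt", "error_log.txt", "pcstatus.txt",
    "smcDiagnose.txt", "hidutil.plist", "vm_stat.txt", "microstackshots",
    "kbdebug.txt", "taskinfo.txt", "spindump-nosymbols.txt", "ps.txt",
    "ps_thread.txt", "tailspin-info.txt",
}


def inventory(tar_bytes):
    """Return (root_entries, subfolders) for a sysdiagnose archive.

    root_entries: names sitting directly in the sysdiagnose root (files, or
                  directories that carry no members of their own).
    subfolders:   {folder name: set of paths relative to that folder}.
    """
    top_level = set()
    subfolders = {}
    # mode "r:*" lets tarfile detect gzip/bzip2/xz or plain tar by itself.
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            parts = PurePosixPath(member.name).parts
            # Assumption: everything is wrapped in one sysdiagnose_<date>_<device>
            # directory, as real archives usually are; drop that wrapper.
            if parts and parts[0].startswith("sysdiagnose_"):
                parts = parts[1:]
            if not parts:
                continue
            top_level.add(parts[0])
            if len(parts) > 1:
                subfolders.setdefault(parts[0], set()).add("/".join(parts[1:]))
    root_entries = top_level - set(subfolders)
    return root_entries, subfolders


def diff_root(root_entries, baseline=BASELINE_2019_ROOT):
    """Root entries new since 2019, and 2019 entries no longer present."""
    return {
        "new": sorted(root_entries - baseline),
        "missing": sorted(baseline - root_entries),
    }


def build_sample_tar(files):
    """Build an in-memory TAR from {path: text}. Constructed test data, not a real sysdiagnose."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed miniature archive: three root files (one new in iOS 16) and two subfolders.
_PREFIX = "sysdiagnose_2022.10.05_12-00-00+0200_iPhone-OS_iPhone/"
SAMPLE_TAR = build_sample_tar({
    _PREFIX + "sysdiagnose.log": "start\n",
    _PREFIX + "ps.txt": "PID\n",
    _PREFIX + "remotectl_dumpstate.txt": "UDID\n",
    _PREFIX + "logs/MobileActivation/x.log": "",
    _PREFIX + "WiFi/com.apple.wifi.known-networks.plist": "",
})


def triage(tar_bytes=SAMPLE_TAR):
    """Summarise an archive: sorted root entries, sorted folder names, and the 2019 diff."""
    root_entries, subfolders = inventory(tar_bytes)
    return {"root": sorted(root_entries), "folders": sorted(subfolders), **diff_root(root_entries)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

To run it on a real extraction, pass `open(path, "rb").read()` of the tar.gz to `triage()`; entries listed under "new" are the candidates worth a closer look, exactly as done manually in the rest of this post.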


At first look, most of the files are consistent with what we wrote in the paper. You can in fact find:
  • sysdiagnose.log
  • tasksummary.csv
  • disks.txt
  • mount.txt
  • ckksctl_status.txt
  • apfs_stats.txt
  • error_log.txt
  • pcstatus.txt
  • smcDiagnose.txt
  • hidutil.plist
  • vm_stat.txt
  • microstackshots
  • kbdebug.txt
  • taskinfo.txt
  • spindump-nosymbols.txt
  • ps.txt
  • ps_thread.txt
  • tailspin-info.txt
There are some new files, not seen in 2019; they were probably added along the way in intermediate iOS versions:
  • codecctl.txt
  • night-shift.log
  • otctl_status.txt
  • remotectl_dumpstate.txt, containing a lot of details about the device including model, iOS version and build, UDID, language, timezone, etc.
  • security-sysdiagnose.txt
  • swcutil_show.txt, related to iOS Universal Links
Some of the folders have the same content ("ASPSnapshots", "brctl", "crashes_and_spins" and "errors"), while others contain additional files or folders.

The "ioreg" folder contains 2 additional files:
  • IOPort.txt
  • IOService.txt
The "Preferences" folder contains 6 additional files:
  • Accessibility_Preferences.txt, containing Accessibility configuration info
  • CaptureSourceInfo_CurrentUser.txt
  • com.apple.avfoundation_CurrentUser.txt
  • com.apple.camera_CurrentUser.txt
  • com.apple.coremedia_CurrentUser.txt
  • ScreenTimeEnabled_CurrentUser.txt, containing info about ScreenTime (enabled or not)
The new "Personalization" folder is related in some way to the Personalization Portrait, and the new "RunningBoard" folder to the RunningBoard process-management service introduced with macOS Catalina and iOS 13.

The "system_logs.logarchive" still contains Apple's unified logs and can be easily opened with the macOS Console application.

The most interesting changes are in the "logs" and in the "WiFi" folders.

In the "logs" folder we can find some folders already available in 2019 and covered in our paper:
  • AccessiblityPrefs
  • appinstallation
  • AWD
  • itunesstored
  • keyboards
  • MobileActivation
  • MobileBackup
  • MobileContainerManager
  • MobileInstallation
  • MobileLockdown
  • Networking
  • olddsc
  • powerlogs
  • suggest_tool
  • SystemVersion
Also, some folders seem not available anymore:
  • AppConduit
  • AVConference
  • tailspindb
Last, I found these new subfolders:
  • Accessibility, containing the TCC.db (Transparency, Consent and Control) database
  • ACLogs
  • AFK
  • AppSupport
  • Baseband
  • BatteryBDC
  • BatteryHealth
  • BatteryUIPlist
  • Bluetooth
  • CalendarPreferences
  • DCP
  • FDR
  • MCState
  • MemoryExceptions
  • MSU
  • NetworkRelay
  • OTAUpdateLogs
  • parseced
  • ProactiveInputPredictions
  • SensorKit
  • Sentry
  • SiriAnalytics, containing the SiriAnalytics.db
  • Splat
  • Trial
  • UserManagement, containing the "usermanagerd.log.0" file
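The TCC.db copy in the "Accessibility" subfolder is a plain SQLite database, so the grants it records (which app was allowed or denied which service, and when) can be pulled out with a few lines of Python. The snippet below is an added example and not part of the original post or of the paper's scripts: it builds a constructed in-memory database with a subset of the iOS 14+ `access` table columns (schema and the `auth_value` meanings are assumptions from public schema dumps; verify against your own sample with `.schema access` in `sqlite3`), then runs the query a practitioner would run on the real file.

```python
import sqlite3
from datetime import datetime, timezone

# Subset of the TCC.db "access" table as seen on iOS 14+ (assumed layout; older
# iOS versions use an "allowed" column instead of "auth_value").
TCC_SCHEMA = """
CREATE TABLE access (
    service       TEXT    NOT NULL,
    client        TEXT    NOT NULL,
    client_type   INTEGER NOT NULL,
    auth_value    INTEGER NOT NULL,
    auth_reason   INTEGER NOT NULL,
    auth_version  INTEGER NOT NULL,
    last_modified INTEGER NOT NULL,
    PRIMARY KEY (service, client, client_type)
);
"""

# Assumed meaning of auth_value on iOS 14+.
AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}


def build_sample_tcc():
    """Constructed sample database: three decisions for two hypothetical apps."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(TCC_SCHEMA)
    rows = [
        # service, client, client_type, auth_value, auth_reason, auth_version, last_modified (Unix epoch)
        ("kTCCServiceCamera", "com.example.chat", 0, 2, 2, 1, 1664800000),
        ("kTCCServiceMicrophone", "com.example.chat", 0, 0, 2, 1, 1664800030),
        ("kTCCServicePhotos", "com.example.editor", 0, 3, 2, 1, 1665000000),
    ]
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def open_tcc_readonly(path):
    """Open a real TCC.db without risking a write to the evidence copy."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def tcc_grants(conn):
    """List every consent decision in chronological order, with decoded auth_value and UTC time."""
    cur = conn.execute(
        "SELECT service, client, auth_value, last_modified FROM access ORDER BY last_modified"
    )
    return [
        {
            "service": service,
            "client": client,
            "decision": AUTH_VALUE.get(auth, f"auth_value={auth}"),
            "last_modified": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        }
        for service, client, auth, ts in cur
    ]


if __name__ == "__main__":
    for grant in tcc_grants(build_sample_tcc()):
        print(grant)
```

`last_modified` is stored as a Unix epoch; it tells you when the decision was last changed, not when the app first asked, so pair it with the MobileInstallation logs if you need the install timeline as well.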
In the "WiFi" folder we can find some files and folders already available in 2019 and covered in our paper:
  • awdl_status.txt
  • bluetooth_status.txt
  • debug-log.txt
  • leaky_ap_stats.txt
  • network_status.txt
  • wifi_scan.txt
  • wifi_scan_cache.txt
  • wifi_status.txt
The main difference is the new file format for Wi-Fi networks: the old com.apple.wifi.plist has been replaced by com.apple.wifi.known-networks.plist. This file is also available in a traditional iTunes backup. Last, Wi-Fi logs are now stored in a file named "wifimanager.log.tgz".
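Since com.apple.wifi.known-networks.plist is the artifact most examiners will want first, here is an added example (not part of the original post or of the paper's scripts) that parses it with the standard library and turns the per-network timestamps into a single timeline. The sample plist is constructed inline; its layout (one dictionary per network under a `wifi.network.<type>.<SSID>` key, the SSID stored as raw bytes, `AddedAt`/`JoinedByUserAt`/`JoinedBySystemAt` dates and a `BSSList` of access points) is an assumption drawn from publicly described samples, so check the keys against your own file before relying on the output.

```python
import plistlib
from datetime import datetime


def parse_known_networks(plist_bytes):
    """Return one record per known network with SSID, security type, timestamps and BSSIDs."""
    root = plistlib.loads(plist_bytes)
    networks = []
    for key, entry in root.items():
        # Assumed key layout: "wifi.network.ssid.<SSID>" (and other wifi.network.* variants).
        if not (key.startswith("wifi.network.") and isinstance(entry, dict)):
            continue
        ssid = entry.get("SSID")
        if isinstance(ssid, bytes):  # SSID is stored as <data>, decode for display
            ssid = ssid.decode("utf-8", "replace")
        networks.append({
            "ssid": ssid if ssid else key.split(".", 3)[-1],
            "security": entry.get("SupportedSecurityTypes"),
            "added_at": entry.get("AddedAt"),
            "joined_by_user_at": entry.get("JoinedByUserAt"),
            "joined_by_system_at": entry.get("JoinedBySystemAt"),
            "bss": [
                {"bssid": b.get("BSSID"), "last_associated_at": b.get("LastAssociatedAt")}
                for b in entry.get("BSSList", [])
            ],
        })
    networks.sort(key=lambda n: n["added_at"] or datetime.min)
    return networks


def timeline(networks):
    """Flatten every timestamp into (time, ssid, event) tuples, oldest first."""
    events = []
    for n in networks:
        for field in ("added_at", "joined_by_user_at", "joined_by_system_at"):
            if n[field]:
                events.append((n[field], n["ssid"], field))
        for bss in n["bss"]:
            if bss["last_associated_at"]:
                events.append((bss["last_associated_at"], n["ssid"], "bss " + str(bss["bssid"])))
    return sorted(events)


# Constructed sample in the assumed layout; plistlib writes <date> values as UTC, so
# all datetimes here are naive UTC, which is also what plistlib.loads hands back.
SAMPLE_PLIST = plistlib.dumps({
    "wifi.network.ssid.CoffeeShop": {
        "SSID": b"CoffeeShop",
        "SupportedSecurityTypes": "Open",
        "AddedAt": datetime(2022, 9, 20, 8, 15, 0),
        "JoinedByUserAt": datetime(2022, 9, 20, 8, 15, 0),
        "JoinedBySystemAt": datetime(2022, 10, 1, 17, 42, 10),
        "BSSList": [
            {"BSSID": "aa:bb:cc:dd:ee:01", "LastAssociatedAt": datetime(2022, 10, 1, 17, 42, 10)},
        ],
        "__OSSpecific__": {"WiFiNetworkIsHidden": False},
    },
    "wifi.network.ssid.HomeNet": {
        "SSID": b"HomeNet",
        "SupportedSecurityTypes": "WPA2 Personal",
        "AddedAt": datetime(2022, 9, 18, 19, 0, 0),
        "JoinedByUserAt": datetime(2022, 9, 18, 19, 0, 0),
        "JoinedBySystemAt": datetime(2022, 10, 4, 7, 30, 0),
        "BSSList": [
            {"BSSID": "11:22:33:44:55:66", "LastAssociatedAt": datetime(2022, 10, 4, 7, 30, 0)},
            {"BSSID": "11:22:33:44:55:67", "LastAssociatedAt": datetime(2022, 9, 25, 21, 5, 0)},
        ],
        "__OSSpecific__": {"WiFiNetworkIsHidden": False},
    },
})


if __name__ == "__main__":
    for when, ssid, event in timeline(parse_known_networks(SAMPLE_PLIST)):
        print(when.isoformat(), ssid, event)
```

For a real file, replace `SAMPLE_PLIST` with `open(path, "rb").read()`; `plistlib.loads` handles both the binary and XML encodings. The distinction between `JoinedByUserAt` and `JoinedBySystemAt` is the forensically interesting one, since it separates a deliberate user join from an automatic reconnection.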

Overall, the most interesting files you can find in a Sysdiagnose, to the best of my knowledge, are:
  • Mobile Installation Logs
  • Mobile Activation Logs
  • Mobile Container Manager Logs
  • Lockdownd Logs
  • WiFi Manager Logs
  • User Manager Logs
  • CurrentPowerLog.PLSQL (partial)
  • com.apple.MobileBackup.plist (also available in an iTunes backup)
  • TCC.db (also available in an iTunes backup)
  • com.apple.wifi.known-networks.plist (also available in an iTunes backup)
  • AppUpdates.sqlitedb (also available in an iTunes backup)
More research is needed on the User Manager logs, as they seem to contain useful timestamps for tracking device boots and application usage.

