Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective

By -

Back in May 2019, along with my colleagues Heather Mahalik and Adrian Leong, we wrote the paper "Using Apple “Bug Reporting” for forensic purposes" and some scripts to parse data stored in Sysdiagnose logs.

The paper is still available for download and, for the most part, is still accurate. But time goes on, and new iOS versions have come on the market in recent years. I took a first look at a sysdiagnose generated on a freshly wiped iPhone with iOS 16 natively installed.

For sysdiagnose generation and extraction, nothing has changed since our paper. You can still generate it in a hardware or software way, and you can extract it with forensic tools (i.e. Elcomsoft iOS Forensic Toolkit) or with iOS device manager tools (i.e. 3uTools).

Once extracted, the sysdiagnose is a TAR file that contains various files in the root folder and different subfolders.


At first look, most of the files seem coherent with what we wrote in the paper. You can in fact find:
  • sysdiagnose.log
  • tasksummary.csv
  • disks.txt
  • mount.txt
  • ckksctl_status.txt
  • apfs_stats.txt
  • error_log.txt
  • pcstatus.txt
  • smcDiagnose.txt
  • hidutil.plist
  • vm_stat.txt
  • microstackshots
  • kbdebug.txt
  • taskinfo.txt
  • spindump-nosymbols.txt
  • ps.txt
  • ps_thread.txt
  • tailspin-info.txt
There are some new files, not seen in 2019. Probably they were added during the time in different iOS versions:
  • codecctl.txt
  • night-shift.log
  • otctl_status.txt
  • remotectl_dumpstate.txt, containing a lot of details about the device including model, iOS version and build, UDID, language, timezone, etc.
  • security-sysdiagnose.txt
  • swcutil_show.txt, related to iOS Universal Links
Some of the folders have the same content ("ASPSnapshots", "brctl", "crashes_and_spins" and "errors"), while others contain additional files or folders.

The "ioreg" folder contains 2 additional files:
  • IOPort.txt
  • IOService.txt
The "Preferences" folder contains 6 additional files:
  • Accessibility_Preferences.txt, containing Accessibility configuration info
  • CaptureSourceInfo_CurrentUser.txt
  • com.apple.avfoundation_CurrentUser.txt
  • com.apple.camera_CurrentUser.txt
  • com.apple.coremedia_CurrentUser.txt
  • ScreenTimeEnabled_CurrentUser.txt, containing info about ScreenTime (enabled or not)
The new "Personalization" folder is related in some way to the Personalization Portrait and the new 
"RunningBoard" folder is related in some way to the RunningBoard service introduced in MacOS Catalina.

The "system_logs.logarchive" still contains Apple logs that can be easily opened with the Mac OX C Console application.

The most interesting changes are in the "logs" and in the "WiFi" folders.

In the "logs" folder we can find some folders already available in 2019 and covered in our paper:
  • AccessiblityPrefs
  • appinstallation
  • AWD
  • itunesstored
  • keyboards
  • MobileActivation
  • MobileBackup
  • MobileContainerManager
  • MobileInstallation
  • MobileLockdown
  • Networking
  • olddsc
  • powerlogs
  • suggest_tool
  • SystemVersion
Also, some folders seem not available anymore:
  • AppConduit
  • AVConference
  • taispindb
Last, I found these new subfolders:
  • Accessibility, containing the TCC.db (Transparency, Consent and Control) database
  • ACLogs
  • AFK
  • AppSupport
  • Baseband
  • BatteryBDC
  • BatteryHealth
  • BatteryUIPlist
  • Bluetooth
  • CalendarPreferences
  • DCP
  • FDR
  • MCState
  • MemoryExceptions
  • MSU
  • NetworkRelay
  • OTAUpdateLogs
  • parseced
  • ProactiveInputPredictions
  • SensorKit
  • Sentry
  • SiriAnalytics, containing the SiriAnalytics.db
  • Splat
  • Trial
  • UserManagement, containing the "usermanagerd.log.0" file
In the "WiFi" folder we can find some files and folders already available in 2019 and covered in our paper:
  • awdl_status.txt
  • bluetooth_status.txt
  • debug-log.txt
  • leaky_ap_stats.txt
  • network_status.txt
  • wifi_scan.txt
  • wifi_scan_cache.txt
  • wifi_status.txt
The main difference is the new file format for Wi-Fi networks: the old com.apple.wifi.plist has now changed to com.apple.wifi.known-networks.plist. This file is also available in a traditional iTunes backup. Last, Wi-Fi logs are now stored in a file named "wifimanager.log.tgz"

Overall, the most interesting files you can find in a Sysdiagnose, to the best of my knowledge, are:
  • Mobile Installation Logs
  • Mobile Activation Logs
  • Mobile Container Manager Logs
  • Lockdownd Logs
  • WiFi Manager Logs
  • User Manager Logs
  • CurrentPowerLog.PLSQL (partial)
  • com.apple.MobileBackup.plist (also available in an iTunes backup)
  • TCC.db (also available in an iTunes backup)
  • com.apple.wifi.known-networks.plist (also available in an iTunes backup)
  • AppUpdates.sqlitedb (also available in an iTunes backup)
More research is needed on "User Manager Logs" as they seems containing useful timestamps to track device boot and application usage.


Comments

Post a Comment

Popular posts from this blog

A first look at Android 14 forensics

By -
Android 14 was released to the public by the Open Handset Alliance on October 4, 2023, and is now available on various smartphones, including the Google Pixel. This blog post aims to explore a list of the majr oartifacts you can find on this version of the Android OS.  For testing and review, I set up a Google Pixel 7A and used it for about a month, with a SIM card and various native and third-party apps installed. The blog post is organized by sections: Device information and general settings User accounts Information on Cellular, Wi-Fi, and Bluetooth connections Native Android applications Google applications Analysis of the use of native and third-party applications Other relevant information As always, I'll try to update this blog post as I test and research. Device information and general settings build.prop TXT format Stored in the root directory of the system partition  Among other things, it contains the device manufacturer, the device model, the operating system version, a
Keep reading

Huawei backup decryptor

By -
When doing Mobile Forensics the first and usually the hardest step is to get access to user's data . It depends on the case type, but the so called physical  acquisition is the analyst object of desire. The reason is simple: iOS and Android native backups, respectively adb  and iTunes , contain a subset of user data, because they respect the various apps configurations where they can specify " you can't include me in backups ". Which leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. Not considering WhatsApp, the majority of apps in iOS and Android do not allow their data to be included in backups . In the scenario where  device is unlocked or the lock  code is known (the only scenario considered in this post), the analyst could use the device itself to make the analysis of the installed applications. Anyone who did that at least once knows how uncomfortable is this approach. Al
Keep reading

WhatsApp Xtract

By -
I don’t want to bore you explaining what is WhatsApp . If you have this serious gap, you can fill it here .  Forensically speaking, WhatsApp was a very cool app until the last June. After that, someone had decided to add the extension “crypt” to such excellent source of information which was msgstore.db . This database stores information about contacts and also entire conversations. But simply opening it with SQLite Browser , you can have some troubles in extracting a single chat session with a desired contact, or in reordering the messages. My last python script wants to overcome these problems, avoiding to deal with complex SQL queries. Now, you need only to decrypt that file! Go to the repo.
Keep reading