A few weeks ago a FOR585 alumnus posted a question on the mailing list regarding the Apple sysdiagnose function on iOS devices. More specifically, the question was whether its output is of any forensic value. Within a matter of hours multiple people replied with their experiences or offered to help find out. After a test sysdiagnose dump was shared, a few users teamed up to do further research on the subject and asked other FOR585 alumni to join.
Because of my own curiosity, I couldn’t resist responding to this request! After reading the initial question, I had already performed a sysdiagnose dump on some personal iOS test devices and was already scraping the results for interesting forensic data. Comparing iOS versions (10.x vs 12.x), I quickly realized that there is a difference in the amount of output sysdiagnose generates: the older version seems to produce a lot less data. This is probably because Apple has extended the sysdiagnose function in later versions of iOS.
In the following weeks I didn’t have much time available to further investigate my personal sysdiagnose dumps, or those that were posted as test data. I had to focus on preparing for my GIAC Reverse Engineering Malware (FOR610) exam, which was rapidly closing in on me.
About three weeks later, I got a message that the team had a concept document and a set of parsing scripts ready for external review and testing. Because of my lack of time and participation earlier, I committed myself to (at least) assisting in this part of the process. After getting access to the concept documents and scripts, I was really impressed by the amount of work the team had done and the results they had delivered.
The reviewing and testing was a great opportunity to get a better understanding of the sysdiagnose function and to get some hands-on time with the scripts the team created to parse the generated dataset. Two days after I returned my feedback, the team made the results of the research publicly available. Examples of interesting forensic findings in the sysdiagnose data are geolocation information (see post header image), SSIDs extracted from the WiFi logs (see figure 2), and information related to the (un-)installation of apps on the device.
Links to the document and scripts for parsing the sysdiagnose output are provided below.