How to extract sysdiagnose logs for forensic purposes on iOS

Sysdiagnose logs allow developers to collect diagnostic information from an iOS device and are normally used to understand why a bug occurred.
However, the same archive is also useful for forensic purposes when a full device acquisition is not possible or not available.

Sysdiagnose logs generation

Unlike crash logs, sysdiagnose [1] logs are not written automatically by the operating system: the generation must be triggered manually by the user.

  1. Press and hold volume up + volume down + power at the same time for 250 milliseconds; the device vibrates briefly to confirm that the capture has started.
  2. Wait for the archive to be written (up to 5 minutes).

With the described procedure a “basic” sysdiagnose will be generated.
Once generated, the archive is listed in “Settings -> Privacy -> Analytics -> Analytics Data”
and is stored as a TAR.GZ file under the Crash Logs folder, in the path “/DiagnosticLogs/sysdiagnose”.
The file name will be similar to “sysdiagnose_2020.09.29_15-57-28+0200_iPhone_OS_iPhone_18A373.tar.gz”: it encodes the date and time (with UTC offset) at which the sysdiagnose was generated, the device type (iPhone) and the installed iOS build (18A373 = iOS 14.0).


Sysdiagnose logs extraction

The most practical way to extract a sysdiagnose is the idevicecrashreport tool from libimobiledevice.
According to the project page [2],

libimobiledevice is a cross-platform software library that talks the protocols to interact with iOS devices.
Unlike other projects, it does not depend on using any existing proprietary libraries and does not require jailbreaking.

Among the tools shipped with the library, “idevicecrashreport” retrieves crash reports (and therefore the sysdiagnose archives) from a device. To preserve all data for further analysis, extract the logs with the “keep” (-k) option, so that the crash reports are not removed from the device.

First, install the dependencies (Debian/Ubuntu package names):

$ sudo apt install usbmuxd libimobiledevice6 libimobiledevice-utils ideviceinstaller ifuse

Then connect the iPhone to a USB port, unlock it, accept the “Trust This Computer” request on the device and start the pairing process on the PC with this command:

$ idevicepair pair
SUCCESS: Paired with device c878879d96a910457a3007098693feee2d5XXXXXX

Finally, start the log acquisition. The reports are copied into the target directory (here the current directory) keeping the device's folder layout, so the archives end up under DiagnosticLogs/sysdiagnose/:

$ idevicecrashreport -e -k ./

-e (extract logs), -k (keep logs on device: without it, idevicecrashreport deletes each report from the device after copying it)
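The following script is an added example, not code from the original post or from the libimobiledevice project. It wraps the pairing and acquisition steps above and adds two things a forensic examiner wants right after the copy: each archive name is parsed into its fields (date, time, UTC offset, product, build), and every archive is checked to be an intact gzip stream before its SHA-256 is written to a manifest that can later be verified with sha256sum -c. The function names and the manifest file name are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post or libimobiledevice).
# Acquire sysdiagnose archives with idevicecrashreport, then parse their
# names and write a SHA-256 manifest for later integrity verification.
# Function names and the manifest file name are assumptions of this example.

# Print "date time tz product build" for a name such as
#   sysdiagnose_2020.09.29_15-57-28+0200_iPhone_OS_iPhone_18A373.tar.gz
parse_sysdiagnose_name() {
    name=$(basename "$1")
    case "$name" in
        sysdiagnose_*.tar.gz) ;;
        *) echo "not a sysdiagnose archive: $name" >&2; return 1 ;;
    esac
    body=${name#sysdiagnose_}
    body=${body%.tar.gz}
    day=${body%%_*};   body=${body#*_}       # 2020.09.29
    stamp=${body%%_*}; body=${body#*_}       # 15-57-28+0200
    time=$(printf '%s' "$stamp" | cut -c1-8) # 15-57-28
    tz=$(printf '%s' "$stamp" | cut -c9-)    # +0200 (or e.g. -0500)
    build=${body##*_}                        # 18A373 (iOS 14.0)
    product=${body%_*}                       # iPhone_OS_iPhone
    printf '%s %s %s %s %s\n' "$day" "$time" "$tz" "$product" "$build"
}

# sha256sum is GNU coreutils; macOS ships shasum instead.
sha256_line() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"
    fi
}

# Copy all crash reports into $1 with -e (extract) and -k (keep on device),
# pairing first if this host is not already trusted by the phone.
acquire_sysdiagnose() {
    out=$1
    mkdir -p "$out"
    idevicepair validate >/dev/null 2>&1 || idevicepair pair
    idevicecrashreport -e -k "$out"
}

# Walk $1 for sysdiagnose archives (the device's DiagnosticLogs/sysdiagnose/
# layout is preserved by idevicecrashreport), verify each gzip stream and
# record its SHA-256 in $1/sysdiagnose.sha256. Returns 1 if any is corrupt.
manifest_sysdiagnose() {
    dir=$1
    manifest=$dir/sysdiagnose.sha256
    : > "$manifest"
    status=0
    for f in $(find "$dir" -name 'sysdiagnose_*.tar.gz' | sort); do
        if gzip -t "$f" 2>/dev/null; then
            sha256_line "$f" >> "$manifest"
            echo "ok      $(parse_sysdiagnose_name "$f")"
        else
            echo "corrupt $f" >&2
            status=1
        fi
    done
    return $status
}

# Usage: sh acquire_sysdiagnose.sh acquire [output-dir]
case "${1:-}" in
    acquire)
        out=${2:-./sysdiagnose_$(date +%Y%m%d_%H%M%S)}
        acquire_sysdiagnose "$out" && manifest_sysdiagnose "$out"
        ;;
esac
```

The manifest is written outside the archive directory tree only by name (find does not match it), so re-running the script on the same output directory rebuilds it from scratch; keep a copy of the first manifest with the case notes, since that is the hash set taken at acquisition time.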


References

  1. Sysdiagnose on Apple Developer (login required)
  2. https://github.com/libimobiledevice/libimobiledevice
