iLEAPP: an iOS logs, events, and plists parser

iLEAPP is a good iOS forensic tool developed by Alexis Brignoni. It is composed of a set of Python scripts previously developed by Alexis, collected into a single, useful tool.

iLEAPP [1] is developed to help forensic analysts during the processing of iOS artifacts, and currently has the following parsing capabilities:

  • Mobile Installation Logs.
  • Nested bplists inside an iOS KnowledgeC.db field.
  • LastBuildInfo.plist.
  • IconState.plist.
  • iOS version 11, 12, and 13 Notifications content.
  • ApplicationState.db bundle ID to app GUID parsing and correlation.
  • Cellular Wireless Information plists.

These parsing tasks can be performed on a full disk image, but also on a logical device acquisition.
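The nested-bplist case in the list above is worth seeing in code. The block below is an added example written for this post, not code from iLEAPP: it builds a constructed in-memory SQLite table (`metadata` with a `blob` column, a stand-in for a KnowledgeC.db field; the real schema differs) whose rows hold a binary plist with another binary plist embedded as a data value, one deliberately malformed blob, and a NULL, then walks every row and recursively decodes any bytes value that starts with the `bplist00` header.

```python
import plistlib
import sqlite3

BPLIST_MAGIC = b"bplist00"  # every binary plist starts with this header


def decode_nested(value):
    """Recursively replace any bytes value that is itself a binary plist
    with its decoded contents, walking into dicts and lists."""
    if isinstance(value, bytes) and value.startswith(BPLIST_MAGIC):
        try:
            return decode_nested(plistlib.loads(value))
        except ValueError:  # plistlib.InvalidFileException subclasses ValueError
            # Looks like a bplist but does not parse: keep the raw bytes
            # so the analyst can inspect them instead of losing the row.
            return value
    if isinstance(value, dict):
        return {k: decode_nested(v) for k, v in value.items()}
    if isinstance(value, list):
        return [decode_nested(v) for v in value]
    return value


def build_sample_db():
    """Build an in-memory SQLite database with a constructed table that
    stands in for a KnowledgeC.db column holding serialized plist blobs."""
    inner = plistlib.dumps(
        {"bundleID": "com.example.constructed", "title": "hello"},
        fmt=plistlib.FMT_BINARY,
    )
    # The inner plist is stored as a data value inside the outer one.
    outer = plistlib.dumps({"version": 1, "payload": inner}, fmt=plistlib.FMT_BINARY)
    broken = BPLIST_MAGIC + b"\x00\x01garbage"  # constructed malformed blob
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE metadata (id INTEGER PRIMARY KEY, blob BLOB)")
    conn.executemany(
        "INSERT INTO metadata (blob) VALUES (?)",
        [(outer,), (broken,), (None,)],
    )
    conn.commit()
    return conn


def parse_blobs(conn):
    """Return one decoded record per row; rows with NULL blobs are skipped."""
    records = []
    for row_id, blob in conn.execute("SELECT id, blob FROM metadata ORDER BY id"):
        if blob is None:
            continue
        records.append({"id": row_id, "data": decode_nested(bytes(blob))})
    return records


if __name__ == "__main__":
    for record in parse_blobs(build_sample_db()):
        print(record)
```

Two design points matter for forensic use: a malformed blob is returned as raw bytes rather than aborting the whole run, so one damaged row does not hide the rest of the evidence, and the decoder walks into dicts and lists so a bplist nested several levels deep is still found. Many real KnowledgeC blobs are NSKeyedArchiver archives, whose `$objects` array still needs to be unarchived after this step.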


Installation

First, clone the repository:

$ git clone https://github.com/abrignoni/iLEAPP 

Then install tkinter:

$ sudo apt-get install python3-tk

Finally, install dependencies:

$ cd iLEAPP
$ pip install -r requirements.txt

If running the binaries provided in the version releases [2], no dependencies are needed.


Usage

$ python ileapp.py -t <zip | tar | fs | gz | itunes> -i <path_to_extraction> -o <path_for_report_output>

For installation and usage on macOS, please refer to this useful video by 13cubed:


References

  1. https://github.com/abrignoni/iLEAPP
  2. https://github.com/abrignoni/iLEAPP/releases
