Artifacts of interest
kwouffe edited this page Mar 20, 2023 · 3 revisions
A list of files that may be relevant for forensic analysis of iOS devices.

File | Path | iOS version | Comment |
---|---|---|---|
brctl-container-list | ./brctl/ | iOS16 | listing of containers linked to the iCloud account and path to local storage |
brctl-dump.txt | ./brctl/ | iOS16 | more data about apps linked to the iCloud account |
panic-full-*.ips | ./crashes_and_spins/Panics/ | iOS16 | crash dumps, seem more complete than stacks; JSON format; extracting procname would make sense |
stacks-*.ips | ./crashes_and_spins/ | iOS16 | crash dumps, JSON format |
IO* | ./ioreg/ | iOS16 | contains a list of processes or apps? To be checked |
plist files | ./logs/ | iOS16 | a bunch of log files in plist format (XML once decoded) - needs to be extracted |
appstored.sqlitedb | ./logs/appinstallation/ | iOS16 | SQLite DB containing the list of installed apps |
com.apple.AppSupport.plist | ./logs/AppSupport/ | iOS16 | contains the support country code |
*.CallSettings.calldump.gz | ./logs/Avconference/ | iOS16 | .gz files containing info on calls |
awdd-*.consolidated.metriclog | ./logs/AWD/ | iOS16 | binary file (not sure how to properly decode it yet) - contains DNS names and IP addresses |
bluetooth_status.txt | ./logs/Bluetooth/CoreCapture/ | iOS16 | text file containing the list of paired devices with MAC addresses |
com.apple.mobilecal.plist | ./logs/CalendarPreferences/ | iOS16 | plist file containing Calendar prefs - contains user info (name, email, ...) |
containermanagerd.log.* | ./logs/MobileContainerManager/ | iOS16 | logs about installed apps |
mobile_installation.log.* | ./logs/MobileInstallation/ | iOS16 | logs about installed apps |
lockdownd.log | ./logs/MobileLockdown/ | iOS16 | logs about cloud backup and pairing, Wi-Fi sync, USB, etc. |
com.apple.networkextension*.plist | ./logs/Networking/ | iOS16 | list of apps; depending on the exact file, the XML path may differ |
NetworkInterfaces.plist | ./logs/Networking/ | iOS16 | list of network interfaces |
DSCSYM-* | ./logs/olddsc/ | iOS16 | list of drivers and load addresses |
log_*.EPSQL | ./logs/powerlogs/ | iOS16 | powerlogs (to be extracted) - https://thinkdfir.com/2018/09/15/playing-with-the-ios-powerlog/ |
powerlog_*.PLSQL | ./logs/powerlogs/ | iOS16 | powerlogs (to be extracted) - https://thinkdfir.com/2018/09/15/playing-with-the-ios-powerlog/ |
SiriAnalytics.db | ./logs/SiriAnalytics/ | iOS16 | SiriAnalytics (SQLite3) |
SystemVersion.plist | ./logs/Splat/OS/ | iOS16 | system info / version - useful |
fileSystemMetadata.txt | ./logs/suggest_tool/ | iOS16 | some metadata? |
SystemVersion.plist | ./logs/SystemVersion/ | iOS16 | system info / version - useful |
trial.log | ./logs/Trial/ | iOS16 | list of assets + paths (may contain info on unwanted apps?) |
usermanagerd.log.0 | ./logs/UserManagement/ | iOS16 | lots of timestamp data - not sure how useful |
Keyboard_Preferences.txt | ./logs/Preferences/ | iOS16 | list of configured keyboards |
diagnostic_summary.log | ./summaries/ | iOS16 | list of files generated by sysdiagnose - interesting folder |
system_logs.logarchive | ./system_logs.logarchive | iOS16 | log archive - binary format |
.WiFiDebug~sysdiag.tgz | ./WiFi/CoreCapture/Wifi/ | iOS16 | Wi-Fi dump made by sysdiagnose - to be analysed |
com.apple.wifi.*.plist | ./WiFi/ | iOS16 | plist files about known Wi-Fi networks, scanned ones, etc. Other files in this folder may contain the same type of data |
ckksctl_status.txt | ./ | iOS16 | JSON file - purpose not yet determined |
fileproviderctl_dump.log | ./ | iOS16 | list of providers (MobileIron is listed) |
mount.txt | ./ | iOS16 | mounted devices |
ps.txt | ./ | iOS16 | output of ps (process list) |
ps_thread.txt | ./ | iOS16 | seems empty in iOS16? |
remotectl_dumpstate.txt | ./ | iOS16 | lots of info: build version, product, etc. + list of services |
spindump-nosymbols.txt | ./ | iOS16 | dump file |
swcutil_show | ./ | iOS16 | list of services related to shared web credentials |
transparency.log | ./ | iOS16 | |
taskinfo.txt | ./ | iOS16 | info on processes/tasks |
lsaw.csstoredump | ./ | iOS16 | archive containing an lsaw file - to be analysed - may be related to Apple launch/iOS cache data |

File | iOS version | Comment | Parser | Who |
---|---|---|---|---|
ps.txt | iOS12 + iOS13 | running processes | sysdiagnose-ps.py | D |
logs/tailspindb/UUIDToBinaryLocations | iOS12 + iOS13 | UUID & path | sysdiagnose-uuid2path.py | D |
system_logs.logarchive | iOS13 | | | D+E |
taskinfo.txt | iOS13 | running tasks? always 0? | sysdiagnose-taskinfo.py | D |
swcutil | iOS13 | Shared Web Credentials | sysdiagnose-swcutil.py | E |
all SQLite DBs | XXX | | sqlite2json.py | D |
spindump-nosymbols.txt | iOS12 + iOS13 | processes, UUID, thread, path ... | sysdiagnose-spindumpnosymbols.py | E |
ps_thread.txt | iOS12 + iOS13 | running processes + threads | sysdiagnose-psthread.py | E |
lsaw.csstoredump | iOS13 | archive containing an lsaw file - to be analysed - may be related to Apple launch/iOS cache data | | E |
launchctl-print-system.txt | iOS13 (not always present) | already JSON; contains the list of binaries started at boot | | |
launchctl-list-0.txt | iOS13 (not always present) | flat text; list of services started at boot + PID | | |
.ips | iOS12 + iOS13 | crash dump | | |
powerlogs | iOS12 + iOS13 | last 3 days of logs, SQLite3 | sysdiagnose-powerlogs.py | D |
/logs/olddsc/ | iOS12 + iOS13 | XML files - UUID + path | | D |
networkextension.plist | iOS12 + iOS13 | app list | sysdiagnose-networkextension.py | E |
networkextension.cache.plist | iOS12 + iOS13 | app list | sysdiagnose-net-ext-cache.py | E |
mobile_installation logs | iOS12 + iOS13 | install logs | sysdiagnose_mobileinstallation.py | E |
mobileactivation logs | iOS12 + iOS13 | install logs | sysdiagnose-mobileactivation.py | E |
containermanagerd logs | iOS12 + iOS13 | install logs | sysdiagnose-containermanager.py | E |
/logs/itunesstored/ | iOS13 | ? | sysdiagnose-itunesstore.py | D |
./logs/Accessibility/TCC.db | iOS13 | ? | sysdiagnose-accessibility-tcc.py | D |
./logs/appinstallation/appstored.sqlitedb | iOS13 | ? | sysdiagnose-appinstallation.py | D |

File | iOS version | Comment |
---|---|---|
spindump-nosymbols.txt | iOS12 + iOS13 | contains a lot of data whose meaning is unclear - includes some MITM-detection-related entries |
night_shift.log | iOS13 | Night Shift (night mode) configuration? |

The launchctl-* files are present in the jailbroken dump but not in the others. This may be the easiest way to detect a jailbreak; it seems confirmed on iOS14 (not present on a normal device).