hack.lu 2023

Intended audience: Incident handlers and forensic investigators.

Introduction:

For a long time, the incident response analysis of iOS devices has been… essentially challenging.

While the analyst is usually interested in understanding what the system was doing (system logs), typical acquisition tools only focus on collecting users’ data. Thus they often do not provide what the incident responder was looking for. Furthermore, the usual way to get access to the full device is by jailbreaking the device or using specialised (expensive) tools reserved for law enforcement. Jailbreaking has the downside of breaking the chain of custody and therefore the trust in the final state of the device as well as the immutability of the analysis is put into question.

Enter Sysdiagnose…

This talk will focus on repurposing an Apple feature which was originally intended for diagnostic and debugging purposed for developers as well as for repair shops.
The Sysdiagnose process on Apple devices collects data on how the system behaves and is typically what an analyst wants to look at.

Collecting Sysdiagnose artefacts

Sysdiagnose is triggered by a user action and creates archives containing system information in various formats, such as:
- plist configuration files
- logs and output of commands
- sqlite databases with application histories etc.

The result can be extended by pushing extra profiles to the device that turn on extra debugging and enhance the content of the archive.

Collecting Sysdiagnose archives on IOS

While the process is well described on Apple’s website, we will quickly show how to start the acquisition process on an iPhone and how to retrieve the data via a few different techniques ranging from AirDrop to typical forensic tools.

Collecting Sysdiagnose archives on other Apple devices

While the research motivating this talk is coming from the need to analyse iOS devices, in practice the features which we are looking at will be available throughout all of Apple OSes:
- Mac OS (MacBook Air, MacBook Pro, Mac Pro, iMac…)
- Watch OS (Apple Watch)
- iPad OS (for tablets)
-TV OS (Apple TV)
- …

Extracting information from Sysdiagnose archives and building a timeline

In this part we will present some Python scripts to extract all timestamped information from the Sysdiagnose archive in order to build a timeline in your favorite timeline analysis tool

Splunk & Timesketch
In order to perform investigations on the gathered data, an easy solution is to import it into a dedicated SIEM. In this part, we will present how we standardise the outputs from our scripts to easily import them into tools like Splunk for further forensics analysis. We also developed a re-usable TimeSketch module to import the generated timeline in TimeSketch.

Challenges

Sysdiagnose is calling different tools and commands to generate its output. Unfortunately, all those tools have their own output format, especially regarding timestamps. We will present some specificities of Sysdiagnose’s output and how we handled them.

Identifying IOS system tampering using Sysdiagnose artefacts

In this section we show practically how an iOS device can be analysed by using the Sysdiagnose artefacts and their value: applicate update history, running processes, memory mapping…

Examples of investigation

In this section we shows practical examples of analysis with Sysdiagnose. We did a few Sysdiagnose acquisitions on test devices to simulate scenarii and prove the effectivness of this analysis technique.

Issues and limits of Sysdiagnose

The Sysdiagnose process raises a few issues and concerns:

The data is collected by a process which runs on the investigated device. The output can only be trusted as long as it runs normally. Rootkits and binaries alteration could affect the results and lead to wrong conclusions.

The format of the files included into the archive depends on the version of iOS and running applications. The SQLite DB schema, for instance, can radically change with an application update. Keeping a working toolset therefore requires continuous research, testing and validation.

The Sysdiagnose output is mostly undocumented. Every single file needs to be manually analysed and understood to correctly interpret the results and avoid wrong conclusions.

Alternative ways to check integrity

In this last section we will discuss how integrity can be checked by using more intrusives methods that could be combined with a jailbreak. While those techniques give a full access, they will also question the value of the results from a forensic perspective due to their intrusiveness.

References

https://www.jessesquires.com/blog/how-to-sysdiagnose-ios/
https://www.manpagez.com/man/1/sysdiagnose/
https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts
https://www.apple.com/business/docs/site/iOS_Security_Guide.pdf
https://developer.apple.com/bug-reporting/profiles-and-logs/
https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/