10-19, 15:30–16:00 (Europe/Luxembourg), Salle Europe
The talk will demonstrate how to use Sysdiagnose for forensic purposes on Apple devices. Sysdiagnose is a tool which was originally intended for other purposes.
The presenters will share with the audience hands-on experiences and share what works and what does not work with this approach.
Incident responders will leave the talk with a deeper understanding of Sysdiagnose and a novel tool in their IR arsenal.
Intended audience: Incident handlers and forensic investigators.
For a long time, the incident response analysis of iOS devices has been… essentially challenging.
While the analyst is usually interested in understanding what the system was doing (system logs), typical acquisition tools only focus on collecting users’ data. Thus they often do not provide what the incident responder was looking for. Furthermore, the usual way to get access to the full device is by jailbreaking it or by using specialised (expensive) tools reserved for law enforcement. Jailbreaking has the downside of breaking the chain of custody: the trust in the final state of the device, and therefore the immutability of the analysis, is put into question.
This talk will focus on repurposing an Apple feature which was originally intended for diagnostic and debugging purposes, for developers as well as for repair shops.
The Sysdiagnose process on Apple devices collects data on how the system behaves and is typically what an analyst wants to look at.
Collecting Sysdiagnose artefacts
Sysdiagnose is triggered by a user action and creates archives containing system information in various formats, such as:
- plist configuration files
- logs and output of commands
- sqlite databases with application histories etc.
The result can be extended by pushing extra profiles to the device that turn on extra debugging and enhance the content of the archive.
Collecting Sysdiagnose archives on iOS
While the process is well described on Apple’s website, we will quickly show how to start the acquisition process on an iPhone and how to retrieve the data via a few different techniques ranging from AirDrop to typical forensic tools.
Collecting Sysdiagnose archives on other Apple devices
While the research motivating this talk comes from the need to analyse iOS devices, in practice the features we are looking at are available throughout all Apple OSes:
- macOS (MacBook Air, MacBook Pro, Mac Pro, iMac…)
- watchOS (Apple Watch)
- iPadOS (for tablets)
- tvOS (Apple TV)
Extracting information from Sysdiagnose archives and building a timeline
In this part we will present some Python scripts to extract all timestamped information from the Sysdiagnose archive in order to build a timeline in your favourite timeline analysis tool.
Splunk & Timesketch
In order to perform investigations on the gathered data, an easy solution is to import it into a dedicated SIEM. In this part, we will present how we standardise the outputs from our scripts to easily import them into tools like Splunk for further forensic analysis. We also developed a reusable Timesketch module to import the generated timeline into Timesketch.
Sysdiagnose calls different tools and commands to generate its output. Unfortunately, all those tools have their own output format, especially regarding timestamps. We will present some specificities of Sysdiagnose’s output and how we handled them.
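The timestamp problem described above (and the timeline-building scripts mentioned in the previous section) can be illustrated with a small normaliser. The following is an added example, not the presenters' scripts: it assumes four timestamp conventions that an extractor may declare for its records (ISO 8601 with a numeric UTC offset as printed by `log show`, Unix epoch seconds, Apple Cocoa epoch seconds counted from 2001-01-01 as used by many Apple SQLite tables, and zone-less syslog-style `Mon DD HH:MM:SS` lines), converts all of them to aware UTC datetimes, sorts the events and emits one JSON object per line in the flat `message` / `datetime` / `timestamp_desc` shape that Timesketch's JSONL import expects (assumed here). The sample records, the acquisition year and the device's UTC offset are constructed values.

```python
"""Normalise heterogeneous sysdiagnose-style timestamps into one sortable timeline.

Added example, not the presenters' code. The caller declares each record's
timestamp format, because a bare number cannot be told apart reliably
(a 2022 Cocoa value reads as a 1991 Unix value).
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Seconds between the Unix epoch (1970-01-01) and Apple's Cocoa epoch (2001-01-01).
COCOA_EPOCH_OFFSET = 978307200

# Assumptions for zone-less syslog-style lines: the year of the acquisition and
# the device's UTC offset at that time (constructed values for this example).
ACQUISITION_YEAR = 2022
DEVICE_UTC_OFFSET = timedelta(hours=2)

# "2022-10-19 15:30:00.123456+0200", "2022-10-19T13:30:00Z", ...
ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2})(\.\d+)?([+-]\d{4}|Z)?$")


def parse_timestamp(value, fmt, year=ACQUISITION_YEAR, local_offset=DEVICE_UTC_OFFSET):
    """Convert a raw timestamp string of the declared format to an aware UTC datetime."""
    if fmt == "iso":
        m = ISO_RE.match(value.strip())
        if not m:
            raise ValueError(f"unsupported ISO timestamp: {value!r}")
        date, clock, frac, tz = m.groups()
        # Pad or truncate the fractional part to microseconds.
        micro = int((frac or ".0")[1:].ljust(6, "0")[:6])
        naive = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(microsecond=micro)
        if tz in (None, "Z"):
            offset = timedelta(0)
        else:
            sign = 1 if tz[0] == "+" else -1
            offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
        return naive.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)
    if fmt == "unix":
        return datetime.fromtimestamp(float(value), tz=timezone.utc)
    if fmt == "cocoa":
        return datetime.fromtimestamp(float(value) + COCOA_EPOCH_OFFSET, tz=timezone.utc)
    if fmt == "syslog":
        # strptime defaults the missing year to 1900; the zone comes from the device.
        naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S").replace(year=year)
        return naive.replace(tzinfo=timezone(local_offset)).astimezone(timezone.utc)
    raise ValueError(f"unknown timestamp format: {fmt}")


# Constructed sample records: (source file, raw timestamp, declared format, message).
SAMPLE_RECORDS = [
    ("logarchive", "2022-10-19 15:30:00.123456+0200", "iso", "process launched: exampled"),
    ("appstore.sqlite", "687873600.0", "cocoa", "app update recorded"),
    ("ps.txt", "1666186200", "unix", "process snapshot taken"),
    ("syslog.txt", "Oct 19 13:29:00", "syslog", "kernel message"),
]


def build_timeline(records):
    """Return the records sorted by UTC time, in the flat shape assumed for
    Timesketch's JSONL import ('message', ISO 8601 'datetime', 'timestamp_desc')."""
    events = []
    for source, raw, fmt, message in records:
        ts = parse_timestamp(raw, fmt)
        events.append((ts, {
            "datetime": ts.isoformat(),
            "timestamp_desc": f"{fmt} timestamp from {source}",
            "message": message,
            "source": source,
            "raw_timestamp": raw,  # keep the original value for verification
        }))
    events.sort(key=lambda e: e[0])
    return [event for _, event in events]


def to_jsonl(timeline):
    """Serialise one JSON object per line for import into Timesketch or Splunk."""
    return "\n".join(json.dumps(event, sort_keys=True) for event in timeline) + "\n"


if __name__ == "__main__":
    print(to_jsonl(build_timeline(SAMPLE_RECORDS)), end="")
```

Keeping the raw timestamp and its declared format next to the normalised value lets an analyst verify any event against the original artefact, which matters when an epoch convention or the device's time zone was guessed wrongly.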
Identifying iOS system tampering using Sysdiagnose artefacts
In this section we show practically how an iOS device can be analysed using the Sysdiagnose artefacts and their value: application update history, running processes, memory mapping…
Examples of investigation
In this section we show practical examples of analysis with Sysdiagnose. We performed a few Sysdiagnose acquisitions on test devices to simulate scenarios and prove the effectiveness of this analysis technique.
Issues and limits of Sysdiagnose
The Sysdiagnose process raises a few issues and concerns:
The data is collected by a process which runs on the investigated device. The output can only be trusted as long as that process runs normally. Rootkits and altered binaries could affect the results and lead to wrong conclusions.
The format of the files included into the archive depends on the version of iOS and running applications. The SQLite DB schema, for instance, can radically change with an application update. Keeping a working toolset therefore requires continuous research, testing and validation.
The Sysdiagnose output is mostly undocumented. Every single file needs to be manually analysed and understood to correctly interpret the results and avoid wrong conclusions.
Alternative ways to check integrity
In this last section we will discuss how integrity can be checked using more intrusive methods that could be combined with a jailbreak. While those techniques give full access, they also call the value of the results into question from a forensic perspective because of their intrusiveness.
Incident responder for more than a decade, I have been working for the European Commission since 2015. I'm currently in charge of "Situational Awareness, Threat Intelligence and Malware Analysis" in the European Commission Internal CERT (EC Cybersecurity Operation Centre).
Aaron worked at the national CERT of Austria between 2008 and 2020; he has a background in maths and computer science. Since 2020 he has freelanced mostly for EC-DIGIT-CSIRC, the IT security team of the European Commission. He is the co-founder of funkfeuer.at (a community wifi mesh network) and of intelmq.org, a tool for automating the typical tasks of IT security teams. He believes in using automation, open source and machine learning to improve the lives of DFIR folks.