Building a pipeline to analyse iOS devices at scale
2025-10-23, Europe

Building a pipeline to analyse iOS devices at scale

Overview and Abstract

This talk will show how the DG DIGIT is building a pipeline to analyse devices at scale, relying on 2 key pieces:
1. The sysdiagnose analysis framework developed jointly with CERT-EU.
2. A toolset to collect artifacts over the air via a self-developed App (in collaboration with an independent security researcher) or a computer app on a PC. The self-developed app is now available on all EC-owned devices.

Globally this is a part of a larger "mobile cybersecurity programme" which is a deliverable of the European Commission Cybersecurity Strategy.

The presenters will share hands-on experiences with the audience, including what works and what does not work with this approach.

Incident responders will leave the talk with a deeper understanding of Sysdiagnose and a novel tool in their IR arsenal.

A detailed explanation of what we will present is outlined below.

Intended audience

Incident handlers and forensic investigators.

Introduction

For a long time, the incident response analysis of iOS devices has been... essentially challenging.

While an analyst is usually interested in understanding what the system was doing (system logs), typical acquisition tools usually imply collecting users' data. They are therefore very privacy invasive and, given the amount of information, often do not provide what the incident responder was looking for. Furthermore, the common way to get access to the full device is by exploiting an Operating System (OS) vulnerability, either through manual jailbreaking techniques or by using specialised (expensive) tools reserved for law enforcement. Both have the downside of breaking the integrity of the device, which undermines trust in its final state and may alter certain OS artefacts.

Enter Sysdiagnose...

This talk will focus on repurposing an Apple feature ("sysdiagnose") which was originally intended for diagnostic and debugging purposes for developers as well as for repair shops. The Sysdiagnose process on Apple devices collects data on how the system behaves, which is typically what an analyst wants to look at.

This approach was validated in 2021 by Amnesty International as a way to discover Pegasus on Apple devices.

Scaling up...

Being able to analyse the sysdiagnose files was a first step, but like law enforcement acquisitions, it lacks the automation needed to handle more than a handful of devices. In this talk, we will also cover how we built our toolset to be able to cope with a significant number of devices. To us, large-scale analysis is key to identifying APT compromise of phones.

Collecting Sysdiagnose artefacts

Sysdiagnose is triggered by a user action and creates archives containing system information in various formats, such as:
* plist configuration files
* logs and output of commands
* sqlite databases with application histories
* etc.

The result can be extended by pushing extra profiles to the device that turn on extra debugging and enhance the content of the archive.

Collecting Sysdiagnose archives on iOS

While the process is well described on Apple's website, we will quickly show how to start the acquisition process on an iPhone and how to copy over the dumps via a few different techniques ranging from AirDrop to typical forensic tools.

Collecting Sysdiagnose archives on other Apple devices

While the research motivating this talk stems from the need to analyse iOS devices, in practice the features we are looking at are available throughout all Apple OSes:
* Mac OS (MacBook Air, MacBook Pro, Mac Pro, iMac...)
* Watch OS (Apple Watch)
* iPad OS (for tablets)
* TV OS (Apple TV)
* ...

Collecting at scale

We will demonstrate how we have reached the next level by freeing ourselves from the usual toolset and building an automated pipeline.

The very first topic we tackled was enabling all potential actors with the required tooling to collect artefacts, starting by:

  • Empowering end users whose mobile devices are registered in our Enterprise Mobility Management (EMM), no matter where they are located, by making a mobile App available in our EMM Application Store that guides them through generating the sysdiagnose file and sharing it with us for analysis;
  • (work in progress) Empowering the IT Helpdesk with a computer application that will help them support end users in collecting extended diagnostic information (beyond Sysdiagnose) from their mobile devices and sharing it securely with us.

Extracting information from Sysdiagnose archives and building a timeline

In this part we will present an Open Source analytical framework to extract all timestamped information from the Sysdiagnose archive in order to build a timeline in your favorite timeline analysis tool. The framework was enriched over the last year with many new parsers and extended analysis modules.

Today we mostly rely on two ways to do timeline analysis:
- via Splunk, which allows querying all timelines at once;
- via Timesketch, thanks to dedicated analysers.

We compensate for the absence of certain information in the timeline with dedicated analysers that focus on specific tasks.

The framework has undergone a complete refactoring since January 2024 and now includes:
- 38 parsers (to parse specific logs contained in the sysdiagnose archive);
- 10 analysers (to conduct specific analyses).

We are also planning to offer a Jupyter Notebook to interact directly with the framework and give analysts a place to quickly build and test queries.
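As an added illustration of the extraction step described above (not code from the CERT-EU / DG DIGIT framework), the following Python script walks a constructed, sysdiagnose-like folder, pulls timestamps out of a plist and an sqlite database, normalises Apple absolute time to UTC, and merges everything into a time-sorted list of Timesketch-style entries. The file names, the `history` table schema and all sample values are assumptions made for the example.

```python
import datetime as dt
import plistlib
import sqlite3
import tempfile
from pathlib import Path

# Many iOS sqlite databases store Apple "absolute time": seconds since 2001-01-01 UTC, not Unix time.
MAC_EPOCH = dt.datetime(2001, 1, 1, tzinfo=dt.timezone.utc)

def parse_plist(path: Path):
    # One timeline entry per <date> value in the plist, recursing into nested dicts.
    def walk(obj, key):
        if isinstance(obj, dt.datetime):  # plistlib yields naive datetimes that are UTC by spec
            yield {"datetime": obj.replace(tzinfo=dt.timezone.utc).isoformat(),
                   "timestamp_desc": key, "message": f"plist date {key}", "source": path.name}
        elif isinstance(obj, dict):
            for k, v in obj.items():
                yield from walk(v, f"{key}/{k}" if key else k)
    with path.open("rb") as fh:
        yield from walk(plistlib.load(fh), "")

def parse_sqlite_history(path: Path):
    # Constructed 'history' table; visit_time is Apple absolute time and is normalised to UTC here.
    con = sqlite3.connect(path)
    for ts, url in con.execute("SELECT visit_time, url FROM history"):
        yield {"datetime": (MAC_EPOCH + dt.timedelta(seconds=ts)).isoformat(),
               "timestamp_desc": "visit_time", "message": f"visited {url}", "source": path.name}
    con.close()

def build_timeline(root: Path) -> list:
    # Dispatch each file to a parser by suffix, then sort all entries by time (Timesketch-style dicts).
    parsers = {".plist": parse_plist, ".sqlite": parse_sqlite_history}
    entries = [e for p in root.rglob("*") if p.suffix in parsers for e in parsers[p.suffix](p)]
    return sorted(entries, key=lambda e: e["datetime"])

def build_sample_archive(root: Path) -> Path:
    # Constructed stand-in for an unpacked sysdiagnose folder; file names and layout are illustrative.
    (root / "logs").mkdir(parents=True)
    with (root / "logs" / "profile.plist").open("wb") as fh:
        plistlib.dump({"InstallDate": dt.datetime(2024, 3, 2, 10, 0, 0), "Name": "MDM profile"}, fh)
    con = sqlite3.connect(root / "history.sqlite")
    con.execute("CREATE TABLE history (visit_time REAL, url TEXT)")
    con.execute("INSERT INTO history VALUES (?, ?)", (730944000.0, "https://example.test/"))  # 2024-03-01T00:00:00Z
    con.commit(); con.close()
    return root

def demo() -> list:
    # Build the sample tree in a temporary directory and return its merged, time-sorted timeline.
    with tempfile.TemporaryDirectory() as d:
        return build_timeline(build_sample_archive(Path(d)))
```

Each entry carries a `datetime`, `timestamp_desc`, `message` and `source` key, so the output can be written as JSONL and loaded straight into Timesketch or indexed in Splunk.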

Future Work

We will talk about needed further research and launch a call for collaboration. All the tools demonstrated are or will be released under the European Public License (EUPL).

Note

This work can be presented as a presentation or as a workshop empowering the audience to play with the tool directly.

David Durvaux has been active in the incident response field for more than a decade. He has worked on many IT security incidents, especially on their computer forensics aspects. Since 2015 he has been actively preparing the FIRST CTF. David has presented at numerous conferences including hack.lu.