# Using Apple Sysdiagnose for mobile forensics and integrity checks ## Overview and Abstract The talk will demonstrate how to use Sysdiagnose for forensics purposes of Apple devices. Sysdiagnose is a tool which was originally intended for other purposes This approach was used successfully to detect the infamous Pegasus spyware on iOS devices. The presenters will share with the audience hands-on experiences and share what works and what does not work with this approach. Incident responders will leave the talk with a deeper understanding of Sysdiagnose and a novel tool in their IR arsenal. And they will understand how to detect Pegasus and similar spyware on their mobile phones. A detailed explanation of what we will present is outlined below. ## Intended audience Incident handlers and forensic investigators. ## Introduction For a long time, the incident response analysis of iOS devices has been... essentially challenging. While the analyst is usually interested in understanding what the system was doing (system logs), typical acquisition tools only focus on collecting users' data. Thus they often do not provide what the incident responder was looking for. Furthermore, the usual way to get access to the full device is by jailbreaking the device or using specialised (expensive) tools reserved for law enforcement. Jailbreaking has the downside of breaking the chain of custody and therefore the trust in the final state of the device as well as the immutability of the analysis is put into question. Enter Sysdiagnose... This talk will focus on repurposing an Apple feature which was originally intended for diagnostic and debugging purposed for developers as well as for repair shops. The Sysdiagnose process on Apple devices collects data on how the system behaves and is typically what an analyst wants to look at. This approach was validated in 2021 by Amnesty Internal as a way to discover Pegasus on Apple devices. ## Collecting Sysdiagnose artefacts Sysdiagnose is triggered by a user action and creates archives containing system information in various formats, such as: * plist configuration files * logs and output of commands * sqlite databases with application histories * etc. The result can be extended by pushing extra profiles to the device that turn on extra debugging and enhance the content of the archive. ### Collecting Sysdiagnose archives on IOS While the process is well described on Apple's website, we will quickly show how to start the acquisition process on an iPhone and how to retrieve the data via a few different techniques ranging from AirDrop to typical forensic tools. ### Collecting Sysdiagnose archives on other Apple devices While the research motivating this talk is coming from the need to analyse iOS devices, in practice the features which we are looking at will be available throughout all of Apple OSes: * Mac OS (MacBook Air, MacBook Pro, Mac Pro, iMac...) * Watch OS (Apple Watch) * iPad OS (for tablets) * TV OS (Apple TV) * ... ## Extracting information from Sysdiagnose archives and building a timeline In this part we will present some Python scripts to extract all timestamped information from the Sysdiagnose archive in order to build a timeline in your favorite timeline analysis tool ### Splunk & Timesketch In order to perform investigations on the gathered data, an easy solution is to import it into a dedicated SIEM. In this part, we will present how we standardise the outputs from our scripts to easily import them into tools like Splunk for further forensics analysis. We also developed a re-usable TimeSketch module to import the generated timeline in TimeSketch. ### Challenges Sysdiagnose is calling different tools and commands to generate its output. Unfortunately, all those tools have their own output format, especially regarding timestamps. We will present some specificities of Sysdiagnose's output and how we handled them. ## Identifying IOS system tampering using Sysdiagnose artefacts In this section we show practically how an iOS device can be analysed by using the Sysdiagnose artefacts and their value: applicate update history, running processes, memory mapping... ### Examples of investigation In this section we shows practical examples of analysis with Sysdiagnose. We did a few Sysdiagnose acquisitions on test devices to simulate scenarii and prove the effectivness of this analysis technique. ## Issues and limits of Sysdiagnose The Sysdiagnose process raises a few issues and concerns: * The data is collected by a process which runs on the investigated device. The output can only be trusted as long as it runs normally. Rootkits and binaries alteration could affect the results and lead to wrong conclusions. * The format of the files included into the archive depends on the version of iOS and running applications. The SQLite DB schema, for instance, can radically change with an application update. Keeping a working toolset therefore requires continuous research, testing and validation. * The Sysdiagnose output is mostly undocumented. Every single file needs to be manually analysed and understood to correctly interpret the results and avoid wrong conclusions. ## Alternative ways to check integrity In this last section we will discuss how integrity can be checked by using more intrusives methods that could be combined with a jailbreak. While those techniques give a full access, they will also question the value of the results from a forensic perspective due to their intrusiveness. ## References * https://www.jessesquires.com/blog/how-to-sysdiagnose-ios/ * https://www.manpagez.com/man/1/sysdiagnose/ * https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts * https://www.apple.com/business/docs/site/iOS_Security_Guide.pdf * https://developer.apple.com/bug-reporting/profiles-and-logs/ * https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/