Lionel Notari’s iOS Unified Logs Acquisition Tool

Update 2024-04-16

Lionel Notari generously took the time to integrate feedback into the tool and released version 3 of the iOS Unified Logs Acquisition tool. I think that’s pretty awesome!

For details straight from the author, consider checking out Notari’s website and submitting a request to get the most recent version of the iOS Unified Logs Acquisition tool.

In summary, version 3 makes your life easier with the inclusion of:

  1. An easy-to-follow ReadMe file
  2. A simple shell script to install Homebrew and, using Homebrew, libimobiledevice.
  3. Notable improvements for device identification and notation of those identifiers in the acquisition report.

Easy peasy.

Running Notari’s version 3 of the tool against a pair-locked iOS device with the appropriate supervision identity.
Inclusion of more data about the iOS device within the acquisition report.

I’ve been reading Lionel Notari’s blog posts over the last several weeks. In particular, I found his findings about WiFi signal quality intriguing. Just a few weeks ago, Notari shared his progress on his first digital forensics tool!

For background on Notari’s work, his interview with Forensic Focus is a great start.

The release, and a public offer to try out the iOS Unified Logs Acquisition tool, motivated me to experiment, learn more about the data to supplement logical iOS collections, and reach out to Notari for a version of the tool. The version of the tool Notari provided me is in-progress, runs on Python 3, and requires a handful of dependencies to run on macOS.

With a nearly new macOS machine (Sonoma v14.4), I installed Python 3 (v3.12.2) and all the required dependencies. I initially attempted to run the tool with the built-in Python package, but have since learned it is smoother to download and install the latest Python 3 stable release from python.org.

Just like that, I completed my _first_ iOS Unified log pull.

It’s a super cool package that got me going quickly. Even more, hashes of the .logarchive file and a statistics matrix of the logs were created. I initially didn’t appreciate the value of specifying the date range until I pulled *all the logs*.

Recalculating the .logarchive file using checksumdir.

While collecting the logs from the command line is straightforward, Notari’s project makes it even easier and has the benefit of calculating hashes for you.

Using a macOS machine and the command “sudo log collect --device-name [device-name]” to extract the log directly from the iOS device.

What happens if you try to compute the MD5 of the .logarchive file directly? md5 returns “[name].logarchive: Is a directory”, because a .logarchive is a directory bundle rather than a single file. Using “tar c [.logarchive] | md5” also appears to have its challenges.
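As an added example (not part of this post or of Notari’s tool), this is the approach checksumdir takes written out in Python: hash every file in the bundle in a fixed order, keyed by its relative path, so the result does not depend on walk order, timestamps, ownership or the bundle’s location the way a tar stream does. The .logarchive layout used here is a constructed stand-in, not real device data.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def hash_directory(root, algorithm="sha256"):
    """Content hash of every regular file under root, in a fixed order.

    Each file contributes its root-relative path plus the digest of its bytes,
    so walk order, mtimes, ownership and the bundle's absolute path (all of
    which leak into `tar c ... | md5`) do not affect the result.
    """
    root = Path(root)
    outer = hashlib.new(algorithm)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix().encode("utf-8")
        outer.update(len(rel).to_bytes(8, "big"))  # length prefix keeps path/content unambiguous
        outer.update(rel)
        inner = hashlib.new(algorithm)
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                inner.update(chunk)
        outer.update(inner.digest())
    return outer.hexdigest()


def demo():
    """Hash a constructed stand-in for a .logarchive bundle (not real device data)."""
    work = Path(tempfile.mkdtemp())
    archive = work / "constructed.logarchive"
    (archive / "Persist").mkdir(parents=True)
    (archive / "Persist" / "0000000000000001.tracev3").write_bytes(b"\x00" * 64)
    (archive / "Info.plist").write_bytes(b"<plist/>")
    (work / "empty").mkdir()
    original = hash_directory(archive)
    # A byte-identical copy with different mtimes must hash identically.
    copy = work / "copied.logarchive"
    shutil.copytree(archive, copy)
    os.utime(copy / "Info.plist", (0, 0))
    copied = hash_directory(copy)
    # Any content change, however small, must change the hash.
    (copy / "Info.plist").write_bytes(b"<plist>x</plist>")
    tampered = hash_directory(copy)
    empty = hash_directory(work / "empty")
    shutil.rmtree(work)
    return {"original": original, "copied": copied, "tampered": tampered, "empty": empty}
```

Record the algorithm name alongside the digest in the acquisition report, since a directory hash is only reproducible by a tool that walks and combines files the same way.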

Following my experience with Notari’s iOS Unified Logs Acquisition tool, I considered how to query the iOS device’s name, or a way the tool could auto-detect and populate the name of the device or the device’s UDID. In Sarah Edwards’ blog post Quick & Easy Unified Log Collection from iOS Devices for Testing, she mentions her preference for using the UDID and references the FOSS library libimobiledevice to quickly retrieve it.

Notari acknowledged that auto-detection would be a great feature and will require further consideration on how he would implement it to ensure the tool is extracting logs from the correct device if multiple devices are present.

Curious about libimobiledevice, I started with a process referenced in a guide from freeCodeCamp here to install Xcode on my macOS machine.

  • Installed Xcode via the App Store. It comes with the Xcode CLI tools.
  • Installed Homebrew:
$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# followed the instructions under “Next steps:”
  • Installed libimobiledevice:
$ brew install -v automake autoconf libtool wget libimobiledevice
# references to --fresh from https://gist.github.com/alphanu1/7bb9aa30531e4b851eb066379850535c were removed since the flag doesn’t do anything.
  • Installed ideviceinstaller:
$ brew install -v --HEAD --build-from-source ideviceinstaller
# --fresh from the same gist was removed here as well, for the same reason.

From here, I can run ideviceinfo as is, or grep the selected lines I’m interested in.

I’m super appreciative of Notari announcing the tool and allowing others the opportunity to experience what he has developed so far, and eager to see this project progress. Notari’s passion for iOS Unified logs is evidently contagious and I’m grateful for that.
