The purpose of this post is to provide instructions for capturing iOS crash logs, including sysdiagnose logs, after they have been created. These logs can be highly relevant to a digital forensic analysis, so they should be created and captured in every iPhone/iPad forensic collection. Crash logs may not be captured during a forensic acquisition and therefore must be collected separately after the acquisition. This can be done with macOS, some forensic tools (e.g., Elcomsoft), or a Windows-based utility like 3UTools, which is covered below. You can also share crash logs with a nearby iOS device, but this is a tedious process because you cannot select/share more than one at a time and there will be a large number of them.

Before you collect crash logs, be sure to trigger a sysdiagnose, which will include a rich set of volatile data (akin to Windows memory) that will otherwise be unavailable when you capture crash logs. The order of operations is: 1) trigger a sysdiagnose, 2) collect a forensic acquisition, 3) collect crash/sysdiagnose log data, and 4) zip and hash the collected crash logs.

Collecting Crash Logs Using 3UTools

3UTools is a Windows program that (in addition to capturing crash logs) is helpful for forensic analysts to:

Gather iOS device information
Jailbreak test devices
Help with forensic testing/documentation
Transfer files/data
View plist files
Many other functions

Following is a guide to capture crash logs from an iPhone using 3UTools:

  1. Connect the iOS device to a Windows computer with 3UTools installed and select trust on the device.

  2. Once the device information is populated click Details (next to crash analysis), then Files (on the crash analysis window).

  3. Select all files/folders displayed (Ctrl-A) and click Export (be sure to create/choose a unique folder, e.g. [Case#-Evidence#-Crash_Logs]).

  4. Zip the folder, then hash the zipped file and document the file name, hash value, and storage location.
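Step 4 is the chain-of-custody step, so it is worth making repeatable. The following script is an added example, not code from the original post or from 3UTools: it zips the folder exported in step 3, records a SHA-256 for every file inside it as well as for the resulting zip, and writes a small manifest next to the archive that can be copied into the case notes. The folder name, case label and output paths are assumptions chosen for illustration; the per-file hashes let you re-verify the archive contents later, while the zip hash is the value you document.

```python
"""Package an exported iOS crash-log folder into a zip and record its hashes.

Added example (not from the original post or from 3UTools). It performs
step 4 of the procedure: zip the exported folder, hash the zip, and write a
manifest with the name, hash values and source location. The paths and the
[Case#-Evidence#-Crash_Logs] label used below are assumptions.
"""
import hashlib
import json
import sys
import zipfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 of a file, reading it in chunks so large logs fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def package_crash_logs(export_dir: Path, zip_path: Path, label: str) -> dict:
    """Zip export_dir into zip_path and return a manifest describing the package.

    The manifest lists every file with its SHA-256 (taken from the file on disk,
    before it is added to the archive) plus the SHA-256 of the zip itself, which
    is the value to document for chain of custody. A JSON copy of the manifest
    is written beside the zip.
    """
    export_dir = Path(export_dir)
    zip_path = Path(zip_path)
    # Sorted walk so the archive order (and hence the zip hash) is reproducible.
    files = sorted(p for p in export_dir.rglob("*") if p.is_file())
    entries = []
    with zipfile.ZipFile(zip_path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for p in files:
            rel = p.relative_to(export_dir).as_posix()
            entries.append({"path": rel, "size": p.stat().st_size, "sha256": sha256_file(p)})
            zf.write(p, arcname=rel)
    manifest = {
        "label": label,
        "source_folder": str(export_dir),
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "file_count": len(entries),
        "files": entries,
        "zip_name": zip_path.name,
        "zip_sha256": sha256_file(zip_path),
    }
    # e.g. Case1234-Evidence07-Crash_Logs.manifest.json next to the zip
    zip_path.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_package(zip_path: Path, expected_sha256: str) -> bool:
    """Recompute the zip hash and compare it with the documented value."""
    return sha256_file(Path(zip_path)) == expected_sha256.lower()


if __name__ == "__main__":
    # Usage: python package_crash_logs.py <exported_folder> <Case#-Evidence#-Crash_Logs>
    if len(sys.argv) != 3:
        sys.exit("usage: package_crash_logs.py <exported_folder> <label>")
    export_folder, case_label = Path(sys.argv[1]), sys.argv[2]
    result = package_crash_logs(export_folder, export_folder.parent / f"{case_label}.zip", case_label)
    print(f"{result['zip_name']}  SHA-256: {result['zip_sha256']}  ({result['file_count']} files)")
```

Run it once against the exported folder, then paste the printed zip name and SHA-256 into the evidence log along with the storage location; `verify_package` gives you a one-line check when the archive is later retrieved from storage.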
