Instructions for Triggering iOS SysDiagnose Log Capture

By: |Published on: Jun 2, 2024|Categories: Uncategorized| 0 comments

The purpose of this post is to provide digital forensic examiners a user-friendly guide (available publicly here) for forensic analysts to trigger (capture on a iPhone/iPad) a “sysdiagnose” log of events. Capturing Android crash logs is covered in a separate post. Typically sysdiagnose is used by Apple and/or Developers to investigate and diagnose application/OS bugs. These logs can also be highly relevant to a digital forensic analysis and thus it is important to create and capture these logs in every iPhone/iPad forensic collection. Like computer ram, sysdiagnose logs are highly volatile and can be destroyed if not created and captured prior to powering off the phone and/or the forensic acquisition. Unlike some iOS crash logs that are automatically created, sysdiagnose logs are not available without specific user input.

Since tripping an iOS sysdiagnose using the volume/power buttons can be tricky, and varies with iPhone/iPad model and iOS version, the method below is suggested. 

Enable AssistiveTouch

  1. Navigate to settings go to accessibility > touch > assistiveTouch >

  2. select double tap > analytics  


    a little “button” will  appear on the screen (usually right side) .

  3. To trip a sysdiagnose double-tap the new button once (in later iOS versions a note will appear at the top of the screen showing “gathering analytics”).

  4. This will create a new sysdiagnose log on the device that will be available in approximately 8-10 minutes.
  5. Presence of the sysdiagnose logs on the device can be verified (prior to a forensic acquisition) by navigating to settings–> Privacy & Security–>Analytics & Improvements–>Analytics Data (the new log will show “sysdiagnose” and the current date/time in the new folder name – filter by typing “sys” in the search box).

  6. Crash and sysdiagnose logs may not be captured with a forensic image (including a full file-system) and must be separately captured and hashed (after creating a forensic image of the device).

    3U Tools (a helpful program for iOS forensic testing/documentation) can be used to capture the logs with a windows computer. The instructions for this can be found here.

    The logs can also be captured with a Mac computer.


Submit a Comment

Your email address will not be published. Required fields are marked *

Call Now Button