Basic iOS Triage
Intro
In this blog post, we’re going to walk you through how to do some basic triage of an iOS device using an open-source tool, libimobiledevice. It is a “cross-platform FOSS library written in C to communicate with iOS devices natively”. libimobiledevice can be installed on Linux, macOS and Windows.
Setup
Since we already have Homebrew installed on a Mac from a previous blog post, we can go directly into using brew to install libimobiledevice. The command is “brew install libimobiledevice”.
If you haven’t used Homebrew in a while, you’ll likely see output updating Homebrew in addition to installing libimobiledevice.
Now we need to connect our iOS device to the computer and establish trust on both sides: on the computer side and on the phone side.
Commands
ideviceinfo
Now that we have libimobiledevice installed, we can start looking into the different commands and how we can do some basic triage of a device without physically touching it. The command “ideviceinfo” will give us a long laundry list of information related to the connected device. Some relevant information includes the device name, model, product type, product version, etc.
idevice_id
Type in the command “idevice_id” to get the UDID of your iOS device. This will be unique for every device and libimobiledevice will let you know the connection type. In this instance, it was USB.
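The two commands above produce plain text, which is easy to reduce to a triage summary. The following script is an added example, not part of the original post: it pulls the fields called out above (device name, product type, iOS version, UDID) out of “ideviceinfo” output and cross-checks the UDID against what “idevice_id” reports, so you notice when two attached devices are being mixed up. The key names are the ones ideviceinfo actually prints; the sample output embedded at the bottom is constructed so the script runs without a device attached, and the “--live” flag is this example’s own convention.

```shell
#!/bin/sh
# Added example (not from the original post): summarize `ideviceinfo` output
# and cross-check the UDID with `idevice_id`. Key names are the ones
# ideviceinfo emits; the sample output below is constructed for offline use.

# field_value KEY: read ideviceinfo output on stdin and print the value for KEY.
# ideviceinfo prints "Key: Value" lines; split on the first ": " only, so
# values that themselves contain colons (e.g. WiFiAddress) survive intact.
field_value() {
    awk -v key="$1" '
        { i = index($0, ": ")
          if (i > 0 && substr($0, 1, i - 1) == key) { print substr($0, i + 2); exit } }'
}

# summarize_info: read ideviceinfo output on stdin and print the fields the
# post calls relevant as key=value lines.
summarize_info() {
    info=$(cat)
    for key in DeviceName ProductType ProductVersion BuildVersion SerialNumber UniqueDeviceID; do
        printf '%s=%s\n' "$key" "$(printf '%s\n' "$info" | field_value "$key")"
    done
}

# udid_from_idevice_id: read idevice_id output ("UDID (USB)" per device) on
# stdin and print the UDID of the first device listed.
udid_from_idevice_id() {
    awk 'NR == 1 { print $1 }'
}

# udids_match INFO_OUTPUT ID_OUTPUT -> exit 0 when ideviceinfo's UniqueDeviceID
# equals the UDID idevice_id reported, 1 otherwise (a mismatch means the two
# commands did not talk to the same device, e.g. two phones are attached).
udids_match() {
    a=$(printf '%s\n' "$1" | field_value UniqueDeviceID)
    b=$(printf '%s\n' "$2" | udid_from_idevice_id)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample output, shaped like the real tools' output.
SAMPLE_IDEVICEINFO='ActivationState: Activated
BuildVersion: 20A362
DeviceClass: iPhone
DeviceName: Triage iPhone
ProductType: iPhone14,5
ProductVersion: 16.0
SerialNumber: CONSTRUCTED0001
UniqueDeviceID: 00000000-000000000000001E
WiFiAddress: 00:11:22:33:44:55'
SAMPLE_IDEVICE_ID='00000000-000000000000001E (USB)'

# Usage: sh summary.sh --live   (with a paired device attached)
#        sh summary.sh          (runs against the constructed sample)
if [ "${1:-}" = "--live" ] && command -v ideviceinfo >/dev/null 2>&1; then
    ideviceinfo | summarize_info
    if udids_match "$(ideviceinfo)" "$(idevice_id)"; then
        echo "udid check: ideviceinfo and idevice_id agree"
    else
        echo "udid check: MISMATCH, more than one device attached?" >&2
    fi
else
    printf '%s\n' "$SAMPLE_IDEVICEINFO" | summarize_info
fi
```

The summary lines are a convenient thing to paste into case notes; the UDID cross-check matters because every later command in this post (crash reports, backup, screenshot) is taken from whichever device the tools pick by default, and you want that to be the one you documented.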
idevicecrashreport
The command “idevicecrashreport” will allow you to copy all the crash logs from the phone to your local computer. All you need to do is provide a local folder to copy the logs to. The command I entered was “idevicecrashreport /Users/cq/Desktop/crash_reports”.
Once the command is executed, you’ll see a bunch of logs being copied to your computer.
For a 128 GB iPhone, there were about 435 MB of logs copied to the computer.
Of the logs collected, some of the most useful logs are the sysdiagnose logs. You can extract valuable information such as Wi-Fi networks, installed applications, network data, etc. Once you have those collected, you can try parsers located here:
idevicebackup2
The command “idevicebackup2” will create a backup of your connected iOS device. If you want to ensure a full backup, you can force it with the “--full” parameter. The command is “idevicebackup2 backup --full /Users/cq/Desktop/mini_me_backup”.
You’ll see a nice display of the files being backed up and their statuses.
For a 32 GB iPad mini, there was a 17.04 GB backup created. You can then load that backup into your forensic tools to parse the data and read it properly.
idevicescreenshot
Finally, in some instances where you don’t want to interact with the phone but still need evidence of chats or files that you see on the device, you can take screenshots of the device and save those screen captures to your local machine. You can see my screenshot below on my local machine in red.
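The crash report, backup and screenshot steps above all write files to the examiner’s machine, and for anything that might end up as evidence you want a record of exactly what was collected. The script below is an added example, not code from the original post or from libimobiledevice: it runs the post’s commands into one case folder and then writes a SHA-256 manifest of every file collected, which can be re-verified later to show nothing changed. The case folder layout and the “manifest.sha256” file name are this example’s own conventions; the hashing and verification functions run offline on constructed files, while the acquisition function only runs when the tools are installed and a device is paired.

```shell
#!/bin/sh
# Added example (not from the original post): collect the post's artifacts
# into one case folder and record a SHA-256 manifest for later verification.
# The folder layout and manifest name are this example's own conventions.

# hash_file FILE -> print the SHA-256 hex digest of FILE, using sha256sum
# (Linux) or shasum (macOS), whichever is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# write_manifest DIR -> write DIR/manifest.sha256 with "<digest>  <relative path>"
# for every regular file under DIR (the manifest itself excluded), in sorted
# order so two runs over identical data produce identical manifests, then
# print the number of files recorded.
write_manifest() {
    dir=$1
    manifest="$dir/manifest.sha256"
    : > "$manifest"
    find "$dir" -type f ! -name manifest.sha256 | sort | while IFS= read -r f; do
        rel=${f#"$dir/"}
        printf '%s  %s\n' "$(hash_file "$f")" "$rel" >> "$manifest"
    done
    wc -l < "$manifest" | tr -d ' '
}

# verify_manifest DIR -> exit 0 when every file listed in DIR/manifest.sha256
# still hashes to the recorded digest, 1 at the first file that does not.
verify_manifest() {
    dir=$1
    while IFS= read -r line; do
        digest=${line%%  *}
        rel=${line#*  }
        [ "$(hash_file "$dir/$rel")" = "$digest" ] || return 1
    done < "$dir/manifest.sha256"
}

# acquire CASE_DIR -> run the post's commands into CASE_DIR and write the
# manifest. Requires libimobiledevice installed and a paired device attached.
acquire() {
    case_dir=$1
    for tool in ideviceinfo idevice_id idevicecrashreport idevicebackup2 idevicescreenshot; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "missing: $tool (brew install libimobiledevice)" >&2
            return 1
        }
    done
    mkdir -p "$case_dir/crash_reports" "$case_dir/backup"
    idevice_id > "$case_dir/udid.txt"                        # which device we took this from
    ideviceinfo > "$case_dir/ideviceinfo.txt"                # device name, model, iOS version, ...
    idevicecrashreport "$case_dir/crash_reports"             # crash logs incl. sysdiagnose
    idevicebackup2 backup --full "$case_dir/backup"          # full backup, as in the post
    idevicescreenshot "$case_dir/screen.png"                 # what is currently on screen
    write_manifest "$case_dir"
}

# Usage: sh triage.sh acquire /path/to/case_folder
#        then later: verify_manifest /path/to/case_folder
if [ "${1:-}" = "acquire" ]; then
    acquire "$2"
fi
```

Run the verification again before handing the folder to whoever parses the backup and sysdiagnose logs; a non-zero exit from verify_manifest tells you which copy to distrust. One caveat from the tool itself, not mentioned in the post: idevicescreenshot needs a Developer Disk Image mounted on the device for the iOS version in question, so on a freshly paired phone that step may fail while the others succeed.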
Conclusion
Using libimobiledevice is a quick and easy way to get some basic data from a connected device. You can get general information about a device like its iOS version, model and size. But you can also get logs that could contain even more data from your device. And all of this can be done with minimal interaction with the physical device.