Introducing the Hexordia Sysdiagnose Log Toolkit
Sysdiagnose Logs, a then-new capability, were widely introduced with the 2016 release of iOS 10, Apple's premier mobile operating system. Digital forensic investigators continue to value the Sysdiagnose feature for a variety of reasons:
· Logs serve as an additional data source to examine
· Logs may be accessed on locked and sleeping devices (although pairing with a PC is required)
· Logs may contain key artifacts, timestamps, and device identifiers
· Logs are well-documented and highly researched
The Hexordia Sysdiagnose Toolkit is a convenient iOS log extraction tool. It extracts the logs that you may find on an iOS device in Settings > Privacy > Analytics & Improvements > Analytics Data. By default, the logs remain on the device; however, the examiner may choose to remove them from the device through the toolkit settings.
Logs may be gathered from locked and sleeping devices, provided the device is connected to, and authenticated with, a PC.
Tool Functionality
For a deep dive into Sysdiagnose log artifacts, consider checking out our Virtual Live HMFA course or heading over to our upcoming HEX-222 Sysdiagnose Logs course.
Support and Compatibility
The tool partially supports older iOS versions; crash logs may be extracted, but only newer (9.x+) OS versions support capturing Sysdiagnose logs.
The tool fully supports some later versions of iOS 9. While Sysdiagnose logs may not be found in the Settings application on these devices, they do support capturing and exporting Sysdiagnose logs over USB.
The tool fully supports mobile iOS devices running iOS 10 and greater. It has not yet been tested with Apple Watch and Apple TV devices, although both support Sysdiagnose logs.
The tool is operable on Windows operating systems.