Android and iOS System Logs
Both Android and iOS have system logs that can be extracted but are not parsed by most forensic tools.
Android
Note: acquire data from the device first, before using ADB, as ADB can be invasive.
These system logs are generated live on the device, so the commands must be issued via ADB and their output redirected to a text file for later review.
The Android Triage Tool by Mattia Epifani can be used to extract these logs, or they can be extracted manually:
adb shell dumpsys > logdump.txt
The log files can contain thousands of rows of data and have to be parsed manually.
aLEAPP parses some of these logs.
These logs can be used to view installed apps, when apps were last run, Wi-Fi connections, etc.
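To make the manual review of logdump.txt more manageable, the following added example (not part of the original notes or of any tool named above) splits a dumpsys dump into one section per service and reports how many lines each service of interest produced. It assumes each section starts with a "DUMP OF SERVICE <name>:" header; the function names and the sample text are constructed for illustration.

```python
import re

# Header line dumpsys writes before each service's output (assumption: an
# optional priority word may precede the name, as in bugreport-style dumps).
HEADER = re.compile(r"^DUMP OF SERVICE (?:(?:CRITICAL|HIGH|NORMAL) )?(\S+):\s*$")
RULE = re.compile(r"^-{20,}\s*$")  # dashed separator between sections

def split_dumpsys(text):
    """Return {service: [lines]} in the order services appear in the dump."""
    sections = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            # A service may be dumped more than once; keep its lines together.
            sections.setdefault(current, [])
        elif current is not None and not RULE.match(line):
            sections[current].append(line)
    return sections

def summarize(sections, wanted=("package", "usagestats", "wifi")):
    """Line count per service of interest; 0 means the section is missing."""
    return {name: len(sections.get(name, [])) for name in wanted}

# Constructed sample shaped like dumpsys output; not from a real device.
SAMPLE = """\
Currently running services:
  package
  usagestats
  wifi
-------------------------------------------------------------------------------
DUMP OF SERVICE package:
Packages:
  Package [com.example.notes] (1a2b3c):
    firstInstallTime=2024-01-05 10:11:12
-------------------------------------------------------------------------------
DUMP OF SERVICE usagestats:
  package=com.example.notes lastTimeUsed="2024-01-06 08:00:00"
-------------------------------------------------------------------------------
DUMP OF SERVICE wifi:
Wi-Fi is enabled
"""

if __name__ == "__main__":
    for service, count in summarize(split_dumpsys(SAMPLE)).items():
        print(f"{service}: {count} lines")
```

For a real dump, pass the contents of logdump.txt to split_dumpsys, and work on a copy so the original output file stays unmodified.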
iOS
iOS system logs can be generated by pressing:
Vol Up > Vol Down > Power for 1 sec
This will generate and save sysdiagnose logs on the device. These can be found at:
Live device: Settings > Privacy > Analytics and Improvement > Analytics Data > sysdiagnose_###
File System: Private/var/mobile/library/logs/Crashreporter/DiagnosticLogs
Generating these logs can take between 10 and 15 minutes.
Once generation is complete, verify that the logs are in the paths specified above.
You can now start the acquisition process. Any acquisition will pull these logs.
Analyzing these logs will be better on a Mac, especially for Unified Logs. The log command on Mac works well but has a steep learning curve.