Investigating Apple Crash Logs
15/03/2024 Friday
Apple crash log reports are diagnostic files generated by iOS and macOS devices when an application terminates unexpectedly. These logs provide detailed information about the circumstances leading to
the crash, including but not limited to the device model and operating system version. Crash logs aid in optimizing app performance by highlighting areas where code optimizations or improvements can
be made. Overall, Apple crash logs play a crucial role in the continuous improvement of app quality and reliability on iOS and macOS platforms.
Digital Forensics Value of Apple Crash Logs
Apple crash log reports hold significant value in the field of digital forensics for several reasons. Firstly, they can assist investigators in reconstructing timelines and understanding user
interactions leading up to an application crash. Additionally, these logs serve as valuable digital evidence in legal proceedings, containing timestamps, device information, and other metadata
crucial for corroborating claims. Moreover, crash logs can help identify potential security breaches or malicious activities on a device by revealing patterns or anomalies indicative of unauthorized
access attempts or malware infections.
Location and Structure of Apple Crash Logs Artifacts
Apple Crash Logs artifacts can be found at the following location:
*/*.ips
If the bug_type property of the metadata object of an “.ips” file is equal to 309, that file stores a crash log report.
Analyzing Apple Crash Logs Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract the Apple Crash Logs artifact from an iOS device's files and what kind of digital forensics insights we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select the Apple Crash Logs artifact:
Once the ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Apple Crash Logs artifact in ArtiFast.
Apple Crashlogs
- Process Name: The name of the process the report applies to.
- Bundle ID: The bundle identifier of the process the report applies to.
- Bundle Version: The bundle version string of the process the report applies to.
- Report Generation Date/Time: A date and time the log system generates for report tracking.
- Platform: The platform the process was running on.
- VM Region Information: Information about the virtual memory regions for terminations due to a memory access issue.
- VM Region Summary: Summary of the virtual memory in use by the process.
- Process Role: The task role assigned to the process at the time of termination.
- Time Awake Since Boot: The time, in seconds, the system has been running since it booted.
- Process Path: The location of the executable on disk.
- Process Launch Date/Time: The date and time the process launched.
- Process ID: The identifier of the process that crashed.
- Parent Process: The name of the process that launched the crashed process.
- Parent Process ID: The identifier of the process that launched the crashed process.
- Hardware Model: The specific device model the process was running on.
- Is Crash Originated from HW: Indicates whether the crash originated from a hardware trap.
- Is Terminated by OS: The process did not crash on its own; the operating system may have subsequently requested that the process be terminated.
- Is Terminated: Indicates whether the crash resulted in the process being terminated.
- Device Crash Reporter Key: An anonymized per-device identifier. Two reports from the same device contain identical values.
- CPU Type: The CPU architecture of the process that crashed.
- Crash Date/Time: The date and time of the crash.
- Exception Codes: Processor-specific information about the exception encoded into one or more 64-bit hexadecimal numbers.
- Exception Message: Additional human-readable information extracted from the exception codes.
- Exception Subtype: The human-readable description of the exception codes.
- Exception Type: The type of the exception that terminated the process.
- OS Version: The build number of the operating system.
- Release Type: The type of release.
- Is Embedded Platform: Indicates whether the operating system is for an embedded platform.
- Termination Process ID: The identifier of the terminating process.
- Termination Process Name: The name of the terminating process.
- Termination Reason Namespace: A namespace the system uses to categorize the reason for termination.
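The bug_type check on the “.ips” metadata object and the fields listed above map directly onto the two parts of a modern crash log file: a one-line JSON header followed by a JSON report body. The following Python script is an added example written for this post; it is not ArtiFast code. It splits an .ips file into header and body, keeps only files whose bug_type is 309, and extracts the artifact fields described above. The body key names (procName, bundleInfo, osVersion, exception, termination, wakeTime, crashReporterKey, vmSummary and so on) are assumed to match the JSON layout Apple has used since iOS 15 and macOS 12; the sample file embedded below is constructed, with placeholder UUIDs and paths.

```python
import json
from datetime import datetime
from typing import Optional

CRASH_BUG_TYPE = "309"  # bug_type 309 in the header marks a crash log report (see above)
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f %z"  # e.g. "2024-03-15 10:22:31.4900 +0000"

# Constructed sample .ips file: line 1 is the metadata header object, the rest
# is the report body. Key names are assumed from Apple's JSON crash format;
# UUIDs, paths and addresses are placeholders, not real evidence.
SAMPLE_CRASH_IPS = (
    '{"app_name":"Foo","timestamp":"2024-03-15 10:22:31.00 +0000","bug_type":"309",'
    '"os_version":"iPhone OS 17.3.1 (21D61)","bundleID":"com.example.foo",'
    '"incident_id":"PLACEHOLDER-UUID"}\n'
    '{\n'
    ' "procName": "Foo", "pid": 1234, "parentProc": "launchd", "parentPid": 1,\n'
    ' "procPath": "/private/var/containers/Bundle/Application/PLACEHOLDER/Foo.app/Foo",\n'
    ' "procRole": "Foreground", "modelCode": "iPhone14,2", "cpuType": "ARM-64",\n'
    ' "crashReporterKey": "PLACEHOLDER-KEY", "wakeTime": 2000, "isCorpse": 1,\n'
    ' "bundleInfo": {"CFBundleIdentifier": "com.example.foo",\n'
    '                "CFBundleShortVersionString": "1.0", "CFBundleVersion": "7"},\n'
    ' "osVersion": {"train": "iPhone OS 17.3.1", "build": "21D61",\n'
    '               "releaseType": "User", "isEmbedded": true},\n'
    ' "procLaunch": "2024-03-15 10:20:01.0000 +0000",\n'
    ' "captureTime": "2024-03-15 10:22:31.4900 +0000",\n'
    ' "exception": {"type": "EXC_BAD_ACCESS", "signal": "SIGSEGV",\n'
    '               "subtype": "KERN_INVALID_ADDRESS at 0x0000000000000010",\n'
    '               "codes": "0x0000000000000001, 0x0000000000000010"},\n'
    ' "termination": {"namespace": "SIGNAL", "code": 11,\n'
    '                 "indicator": "Segmentation fault: 11",\n'
    '                 "byProc": "exc handler", "byPid": 1234},\n'
    ' "vmSummary": "ReadOnly portion of Libraries: Total=512.0M resident=256.0K(0%)",\n'
    ' "faultingThread": 0, "threads": []\n'
    '}\n'
)

# Constructed non-crash .ips: bug_type "999" is a placeholder for "anything but 309".
SAMPLE_OTHER_IPS = '{"bug_type":"999","timestamp":"2024-03-15 09:00:00.00 +0000"}\n{"note":"not a crash"}\n'


def split_ips(text: str):
    """Return (header, body): header is the first-line JSON object, body the rest.
    Legacy .ips files carry a plain-text body; that is returned as an empty dict."""
    header_line, _, body_text = text.partition("\n")
    header = json.loads(header_line)
    try:
        body = json.loads(body_text) if body_text.strip() else {}
    except json.JSONDecodeError:
        body = {}
    return header, body


def is_crash_report(header: dict) -> bool:
    # bug_type is stored as a string in the header; tolerate an int as well.
    return str(header.get("bug_type")) == CRASH_BUG_TYPE


def parse_time(value: Optional[str]) -> Optional[datetime]:
    return datetime.strptime(value, TIME_FMT) if value else None


def parse_crash_ips(text: str) -> Optional[dict]:
    """Extract the artifact fields listed in the post, or None if not a crash log."""
    header, body = split_ips(text)
    if not is_crash_report(header):
        return None
    bundle = body.get("bundleInfo", {})
    osv = body.get("osVersion", {})
    exc = body.get("exception", {})
    term = body.get("termination", {})
    launched = parse_time(body.get("procLaunch"))
    crashed = parse_time(body.get("captureTime"))
    return {
        "process_name": body.get("procName"),
        "bundle_id": bundle.get("CFBundleIdentifier"),
        "bundle_version": bundle.get("CFBundleVersion"),
        "process_path": body.get("procPath"),
        "process_id": body.get("pid"),
        "parent_process": body.get("parentProc"),
        "parent_process_id": body.get("parentPid"),
        "process_role": body.get("procRole"),
        "hardware_model": body.get("modelCode"),
        "cpu_type": body.get("cpuType"),
        "crash_reporter_key": body.get("crashReporterKey"),
        "time_awake_since_boot": body.get("wakeTime"),
        "os_build": osv.get("build"),
        "release_type": osv.get("releaseType"),
        "is_embedded_platform": bool(osv.get("isEmbedded")),
        "exception_type": exc.get("type"),
        "exception_subtype": exc.get("subtype"),
        "exception_codes": exc.get("codes"),
        "termination_namespace": term.get("namespace"),
        "termination_process_name": term.get("byProc"),
        "termination_process_id": term.get("byPid"),
        "process_launch": launched,
        "crash_time": crashed,
        # Seconds the process lived before the crash: useful when placing the
        # report on a timeline next to other device activity.
        "seconds_alive": (crashed - launched).total_seconds() if launched and crashed else None,
        "vm_region_summary": body.get("vmSummary"),
    }


if __name__ == "__main__":
    for name, sample in (("crash", SAMPLE_CRASH_IPS), ("other", SAMPLE_OTHER_IPS)):
        print(name, parse_crash_ips(sample))
```

Running the script over a directory of .ips files (glob for `*/*.ips`, read each, call parse_crash_ips) gives a quick triage table before loading the evidence into ArtiFast; every file that returns None is a non-crash report type and can be set aside, while the crash_time and seconds_alive values from the remaining files can be lined up against the device's other timestamps. The crash_reporter_key is kept because, as noted above, two reports with identical keys come from the same device, which is a cheap way to confirm that a loose .ips file belongs to the device under examination.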
For more information or suggestions please contact: kalthoum.karkazan@forensafe.com