forensic-analysis incident-response-tooling python

Sysdiagnose analysis framework

Installation

Note that you will need Python 3.6 or higher.

Create a virtual environment:

 virtualenv --python python3.10 venv
 source venv/bin/activate

Install dependencies:

pip install -r requirements.txt
sudo apt install graphviz

Quickstart

Add new sysdiagnose case

$ python initialyze.py file test-data/iOS12/sysdiagnose_2019.02.13_15-50-14+0100_iPhone_OS_iPhone_16C101.tar.gz 
d280f515593b3570a781890296b2a394b3dffc298212af0d195765a7cf1cd777
Sysdiagnose file has been processed
New case ID: 1

List available parsers and cases

$ python parsing.py list parsers
Parser Name      Parser Description                Parser Input
---------------  --------------------------------  --------------
sysdiagnose-ps   Parsing ps.txt file               ps
sysdiagnose-sys  Parsing SystemVersion plist file  systemversion

$ python parsing.py list cases
#### case List ####
  Case ID  Source file                                                                          SHA256
---------  -----------------------------------------------------------------------------------  ----------------------------------------------------------------
        1  test-data/iOS12/sysdiagnose_2019.02.13_15-50-14+0100_iPhone_OS_iPhone_16C101.tar.gz  d280f515593b3570a781890296b2a394b3dffc298212af0d195765a7cf1cd777

Run parsers

$ python parsing.py parse sysdiagnose-ps 1
Execution success, output saved in: ./parsed_data/1/sysdiagnose-ps.json

$ python parsing.py parse sysdiagnose-sys 1
Execution success, output saved in: ./parsed_data/1/sysdiagnose-sys.json

Tested On:

python 3.8.5, 3.10
iOS13
iOS14
iOS16
iOS17

Timesketch

You might want to visualise timelines which you can extract via sysdiagnose in Timesketch. Note that for a reasonable sysdiagnose log output, we recommend the following base requirements:

Ubuntu 20.04 or higher
128GB of RAM
4-8 virtual CPUs
Minimum 64 GB of HDD space just for timesketch data (add some more GBs for the OS and OS upgrades, etc.)
SSDs (NVMEs) for the data.

Contributors

David DURVAUX (European Commission - EC DIGIT Cybersecurity Operation Centre)
Aaron KAPLAN (European Commission - EC DIGIT Cybersecurity Operation Centre)
Emilien Le Jamtel (CERT-EU)

License

This project is released under the European Public Licence https://commission.europa.eu/content/european-union-public-licence_en

About

Forensic toolkit for iOS sysdiagnose feature

forensic-analysis incident-response-tooling python

European Union Public License 1.2

Languages

Language:Python 100.0%