Data - System logs
Android
System logs and "DumpSys" files can be extracted from Android phones. The Android system keeps these files for debugging and monitoring purposes, and they can contain various system data such as recent locations, recently connected Wi-Fi networks, recently launched and running applications, recent cell locations and signal info, the current Bluetooth MAC address and name, etc.
These files are listed in the System Logs section within the HTML and PDF reports and can be directly opened by clicking on their filenames. Their content is also used for the analysis of Wi-Fi networks, Locations, and Notifications.
It is also possible to analyse device HW usage from the “DumpSys” logs, such as battery, flashlight, camera, screen, Wi-Fi, Bluetooth, or GPS.
Some logs can be acquired through developer options and ADB, others may be obtained with the addition of root access.
Example of System logs report (Android)
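As an added illustration of the ADB route mentioned above (this is not MOBILedit's own code), the script below pulls a set of dumpsys outputs from a device with authorised USB debugging and records a SHA-256 hash for each file. The service list, the ADB override variable and the manifest layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example: collect selected dumpsys outputs over ADB and hash them.
# Assumption: USB debugging is authorised; ADB can be overridden (e.g. for testing).
ADB="${ADB:-adb}"

# Assumed service list covering the data types named above; names vary by Android version.
DUMPSYS_SERVICES="battery batterystats wifi location bluetooth_manager notification usagestats telephony.registry"

# sha256_of FILE: print only the hex digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# collect_dumpsys OUTDIR: write one file per service plus manifest.tsv.
# Returns the number of services that failed (non-zero exit or empty output).
collect_dumpsys() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    manifest="$outdir/manifest.tsv"
    printf 'service\tstatus\tbytes\tsha256\tcollected_utc\n' > "$manifest"
    failed=0
    for svc in $DUMPSYS_SERVICES; do
        out="$outdir/dumpsys_$svc.txt"
        ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        # Keep stderr separate so the hashed file holds only the service output.
        if $ADB shell dumpsys "$svc" > "$out" 2> "$out.err" && [ -s "$out" ]; then
            status=ok
        else
            status=failed
            failed=$((failed + 1))
        fi
        bytes=$(wc -c < "$out" | tr -d ' ')
        printf '%s\t%s\t%s\t%s\t%s\n' "$svc" "$status" "$bytes" "$(sha256_of "$out")" "$ts" >> "$manifest"
    done
    return "$failed"
}
```

Call `collect_dumpsys ./case_dir` with one device attached; a non-zero return value means at least one service produced no usable output and its row in manifest.tsv is marked failed.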
iOS / iPadOS
On iOS / iPadOS devices, many different log types can be analysed, providing information on:
Device unlocking events
Interaction with users of other devices
More geolocations
Network usage
Geolocation Map Tiles
Some data is extracted from an encrypted iTunes backup, although more data can be obtained with a jailbroken device.
Sysdiagnose
Sysdiagnose is one such log and serves a purpose similar to that of diagnostic logs on other platforms. These logs are manually generated on an iOS device and can be extracted and analyzed for troubleshooting.
The sysdiagnose logs can be extracted from a live-connected jailbroken device or you can import sysdiagnose logs for analysis.
Follow these steps to create the sysdiagnose logs on a device:
1. Generate Sysdiagnose Logs:
a. using buttons on your phone:
Simultaneously press the Volume Up, Volume Down, and Power buttons.
Hold these buttons for approximately 1.5 seconds.
b. using AssistiveTouch > Analytics:
On iOS 5 or higher, you can create sysdiagnose logs via AssistiveTouch:
iOS versions 12 and below:
navigate to Settings > General > Accessibility > AssistiveTouch:
AssistiveTouch: ON
Customize Top Level Menu…
Select [+] > select “Analytics”
Use the activated AssistiveTouch button > select “Analytics”
The sysdiagnose logs are being prepared while the message "Gathering analysis" is displayed.
iOS / iPadOS versions 13 and above:
navigate to Settings > Accessibility > Touch > AssistiveTouch:
AssistiveTouch: ON
Customize Top Level Menu…
Select [+] > select “Analytics”
Use the activated AssistiveTouch button > select “Analytics”
The sysdiagnose logs are being prepared while the message "Gathering analysis" is displayed.
2. Wait for Sysdiagnose Logs to complete:
If done correctly, the sysdiagnose logs will be generated.
This process may take several minutes.
When it is complete, a notification will briefly appear at the top of the device screen.
3. Verify creation of Sysdiagnose Logs:
on iOS versions 12 and below, navigate to:
Settings > Privacy > Analytics > Analytics Data
on iOS / iPadOS versions 13 and above, navigate to:
Settings > Privacy > Analytics & Improvements > Analytics Data
then look for files with names starting with "sysdiagnose" to confirm that the logs were successfully generated.
4. How to locate the Sysdiagnose Logs:
When the iOS / iPadOS device is correctly connected to MOBILedit Forensic ULTRA/PRO/Standard:
use the [Browse content] button to open the File manager:
open this directory path:
Multi root (raw4)/%APPDATAROOT%/~CrashLogs/DiagnosticLogs/sysdiagnose