Introduction to the iShutdown Project
The iShutdown project is an innovative toolset designed to extract, analyze, and parse the Shutdown.log forensic artifact from iOS Sysdiagnose archives. This project facilitates the detection of potential malware on iOS devices by examining the shutdown logs. It consists of three Python scripts, each tailored for a specific function in handling Sysdiagnose archives.
Overview of the Scripts
iShutdown_detect.py
This script is crafted to identify any irregular entries in a Sysdiagnose archive that could hint at possible malware indicators. It does not extract the Shutdown.log file directly but processes the data in the background to flag any anomalies. Examples of such anomalies include unexpected delays before a reboot or activities in suspicious directories like /private/var/db/ or /private/var/tmp/.
iShutdown_parse.py
The primary role of this script is to extract the Shutdown.log from a Sysdiagnose archive and convert it into a readable format. It outputs a CSV file containing the extracted entries, including details like the decoded reboot time, process ID, and system path. It also provides a summary file with processing timestamps and file hashes such as MD5, SHA1, and SHA256.
iShutdown_stats.py
This script analyzes the extracted Shutdown.log file to produce statistics around device reboots. It gives insights like the total number of reboots recorded, the first and last reboot dates found in the logs, and a monthly breakdown of reboot occurrences.
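As an added example, not code from the iShutdown project, the following Python sketch runs the three stages described above over one constructed input: parsing per-reboot client entries into records with decoded time, PID and path, flagging paths under /private/var/db/ or /private/var/tmp/, and computing the reboot statistics. The log line layout, the header and client patterns, and the sample entries are assumptions made for this example, not a description of the real Shutdown.log format.

```python
"""Parse a constructed shutdown-log-style text into reboot records, flag
suspicious client paths, and compute reboot statistics. The line layout
is an assumption for this example, not the real Shutdown.log format."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample, not a real device log: one reboot per
# "== shutdown at <unix_ts> ==" header, followed by its remaining clients.
SAMPLE_LOG = """\
== shutdown at 1704067200 ==
remaining client pid: 101 (/usr/libexec/exampled)
== shutdown at 1706745600 ==
remaining client pid: 202 (/private/var/tmp/updater)
remaining client pid: 203 (/usr/sbin/otherd)
== shutdown at 1709251200 ==
remaining client pid: 303 (/private/var/db/example_helper)
"""

SUSPICIOUS_DIRS = ("/private/var/db/", "/private/var/tmp/")
HEADER_RE = re.compile(r"^== shutdown at (\d+) ==$")
CLIENT_RE = re.compile(r"^remaining client pid: (\d+) \((.+)\)$")


def parse_log(text):
    """Return dicts of {'time': datetime (UTC), 'pid': int, 'path': str}."""
    entries, current = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        elif (m := CLIENT_RE.match(line)) and current is not None:
            entries.append({"time": current, "pid": int(m.group(1)),
                            "path": m.group(2)})
    return entries


def suspicious_entries(entries):
    """Entries whose client path sits in a directory the page calls suspicious."""
    return [e for e in entries if e["path"].startswith(SUSPICIOUS_DIRS)]


def reboot_stats(entries):
    """Total reboots, first and last reboot time, and a per-month (YYYY-MM) count."""
    times = sorted({e["time"] for e in entries})
    return {"total": len(times),
            "first": times[0] if times else None,
            "last": times[-1] if times else None,
            "monthly": Counter(t.strftime("%Y-%m") for t in times)}
```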
Usage and Prerequisites
The iShutdown scripts require Python 3 and several modules such as datetime, os, re, sys, and others as specified for each script. Users need to generate a Sysdiagnose dump from the target iOS device and run the scripts on a PC after retrieving the tar archive.
Example Commands
- To detect anomalies:
  python3 iShutdown_detect.py /path/to/your/sysdiagnose_file.tar.gz
- To extract and parse logs:
  python3 iShutdown_parse.py -e /path/to/sysdiagnose_file.tar.gz -p -o /desired/output/path
- To generate reboot statistics:
  python3 iShutdown_stats.py /path/to/extracted_logfile
Updates and Future Work
As of January 22, 2024, updates have been made to fix platform-specific issues and enhance the cross-compatibility of the tools. Future developments aim to refine heuristics for better anomaly detection and explore more methods of detecting iOS malware via Sysdiagnose analysis.
For detailed insights and technical support, users are encouraged to explore resources available on Securelist or reach out via [email protected].