Logging
UFADE offers various options for using the different logging functions of the connected Apple device:

Unified Logs
These logs have an extremely high level of detail and can, depending on the objective, be more relevant to an investigation than a complete file system backup. UFADE offers the option of extracting all available logs or defining the time period to be extracted.


There are other ways to save Unified Logs (e.g. Lionel Notari's iOS Unified Logs acquisition tool). However, these are usually only provided for macOS. UFADE is one of the few options available on Linux and Windows.
Some valuable tips on how to deal with an extracted log archive and where to find possible artifacts can be found here:
Lionel Notari - iOS Unified Logs
Tim Korver - Thesis Friday
Alexis Brignoni - Initialization Vectors Blog
Crash logs
Crash logs or crash reports mainly contain error reports and analysis data. They can also contain device information, information on paired devices, or previously created sysdiagnose archives. UFADE extracts the CrashReporter directory from the device and provides it as a ZIP archive.
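A ZIP of the CrashReporter directory can hold hundreds of reports, so the first step is usually an inventory. The following is an added example (not UFADE's own code) that reads such an archive in memory and parses the JSON header line of each `.ips` report to list app name, bug type and timestamp. The archive contents, the file names and the header keys (`app_name`, `bug_type`, `timestamp`, `os_version`) are constructed for this example and are assumptions about the report layout; a real archive carries far more files and keys.

```python
import io
import json
import zipfile
from collections import Counter


def _ips(app_name: str, bug_type: str, timestamp: str, os_version: str) -> str:
    """Build a minimal two-part .ips report: a JSON header line followed by a JSON body.
    Constructed for this example; real reports carry many more fields."""
    header = {"app_name": app_name, "bug_type": bug_type,
              "timestamp": timestamp, "os_version": os_version}
    body = {"procName": app_name, "faultingThread": 0}
    return json.dumps(header) + "\n" + json.dumps(body) + "\n"


# Constructed sample archive contents (paths and values are assumptions).
SAMPLE_REPORTS = {
    "CrashReporter/Safari-2024-03-01-101500.ips":
        _ips("Safari", "309", "2024-03-01 10:15:00.00 +0100", "iPhone OS 17.3.1 (21D61)"),
    "CrashReporter/Retired/Notes-2024-02-20-080000.ips":
        _ips("Notes", "309", "2024-02-20 08:00:00.00 +0100", "iPhone OS 17.3 (21D50)"),
    "CrashReporter/broken.ips": "this is not a JSON header\n",
    "CrashReporter/DiagnosticLogs/readme.txt": "not a crash report\n",
}


def build_sample_zip() -> bytes:
    """Write the constructed reports into an in-memory ZIP, as a pulled archive would be."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in SAMPLE_REPORTS.items():
            zf.writestr(name, content)
    return buf.getvalue()


def parse_ips_header(text: str) -> dict:
    """Return the JSON header (first line) of an .ips report, or {} if it is unparsable."""
    first_line = text.split("\n", 1)[0]
    try:
        return json.loads(first_line)
    except json.JSONDecodeError:
        return {}


def inventory_crash_zip(zip_bytes: bytes) -> list:
    """List every .ips report in the archive with app, bug type, time and OS version.
    Non-.ips files are skipped; unparsable reports are kept with '?' placeholders so
    they are not silently lost during triage."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".ips"):
                continue
            header = parse_ips_header(zf.read(info).decode("utf-8", errors="replace"))
            rows.append({
                "path": info.filename,
                "app": header.get("app_name", "?"),
                "bug_type": header.get("bug_type", "?"),
                "timestamp": header.get("timestamp", "?"),
                "os_version": header.get("os_version", "?"),
            })
    # Timestamps are ISO-like strings, so a plain string sort gives chronological order.
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def reports_per_app(rows: list) -> Counter:
    """Count reports per app name, a quick view of which process crashes most."""
    return Counter(r["app"] for r in rows)


if __name__ == "__main__":
    for row in inventory_crash_zip(build_sample_zip()):
        print(f"{row['timestamp']:<32} {row['app']:<10} bug_type={row['bug_type']} {row['path']}")
```

Only the header line is decoded, so the script stays cheap on large archives; the full report body is parsed separately once a report of interest has been identified.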
Sysdiagnose
The creation of a sysdiagnose archive can be triggered by various key combinations on the devices themselves:
| device | combination |
|---|---|
| iPhone / iPod Touch | Press and hold the power or side button and both volume buttons for 1 - 1.5 seconds. If successful, the device vibrates briefly. |
| iPad | Press and hold the power or side button and both volume buttons for 1 - 1.5 seconds. There is no feedback from the device. |
| Apple Watch | Press and hold the power button and crown button for 1 - 1.5 seconds. If successful, the device vibrates briefly. |
| Apple TV | Press and hold Play/Pause and Volume Down on the remote control for 6 seconds. |
If the corresponding option is selected, UFADE detects the sysdiagnose that is currently being created. Once creation is complete, the archive is automatically extracted from the device and then deleted from the device's storage.
Projects dealing with the analysis of the sysdiagnose archive:
iLEAPP
EC-DIGIT-CSIRC/sysdiagnose
iOS_sysdiagnose_forensic_scripts
A sysdiagnose archive also contains a partial extraction of the unified logs. In tests, relevant user activities could be detected in these logs for approximately one day.
Live syslogs
Here, the syslog is recorded live until the recording is stopped, and the entries are written to a text file. These are the same entries that can subsequently be found by extracting the unified logs. This option is suitable for creating test data on comparison devices in preparation for analyzing the unified logs, and for examining processes currently running on the device.
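A live capture written to a text file is easy to narrow down with a small script, which is also how the time-period option for the unified logs is typically exploited in practice: restrict to the window of interest, then look at which processes were active. The following is an added example (not UFADE's own code) that parses syslog-style lines, keeps those inside a time window and optionally from one process, and counts entries per process. The line layout (`Mon DD HH:MM:SS host process(library)[pid] <Level>: message`) and the sample lines are constructed assumptions; syslog lines carry no year, so the year is supplied by the caller.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumed line layout, modelled on a text capture of the live syslog (constructed).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^\[\(]+)(?:\((?P<lib>[^)]*)\))?\[(?P<pid>\d+)\] "
    r"<(?P<level>\w+)>: (?P<msg>.*)$"
)

# Constructed sample capture: one malformed line is included on purpose.
SAMPLE_CAPTURE = """\
Mar 01 10:15:02 iPhone locationd[58] <Notice>: Starting location update for client com.example.app
Mar 01 10:15:03 iPhone SpringBoard[31] <Notice>: Application launched: com.apple.mobilesafari
Mar 01 10:15:04 iPhone kernel(Sandbox)[0] <Error>: Sandbox: Safari(412) deny(1) mach-lookup com.example.service
Mar 01 10:16:30 iPhone mDNSResponder[88] <Default>: Refreshing multicast interface list
this line is not a syslog entry
Mar 01 10:20:00 iPhone SpringBoard[31] <Notice>: Application backgrounded: com.apple.mobilesafari
"""


@dataclass
class LogEntry:
    when: datetime
    process: str
    pid: int
    level: str
    message: str


def parse_line(line: str, year: int):
    """Parse one syslog-style line into a LogEntry; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The capture has no year, so the caller supplies it (assumption of this example).
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return LogEntry(when, m["proc"], int(m["pid"]), m["level"], m["msg"])


def filter_entries(text: str, start: datetime, end: datetime,
                   year: int = 2024, process: str = None):
    """Return (entries within [start, end) optionally from `process`, count of unparsed lines).
    Unparsed lines are counted rather than dropped silently, so a format change is noticed."""
    kept, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line, year)
        if entry is None:
            unparsed += 1
            continue
        if not (start <= entry.when < end):
            continue
        if process and entry.process != process:
            continue
        kept.append(entry)
    return kept, unparsed


def process_activity(entries) -> Counter:
    """Count entries per process, a quick view of what was running in the window."""
    return Counter(e.process for e in entries)


if __name__ == "__main__":
    window = (datetime(2024, 3, 1, 10, 15), datetime(2024, 3, 1, 10, 16))
    entries, bad = filter_entries(SAMPLE_CAPTURE, *window)
    for e in entries:
        print(f"{e.when:%H:%M:%S} {e.process}[{e.pid}] <{e.level}> {e.message}")
    print("per process:", dict(process_activity(entries)), "unparsed:", bad)
```

Running the same filter over a capture from a comparison device and over the extracted unified logs of the device under examination gives directly comparable process lists for the same test action.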