Another research opportunity came out of the Cellebrite CTF last week. Reading through some writeups I came across Williams Kosasi's breakdown (read it, it's really good). In answering the iOS version question, he came across the restore.log at the path:
private/var/mobile/MobileSoftwareUpdate/restore.log
There are a lot of unfamiliar log files found on iOS devices that I haven't found or researched and this was one of them. In taking a peek at the one from the Cellebrite image for Beth, we can see a lots of information but only certain sections seemed relevant to me. Within are potentially a few different hits on embedded JSON blobs, searching for "data = ".
Figure 1: Sample of embedded JSON in restore.log
Dumping this out to a separate text file and running a JSON format plugin (JSTool) on it we get a little more reader friendly output.
Figure 2: JSON formatted in NotePad++
Here we see some keys and values that would good to have in a report. I decided to make an iLEAPP parser to pull out the following:
- eventTime - timestamp in Unix epoch of when the phone was updated
- originalOSVersion - this is the originating build number of the OS
- currentOSVersion - this is the current build number of the OS post update
- event - event that took place to add an entry, most appeared to be "updateFinished"
- deviceClass - type of device, here we see iPhone
- deviceModel - model of the device, D221AP relates to iPhone X
- batteryIsCharging - true or false value, if the phone was plugged in for charging at the time of update
I used a chart to map out the OS versions to the OS build numbers pulled from the log to add it all to the report.
Figure 3: iLEAPP report for Restore Log
Other potential items of interest include device capacity and free space, as well as battery level. More test data will need to be created to see what else may be included in this log for future use. Grab the latest version of iLEAPP now.