ios-triage

Node.js CLI for iOS incident response. The program extracts, processes and reports on (including diffs of) iOS device and app telemetry.


Currently works on OSX and Linux. This program depends on the excellent libimobiledevice project.

OS specific steps


OSX

Make sure brew is installed. Then install libimobiledevice from --HEAD; otherwise I had problems connecting to lockdownd (as of Dec 2016):

brew install --HEAD libimobiledevice
brew install --HEAD ideviceinstaller

Linux (Ubuntu)

These instructions are based on a fresh Ubuntu 16.04 LTS install.

sudo apt-get install ideviceinstaller libimobiledevice-utils build-essential libssl-dev git

Install node (nvm)

Remaining steps are for both OSX and Linux.

curl -o- | bash

nvm install node
nvm use node

Clone ios-triage, install and link

git clone

cd ios-triage
npm install
npm link


When you run ios-triage, there are three primary steps:

  1. extract
  2. process
  3. report

Each command has various options. Run ios-triage <cmd> --help for additional instructions. Below are examples of the most common options and the typical workflow.


ios-triage automatically creates a directory named after the device UDID and, under it, one directory per extraction named with a timestamp (epoch in ms). This lets you collect telemetry over time and diff extractions. A good example is an individual travelling overseas who might be targeted: you could image the device before the trip and again afterwards, then compare the available device telemetry.

Note: you must connect the iDevice to your host and trust it from the device. Then, run the following:

ios-triage extract .


To process a device extraction, point ios-triage at the top-level extraction directory. The directory structure is <UDID>/<timestamp>/. An example would be:

$ ios-triage process dc9363415e5fbf18ea8277986f3b693cf01827aa/1486829681725/


To produce an analyst report, simply point ios-triage at the top-level extraction directory:

$ ios-triage report dc9363415e5fbf18ea8277986f3b693cf01827aa/1486829681725/


If you have two extractions that you've already processed, you can pass a second directory to the report command; this populates the Diff page with a comparison of what has changed between the two extractions:

cd dc9363415e5fbf18ea8277986f3b693cf01827aa
ios-triage report 1485283295826/ 1486829681725/
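The extract, process, report and diff steps above are easy to chain once a device has been imaged more than once. The following POSIX sh script is an added example, not part of ios-triage itself: it assumes only the <UDID>/<timestamp>/ layout described above and the three commands shown (process, report, report with two directories). It picks the two newest timestamp directories under a UDID directory, processes the newest, and reports it against the previous one so the Diff page is populated. The IOS_TRIAGE variable is an assumption of this script (it lets you substitute a stub such as echo for a dry run); the real tool has no such setting.

```shell
#!/bin/sh
# Added example (not the project's code): run one triage cycle for a device.
# Assumed layout from the README: <root>/<UDID>/<epoch-ms>/
# IOS_TRIAGE is an assumption of this script, not a real ios-triage option;
# set it to "echo" for a dry run that only prints the commands it would run.

# Print the extraction (timestamp) directory names under a UDID directory,
# oldest first. Only all-digit names count, so stray files and notes are ignored.
list_extractions() {
  for d in "$1"/*/; do
    name=$(basename "$d")
    case "$name" in
      *[!0-9]*|'') ;;        # skip anything that is not a pure epoch-ms name
      *) echo "$name" ;;
    esac
  done | sort -n
}

# Newest extraction directory name, or nothing if there are none.
newest_extraction() {
  list_extractions "$1" | tail -n 1
}

# Second-newest extraction directory name, or nothing if fewer than two exist.
previous_extraction() {
  n=$(list_extractions "$1" | wc -l | tr -d ' ')
  [ "$n" -ge 2 ] || return 0
  list_extractions "$1" | tail -n 2 | head -n 1
}

# Process the newest extraction and produce a report. When an earlier
# extraction exists it is assumed to have been processed in its own cycle,
# so the report is run with both directories (older first) to fill the Diff page.
triage_cycle() {
  udid_dir="$1"
  tool="${IOS_TRIAGE:-ios-triage}"   # resolved at call time for dry runs
  new=$(newest_extraction "$udid_dir")
  if [ -z "$new" ]; then
    echo "no extractions found under $udid_dir" >&2
    return 1
  fi
  prev=$(previous_extraction "$udid_dir")
  "$tool" process "$udid_dir/$new/"
  if [ -n "$prev" ]; then
    # Mirrors the README: cd into the UDID directory and pass relative names.
    (cd "$udid_dir" && "$tool" report "$prev/" "$new/")
  else
    "$tool" report "$udid_dir/$new/"
  fi
}

# Usage: ./triage_cycle.sh <path-to-UDID-directory>
if [ "$#" -gt 0 ]; then
  triage_cycle "$1"
fi
```

A full run on a freshly connected device is then `ios-triage extract .` followed by `./triage_cycle.sh ./<UDID>`; the first cycle only processes and reports, and every later cycle additionally diffs against the extraction before it.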

Future work

There's quite a bit to do in the future. Also note that I used this project to teach myself nodejs so there's quite a bit of cruft in the code.

  • Move to a database backend
  • Create docker container to remove dependencies and perhaps run on Windows
  • Download iOS apps via iTunes and perform additional static analysis
  • Integrate third-party data sources
  • Allow upload and then comparison of non-PII data to crowdsource our efforts


If you'd like to contribute to ios-triage, there are many ways to help:

  • Run the tool, file bug reports, suggestions, etc.
  • Share non-PII data for comparative analysis
  • UX help!!
  • Development of new features
  • Documentation