iOS devices have the ability to create numerous logs containing forensically useful information. These logs may contain volatile information which should be collected ASAP during forensic processing.

Mattia Epifani (GitHub: mattiaepi, Twitter: @mattiaep), Heather Mahalik (GitHub: hmahalik, Twitter: @HeatherMahalik) and @Cheeky4n6monkey have written a document describing their initial research into these logs. This document is freely available from:

Big thank you to Peter Maaswinkel and Pranav Anand for their additional testing and document review.

Thanks also to David Durvaux (ddurvaux) for sharing his script -

Thanks to Silvia Spallarossa for her testing of the scripts and bug fixes for

It is strongly suggested that interested forensic monkeys first read the document BEFORE attempting to use these scripts. The document details the various iOS logs available, methods of generating and collecting those logs and how to use these scripts to extract forensically interesting information from them.

These scripts were written for Python 3 (tested under Ubuntu 16.04 and macOS Mojave) using test data from various iOS 12 devices. They do not require any third-party Python libraries.

Here is a usage summary of the available scripts:

| Name | Description | Output | Usage Example |
|---|---|---|---|
| sysdiagnose-sys.py | Extracts OS info from logs/SystemVersion/SystemVersion.plist | Command line | `python3 sysdiagnose-sys.py -i SystemVersion.plist` |
| sysdiagnose-networkprefs.py | Extracts hostnames from logs/Networking/preferences.plist | Command line | `python3 sysdiagnose-networkprefs.py -i preferences.plist` |
| sysdiagnose-networkinterfaces.py | Extracts network config info from logs/Networking/NetworkInterfaces.plist | Command line | `python3 sysdiagnose-networkinterfaces.py -i NetworkInterfaces.plist` |
| sysdiagnose-mobilecontainermanager.py | Extracts uninstall info from logs/MobileContainerManager/containermanagerd.log.0 | Command line | `python3 sysdiagnose-mobilecontainermanager.py -i containermanagerd.log.0` |
| sysdiagnose-mobilebackup.py | Extracts backup info from logs/MobileBackup/ | Command line | `python3 sysdiagnose-mobilebackup.py -i` |
| sysdiagnose-mobileactivation.py | Extracts Mobile Activation startup and upgrade info from logs/MobileActivation/mobileactivationd.log.* | Command line | `python3 sysdiagnose-mobileactivation.py -i mobileactivation.log` |
| sysdiagnose-wifi-plist.py | Extracts Wi-Fi network values from WiFi/. Use the -t option for a TSV output file | Command line and TSV | `python3 sysdiagnose-wifi-plist.py -i -t` |
| sysdiagnose-wifi-icloud.py | Extracts Wi-Fi network values from WiFi/. Use the -t option for a TSV output file | Command line and TSV | `python3 sysdiagnose-wifi-icloud.py -i -t` |
| sysdiagnose-wifi-net.py | Extracts Wi-Fi network names to categorized TSV files from WiFi/wifi*.log | TSV files | `python3 sysdiagnose-wifi-net.py -i wifi-buf.log` |
| sysdiagnose-wifi-kml.py | Extracts Wi-Fi geolocation values and creates a KML from wifi*.log | KML | `python3 sysdiagnose-wifi-kml.py -i wifi-buf.log` |
| sysdiagnose-uuid2path.py | Extracts GUID and path info from logs/tailspindb/UUIDToBinaryLocations | Command line (comma separated) | `python3 sysdiagnose-uuid2path.py -i UUIDToBinaryLocations` |
| sysdiagnose-net-ext-cache.py | Extracts app name & GUID info from logs/Networking/. Use the -v option to print GUID info | Command line | `python3 sysdiagnose-net-ext-cache.py -i -v` |
| sysdiagnose-appconduit.py | Extracts connection info from logs/AppConduit/AppConduit.log.* | Command line | `python3 sysdiagnose-appconduit.py -i AppConduit.log` |
| sysdiagnose-appupdates.py | Extracts update info from logs/appinstallation/AppUpdates.sqlite.db.* | Command line | `python3 sysdiagnose-appupdates.py -i AppUpdates.sqlitedb` |
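As an added illustration of the pattern the first script follows (read a sysdiagnose plist with only the standard library and report the OS-identifying fields), here is a small stand-alone parser for logs/SystemVersion/SystemVersion.plist. It is example code written for this README, not the project's sysdiagnose-sys.py; the key names are the usual SystemVersion.plist keys and the sample plist is constructed, not taken from a device.

```python
import argparse
import plistlib
import sys

# Keys normally found in logs/SystemVersion/SystemVersion.plist inside a
# sysdiagnose archive. Presence can vary by build, so a missing key is
# reported as None instead of raising.
OS_INFO_KEYS = ("ProductName", "ProductVersion", "ProductBuildVersion", "BuildID")


def extract_os_info(plist_bytes: bytes) -> dict:
    """Return the OS-identifying fields from SystemVersion.plist contents.

    plistlib.loads auto-detects XML and binary plists, so either form of
    the file works here.
    """
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        raise ValueError("SystemVersion.plist is not a dictionary plist")
    return {key: data.get(key) for key in OS_INFO_KEYS}


def main(argv=None) -> int:
    # Mirrors the "-i <file>" convention used by the scripts in the table above.
    parser = argparse.ArgumentParser(
        description="Print OS info from a sysdiagnose SystemVersion.plist")
    parser.add_argument("-i", "--input", required=True,
                        help="path to SystemVersion.plist")
    args = parser.parse_args(argv)
    with open(args.input, "rb") as fh:
        info = extract_os_info(fh.read())
    for key, value in info.items():
        print(f"{key}: {value if value is not None else '<absent>'}")
    return 0


# Constructed sample (not from a real device) so the parser can be
# exercised without a sysdiagnose archive; BuildID is deliberately absent.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ProductBuildVersion</key><string>16E227</string>
    <key>ProductName</key><string>iPhone OS</string>
    <key>ProductVersion</key><string>12.2</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    sys.exit(main())
```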


