• Stars
    star
    389
  • Rank 110,500 (Top 3 %)
  • Language
    Python
  • License
    MIT License
  • Created 11 months ago
  • Updated 9 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

iShutdown scripts: extracts, analyzes, and parses Shutdown.log forensic artifact from iOS Sysdiagnose archives

There are three Python3 scripts in this project, and each one has a different supporting role in analyzing a Sysdiagnose archive or Shutdown.log file.

  • iShutdown_detect.py: meant to analyze a Sysdiagnose tar archive for anomalous entries that can infer a potential malware indicator. This process does not extract the target Shutdown.log artifact, but rather the detection/analysis process happens in the background.
  • iShutdown_parse.py: meant to extract the Shutdown.log artifact from a target Sysdiagnose tar archive, and parses it. The output is a CSV file containing the entries in a readable format, along with the artifact's hashes (MD5, SHA1, SHA256) and processing timestamps.
  • iShutdown_stats.py: meant to extract reboot stats from a target Shutdown.log artifact. For example, first reboot, last reboot, reboots per month, etc.

For more information, please read Securelist

Contact: [email protected]

Prerequisites

The scripts relies on the following Python dependencies respectively:

  • datetime, os, re, sys, tarfile, termcolor
  • argparse, csv, datetime, hashlib, os, re, shutil, tarfile
  • argparse, collections, datetime, re

Installation

The scripts can be run as-is, provided the dependencies mentioned above are installed:

python3 <iShutdown_script>.py 

Usage

To make use of the scripts, it's essential to generate and collect a Sysdiagnose dump from a target iOS phone. Once the tar archive is available on your PC, you are ready for using the scripts.

iShutdown_detect

Usage: python3 iShutdown_detect.py /path/to/your/sysdiagnose_file.tar.gz

The script is straightforward and doesn't require much input except the target Sysdiagnose archive. It will check for anomalies we suspect they can detect potential iOS malware. For example, several delays before a reboot or a process under /private/var/db/ or /private/var/tmp/, are common anomalies across mobile malware infections we analyzed.

Example output:

+++ Detected 41 reboot(s). Good practice to follow.
*** Detected 29 reboot(s) with 3 or more delays before a reboot.
.......
.......
2021-mm-dd hh:mm:ss UTC
*** Suspicious processes in '/private/var/db/' occurred 4 time(s). Further 
investigation needed!
*** The suspicious processes are:
com.apple.xpc.roleaccountd.staging/mptbd/42286BD8-3758-3B85-B19F-6E1FDB2CB030)
com.apple.xpc.roleaccountd.staging/mptbd/42286BD8-3758-3B85-B19F-6E1FDB2CB030)
com.apple.xpc.roleaccountd.staging/mptbd/42286BD8-3758-3B85-B19F-6E1FDB2CB030)
com.apple.xpc.roleaccountd.staging/mptbd/42286BD8-3758-3B85-B19F-6E1FDB2CB030)
*** Detected during reboot(s) on:
2021-mm-dd hh:mm:ss UTC
+++ No suspicious processes detected in '/private/var/tmp/'. Last reboot 
was on: 2021-mm-dd hh:mm:ss UTC

iShutdown_parse

Usage: iShutdown_parse.py [-h] -e EXTRACT [-p] [-o OUTPUT]

A tool to extract and parse iOS shutdown logs from a .tar.gz archive. Expected output is a csv file, summary file, and the log file.

optional arguments:
  -h, --help            show this help message and exit
  -e EXTRACT, --extract EXTRACT
                        Path to the .tar.gz archive for extracting shutdown.log file.
  -p, --parse           Flag to indicate if the extracted log should be parsed.
  -o OUTPUT, --output OUTPUT
                        Path to save the output.

This script has several objectives. First it aim at extracting the Shutdown.log file from the Sysdiagnose tar archive, then if instructed, it will parse the log file and create a CSV file containing a human readable output. The CSV output contains the decoded reboot time in UTC, the process ID seen, and the respective system path of the process. At the end of the processing, there will be an extraction summary file that contains the processing timestamps, file paths, and related hashes.

Example output:

extraction_summary.txt
parsed_shutdown.csv
<shutdown.log hash>.log

iShutdown_stats

usage: iShutdown_stats.py [-h] logfile

Process an iOS shutdown.log file to create stats on reboots.

positional arguments:
  logfile     The path to the log file to be analyzed.

optional arguments:
  -h, --help  show this help message and exit

This script aims at creating a telemetry file of a target iOS device's reboots. It requires the log file to be extracted using iShutdown_parse script above.

Example output:

======================================================
Number of reboots in the log: 40
First reboot detected in the log: yyyy-mm-dd hh:mm:ss
Last reboot detected in the log: yyyy-mm-dd hh:mm:ss
======================================================
Reboots counts per month:
yyyy-mm: 1
yyyy-mm: 3
..........
..........
yyyy-mm: 4
yyyy-mm: 10

Updates: 22 January 2024

  • Updated README (typos and related Securelist link)
  • Fixed an issue in iShutdown_parse to handle cross-platform temp folder for extraction
  • Added cross-platform compiled versions for all scripts using Pyinstaller

To Do and Future Work

  • We are aiming to introduce more heuristics for detecting unusal processes in the Shutdown.log artifact
  • More research on iOS malware detection through Sysdiagnose analysis

More Repositories

1

TinyCheck

TinyCheck allows you to easily capture network communications from a smartphone or any device which can be associated to a Wi-Fi access point in order to quickly analyze them. This can be used to check if any suspect or malicious communication is outgoing from a smartphone, by using heuristics or specific Indicators of Compromise (IoCs). In order to make it working, you need a computer with a Debian-like operating system and two Wi-Fi interfaces. The best choice is to use a Raspberry Pi (2+) a Wi-Fi dongle and a small touch screen. This tiny configuration (for less than $50) allows you to tap any Wi-Fi device, anywhere.
Python
3,077
star
2

Kaspresso

Android UI test framework
Kotlin
1,789
star
3

klara

Kaspersky's GReAT KLara
PHP
689
star
4

triangle_check

Python
509
star
5

AdbServer

Adb Server for Espresso tests
Kotlin
119
star
6

ForensicsTools

Tools for DFIR
C++
117
star
7

VBscriptInternals

Scripts for disassembling VBScript p-code in the memory to aid in exploits analysis
Python
84
star
8

Apihashes

IDA Pro plugin for recognizing known hashes of API function names
Python
81
star
9

hrtng

C++
71
star
10

ActionScript3

Tools for static and dynamic analysis of ActionScript3 SWF files.
Python
45
star
11

BuildMigrator

C
34
star
12

uif

Integration Platform to build UI and Web Services
TypeScript
33
star
13

WinDbg-JS-Scripts

JavaScript
32
star
14

xtraining-re101

Code snippets for Reverse engineering training for xtraining platform
C
30
star
15

bitscout

Shell
20
star
16

OpenTIP-scanner

Open-source file scanner that sends requests and optionally uploads files to OpenTIP.kaspersky.com.
Python
17
star
17

Articles

C++
16
star
18

SafeBoard

Repository for general info and code samples for test tasks used in SafeBoard Hackatons in Kaspersky Lab.
C++
15
star
19

klogga

Opinionated logging-audit-tracing library. Data collected via klogga can be configured to be exported to different sources, including traditional text logs, but with emphasis on structured storages, primarily time-series databases and Open Telemetry.
Go
12
star
20

hb_dec

C
11
star
21

threat-intelligence

A repository dedicated to deliver a comprehensive set of tools for integration and convenient use of Kaspersky Threat Intelligence services
Python
9
star
22

grpc-kos

Shared C [core library], C++, Ruby, Python, PHP, C# (core library based), Objective-C
C++
4
star
23

RAM

Framework to manage the product state and configuration
Python
4
star
24

protobuf-kos

Protocol Buffers (a.k.a., protobuf) are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.
C++
3
star
25

abseil-cpp-kos

Abseil is an open source collection of C++ libraries drawn from the most fundamental pieces of Googleโ€™s internal codebase.
C++
2
star
26

c-ares-kos

c-ares is a C library for asynchronous DNS requests (including name resolves)
C++
1
star
27

boringssl-kos

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
C++
1
star