Tool Review - Exploring iLEAPP for iOS Forensics

iLEAPP is an open-source tool designed specifically for parsing iOS artifacts. It extracts data from iOS device backups, file system extractions, and iTunes backups. The tool focuses on analyzing logs, events, and plist files, providing forensic investigators with actionable insights into user activity and system operations. It is particularly useful for law enforcement, corporate investigations, and incident response teams dealing with iOS devices. In this article, we will review the key features of iLEAPP and see how it can be useful to security professionals.
Mar 4 / Vikrant Chauhan

Key Features of iLEAPP

iLEAPP offers a comprehensive set of features that make it a powerful tool for iOS forensics:
  • Mobile Installation Logs: Parses logs related to app installations and updates.
  • iOS 12+ Notifications: Extracts and analyzes notifications from iOS 12 and later versions.
  • Build Information: Retrieves detailed information about the iOS version and build.
  • Wireless Cellular Service Info: Gathers data such as IMEI and phone numbers.
  • Screen Icons List: Lists screen icons by their screen and grid order.
  • ApplicationState.db Support: Correlates app bundle IDs with data container GUIDs.
  • Connected User and Computer Names: Identifies user and computer names that the iOS device has connected to, with updates by Jack Farley (@JackFarley248, http://farleyforensics.com/).
  • iLEAPP GitHub repo: https://github.com/abrignoni/iLEAPP


Practical Applications in Digital Forensics

iLEAPP is instrumental in various forensic scenarios, including:

  • User Activity Analysis: By parsing logs and events, investigators can reconstruct user behavior and interactions with the device.
  • Data Recovery: The tool can recover deleted or hidden data, contributing to more comprehensive investigations.
  • Incident Response: In corporate environments, iLEAPP can assist in identifying unauthorized access or malicious activities on iOS devices.

How to Use iLEAPP

To use iLEAPP, run the following command:
Here, -t specifies the type of extraction (zip, tar, fs, or gz), -i is the path to the extraction, and -o is the path for the report output. iLEAPP then generates an HTML report containing the data parsed from the iOS extraction.

To run the graphical user interface (GUI) version of iLEAPP, use the following command:

Full file system extraction

To extract the full file system from an iOS device, you will need a jailbroken device. Depending on how you are SSHing into the device, you can use the following command to create a tar file of the full file system:
Creating the tar file will take some time. You might notice the error "tar: Error exit delayed from previous errors", which you can ignore. Once it's done, there should be a dump.tar.gz file in your current directory on your local machine. You can then use iLEAPP to parse this file and generate a report.

Using CLI

Here, iLEAPP expects the output directory to already exist, so we create one first. The -t flag specifies the type of extraction (tar in this case), -i is the path to the tar file, and -o is the path for the report output. Once the command is executed, iLEAPP starts parsing the data and generates a report in the specified output directory.
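The acquisition and parsing steps above, as one added shell example that is not part of iLEAPP or of this article. It assumes root SSH access to the jailbroken device (host and port are placeholders supplied by the caller), a device tar that can write to stdout, and an iLEAPP checkout whose entry point is ileapp.py with the -t, -i and -o flags described here; the archive integrity check and SHA-256 recording go a step beyond the article so the acquisition hash is captured before parsing.

```shell
#!/bin/sh
# Added example, not part of iLEAPP or the article: acquire a full file
# system archive from a jailbroken iOS device over SSH, verify it, record
# its hash, and hand it to the iLEAPP command line.
# Assumptions: root SSH access to the device (host and port are placeholders
# supplied by the caller), a device tar that can write to stdout, and an
# iLEAPP checkout whose entry point is ileapp.py with -t/-i/-o flags.

# Step 1: stream a tar of the device root over SSH and gzip it locally.
# Unreadable paths produce the "tar: Error exit delayed from previous
# errors" warning the article mentions; the archive is still written.
acquire_full_fs() {
  device_host="$1"; device_port="${2:-22}"; out="${3:-dump.tar.gz}"
  ssh -p "$device_port" "root@$device_host" 'tar -cf - /' | gzip > "$out"
  [ -s "$out" ] || { echo "acquisition produced no data" >&2; return 1; }
}

# Step 2: confirm the archive is intact and print its SHA-256 so the
# acquisition hash is recorded before any parsing touches the file.
verify_archive() {
  archive="$1"
  gzip -t "$archive" 2>/dev/null || { echo "gzip check failed: $archive" >&2; return 1; }
  tar -tzf "$archive" >/dev/null 2>&1 || { echo "tar listing failed: $archive" >&2; return 1; }
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$archive" | cut -d' ' -f1
  else
    shasum -a 256 "$archive" | cut -d' ' -f1
  fi
}

# Step 3: build the iLEAPP invocation. Only the extraction types iLEAPP
# accepts are allowed, the input must exist, and the output directory is
# created because iLEAPP expects it to exist already. The command is
# printed rather than executed so it can be reviewed or logged first.
build_ileapp_cmd() {
  ext_type="$1"; input_path="$2"; output_dir="$3"
  case "$ext_type" in
    zip|tar|fs|gz) ;;
    *) echo "unsupported extraction type: $ext_type" >&2; return 1 ;;
  esac
  [ -e "$input_path" ] || { echo "input not found: $input_path" >&2; return 1; }
  mkdir -p "$output_dir" || return 1
  printf 'python3 ileapp.py -t %s -i %s -o %s\n' "$ext_type" "$input_path" "$output_dir"
}

# Usage: sh acquire_and_parse.sh <device-host> <ssh-port> <output-dir>
if [ "$#" -eq 3 ]; then
  acquire_full_fs "$1" "$2" dump.tar.gz
  echo "sha256: $(verify_archive dump.tar.gz)"
  sh -c "$(build_ileapp_cmd tar dump.tar.gz "$3")"
fi
```

Printing the iLEAPP command instead of running it directly keeps the exact invocation in the case notes alongside the archive hash; the three-argument form at the bottom runs the whole chain when you do want it executed.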

Using GUI

Similarly, you can use the graphical interface to parse the data:
Once done, you will find the parsed data in the output directory. If you used the graphical interface, you can simply click the Open Report button to view the report; otherwise, open the index.html file in your browser.
The report can be navigated using the sidebar on the left, which contains various categories of parsed data. You can click on each category to view the detailed information. Here's what you can expect to find in the report:

Account Configuration

Contains settings related to user accounts, including configurations for Apple ID and associated services.

Account Data

Stores detailed information about user accounts, such as linked emails, phone numbers, and associated devices.

Application Permissions

Lists permissions granted to apps, including access to location, contacts, and system features.

Biome DKEvent Airplane Mode

Logs instances when airplane mode is toggled on or off on the device.

Biome App Install

Records app installation events, including timestamps and application identifiers.

Biome Backlight

Tracks changes in screen brightness and backlight activity over time.

Biome Battery Percentage

Logs battery percentage changes, helping analyze device power usage trends.

Biome Device Plugged In

Records instances when the device is plugged in or unplugged from a power source.

Biome Hardware Reliability

Tracks hardware-related reliability data, including component failures or issues.

Biome DKEvent In Focus

Captures information about apps that are currently in focus or being interacted with.

Biome Intents

Stores system or user-initiated intents, such as opening an app or triggering an action.

Biome Location Activity

Logs movement and location-based activities detected by the system.

Biome Notifications Pub

Records details about notifications received, including timestamps and app sources.

Biome Now Playing

Captures information about media content currently being played on the device.

Biome Safari

Tracks Safari browser activity, including website visits and interactions.

Biome Sync - Devices

Logs device sync events, tracking connected Apple ecosystem devices.

Biome Text Input Session

Records details about text input activity, including typing patterns and sessions.

Biome User Activity Metadata

Stores metadata related to user activities, including interactions with apps and features.

Biome DKEvent WiFi

Logs events related to WiFi connections, including network changes and disconnections.

Biome Device WiFi

Tracks WiFi-related activities, such as connected networks and signal strength.

Calendar Events

Contains details about scheduled calendar events, including dates, times, and locations.

Calendar List

Stores information about available calendars and their associated settings.

Cellular Wireless

Logs details about cellular network usage, signal strength, and carrier information.

Timers

Records information related to system and user-defined timers, such as alarms.

Address Book

Contains contact details, including names, phone numbers, emails, and addresses.

Control Center Configuration

Stores user preferences and settings for the Control Center layout and toggles.

Connected Device Information - Connected Device and OS History

Tracks history of connected devices and their respective operating system versions.

Connected Device Information - Consolidated Connected Device History

Maintains a comprehensive record of all previously connected devices.

Device Data

Contains general information about the device, such as model, storage, and system details.

Applications

Lists installed applications along with metadata, such as version and developer information.

Duet Locations

Tracks location data collected by Apple's Duet framework for contextual awareness.

Map Tile Cache

Stores cached map tiles used in Apple Maps for offline accessibility.

MapsSync

Contains synced map data, including recent locations, searches, and preferences.

PD Place Cache

Caches location-based data, such as frequently visited places.

Health - Provenances

Logs sources of health data, detailing how and where health metrics were recorded.

Health - Steps

Tracks step count and related movement data collected from the Health app.

System Version plist

Stores details about the operating system version and build information.

iOS Information

Contains general iOS system information, including installed updates and configurations.

Backup Settings

Logs backup configurations, including iCloud and local backup settings.

IMEI - IMSI

Stores device identifiers such as IMEI (hardware ID) and IMSI (SIM-related ID).

Location Services

Tracks settings and permissions related to location services on the device.

Obliterated Time

Records timestamps for system resets, data wipes, or factory resets.

Preferences PList

Stores various system and application preference settings in plist format.

Timezone Information

Logs timezone settings and changes made by the user or system.

WIFI Identifiers

Contains unique identifiers for known WiFi networks the device has connected to.

iOS Message Retention

Stores retention policies and settings for iMessage and SMS history.

App Snapshots

Captures previews of apps as they appear when switching between tasks.

Application State

Stores the current state of applications, including background activity status.

Bundle ID by AppGroup & PluginKit IDs

Lists app bundle identifiers associated with AppGroups and PluginKit extensions.

iOS ATXDatastore

Contains data used by Apple's ATX (App Prediction) framework for app usage analysis.

LSC - clients.plist

Stores location service client preferences and history of location access.

LSC - com.apple.locationd.plist

Logs system location service settings and permissions granted to apps.

LSC - com.apple.routined.plist

Tracks routine location-based activities used for predictive features.

Mobile Activation Logs

Contains logs related to device activation and SIM card changes.

Mobile Container Manager

Manages app sandbox directories and storage containers on iOS.

Apps - Historical Combined

Maintains a combined history of installed and removed applications.

Apps - Historical

Stores historical records of installed applications, including timestamps.

Apps - Installed

Lists currently installed applications along with their metadata.

Apps - Uninstalled

Tracks applications that were previously installed and later removed.

State - Reboots

Logs device reboot history, including timestamps and causes.

Network Usage (netusage) - App Data

Records network data usage per app, detailing bytes sent and received.

Network Usage (netusage) - Connections

Tracks network connection events, including IP addresses and timeframes.

Notifications Duet

Stores notifications processed through Apple's Duet framework for cross-device syncing.

iOS Notifications

Contains a log of notifications received, including content and timestamps.

Migrations

Tracks migration-related changes, such as iOS upgrades and data transitions.

Ph80-Com-Apple-MobileSlideshow-Plist

Stores settings and metadata related to the Photos app.

Ph81-Com-Apple-Camera-Plist

Contains configuration details and settings for the Camera app.

Ph82-Com-Apple-MediaAnalysisD-Plist

Logs data related to media analysis and AI-based categorization.

Ph83-Com-Apple-PurpleBuddy-Plist

Tracks data related to the iOS setup assistant and initial device configuration.

Ph20.1-Album Records NAD-PhDaPsq

Stores structured album record data used in the Photos app database.

Ph20.2-Album Records NAD-SyndPL

Contains album synchronization metadata for shared albums.

Bookmarks

Stores saved website bookmarks from Safari and other browsers.

Favicons

Caches website favicons for faster browser loading.

Recent WebSearches

Logs recent search queries made through Safari and other search interfaces.

Safari Browser - History

Stores browsing history, including visited websites and timestamps.

Safari Browser - Tabs (BrowserState)

Tracks open browser tabs and their current state in Safari.

Search Terms

Records search queries entered in various system and app search bars.

ParseCD Cache

Caches parsed content from various sources for faster retrieval.

Sync.db - Devices

Stores sync-related data between Apple devices using iCloud or other services.

Sysdiagnose - Shutdown Log Processes

Logs system processes that were running during a device shutdown.

Sysdiagnose - Shutdown Log Reboots

Records details about system reboots, including causes and timestamps.

Keyboard Dynamic Lexicon

Stores user-specific keyboard predictions and learned words.

Keyboard Usage Stats

Logs keyboard usage statistics, including frequently used words and phrases.

WiFi BSS List

Contains information about nearby WiFi base stations and their details.

WiFi Known Networks Info

Stores details about known WiFi networks the device has connected to.

WiFi Known Networks Times

Logs timestamps for past connections to known WiFi networks.

WiFi Scanned Networks (Private)

Tracks recently scanned WiFi networks while maintaining user privacy.

Apps per Screen

Records the layout of apps across different home screen pages.

Final Thoughts

iLEAPP is a powerful tool for iOS forensics, offering a wide range of features to extract and analyze data from iOS devices. Its ability to parse logs, events, and plist files provides valuable insights into user activity and system operations. Whether you are conducting digital investigations, incident response, or corporate security assessments, iLEAPP can help you uncover critical evidence and make informed decisions. By following the acquisition and usage steps outlined in this article, you can leverage iLEAPP to enhance your iOS forensic capabilities and streamline your investigative processes.