base on ## iShutdown scripts: extracts, analyzes, and parses Shutdown.log forensic artifact from iOS Sysdiagnose archives
There are three Python3 scripts in this project, and each one has a different supporting role in analyzing a Sysdiagnose archive or Shutdown.log file.
- iShutdown_detect.py: meant to analyze a Sysdiagnose tar archive for anomalous entries that can infer a potential malware indicator. This process does not extract the target Shutdown.log artifact, but rather the detection/analysis process happens in the background.
- iShutdown_parse.py: meant to extract the Shutdown.log artifact from a target Sysdiagnose tar archive, and parses it. The output is a CSV file containing the entries in a readable format, along with the artifact's hashes (MD5, SHA1, SHA256) and processing timestamps.
- iShutdown_stats.py: meant to extract reboot stats from a target Shutdown.log artifact. For example, first reboot, last reboot, reboots per month, etc.
For more information, please read [Securelist](https://securelist.com/shutdown-log-lightweight-ios-malware-detection-method/111734/)
Contact: [
[email protected]](mailto:
[email protected])
## Prerequisites
The scripts relies on the following Python dependencies respectively:
- datetime, os, re, sys, tarfile, termcolor
- argparse, csv, datetime, hashlib, os, re, shutil, tarfile
- argparse, collections, datetime, re
## Installation
The scripts can be run as-is, provided the dependencies mentioned above are installed:
```
python3 <iShutdown_script>.py
```
## Usage
To make use of the scripts, it's essential to generate and collect a Sysdiagnose dump from a target iOS phone. Once the tar archive is available on your PC, you are ready for using the scripts.
### iShutdown_detect
```
Usage: python3 iShutdown_detect.py /path/to/your/sysdiagnose_file.tar.gz
```
The script is straightforward and doesn't require much input except the target Sysdiagnose archive. It will check for anomalies we suspect they can detect potential iOS malware. For example, several delays before a reboot or a process under /private/var/db/ or /private/var/tmp/, are common anomalies across mobile malware infections we analyzed.
Example output:
```
+++ Detected 41 reboot(s). Good practice to follow.
*** Detected 29 reboot(s) with 3 or more delays before a reboot.
.......
.......
2021-mm-dd hh:mm:ss UTC
*** Suspicious processes in '/private/var/db/' occurred 4 time(s). Further
investigation needed!
*** The suspicious processes are:
com.apple.xpc.roleaccountd.staging/mptbd/42286BD8-3758-3B85-B19F-6E1FDB2CB030)
com.apple.xpc.roleaccountd.staging/mptbd/42286BD8-3758-3B85-B19F-6E1FDB2CB030)
com.apple.xpc.roleaccountd.staging/mptbd/42286BD8-3758-3B85-B19F-6E1FDB2CB030)
com.apple.xpc.roleaccountd.staging/mptbd/42286BD8-3758-3B85-B19F-6E1FDB2CB030)
*** Detected during reboot(s) on:
2021-mm-dd hh:mm:ss UTC
+++ No suspicious processes detected in '/private/var/tmp/'. Last reboot
was on: 2021-mm-dd hh:mm:ss UTC
```
### iShutdown_parse
```
Usage: iShutdown_parse.py [-h] -e EXTRACT [-p] [-o OUTPUT]
A tool to extract and parse iOS shutdown logs from a .tar.gz archive. Expected output is a csv file, summary file, and the log file.
optional arguments:
-h, --help show this help message and exit
-e EXTRACT, --extract EXTRACT
Path to the .tar.gz archive for extracting shutdown.log file.
-p, --parse Flag to indicate if the extracted log should be parsed.
-o OUTPUT, --output OUTPUT
Path to save the output.
```
This script has several objectives. First it aim at extracting the Shutdown.log file from the Sysdiagnose tar archive, then if instructed, it will parse the log file and create a CSV file containing a human readable output. The CSV output contains the decoded reboot time in UTC, the process ID seen, and the respective system path of the process. At the end of the processing, there will be an extraction summary file that contains the processing timestamps, file paths, and related hashes.
Example output:
```
extraction_summary.txt
parsed_shutdown.csv
<shutdown.log hash>.log
```
### iShutdown_stats
```
usage: iShutdown_stats.py [-h] logfile
Process an iOS shutdown.log file to create stats on reboots.
positional arguments:
logfile The path to the log file to be analyzed.
optional arguments:
-h, --help show this help message and exit
```
This script aims at creating a telemetry file of a target iOS device's reboots. It requires the log file to be extracted using iShutdown_parse script above.
Example output:
```
======================================================
Number of reboots in the log: 40
First reboot detected in the log: yyyy-mm-dd hh:mm:ss
Last reboot detected in the log: yyyy-mm-dd hh:mm:ss
======================================================
Reboots counts per month:
yyyy-mm: 1
yyyy-mm: 3
..........
..........
yyyy-mm: 4
yyyy-mm: 10
```
## Updates: 22 January 2024
* Updated README (typos and related Securelist link)
* Fixed an issue in iShutdown_parse to handle cross-platform temp folder for extraction
* Added cross-platform compiled versions for all scripts using Pyinstaller
## To Do and Future Work
* We are aiming to introduce more heuristics for detecting unusal processes in the Shutdown.log artifact
* More research on iOS malware detection through Sysdiagnose analysis
", Assign "at most 3 tags" to the expected json: {"id":"7069","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"