8 Log files you can collect from iOS and Android devices
If you tuned in to the 2024 MVS presentation, “Logging La Vida Loca,” or Episode 14 of Mobile Unpacked, then you may be wondering where you can get a cheatsheet or copy of all the locations and types of logging data you can gather in your investigations. Well, look no further than this blog post!
First, if you’re not sure what I’m talking about, be sure to check out Mobile Unpacked Episode 14.
This post will provide you with some quick references regarding log files you can collect from iOS and Android devices. As always, these log files can change from version to version, and some of these log collections may not be available for all devices.
5 Log Files you can collect from an iOS device
Let’s start with iOS. Here’s a quick reference of five log files you can collect from iOS devices.
| Log Name | Purpose | SysDiagnose | FileSystem |
|---|---|---|---|
| MobileActivation | Shows boot times and updates to the OS. | ✔️ | ✔️ |
| MobileInstallation | Shows installation/uninstallation of apps. | ✔️ | ✔️ |
| Restore.log | Shows updates to the software. | ✔️ | |
| Shutdown.log | Shows when shutdowns happen and which processes may hold them up. | ✔️ | |
| Unified Logs | AirDrop records, mounted devices, unlocks, and much more. | ✔️ | ✔️ |
On a filesystem image, the files above can be found at the following paths.
MobileActivation - /private/var/mobile/Library/Logs/mobileactivationd/
MobileInstallation - /private/var/installd/Library/Logs/MobileInstallation/
Restore.log - /private/var/mobile/MobileSoftwareUpdate/
Shutdown.log - /private/var/db/diagnostics/
Unified Logs - /private/var/db/diagnostics/ & /private/var/db/uuidtext/
3 Log types you can collect from Android
Moving on to Android: I cover three types of log data in Mobile Unpacked Episode 14: Android Debug Bridge (adb), SysDump, and raw files.
First, let’s establish the adb commands used to acquire the log data from any Android device, so long as the device is unlocked, USB Debugging is enabled, and the device has accepted your workstation’s adb key when prompted.

| Command | Purpose |
|---|---|
| adb logcat | Dumps the in-memory ring buffers (main, system, events, crash, radio) to the console. These buffers are not written to a file on the device, so once they roll over the data is gone; use `-d` to dump and exit rather than stream. |
| adb shell getprop | Launches a shell on the device and queries the system property service (getprop). Returns build, model, bootloader and persistent properties loaded from the property files rather than the contents of individual settings files. |
| adb shell dumpsys | Launches a shell on the device and queries the dumpsys services. Use `-l` first to list the available services and then query a specific one to reduce the amount of output returned. |
| \| grep [search term] | Allows for searching within the getprop or dumpsys output for specific key terms. |

As a reminder, the data returned from the adb commands is not going to match the log files on the device 1:1. It may contain similar or even the same information, but it won’t be formatted the same as the raw files on the device, and it reflects the live state of the device at the moment the command is run. However, you should use these commands in ANY Android examination where a filesystem extraction is not possible. Some tools like Magnet Axiom automatically collect, format, and even parse this output for valuable artifacts when performing a Quick image of the Android device.
Remember that not all of these files will be present on every device. Some are manufacturer-specific; the Samsung-only ones are marked (S) in the path list that follows.

| Log Data | Purpose | adb logs | SysDump | Filesystem |
|---|---|---|---|---|
| sdp_log | Shows boots and unlocks of the device. | ✔️ | ✔️ | |
| recovery_history.log | Shows data wipes and software updates. | ✔️ | ✔️ | |
| power_off_reset_reason.txt | Device shutdowns and reasons. | ✔️ | ✔️ | |
| vold-dump | Tracks mounting and unmounting of external media. | ✔️ | ✔️ | |
| SYSTEM_BOOT@[DateTime] | Shows boot times. | Shows last boot only. | ✔️ | |
| userlist.xml | Shows user accounts. | Lists users via `dumpsys user`. | ✔️ | |
| settings_[ ].xml | Shows various device settings. | Partially available through various `getprop` outputs. | ✔️ | |
| packages.list / packages.xml | Shows what apps are installed, where they came from, and some permissions. | Available via `dumpsys package` or `pm list packages` once an adb shell is open. | | ✔️ |
The files above live at the following paths on a filesystem image. Please note that the ones marked with (S) are for Samsung devices only.
Sdp_Log (S) - /data/log/
Recovery_History.log (S) – /data/log
Power_off_reset_reason.txt (S) - /data/log/
Vold-dump (S) - /data/log/vold-dump_[xx]
SYSTEM_BOOT@{DateTime} - /data/system/dropbox/
Userlist.xml - /data/system/users/
Settings_[xxx].xml - /data/system/users/[userID]/
Packages.xml|list - /data/system/
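Putting the adb command table and the adb column of the log table together, here is an acquisition script you can run against an unlocked, debugging-enabled device. This is an added example and not code from the original post or from Magnet Forensics; it assumes `adb` is on PATH (override with `ADB=/path/to/adb`), and the output file names and the set of dumpsys services pulled (`user`, `package`, `mount`, `batterystats`, `dropbox`) are my choices for mapping onto the artifacts listed above.

```shell
#!/bin/sh
# Added example (not from the original post): live triage collection over adb.
# Assumes an unlocked device with USB Debugging enabled, this workstation
# authorized on the device, and adb on PATH (override with ADB=/path/to/adb).
# The service list and output file names are this example's own choices.
set -u

ADB="${ADB:-adb}"

# Run one adb command, save its stdout under $1/$2, append stderr to the
# error log, and return adb's exit code so a caller can react to failures.
capture() {
    outdir=$1; name=$2; shift 2
    "$ADB" "$@" > "$outdir/$name" 2>>"$outdir/collection_errors.log"
}

# Collect the log data the post lists as reachable over adb.
# Every file lands in $1; a SHA-256 manifest is written last.
collect_android_logs() {
    outdir=$1
    mkdir -p "$outdir"
    : > "$outdir/collection_errors.log"

    # Record when and from which device this was taken (host and device clocks),
    # so the live output can be correlated with on-device timestamps later.
    date -u +"%Y-%m-%dT%H:%M:%SZ host" > "$outdir/collection_time.txt"
    capture "$outdir" device_serial.txt get-serialno
    capture "$outdir" device_time.txt shell date -u +%s

    # logcat: dump (-d) each ring buffer instead of following it, keeping the
    # threadtime columns. These buffers live only in memory, so this is the
    # only copy you will get. Older builds may lack the crash/radio buffers;
    # those failures end up in collection_errors.log rather than aborting.
    for buf in main system events crash radio; do
        capture "$outdir" "logcat_$buf.txt" logcat -d -v threadtime -b "$buf"
    done

    # System properties: build, model, bootloader state, persist.* values.
    capture "$outdir" getprop.txt shell getprop

    # List the available dumpsys services first, then pull the ones that
    # map onto the table above (users, packages, mounts, power, dropbox).
    capture "$outdir" dumpsys_services.txt shell dumpsys -l
    for svc in user package mount batterystats dropbox; do
        capture "$outdir" "dumpsys_$svc.txt" shell dumpsys "$svc"
    done

    # Package inventory with APK paths; -u also lists uninstalled packages
    # whose data was kept.
    capture "$outdir" pm_list_packages.txt shell pm list packages -f -u

    write_manifest "$outdir"
}

# Hash everything collected so the output can be verified later.
write_manifest() {
    outdir=$1
    ( cd "$outdir" && for f in *; do
          [ "$f" = manifest.sha256 ] && continue
          if command -v sha256sum >/dev/null 2>&1; then
              sha256sum "$f"
          else
              shasum -a 256 "$f"
          fi
      done ) > "$outdir/manifest.sha256"
}

# Count non-empty files in the output directory; a quick sanity check that
# the device actually answered (an empty logcat_*.txt usually means a
# missing buffer or a device that was never authorized).
count_nonempty() {
    n=0
    for f in "$1"/*; do
        [ -s "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage: sh collect.sh <output-dir>
if [ "${1:-}" != "" ]; then
    collect_android_logs "$1"
    echo "collected $(count_nonempty "$1") non-empty files into $1"
fi
```

Run it with the device attached and review `collection_errors.log` first: an `unauthorized` or `device offline` message there means the device never accepted the workstation's key and every other file will be empty. Because `capture` routes through `$ADB`, you can also point `ADB` at a wrapper that logs each command for your notes.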
A vast wealth of data is available within log files across both iOS and Android. However, not every investigation will come down to the information stored within the operating system. Log data can be supportive evidence but may never be your ‘smoking gun.’ Since filesystem image collection can be limited from time to time as software security advances, it is key to know the other ways to extract the data when you can’t get a true filesystem image. Some log files, such as the unified logs, can be very volatile even while a device is sitting around powered on. Even when a full filesystem extraction is going to be available, capturing the logs while they are still on the device can support your investigations in the future. As always, if there are questions about the above log files, please feel free to reach out to me directly at Christopher.vance@magnetforensics.com! Until then, see you at the next episode of Mobile Unpacked.