Don’t Overlook the Significance of AirDrop Logs in iOS Analysis

A client once came to me with a concern for his privacy, as he started receiving his own private photos sent to him from a friend that he had a falling-out with. He did not know how his ex-friend could have these photos in their possession, and he was worried that his iPhone had been hacked somehow. I analyzed his phone over the course of two weeks and did not find any proof of spyware on the device. I did however find AirDrop transfers to an iPad, and he did not own an iPad. This was very likely his ex-friends doing and would explain the blackmail style messages he was receiving. This highlighted the high value in analyzing these logs from iOS devices.

AirDrop logs are stored within the sysdiagnose log archive on iOS devices, and contain a plethora of valuable information. These logs can contain useful information showing files transferred to and from the device via AirDrop. Depending on phone use, these logs can show data going back a few days to possibly 2 weeks, so time is an important factor when analyzing these logs.

In any investigation or eDiscovery matter, obtaining a copy of the sysdiagnose log archives is a good idea; however, obtaining them can be challenging if access to the device is limited. These logs can be generated within the device and then (ironically) AirDropped to an Apple computer for review. Alternatively, the logs can be obtained from a forensic image if the device is jailbroken. If the device is jailbroken, that means that a physical image can be acquired, which pulls many additional system logs, including the sysdiagnose log archive.