Sample Usage ios_apt
Running the -h option will show you the optional and required parameters.
See output of `-h` option
```
C:\Users\khatri>python c:\mac_apt\ios_apt.py -h
usage: ios_apt.py [-h] [-i INPUT_PATH] [-o OUTPUT_PATH] [-x] [-c]
                  [-l LOG_LEVEL]
                  plugin [plugin ...]

ios_apt is a framework to process forensic artifacts on an iOS full file system extraction.
You are running iOS Artifact Parsing Tool version 0.9.dev

positional arguments:
  plugin                Plugins to run (space separated). 'ALL' will process every available plugin

optional arguments:
  -h, --help            show this help message and exit
  -i INPUT_PATH, --input_path INPUT_PATH
                        Path to root folder of ios image
  -o OUTPUT_PATH, --output_path OUTPUT_PATH
                        Path where output files will be created
  -x, --xlsx            Save output in excel spreadsheet(s)
  -c, --csv             Save output as CSV files (Default option if no output type selected)
  -l LOG_LEVEL, --log_level LOG_LEVEL
                        Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)

The following 12 plugins are available:
    APPS                Gets App listing, install dates, sandbox locations
    BASICINFO           Gets basic system and OS configuration like SN,
                        timezone, device name, last logged in user, FS info,
                        etc..
    FSEVENTS            Reads file system event logs (from .fseventsd)
    INETACCOUNTS        Reads configured internet account (iCloud, Google,
                        Linkedin, facebook..) settings used by Mail, Contacts,
                        Calendar and other apps
    NETUSAGE            Reads the NetUsage (network usage) database to get
                        program and other network usage data
    NETWORKING          Gets network related information - Interfaces, last IP
                        addresses, MAC address, etc..
    NOTES               Reads Notes databases
    SAFARI              Gets internet history, downloaded file information,
                        cookies and more from Safari caches
    SCREENTIME          Parses application Screen Time data
    SPOTLIGHT           Reads spotlight indexes (user, volume, iOS)
    TERMSESSIONS        Reads Terminal (bash & zsh) sessions & history for every
                        user
    WIFI                Information about connected/stored wifi access points
    ----------------------------------------------------------------------------
    ALL                 Runs all plugins
```
```
python ios_apt.py -i C:\ipadOS_FFS -o C:\output_folder ALL
```
The above example will run all plugins on the full file system extraction located at C:\ipadOS_FFS with output going to C:\output_folder. You get sqlite output by default, and can specify additional output types like excel or csv if needed (see below).
Here is how you can run one or more plugins. Let us assume a few parameters to understand this.
Parameter | Desired Value/Type | Command |
---|---|---|
Input path | C:\sample_images\ios14 | -i C:\sample_images\ios14 |
Output path (where output goes) | C:\output | -o C:\output |
Optional Output type(s) | excel | -x |
Plugins to run | wifi, fsevents, basicinfo | WIFI FSEVENTS BASICINFO |
It is best to write the commands out in this same order as shown below.
```
python.exe ios_apt.py -i C:\sample_images\ios14 -o C:\output -x WIFI FSEVENTS BASICINFO
ios_apt.exe -i C:\sample_images\ios14 -o C:\output -x WIFI FSEVENTS BASICINFO
```
The below examples exercise some of the other available options.
```
ios_apt.exe -i C:\sample_images\ios14 -o C:\output ALL
```
Now the same with DEBUG logging for more information (good when investigating bugs)
```
ios_apt.exe -i C:\sample_images\ios14 -o C:\output -l DEBUG ALL
```