Application Crash Reports
Location
private/var/mobile/Library/Logs/CrashReporter/
Description
Directory containing .ips (JSON) and .crash (plain text) crash report files generated when applications or system processes crash. Each report includes the process name, bundle identifier, exception type, faulting thread backtrace, loaded binary images with UUIDs, and the device state at the time of the crash including memory usage and thermal state.
Forensic Value
Crash reports provide evidence of application instability that may indicate exploitation attempts, because memory corruption exploits frequently cause crashes during exploit development or when exploitation fails. The loaded binary images section lists every dynamic library and framework loaded by the crashing process, which can reveal injected malicious dylibs. Crash timestamps establish when issues occurred, and repeated crashes of the same process may indicate ongoing exploitation attempts. Crash reports for system processes such as Safari, Mail, or kernel extensions may indicate zero-day exploitation. The faulting thread backtrace provides technical detail about what the process was doing when it crashed.
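A triage sketch for the two checks described above (repeated crashes per process, and loaded images outside expected locations), added here as an example and not taken from this page or from any tool it lists. It assumes .ips reports made of a one-line JSON header followed by a JSON body, with the field names `app_name`, `timestamp`, `procName` and `usedImages`; the path allow-list and the sample reports are constructed for illustration.

```python
import json
from collections import Counter

# Assumed allow-list of directories that normally hold OS and App Store binaries;
# tune it per case. Images loaded from anywhere else deserve a closer look.
EXPECTED_PREFIXES = ("/System/", "/usr/lib/", "/usr/libexec/", "/Applications/",
                     "/private/var/containers/Bundle/Application/")

def parse_ips(text):
    """Return (header, body); assumed layout is a one-line JSON header, then a JSON body."""
    first, _, rest = text.partition("\n")
    header = json.loads(first)
    try:
        body = json.loads(rest)
    except json.JSONDecodeError:  # plain-text or missing body: keep the header only
        body = {}
    return header, body

def unexpected_images(body):
    """List (path, uuid) for loaded images whose path is outside EXPECTED_PREFIXES."""
    return [(img["path"], img.get("uuid", "")) for img in body.get("usedImages", [])
            if img.get("path") and not img["path"].startswith(EXPECTED_PREFIXES)]

def triage(reports):
    """Return (crash count per process, flagged images as (timestamp, process, path, uuid))."""
    counts, flagged = Counter(), []
    for text in reports:
        header, body = parse_ips(text)
        name = body.get("procName") or header.get("app_name") or "?"
        counts[name] += 1
        for path, uuid in unexpected_images(body):
            flagged.append((header.get("timestamp", ""), name, path, uuid))
    return counts, flagged

# Constructed sample reports (not taken from a real device).
_HDR = '{"app_name":"MobileSafari","timestamp":"2024-01-0%d 10:00:00.00 +0000"}'
_IMAGES = [{"path": "/usr/lib/dyld", "uuid": "11111111-1111-1111-1111-111111111111"},
           {"path": "/private/var/tmp/helper.dylib", "uuid": "22222222-2222-2222-2222-222222222222"},
           {"uuid": "00000000-0000-0000-0000-000000000000"}]  # entry without a path
SAMPLES = [
    _HDR % 1 + "\n" + json.dumps({"procName": "MobileSafari", "usedImages": _IMAGES}, indent=1),
    _HDR % 2 + "\n" + json.dumps({"procName": "MobileSafari", "usedImages": _IMAGES[:1]}),
    '{"app_name":"Mail","timestamp":"2024-01-03 09:00:00.00 +0000"}\nIncident Identifier: text body',
]

if __name__ == "__main__":
    counts, flagged = triage(SAMPLES)
    print(counts.most_common())
    print(flagged)
```

A flagged image is a lead to verify against the extraction (file presence, code signature, UUID match), not a finding by itself.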
Tools Required
Collection Commands
idevicebackup2
idevicebackup2 backup --full /forensics/ios_backup/
iLEAPP
python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/
libimobiledevice
idevicecrashreport -e /forensics/crash_reports/
Collection Constraints
- Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
- Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.