Application Crash Reports
Location
private/var/mobile/Library/Logs/CrashReporter/
Description
Directory containing .ips (JSON) and .crash (plain text) crash report files generated when applications or system processes crash. Each report includes the process name, bundle identifier, exception type, faulting thread backtrace, loaded binary images with UUIDs, and the device state at the time of the crash, including memory usage and thermal state.
Forensic Value
Crash reports provide evidence of application instability that may indicate exploitation attempts, as memory corruption exploits frequently cause crashes during development or failed exploitation. The loaded binary images section lists every dynamic library and framework loaded by the crashing process, which can reveal injected malicious dylibs. Crash timestamps establish when issues occurred, and repeated crashes of the same process may indicate ongoing exploitation attempts. Crash reports for system processes like Safari, Mail, or kernel extensions may indicate zero-day exploitation. The faulting thread backtrace provides technical detail about what the process was doing when it crashed.
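Example (added here, not part of the original entry): a triage pass over one .ips report that pulls out the process, exception type and faulting-thread backtrace, and lists loaded images whose path falls outside an allowlist. It assumes the two-part .ips layout (a one-line JSON header followed by a JSON body) and the key names procName, bundleInfo, exception, faultingThread, threads and usedImages; the allowlist and the sample report are constructed for illustration.

```python
import json

# Assumed allowlist of normal image locations; tune it for the OS version examined.
EXPECTED = ("/System/Library/", "/usr/lib/", "/Applications/",
            "/private/preboot/Cryptexes/",
            "/private/var/containers/Bundle/Application/")

def triage(text):
    """Summarise one .ips report: one-line JSON header, then a JSON body."""
    first, _, rest = text.partition("\n")
    header, body = json.loads(first), json.loads(rest)
    images = body.get("usedImages", [])
    threads, idx = body.get("threads", []), body.get("faultingThread")
    frames = threads[idx].get("frames", []) if isinstance(idx, int) and 0 <= idx < len(threads) else []

    def image_name(i):
        # Frames point at their binary through an index into usedImages.
        if isinstance(i, int) and 0 <= i < len(images):
            return (images[i].get("path") or "?").rsplit("/", 1)[-1]
        return "?"

    return {
        "process": body.get("procName") or header.get("app_name"),
        "bundle_id": body.get("bundleInfo", {}).get("CFBundleIdentifier"),
        "timestamp": header.get("timestamp"),
        "exception": body.get("exception", {}).get("type"),
        "backtrace": [(image_name(f.get("imageIndex")), f.get("symbol")) for f in frames],
        # Images loaded from outside the allowlist deserve a closer look.
        "unexpected_images": [(i.get("path"), i.get("uuid")) for i in images
                              if i.get("path") and not i["path"].startswith(EXPECTED)],
    }

# Constructed sample report (not from a real device).
SAMPLE = "\n".join([
    json.dumps({"app_name": "ExampleApp", "bug_type": "309",
                "timestamp": "2024-01-01 10:00:00.00 +0000"}),
    json.dumps({
        "procName": "ExampleApp",
        "bundleInfo": {"CFBundleIdentifier": "com.example.app"},
        "exception": {"type": "EXC_BAD_ACCESS", "signal": "SIGSEGV"},
        "faultingThread": 0,
        "threads": [{"frames": [{"imageIndex": 1, "imageOffset": 4096, "symbol": "example_fn"}]}],
        "usedImages": [
            {"path": "/usr/lib/system/libsystem_c.dylib", "uuid": "00000000-0000-0000-0000-000000000001"},
            {"path": "/private/var/tmp/libexample.dylib", "uuid": "00000000-0000-0000-0000-000000000002"},
        ],
    }),
])

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Running the same function across every report in the directory and grouping results by process and timestamp surfaces the repeated-crash pattern described above.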