iOS Shutdown Log Analysis
Analyze iOS shutdown logs (sysdiagnose) to detect Pegasus, Predator, and other mercenary spyware infections on iOS devices.
Submit an iOS shutdown log (from sysdiagnose archives) for forensic analysis. OrbGuard analyzes process artifacts, anomalous entries, and known spyware signatures to detect infections from Pegasus, Predator, Reign, Candiru, QuaDream, stalkerware, and other advanced persistent threats.
POST /api/v1/forensics/ios/shutdown-log
Analyze an iOS shutdown log for spyware indicators and anomalies
| Parameter | Type | Required | Description |
|---|---|---|---|
| device_id | string | Required | Unique identifier for the device being analyzed. Used for tracking scan history and correlating results. |
| data | string | Required | Base64-encoded contents of the iOS shutdown.log file extracted from a sysdiagnose archive. |
Extracting the Shutdown Log
The shutdown log lists the processes that were still running when iOS was asked to shut down, so it only gains entries when the device is actually rebooted: a spyware process that never survives until a reboot leaves no trace here, and an empty log means "not rebooted", not "clean". To collect it, trigger a sysdiagnose by pressing and holding both volume buttons and the side button together for 1 to 1.5 seconds (the device vibrates briefly), wait a few minutes for the archive to be assembled, then go to Settings > Privacy & Security > Analytics & Improvements > Analytics Data and look for the entry starting with sysdiagnose_. Share that archive from the device, or transfer it via Finder or iTunes. Inside the archive the file is at system_logs.logarchive/Extra/shutdown.log.
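Before uploading, it is worth triaging the file locally so that an obviously infected device is handled as evidence from the start. The script below is an added example, not OrbGuard's code: it parses SIGTERM entries, flags the two indicators this page documents (the /private/var/db/com.apple.xpc.roleaccountd.staging/ directory and the process name bh), marks binaries outside the usual system prefixes as medium, and reports counts using the same field names as the API response. The line format it accepts, the list of trusted prefixes, and the sample log are all assumptions constructed for the example.

```python
"""Local triage of an iOS shutdown.log before (or instead of) uploading it."""
import re
from collections import Counter

# Indicators taken from the API example on this page: the Pegasus staging
# directory and the process name "bh". Nothing else here is a real signature.
KNOWN_BAD_DIRS = {"/private/var/db/com.apple.xpc.roleaccountd.staging/": "Pegasus"}
KNOWN_BAD_NAMES = {"bh": "Pegasus"}

# Assumption: legitimate iOS daemons and apps live under these prefixes; a
# process terminated from anywhere else is worth a look, not proof of infection.
TRUSTED_PREFIXES = ("/usr/", "/System/", "/sbin/", "/bin/", "/Applications/",
                    "/Library/", "/private/var/containers/")

# Assumed line shape: "<timestamp> SIGTERM: [pid] path" or, as in the API's
# evidence strings, "<timestamp> SIGTERM: path [pid]". Both are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) SIGTERM: "
    r"(?:\[(?P<pid_a>\d+)\] (?P<path_a>\S+)|(?P<path_b>\S+) \[(?P<pid_b>\d+)\])\s*$"
)

# Constructed sample: two reboots, one clean and one carrying the Pegasus paths.
SAMPLE_LOG = """\
2026-01-14 22:10:05 +0000 SIGTERM: /private/var/tmp/xpcd_helper [3102]
2026-01-14 22:10:05 +0000 SIGTERM: /usr/libexec/timed [220]
2026-01-15 03:22:14 +0000 SIGTERM: [2846] /private/var/db/com.apple.xpc.roleaccountd.staging/roleaccountd
2026-01-15 03:22:14 +0000 SIGTERM: [2847] /private/var/db/com.apple.xpc.roleaccountd.staging/bh
2026-01-15 03:22:14 +0000 SIGTERM: [39] /usr/libexec/dasd
garbage line that must be ignored
"""


def parse_shutdown_log(text):
    """One dict per SIGTERM entry; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path_a") or m.group("path_b")
        entries.append({"timestamp": m.group("ts"),
                        "pid": int(m.group("pid_a") or m.group("pid_b")),
                        "path": path,
                        "name": path.rsplit("/", 1)[-1]})
    return entries


def classify(entry):
    """Return (severity, family, title) for a suspicious entry, else None."""
    path, name = entry["path"], entry["name"]
    for bad_dir, family in KNOWN_BAD_DIRS.items():
        if path.startswith(bad_dir):
            return "critical", family, f"{family} staging path: {path}"
    if name in KNOWN_BAD_NAMES:
        family = KNOWN_BAD_NAMES[name]
        return "critical", family, f"known {family} process: {name}"
    if path.startswith("/") and not path.startswith(TRUSTED_PREFIXES):
        return "medium", None, f"binary outside system paths: {path}"
    return None


def analyze(text):
    """Summarize a shutdown log using the field names of the API's scan response."""
    entries = parse_shutdown_log(text)
    anomalies, families = [], set()
    for e in entries:
        verdict = classify(e)
        if verdict is None:
            continue
        severity, family, title = verdict
        anomalies.append({**e, "severity": severity, "title": title})
        if family:
            families.add(family)
    counts = Counter(a["severity"] for a in anomalies)
    return {
        "total_anomalies": len(anomalies),
        "critical_count": counts["critical"],
        "high_count": counts["high"],
        "medium_count": counts["medium"],
        "low_count": counts["low"],
        "anomalies": anomalies,
        "detected_threats": sorted(families),
        # One shutdown event per distinct timestamp in the sample; an empty log
        # usually means the device has not been rebooted, not that it is clean.
        "processes_per_shutdown": dict(Counter(e["timestamp"] for e in entries)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

A bare process name with no path (the form shown in the API's evidence strings) still hits the known-name check, so an entry such as "SIGTERM: bh [2847]" is flagged even though its directory is unknown.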
# Base64-encode the shutdown log and submit for analysis.
# Strip newlines: GNU base64 wraps its output at 76 columns, which would put raw
# line breaks inside the JSON string (macOS base64 does not wrap). For large logs,
# write the JSON body to a file and pass it with -d @body.json instead.
SHUTDOWN_LOG=$(base64 < /path/to/shutdown.log | tr -d '\n')
curl -X POST https://guard.orbai.world/api/v1/forensics/ios/shutdown-log \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d "{
\"device_id\": \"iphone-14-pro-abc123\",
\"data\": \"$SHUTDOWN_LOG\"
}"

Example response:
{
"id": "scan_ios_8f7e6d5c4b3a",
"device_id": "iphone-14-pro-abc123",
"platform": "ios",
"scan_type": "shutdown_log",
"started_at": "2026-02-08T10:00:00Z",
"completed_at": "2026-02-08T10:00:12Z",
"duration_ms": 12450,
"total_anomalies": 4,
"critical_count": 2,
"high_count": 1,
"medium_count": 1,
"low_count": 0,
"anomalies": [
{
"id": "anom_001",
"type": "suspicious_process",
"severity": "critical",
"confidence": 96,
"title": "Known Pegasus Process Detected",
"description": "Process 'bh' found in shutdown log entries. This binary name is a well-documented Pegasus spyware component responsible for data exfiltration.",
"path": "/private/var/db/com.apple.xpc.roleaccountd.staging/bh",
"process_name": "bh",
"process_pid": 2847,
"timestamp": "2026-01-15T03:22:14Z",
"mitre_techniques": ["T1059", "T1005", "T1041"],
"evidence": "Shutdown log entry: 2026-01-15 03:22:14 +0000 SIGTERM: bh [2847]"
},
{
"id": "anom_002",
"type": "suspicious_process",
"severity": "critical",
"confidence": 94,
"title": "Pegasus Persistence Component",
"description": "Process 'roleaccountd' running from unexpected staging directory. This is consistent with Pegasus persistence mechanisms documented by Citizen Lab.",
"path": "/private/var/db/com.apple.xpc.roleaccountd.staging/roleaccountd",
"process_name": "roleaccountd",
"process_pid": 2846,
"timestamp": "2026-01-15T03:22:14Z",
"mitre_techniques": ["T1543", "T1547"],
"evidence": "Shutdown log entry: 2026-01-15 03:22:14 +0000 SIGTERM: roleaccountd [2846]"
},
{
"id": "anom_003",
"type": "anomalous_timing",
"severity": "high",
"confidence": 78,
"title": "Unusual Process Startup Pattern",
"description": "Multiple system processes restarted within a 2-second window at 3:22 AM, which is consistent with post-exploitation cleanup behavior.",
"path": null,
"process_name": null,
"process_pid": null,
"timestamp": "2026-01-15T03:22:12Z",
"mitre_techniques": ["T1070"],
"evidence": "8 processes terminated within 2-second window during unusual hours"
},
{
"id": "anom_004",
"type": "unknown_binary",
"severity": "medium",
"confidence": 65,
"title": "Unrecognized Binary in System Path",
"description": "Unknown process 'xpcd_helper' found running from a non-standard location. May be benign but warrants further investigation.",
"path": "/private/var/tmp/xpcd_helper",
"process_name": "xpcd_helper",
"process_pid": 3102,
"timestamp": "2026-01-14T22:10:05Z",
"mitre_techniques": ["T1036"],
"evidence": "Shutdown log entry: 2026-01-14 22:10:05 +0000 SIGTERM: xpcd_helper [3102]"
}
],
"timeline": [
{
"timestamp": "2026-01-14T22:10:05Z",
"event": "Unknown binary xpcd_helper detected",
"severity": "medium"
},
{
"timestamp": "2026-01-15T03:22:12Z",
"event": "Anomalous process restart pattern",
"severity": "high"
},
{
"timestamp": "2026-01-15T03:22:14Z",
"event": "Pegasus processes bh and roleaccountd detected",
"severity": "critical"
}
],
"infection_likelihood": 0.94,
"detected_threats": [
{
"name": "Pegasus",
"type": "pegasus",
"confidence": 0.94
}
],
"recommendations": [
"Immediately isolate the device from all networks.",
"Do not factory reset the device -- preserve forensic evidence.",
"Contact your organization's security team or a qualified forensic investigator.",
"Enable Lockdown Mode on the device if available (iOS 16+).",
"Review all accounts accessed from this device and rotate credentials.",
"Consider submitting a full sysdiagnose archive for deeper analysis.",
"Report the infection to relevant authorities if you are a journalist or activist."
]
}

Error response (malformed data field):
{
"success": false,
"error": {
"code": "VALIDATION_ERROR",
"message": "Invalid base64 encoding in data field. Ensure the shutdown.log file is properly base64-encoded."
}
}

Detected Threat Types
The forensic analysis engine can identify the following threat types:
| Threat Type | Description |
|---|---|
| pegasus | NSO Group's Pegasus spyware |
| predator | Cytrox/Intellexa's Predator spyware |
| reign | QuaDream's Reign spyware |
| candiru | Candiru (Saito Tech) spyware |
| quadream | QuaDream surveillance tools |
| stalkerware | Commercial stalkerware applications |
| generic_spyware | Other known spyware variants |
| unknown_apt | Unknown advanced persistent threat indicators |
Upload Shutdown Log (Multipart)
Upload an iOS shutdown log file directly as multipart form data. This is an alternative to the base64 JSON endpoint and is more convenient for file uploads from web interfaces or mobile apps.
POST /api/v1/forensics/ios/shutdown-log/upload
Upload an iOS shutdown log file for forensic analysis via multipart form data
| Parameter | Type | Required | Description |
|---|---|---|---|
| file | file | Required | The shutdown.log file to analyze. Sent as multipart form data. |
| device_id | string | Required | Unique identifier for the device being analyzed. Sent as a form field. |
curl -X POST https://guard.orbai.world/api/v1/forensics/ios/shutdown-log/upload \
-H "Authorization: Bearer YOUR_API_KEY" \
-F "file=@/path/to/shutdown.log" \
-F "device_id=iphone-14-pro-abc123"

Example response (no findings):
{
"id": "scan_ios_upload_1a2b3c4d",
"device_id": "iphone-14-pro-abc123",
"platform": "ios",
"scan_type": "shutdown_log",
"started_at": "2026-02-08T10:05:00Z",
"completed_at": "2026-02-08T10:05:08Z",
"duration_ms": 8200,
"total_anomalies": 0,
"critical_count": 0,
"high_count": 0,
"medium_count": 0,
"low_count": 0,
"anomalies": [],
"timeline": [],
"infection_likelihood": 0.02,
"detected_threats": [],
"recommendations": [
"No significant threats detected. Continue monitoring with regular scans.",
"Enable Lockdown Mode for additional protection if you are in a high-risk category.",
"Keep your device updated to the latest iOS version."
]
}

Processing Time
Forensic analysis can take between 5 and 60 seconds depending on the size of the shutdown log and current server load. Set your HTTP client timeout to at least 120 seconds.
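A minimal client for the JSON endpoint, added here as an example rather than taken from OrbGuard's own SDK: it builds the base64 body in a way that cannot produce the VALIDATION_ERROR above, posts with the 120-second timeout this section asks for, accepts the documented error envelope instead of crashing on a 4xx, and reduces a scan response to the handful of fields an operator acts on. The sample responses at the bottom are constructed from the shapes shown on this page so the summarizer can be exercised offline; the endpoint URL and headers are the ones documented above.

```python
"""Submit an extracted shutdown.log to the JSON endpoint and read the verdict."""
import base64
import json
import urllib.error
import urllib.request

API_URL = "https://guard.orbai.world/api/v1/forensics/ios/shutdown-log"
SEVERITY_ORDER = ("critical", "high", "medium", "low")


def build_payload(log_bytes, device_id):
    """Return the JSON body for the endpoint. base64.b64encode never inserts
    line breaks, so the data field cannot trip the VALIDATION_ERROR the API
    returns for malformed base64 (a risk with GNU base64's wrapped output)."""
    return {"device_id": device_id,
            "data": base64.b64encode(log_bytes).decode("ascii")}


def submit(log_path, device_id, api_key, timeout=120):
    """POST the log and return the decoded JSON, whether a scan result or the
    API's error envelope. The timeout follows the documented 120 s guidance."""
    with open(log_path, "rb") as f:
        body = json.dumps(build_payload(f.read(), device_id)).encode()
    req = urllib.request.Request(
        API_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Error responses carry {"success": false, "error": {...}}; a body that
        # is not JSON is re-raised rather than guessed at.
        try:
            return json.load(err)
        except ValueError:
            raise err from None


def summarize(result):
    """Reduce a scan response or error envelope to what an operator acts on."""
    if result.get("success") is False:
        return {"ok": False, "code": result["error"]["code"],
                "message": result["error"]["message"]}
    ordered = sorted(result["anomalies"],
                     key=lambda a: SEVERITY_ORDER.index(a["severity"]))
    return {
        "ok": True,
        "likelihood": result["infection_likelihood"],
        "threats": [t["name"] for t in result["detected_threats"]],
        "worst": ordered[0]["title"] if ordered else None,
        # Mirrors the page's recommendations: a critical finding means isolate
        # the device and keep it as evidence; otherwise keep scanning.
        "action": ("isolate and preserve evidence"
                   if result["critical_count"] > 0 else "monitor"),
    }


# Constructed responses in the documented shapes, for offline use of summarize().
SAMPLE_SCAN = {
    "critical_count": 1, "infection_likelihood": 0.94,
    "anomalies": [
        {"severity": "medium", "title": "Unrecognized Binary in System Path"},
        {"severity": "critical", "title": "Known Pegasus Process Detected"},
    ],
    "detected_threats": [{"name": "Pegasus", "type": "pegasus", "confidence": 0.94}],
}
SAMPLE_ERROR = {"success": False, "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid base64 encoding in data field."}}

if __name__ == "__main__":
    print(summarize(SAMPLE_SCAN))
    print(summarize(SAMPLE_ERROR))
    # Live call (needs network access and a real key):
    # print(summarize(submit("shutdown.log", "iphone-14-pro-abc123", "YOUR_API_KEY")))
```

For the multipart endpoint the same summarize() applies unchanged; only the request construction differs, and a library such as requests handles the form encoding that urllib does not build for you.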