Analysis of sysdiagnose in iOS 15 to identify the sending phone number of AirDrop data.

Modern cell phones allow for easy communication and transfer of data between devices. Unfortunately, some of the data transferred can be of unwelcomed, illicit, or threatening imagery and other files; digital forensic examiners are often asked to identify the source of these files. In this project, we developed a method to gain insights into the device used to send a file via Apple AirDrop. Our method brute forces the partial SHA256 hash entries found in the receiving Apple device's sysdiagnose logs to reveal the sender's phone number, even if that phone number was not known by the receiving device. This research publishes a method to generate permutations of the partial hash values using potential US area codes to identify the complete phone number of the sending device. In this research project, exemplar photographs were transmitted via AirDrop between Apple devices running iOS 15. A sysdiagnose was then generated on the receiving phone and exported by AirDrop to a MacBook Air for analysis. The analysis of the generated sysdiagnose archive found a partial SHA-256 hash of the sending device's phone number. This research identified a method to generate permutations of the partial SHA-256 hashes using a possible country and area code for the sending device in order to successfully identify the sending device's phone number. As a result, it was found that the sender of an unknown AirDrop file's phone number can be identified from the receiving device's sysdiagnose log files.