Community Edition
Download Form and FAQ
Download Evanole Community Edition Now
Frequently Asked Questions (FAQ)
What does this tool do?
Evanole Community Edition acquires and parses real-time system traffic from iOS devices.
What is a Syslog?
A Syslog is the iOS System Log. This log closely monitors system functions, application crashes, and networking connections.
Who is this tool for?
This tool is for both Digital Forensics and Incident Response examiners.
How is this log useful for examiners?
Although the raw log is long, complex, and typically informational, certain bits and pieces of the log are indicative of key device information. This tool both gathers and presents information from the live logs. Please keep an eye open for updates to the tool that will include more data parsing.
What information can we expect to find in the log?
General system information, network connection information, diagnostic application information, and much more may appear in the log. For a full walkthrough of expected Syslog artifacts, and how to parse them, check out our virtual live HMFA course or head over to our upcoming HEX-222 Sysdiagnose Log course.
Is Evanole Community Edition really free?
Yes! Evanole Community Edition is freeware. It is covered by our Terms and Conditions. As a freeware tool, the payment section of these terms is not applicable.
Release Notes
Evanole Community Edition Version 1.01.0019
New Artifacts
Will show default wallpaper for all devices (Older models require trust)
Airplane Mode Artifacts
Volume Artifacts
Ringer Artifacts
Flashlight Artifacts
Additional Lock State Artifacts
Added Camera Artifacts
Added Application State Artifacts
Platform Updates
Added eLEAPP for reporting
Updated device images
Added “iPad” icon if iPad is connected
Improved information gathering speed
User prompted with success popup when files are exported
Added multi-device support
Graphical Sizing Bug Fixes
Added Dropdown for Menus
Added About Section with Licensing
User can select which artifacts to look for
Save dialogs open full file explorer
Monitor always appends timestamps to all lines
Changed timestamp format to ISO 8601 Standard
Changed findings textbox to listbox
When clicking “eLEAPP Report”, Evanole will:
Have the user select an output directory
Create an input folder
Save device details to the folder
Save current log to the folder
Process all of the input with eLEAPP
This makes it so a user can keep appending logs to the same output folder if they wish and they will all be processed.
Fixed resizing of list box
Attached menu to upper right side of screen (for resizing)
2x Faster dropdown menu
Esc button can exit about menu
Buttons stay highlighted in views
Errors detected anywhere will append to application log
Added padding to analysis selection listbox to ensure letters are not cut off
Better device detection (should remove devices properly and work in any view)
Popup window will close with esc key
Will only capture syslog for selected UDID
About contents contained in table
A click anywhere on any form will close the main menu if it is open
Changed wallpaper association to switch-case statement
If the user tries to query the log without trust, an error is written to the application log and the monitor stops
Syslog output delay removed
If no UDID is selected when starting the log monitor, the monitor will not start and an error is presented in settings
Invocation for current UDID
Pair and unpair buttons operational in settings pane
Put pair and unpair buttons in device groupBox
Handle pair when no device is detected
lockdown query and pair / unpair scripts turned into normal C# files (not windowed forms)
Analysis outputs to table
Export findings to csv instead of txt
Moved “Import Log” button to analysis view rather than monitor view
Put play and stop buttons in a group box
When performing a live log, the timestamp is passed directly to the output instead of being split. The timestamp should always be shown, with no more “ *N/A”, unless the user is importing malformed data
Added column in analysis view for device udid (Does not work for imported logs)
Entire program slightly larger to account for new column
Check for connected devices every 2 seconds (Used to be 4sec)
If selected device is removed another available device will be scanned
If no devices are connected will stop log before printing first line
Popup windows will not show up in taskbar
Popup windows will not have minimize or maximize buttons
Created error popup window
Error popup will trigger and redirect user to application config when scan begins and a device is not connected
Error popup will trigger and redirect user to application config when scan begins and a device is not trusted
Cleaned up installation and removed unnecessary DLLs; required DLLs are copied as hidden files, and all DLLs are read-only
Process device when successfully paired through config menu
Created local folder to manage pairing records
Button to open folder in application config
Unpairing a device will first attempt to save the pairing record to the local folder (if it is stored in the default Win10 OSDrive://ProgramData/Apple/Lockdown/<UDID>.plist location)
Button to pair device with pairing record
Pairing a device will back up the pairing record from the default Win10 location after completion
Evanole runs as admin
Detects when device has been disconnected during monitor and halts monitor
Confirmation popup when unpairing devices
Confirm popup when clearing all logs
Changed versioning format
Labeled table in “About” Popup window
Clickable links in "About" Popup windows
Will check several times for null response before considering a device disconnected
Assorted Performance and Bug Fixes