Thesis Friday #15 – Generating a Sysdiagnose via AssistiveTouch

The summer break has officially started, which means I’ll be switching to a lighter posting rhythm for the coming weeks. Expect a new post every two weeks until the end of August. But even during the holidays, the Apple Unified Log doesn’t stop revealing.

This week’s post is short, but relevant: generating a sysdiagnose using AssistiveTouch.

AssistiveTouch as a Forensic Signal

AssistiveTouch is an accessibility feature on iOS that provides an on-screen menu to simulate hardware button functions. It’s often used when the screen is partially broken, or when the Home button is no longer functioning, especially on older devices like the iPhone 6.

But it also leaves a clear trace in the Apple Unified Log (AUL) when used to trigger system-level actions like creating a sysdiagnose. That may be done for legitimate diagnostic purposes, but in a forensic context it may indicate conscious user interaction during critical timeframes.

iPhone 12 mini (iOS 18.2.1) – AssistiveTouch triggers Sysdiagnose

Log artefact:

2025-03-09 14:57:06.895628  assistivetouchd / AccessibilityPhysicalInteraction  
(AccessibilityPhysicalInteraction) [com.apple.Accessibility:AXPhysicalInteraction] Generating sysdiagnose.

Breakdown:

  • Timestamp: 2025-03-09 14:57:06.895628
  • Process: assistivetouchd. The background daemon managing AssistiveTouch actions on iOS.
  • Subsystem: AccessibilityPhysicalInteraction. Handles physical interactions through accessibility features, such as custom gestures or virtual button taps.
  • Message: "Generating sysdiagnose." Indicates that a sysdiagnose was explicitly triggered via AssistiveTouch, without pressing physical buttons.

iPhone 6 (iOS 12.5.7) – Legacy Device, Same Signal

Log artefact:

2025-03-09 15:30:16.594426  assistivetouchd  
[com.apple.Accessibility:ASTCommon] Generating sysdiagnose from AssistiveTouch menu

Breakdown:

  • Timestamp: 2025-03-09 15:30:16.594426
  • Process: assistivetouchd
  • Subsystem: ASTCommon. A legacy module from the older iOS accessibility framework.
  • Message: "Generating sysdiagnose from AssistiveTouch menu". Indicates that the sysdiagnose command was accessed through the on-screen AssistiveTouch menu.
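To find both variants in a text export of the log, the following script is an added example, not code from the original post. It assumes the line layout of the two artefacts quoted above, where a record may wrap onto a second line; the function names and the last two sample records are constructed.

```python
import re
from datetime import datetime

# Layout assumed from the two artefacts quoted in this post: a record starts
# with a timestamp and may wrap onto the following line(s).
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6})\s+(.*)$")
TAG = re.compile(r"\[(?P<subsystem>[^:\]]+):(?P<category>[^\]]+)\]\s*(?P<message>.*)$")

def records(text):
    """Join wrapped lines into [timestamp, body] records."""
    current = None
    for line in (l.strip() for l in text.splitlines()):
        m = TS.match(line)
        if m:
            if current:
                yield current
            current = [m.group(1), m.group(2)]
        elif current and line:
            current[1] += " " + line
    if current:
        yield current

def find_assistivetouch_sysdiagnose(text):
    """Return entries where assistivetouchd logs that a sysdiagnose is generated."""
    hits = []
    for ts, body in records(text):
        tag = TAG.search(body)
        if (not tag or body.split()[0] != "assistivetouchd"
                or tag["subsystem"] != "com.apple.Accessibility"
                or not tag["message"].startswith("Generating sysdiagnose")):
            continue
        hits.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
                     "category": tag["category"], "message": tag["message"]})
    return hits

# First two records: the artefacts quoted above. Last two: constructed negatives.
SAMPLE = """\
2025-03-09 14:57:06.895628  assistivetouchd / AccessibilityPhysicalInteraction
(AccessibilityPhysicalInteraction) [com.apple.Accessibility:AXPhysicalInteraction] Generating sysdiagnose.
2025-03-09 15:30:16.594426  assistivetouchd
[com.apple.Accessibility:ASTCommon] Generating sysdiagnose from AssistiveTouch menu
2025-03-09 15:31:02.000001  assistivetouchd
[com.apple.Accessibility:ASTCommon] Constructed unrelated message
2025-03-09 15:32:10.123456  exampled
[com.example.constructed:demo] Generating sysdiagnose.
"""

if __name__ == "__main__":
    for hit in find_assistivetouch_sysdiagnose(SAMPLE):
        print(hit["time"].isoformat(), hit["category"], hit["message"])
```

Matching on the message prefix rather than on one category catches both the iOS 18 and the iOS 12 wording shown above.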

Forensic Relevance

AssistiveTouch-triggered sysdiagnoses are user-driven actions. They show intent, interaction, and awareness. When encountered in the log, these artefacts help answer key questions like:

  • Was the user actively interacting with the device?
  • Was the sysdiagnose automated or manually initiated?
  • Could this device have been used to deliberately capture a snapshot of its state?

Especially in contexts where hardware buttons are unavailable, this method of triggering becomes not just a usability aid, but a forensic clue.

Next post in two weeks — enjoy the break, but keep watching the logs.
