Starting with macOS 10.12 Apple changed to a new Unified Log format.  Rather than relying on one file to track the logged information, the new Unified Logs track information in a number of files, across new directories.

Cellebrite Inspector can process unified logs from an image of a Mac computer (running macOS 10.12 and above) or an advanced collection from an iOS device.

However, some users collect logs from live computers (for information on collecting logs live, see our blog: Making Sense of Unified Logs in Cellebrite Inspector).

Tips on adding unified logs gathered live to Cellebrite Inspector

Live Logs from .logarchive Bundle

Unified logs collected from a live computer are saved in a .logarchive bundled folder.

To add the log files to Cellebrite Inspector, simply right-click the .logarchive bundle and select Show Package Contents.

Create a folder structure on your desktop in the form private/var/db.  Then, inside the db folder, create two folders: uuidtext and diagnostics. Your folder structure should look like this.

Copy the following files and folders to the diagnostics folder:

    • timesync
    • Special
    • Signpost
    • Persist
    • From the Extra folder
      • LiveData.tracev3
      • statistics.0.txt
      • plist
      • plist
      • log

Copy all remaining folders (mostly with two-character names), including the dsc folder, to the uuidtext folder.

Your folder structure should look like this: private/var/db/diagnostics and uuidtext.
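
The restaging steps above, as an added shell script that is not part of the original post or of Cellebrite's tooling. It assumes the bundle has the standard `log collect` layout (timesync, Special, Signpost, Persist, Extra, dsc and the two-character folders at its top level) and copies the contents of Extra directly into diagnostics, as the list above describes; the `make_sample_logarchive` helper only builds a constructed, empty stand-in for dry runs.

```sh
#!/bin/sh
# Restage a .logarchive bundle (as produced by `log collect` on a live Mac)
# into the private/var/db/{diagnostics,uuidtext} layout described above.
# Usage: sh restage_logarchive.sh <bundle.logarchive> <destination dir>
set -eu

restage_logarchive() {
    src="$1"
    db="$2/private/var/db"
    mkdir -p "$db/diagnostics" "$db/uuidtext"
    # These four folders go under diagnostics unchanged.
    for d in timesync Special Signpost Persist; do
        if [ -d "$src/$d" ]; then cp -R "$src/$d" "$db/diagnostics/"; fi
    done
    # The files inside Extra (LiveData.tracev3, statistics, plists, log)
    # go straight into diagnostics, not into an Extra subfolder.
    if [ -d "$src/Extra" ]; then cp -R "$src/Extra/." "$db/diagnostics/"; fi
    # Every remaining folder (the two-character ones plus dsc) goes under
    # uuidtext; top-level files such as Info.plist are left behind.
    for entry in "$src"/*/; do
        [ -d "$entry" ] || continue
        case "$(basename "$entry")" in
            timesync|Special|Signpost|Persist|Extra) ;;
            *) cp -R "${entry%/}" "$db/uuidtext/" ;;
        esac
    done
}

# Returns 0 only when the layout Inspector expects is present.
check_layout() {
    db="$1/private/var/db"
    [ -d "$db/diagnostics/timesync" ] && [ -d "$db/diagnostics/Persist" ] &&
    [ -d "$db/uuidtext/dsc" ]
}

# Constructed stand-in for a real bundle (empty files, for dry runs only).
make_sample_logarchive() {
    for d in timesync Special Signpost Persist Extra dsc 3F A1; do mkdir -p "$1/$d"; done
    : > "$1/Extra/LiveData.tracev3"
    : > "$1/Info.plist"
}

if [ "$#" -eq 2 ]; then
    restage_logarchive "$1" "$2"
    check_layout "$2"
fi
```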

Adding Logs to Cellebrite Inspector

In Cellebrite Inspector 2019 R3 (or higher) create a new case.

Select Add to add evidence to the case and navigate to the private folder structure that you created earlier.

Under Processing Options select OS Event/Security Logs

Processing unified logs can take time. It is not uncommon to have in excess of 20 million logs on a Mac computer, so be patient as the logs are processed.

Once completed, processed unified logs can be found in Cellebrite Inspector under System > System Logs > Unified Logs.  Cellebrite Inspector defaults to a filter that displays logs from the last date contained within the logs folder. This makes displaying results quicker on the first launch.

Advanced analysis of unified logs is covered extensively in Cellebrite’s Advanced Apple Forensic Investigations class. 
