Making Sense of Unified Logs in Cellebrite Inspector
With the release of macOS 10.12 Sierra, Apple introduced a new form of logging referred to as “Unified Logs”. These logs would replace or, at the very least, supplement most logging not only on macOS devices but on iOS, watchOS, tvOS, and iPadOS devices.
Logs can be gathered on live macOS and iOS devices using various methods. When these logs are collected, they are saved in a logarchive format. This logarchive is a bundled folder that can be opened on a Mac using the Console application or in Terminal.
Of course, most forensic cases involve the examination of a forensic image rather than a live device, which makes examining these logs with the native tools extremely difficult.
With the release of Cellebrite Inspector 2019 R3, Unified Logs are now parsed. To process the Unified Logs from a Mac computer or iOS image (file system collection), select Event/Logs from Evidence Status in Cellebrite Inspector, or OS Event / Security Logs during initial processing.
For processing logically extracted Unified Logs in Cellebrite Inspector 2019 R3, add the /private folder containing /private/var/db/diagnostics and /private/var/db/uuidtext. The directory structure must be maintained for Cellebrite Inspector to parse the Unified Logs.
Choose the OS Events / Security Logs processing option.
Unified Logs are fragmented, meaning that no single log file contains all the information. It is quite common to find in excess of 20 million Unified Log entries on a Mac. Expect longer processing times when Unified Logs are included, whether they are handled during initial processing or added after processing is complete.
Once the Unified Logs are processed, Cellebrite Inspector 2019 R3 will display the processed logs at System ➔ System Logs ➔ Unified Logs.
Instead of displaying millions of Unified Log records, by default Cellebrite Inspector applies a filter that shows only the last date found in the logs. It is recommended to use the filters to locate information of interest, since filtered data displays more quickly. To remove the filter, select the minus (-) and then Apply.
Remember that due to the sheer number of log entries, it can take a long time to display or filter Unified Logs.
USB device entries located in the Unified Logs are also parsed out and displayed in Actionable Intel ➔ Device Connections.
So, how can we possibly make sense of 20 million log entries? Make no mistake, this is not for the faint of heart. There is a lot of chatter in these logs and it can be frustrating to find exactly what you are looking for.
When Cellebrite Inspector parses Unified Logs, logs are categorized into “predicates” or filters. Cellebrite Inspector allows you to filter for specific information within the processed Unified Logs. This means an examiner is not restricted to what Cellebrite Inspector wants to show you. All of the Unified Logs records are parsed and Cellebrite does not place limits on the data you can view. Examiners can utilize the full power of these logs. Here is a description of some of the filters:
Knowing what predicate to use makes it easier for examiners to find a specific artifact. For example, knowing that AirDrop uses the process ‘sharingd’ will help filter through the millions of logs to hopefully narrow the data to a more manageable amount.
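As an added example (not from this post and not Cellebrite code), the same “process is sharingd” predicate can be applied outside Inspector to a logarchive exported on a Mac with `log show --archive <name>.logarchive --style json`. The three records below are constructed, and the JSON field names (timestamp, processImagePath, subsystem, category, eventMessage) are assumed from the `log show` JSON style.

```python
import json
from datetime import datetime

# Constructed sample of what `log show --style json` emits for a logarchive.
# Field names are assumed; real exports carry many more fields per record.
SAMPLE_JSON = """[
  {"timestamp": "2019-08-20 10:15:01.000000-0400", "processImagePath": "/usr/libexec/sharingd",
   "subsystem": "com.apple.sharing", "category": "AirDrop", "eventMessage": "Starting AirDrop server"},
  {"timestamp": "2019-08-20 10:15:02.000000-0400", "processImagePath": "/usr/libexec/locationd",
   "subsystem": "com.apple.locationd", "category": "Core", "eventMessage": "Location update"},
  {"timestamp": "2019-08-20 10:16:30.000000-0400", "processImagePath": "/usr/libexec/sharingd",
   "subsystem": "com.apple.sharing", "category": "AirDrop", "eventMessage": "Received file from peer"}
]"""


def parse_ts(ts):
    # log(1) prints the UTC offset as -0400; %z accepts that form
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z")


def filter_records(records, process=None, subsystem=None, start=None, end=None):
    """Emulate a Unified Log predicate: process name, subsystem and time window."""
    out = []
    for r in records:
        # The process name is the last path component of processImagePath
        if process and r.get("processImagePath", "").rsplit("/", 1)[-1] != process:
            continue
        if subsystem and r.get("subsystem") != subsystem:
            continue
        ts = parse_ts(r["timestamp"])
        if start and ts < start:
            continue
        if end and ts > end:
            continue
        out.append(r)
    return out


def airdrop_events(json_text, start=None, end=None):
    """Narrow an export to AirDrop activity logged by sharingd, optionally within a window."""
    records = json.loads(json_text)
    return filter_records(records, process="sharingd", subsystem="com.apple.sharing",
                          start=start, end=end)


if __name__ == "__main__":
    for r in airdrop_events(SAMPLE_JSON):
        print(r["timestamp"], r["category"], r["eventMessage"])
```

On a real export the same predicate cuts tens of millions of records down to the handful emitted by sharingd, which is the narrowing the post describes for AirDrop.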
To make things easier here are some examples of Unified Log filters:
Cellebrite’s Advanced Apple® Forensic Investigations class covers Unified Logs in detail.
Through hands-on learning and case-based scenarios depicting real-life issues, this course teaches you advanced techniques for performing detailed, in-depth analysis of operating and file system data artifacts on macOS and iOS devices.
Taught by experts in the field, you will benefit from gaining knowledge of integral macOS and iOS device areas at a low level. You will also get a comprehensive look at the macOS and iOS operating systems, the HFS+ and APFS file systems, accounts, encryption, and application data, all covered with an interactive, hands-on learning method.
Learn more about how Cellebrite Inspector and Cellebrite Digital Collector (for analyzing Mac devices) can help you in your investigations, here.