Accessing Unified Logs from an Image

Starting with the release of macOS Sierra 10.12, Apple began changing over to a new log format.  The idea of these logs is that they would essentially be the same across all Apple operating systems (iOS, watchOS, tvOS).

Most traditional log files now store their information in the new Unified Log format. For the time being, Apple has stated that there are no plans to allow developers of third-party applications to write to the Unified Logs. Many people have written about these logs, and we thank them for their efforts and research into this new log format.

Log Location

Unified Logs are saved within several files that are located within /private/var/db.

Unified Logs Location

Within each of these folders are several files that, gathered together, form the archive used to analyze the logs.

Gathering Logs Live

Access logs on a live Mac computer.

Gathering Unified Logs

To gather the Unified Logs on a live running Mac computer, use the terminal command: sudo log collect.  It will require the administrator password for the computer to gather these logs.  Once the process has completed, a bundled folder will be created and named system_logs.logarchive.

Exporting Logs from a Case Image

Export log files from a case.

Exporting Unified Logs

Using your forensic tool, export the contents of /private/var/db/diagnostics and /private/var/db/uuidtext to a folder on your desktop.  Do not include the parent directories 'diagnostics' or 'uuidtext' themselves. Once these files have been exported, add the .logarchive extension to the name of the folder containing the exported files and folders.  The folder will change to a bundled folder (.logarchive) that contains the log files.
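The export-and-rename procedure above, as an added shell example that is not part of the original post: build_logarchive copies the contents of the two exported trees (never the parent folders themselves) into a new bundle that carries the .logarchive extension, and check_logarchive confirms the bundle root looks right before it is handed to log show or Console.app. The directory names passed in and the expected subfolder names are assumptions based on the layout described above.

```bash
#!/bin/bash
# Added example (not the original post's code): assemble a .logarchive bundle
# from diagnostics/ and uuidtext/ trees exported out of a case image.
# Assumes the two trees were exported as described in the post above.

# build_logarchive <exported diagnostics dir> <exported uuidtext dir> <output name>
# Prints the path of the bundle it created.
build_logarchive() {
  diag_src="$1"
  uuid_src="$2"
  # Always end up with exactly one .logarchive suffix, whatever was passed in.
  out="${3%.logarchive}.logarchive"

  [ -d "$diag_src" ] || { echo "missing diagnostics export: $diag_src" >&2; return 1; }
  [ -d "$uuid_src" ] || { echo "missing uuidtext export: $uuid_src" >&2; return 1; }

  mkdir -p "$out"
  # Copy the *contents* of each tree ("dir/." form), not the parent folder, so
  # the bundle root directly holds the diagnostics subfolders (Persist, timesync,
  # ...) and the uuidtext folders (dsc and the two-hex-digit directories).
  cp -R "$diag_src"/. "$out"/
  cp -R "$uuid_src"/. "$out"/
  printf '%s\n' "$out"
}

# check_logarchive <bundle>: returns 0 when the bundle root has the shape the
# tools expect (no nested parent folder, at least one .tracev3 file present).
check_logarchive() {
  bundle="$1"
  case "$bundle" in
    *.logarchive) ;;
    *) echo "not a .logarchive bundle: $bundle" >&2; return 1 ;;
  esac
  # A nested parent directory means the export included one level too many.
  if [ -d "$bundle/diagnostics" ] || [ -d "$bundle/uuidtext" ]; then
    echo "parent folder nested inside bundle; export contents only" >&2
    return 1
  fi
  n=$(find "$bundle" -name '*.tracev3' | wc -l | tr -d ' ')
  [ "$n" -gt 0 ] || { echo "no .tracev3 files found in $bundle" >&2; return 1; }
  return 0
}

# count_tracev3 <bundle>: prints the number of .tracev3 log files in the bundle.
count_tracev3() {
  find "$1" -name '*.tracev3' | wc -l | tr -d ' '
}
```

Usage from a shell on the analysis Mac would be build_logarchive ~/Desktop/diagnostics ~/Desktop/uuidtext ~/Desktop/case01, followed by check_logarchive ~/Desktop/case01.logarchive; the nested-folder check catches the most common mistake, which is exporting the parent directory rather than its contents.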

Using the LogArchive

Again, to analyze these logs, a computer running macOS 10.12 (or later) is required.  In Terminal.app, enter the following command to parse the Unified Logs:

log show <path to archive> --info --predicate <options>


Alternatively, you can point Console.app at the log archive folder. When using Console.app it may take a minute or two (depending on how many logs are contained within the archive) to fully load the logs. From either Terminal.app or Console.app, examiners can use keywords (commands) to access the logs.

External Devices

One of the artifacts missing from Macs running macOS 10.12 was the record of attached external devices (USB entries). Previously, examiners would parse system.log to access this information; on systems running macOS 10.12 it is now contained in the Unified Logs. To gather external device entries, either of the following commands can be entered into Terminal.app.

log show <path-to-log> --info --predicate 'eventMessage contains[cd] "USBMSC" or processImagePath contains[cd] "fseventsd" or subsystem = "com.apple.imagecapture"'


OR

log show <path-to-log> --info --predicate 'eventMessage contains[cd] "USBMSC" or eventMessage contains[cd] "manufacturer" or eventMessage contains[cd] "/Volumes"'
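The two commands above, wrapped as an added shell example (not the original post's code): external_device_predicate holds the first predicate so it can be reused without retyping, show_external_devices runs log show with it against an archive, and triage_device_lines / volume_names apply the same three keywords as a post-filter to log show output that has already been saved to a text file. The sample log text is constructed for the example and is not real output; the archive path and function names are assumptions.

```bash
#!/bin/bash
# Added example (not the original post's code): reusable wrappers around the
# external-device `log show` query and a keyword post-filter for exported text.

# The first predicate from the post, kept in one place.
external_device_predicate() {
  printf '%s' 'eventMessage contains[cd] "USBMSC" or processImagePath contains[cd] "fseventsd" or subsystem = "com.apple.imagecapture"'
}

# show_external_devices <path-to-logarchive>: runs the query on a Mac with the
# `log` tool available. Assumed archive layout as built in the post above.
show_external_devices() {
  log show "$1" --info --predicate "$(external_device_predicate)"
}

# triage_device_lines: stdin -> stdout, keeps lines matching the same keywords
# an examiner would type into Console.app (case-insensitive, like contains[cd]).
triage_device_lines() {
  grep -iE 'USBMSC|manufacturer|/Volumes' || true
}

# count_device_lines: stdin -> number of matching lines.
count_device_lines() {
  triage_device_lines | wc -l | tr -d ' '
}

# volume_names: stdin -> the /Volumes/<name> paths mentioned, one per line.
volume_names() {
  sed -n 's#.*\(/Volumes/[^ "]*\).*#\1#p' | sort -u
}

# Constructed sample in the general shape of `log show` text output. Values are
# made up for the example; they are not from a real system or the post.
SAMPLE_LOG='2023-03-01 09:12:01.000000-0500  mac kernel: USBMSC Identifier (non-unique): 000000000001 0x0000 0x0000 0x100
2023-03-01 09:12:01.100000-0500  mac kernel: USB device manufacturer string: ExampleVendor
2023-03-01 09:12:02.000000-0500  mac fseventsd: mounted volume /Volumes/EVIDENCE1
2023-03-01 09:12:03.000000-0500  mac loginwindow: unrelated entry'

# Stand-alone demo over the constructed sample (no `log` tool required).
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | triage_device_lines
  printf 'volumes: '
  printf '%s\n' "$SAMPLE_LOG" | volume_names
fi
```

On an analysis Mac, show_external_devices ~/Desktop/case01.logarchive > devices.txt followed by volume_names < devices.txt gives a quick list of mounted volume names to pivot on; the post-filter is handy when the full log show output was saved earlier and the archive is no longer mounted.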


USBMSC Entry Information

The result displays the USBMSC entry information (as system.log did) as well as the manufacturer information and the volume name. Within Console.app, examiners can enter one of several keywords:

  • USBMSC
  • manufacturer
  • /Volumes
  • .fseventsd

Logarchive in Console App

Lookup entries found using the keyword USBMSC.

This is one example of the many artifacts that can be parsed from these log files, including:

  • iCloud connected devices
  • Email syncing
  • Network connections
  • AirDrop
  • Time Machine backups

and more…

For more information about this check out our Mac Essential Forensic Techniques Courses.
