
Accessing Unified Logs from an Image

Update:  BlackLight 2019 R3 parses Unified Logs.  For more information see

Starting with the release of macOS Sierra 10.12, Apple began changing over to a new log format.  The idea of these logs is that they would essentially be the same across all Apple operating systems (iOS, watchOS, tvOS).

Most traditional log files will now store information within the new Unified Log format. For the time being, Apple has stated that there are no plans to allow developers of Third Party Applications to write to the Unified Logs. Many people have written about these logs, and we thank them for their efforts and research into this new log format.

Log Location

Unified Logs are saved within several files located under /private/var/db, in the diagnostics and uuidtext folders.
Unified Logs Location
Within each of these folders are several files that are gathered together and used to analyze the logs.

Gathering Logs Live

Access logs on a live Mac computer.

Gathering Unified Logs
To gather the Unified Logs on a live running Mac computer, use the Terminal command sudo log collect. It will require the administrator password for the computer to gather these logs. Once the process has completed, a bundled folder named system_logs.logarchive will be created.

Exporting Logs from a Case Image

Export log files from a case.
Exporting Unified Logs
Using your forensic tool, export the contents of /private/var/db/diagnostics and /private/var/db/uuidtext to a folder on your desktop. Do not include the parent directories ‘diagnostics’ or ‘uuidtext’ themselves. Once these files have been exported, add the .logarchive extension to the name of the folder containing the exported files and folders. The folder will change to a bundled folder (.logarchive) that contains the log files.

Using the LogArchive

Again, to analyze these logs a computer running macOS 10.12 (or later) is required. Using Terminal, enter the following command to parse the Unified Logs:

log show <path to archive> --info --predicate <options>

Alternatively, you can point the Console app at the log archive folder. When using Console it may take a minute or two (depending on how many logs are contained within the archive) to fully load the logs. From either, examiners can use keywords (search terms) to access the logs.

External Devices

One of the artifacts missing from Macs running macOS 10.12 was the record of attached external devices (USB entries). Previously examiners would parse system.log to access this information; on systems running macOS 10.12 it is now contained in the Unified Logs. To gather external device entries, either of the following commands can be entered into Terminal:

log show <path-to-log> --info --predicate 'eventMessage contains[cd] "USBMSC" or processImagePath contains[cd] "fseventsd" or subsystem = ""'

log show <path-to-log> --info --predicate 'eventMessage contains[cd] "USBMSC" or eventMessage contains[cd] "manufacturer" or eventMessage contains[cd] "/Volumes"'
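
As an added example (not code from the original post): a small POSIX shell helper that assembles the exported diagnostics and uuidtext contents into a .logarchive bundle as described above, checks the result, and, on a Mac where log(1) is available, runs the external-device predicate against it. The function names and the folder-check list are my own assumptions; the bundle assembly runs anywhere, but log show itself only exists on macOS 10.12 or later.

```shell
#!/bin/sh
# Added example, not part of the original post.
# make_logarchive <exported-diagnostics> <exported-uuidtext> <output-name>
# Copies the *contents* of both exported folders (not the parent directories
# themselves) into <output-name>.logarchive, the layout log show expects.
make_logarchive() {
    diag="$1"; uuid="$2"; out="$3.logarchive"
    [ -d "$diag" ] && [ -d "$uuid" ] || { echo "missing export folder" >&2; return 1; }
    # Never clobber an existing bundle: evidence handling should be append-only
    [ -e "$out" ] && { echo "$out already exists, refusing to overwrite" >&2; return 1; }
    mkdir -p "$out" || return 1
    # "dir/." copies the children only, so 'diagnostics'/'uuidtext' are not nested inside
    cp -R "$diag/." "$out/" && cp -R "$uuid/." "$out/" || return 1
    # Sanity check (assumed names): Persist holds the tracev3 files, timesync the clock data
    for d in Persist timesync; do
        [ -d "$out/$d" ] || echo "warning: $d not found in $out" >&2
    done
    echo "$out"
}

# usb_predicate: the second predicate from the post, as one reusable string
usb_predicate() {
    printf '%s' 'eventMessage contains[cd] "USBMSC" or eventMessage contains[cd] "manufacturer" or eventMessage contains[cd] "/Volumes"'
}

# show_external_devices <archive.logarchive> [extra log show arguments]
# Runs the query only where log(1) exists; returns 2 on a non-macOS host.
show_external_devices() {
    archive="$1"; shift
    command -v log >/dev/null 2>&1 || { echo "log(1) is only available on macOS 10.12+" >&2; return 2; }
    log show "$archive" --info --predicate "$(usb_predicate)" "$@"
}
```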

USBMSC Entry Information
The result will display USBMSC entry information (as system.log did) as well as manufacturer information and the volume name. Within Console, examiners can enter one of several keywords:

  • manufacturer
  • /Volumes
  • .fseventsd

Logarchive in Console App
Lookup entries found using the keyword USBMSC.
This is one example of many other artifacts that can be parsed from these log files including:

  • iCloud connected devices
  • Email syncing
  • Network connections
  • AirDrop
  • Time Machine backups

and more…
For more information about this check out our Mac Essential Forensic Techniques Courses.

BlackBag Team