Accessing Unified Logs from an Image
Update: BlackLight 2019 R3 parses Unified Logs. For more information see https://www.blackbagtech.com/blog/making-sense-of-unified-logs.
Starting with the release of macOS Sierra 10.12, Apple began changing over to a new log format. The idea of these logs is that they would essentially be the same across all Apple operating systems (iOS, watchOS, tvOS).
Most traditional log files will now store their information within the new Unified Log format. For the time being, Apple has stated that there are no plans to allow developers of third-party applications to write to the Unified Logs. Many people have written about these logs, and we thank them for their efforts and research into this new log format.
Unified Logs are saved within several files that are located within /private/var/db.
Each of these folders contains several files; together they are gathered and used to analyze the logs.
Gathering Logs Live
Access logs on a live Mac computer.
To gather the Unified Logs on a live, running Mac computer, use the terminal command: sudo log collect. It will prompt for the computer's administrator password in order to gather these logs. Once the process has completed, a bundled folder named system_logs.logarchive will be created.
Exporting Logs from a Case Image
Export log files from a case.
Using your forensic tool, export the contents of /private/var/db/diagnostics and /private/var/db/uuidtext to a folder on your desktop. Do not include the parent directories ‘diagnostics’ or ‘uuidtext’ themselves, only their contents. Once these files have been exported, add the .logarchive extension to the name of the folder containing the exported files and folders. The folder will change into a bundled folder (.logarchive) that contains the log files.
Using the LogArchive
To analyze these logs, a computer running macOS 10.12 (or later) is required. Using Terminal.app, enter the following command to parse the Unified Logs:
log show <path to archive> --info --predicate <options>
Alternatively, you can point Console.app at the log archive folder. When using Console.app it may take a minute or two (depending on how many logs are contained within the archive) to fully load the logs. From either Terminal.app or Console.app, examiners can use keywords (commands) to access the logs.
One artifact that went missing from Macs running macOS 10.12 was the record of attached external devices, or USB entries. Previously, examiners would parse the system.log to access this information; on systems running macOS 10.12, this information is now contained in the Unified Logs. To gather external device entries, either of the following commands can be entered into Terminal.app.
log show <path-to-log> --info --predicate 'eventMessage contains[cd] "USBMSC" or processImagePath contains[cd] "fseventsd" or subsystem = "com.apple.imagecapture"'
log show <path-to-log> --info --predicate 'eventMessage contains[cd] "USBMSC" or eventMessage contains[cd] "manufacturer" or eventMessage contains[cd] "/Volumes"'
The result will display the USBMSC entry information (as system.log once did), along with manufacturer information and the volume name. Within Console.app, examiners can instead enter one of several keywords:
Lookup entries found using the keyword USBMSC.
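The export-and-rename procedure above is easy to get wrong by copying the parent folder instead of its contents. The following POSIX shell script is an added example (not BlackBag's code) that assembles the .logarchive bundle from the two exported trees, descends into a stray diagnostics/ or uuidtext/ parent if one was exported, checks for the Persist/, Special/ and timesync/ folders that come from /private/var/db/diagnostics, and prints the USBMSC query from the post; the function names and the check on those folder names are this example's own choices, and the log tool is only invoked when the script runs on macOS.

```shell
#!/bin/sh
# Added example: build a .logarchive bundle from exported diagnostics/ and
# uuidtext/ trees. Only macOS 10.12+ has log(1), so the query is printed
# everywhere and executed only on Darwin.

# Copy the *contents* of $1 into $2. If the examiner exported the parent
# folder itself (e.g. export/diagnostics), descend into it: the bundle needs
# Persist/, Special/, timesync/ and the uuidtext entries at its top level.
copy_contents() {
    src=$1; dest=$2; name=$3
    if [ -d "$src/$name" ] && [ ! -d "$src/Persist" ] && [ ! -d "$src/dsc" ]; then
        src="$src/$name"
    fi
    mkdir -p "$dest"
    cp -R "$src"/. "$dest"/
}

# build_logarchive <exported diagnostics> <exported uuidtext> <output>
# Prints the bundle path; returns 1 on refusal or an incomplete export.
build_logarchive() {
    diag=$1; uuid=$2; out=$3
    case "$out" in *.logarchive) ;; *) out="$out.logarchive" ;; esac
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing $out" >&2
        return 1
    fi
    copy_contents "$diag" "$out" diagnostics
    copy_contents "$uuid" "$out" uuidtext
    for d in Persist Special timesync; do   # expected from diagnostics/
        if [ ! -d "$out/$d" ]; then
            echo "warning: $out has no $d/ folder; export may be incomplete" >&2
            return 1
        fi
    done
    echo "$out"
}

# The second predicate from the post: USBMSC, manufacturer and volume entries.
usb_predicate() {
    printf '%s' 'eventMessage contains[cd] "USBMSC" or eventMessage contains[cd] "manufacturer" or eventMessage contains[cd] "/Volumes"'
}

# Print the log show command for the bundle; run it only where log(1) exists.
show_usb_entries() {
    archive=$1
    echo "log show \"$archive\" --info --predicate '$(usb_predicate)'"
    if [ "$(uname)" = Darwin ] && command -v log >/dev/null 2>&1; then
        log show "$archive" --info --predicate "$(usb_predicate)"
    fi
}

if [ $# -eq 3 ]; then build_logarchive "$1" "$2" "$3"; fi
```

Run it as sh build_logarchive.sh <diagnostics> <uuidtext> <case name>, then pass the printed bundle path to show_usb_entries or open it in Console.app.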
This is just one example of the many artifacts that can be parsed from these log files, including:
- iCloud connected devices
- Email syncing
- Network connections
- Time Machine backups
For more information about this check out our Mac Essential Forensic Techniques Courses.