
Adding Unified Logs to BlackLight

By: Bruce Hunter, Senior Forensic Engineer

Starting with macOS 10.12, Apple changed to a new Unified Log format. Rather than relying on one file to track the logged information, the new Unified Logs track information in a number of files across new directories.

BlackLight can process unified logs from an image of a Mac computer (running macOS 10.12 and above) or an advanced collection from an iOS device.

However, some users collect logs from live computers (for information on collecting logs live, see our blog: https://www.blackbagtech.com/blog/accessing-unified-logs-image/). Here are some tips on adding unified logs gathered live to BlackLight.

 

Live Logs from .logarchive Bundle

Unified logs collected from a live computer are saved in a .logarchive bundled folder.

To add the log files to BlackLight, right-click the .logarchive bundle and select Show Package Contents.

Create a folder structure on your desktop in this format: private/var/db. Then, inside the db folder, create two folders: uuidtext and diagnostics. Your folder structure should look like this.

 

Copy the following files and folders to the diagnostics folder:

  • timesync
  • Special
  • Signpost
  • Persist
  • From the Extra folder
    • LiveData.tracev3
    • statistics.0.txt
    • plist
    • plist
    • log

 

Copy all remaining folders (mostly two-digit alphanumeric), including the dsc folder, to the uuidtext folder.

 

Your folder structure should look like this: private/var/db/diagnostics and uuidtext.
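
The restructuring steps above can be scripted; the following is an added example, not BlackBag's own tooling. The function name stage_logarchive and its two arguments are hypothetical, and it assumes every file directly inside Extra belongs in diagnostics. It copies rather than moves and preserves timestamps, so the collected .logarchive stays untouched.

```shell
#!/bin/bash
# Added example: stage a live-collected .logarchive as private/var/db
# so it can be added to a case as evidence.
# Usage (hypothetical): stage_logarchive <bundle.logarchive> <output_dir>

stage_logarchive() {
    src=${1%/}
    dest=$2
    if [ ! -d "$src" ]; then
        echo "not a directory: $src" >&2
        return 1
    fi
    # Refuse to merge into an existing tree so two collections never mix.
    if [ -e "$dest/private" ]; then
        echo "already exists: $dest/private" >&2
        return 1
    fi
    diag="$dest/private/var/db/diagnostics"
    uuid="$dest/private/var/db/uuidtext"
    mkdir -p "$diag" "$uuid" || return 1

    for entry in "$src"/*; do
        # The procedure moves folders only; top-level files are skipped.
        [ -d "$entry" ] || continue
        case "$(basename "$entry")" in
            timesync|Special|Signpost|Persist)
                cp -Rp "$entry" "$diag/" || return 1
                ;;
            Extra)
                # Assumption: every file directly inside Extra goes to diagnostics.
                for f in "$entry"/*; do
                    if [ -f "$f" ]; then
                        cp -p "$f" "$diag/" || return 1
                    fi
                done
                ;;
            *)
                # Remaining folders (two-character names, dsc) go to uuidtext.
                cp -Rp "$entry" "$uuid/" || return 1
                ;;
        esac
    done
    return 0
}

# Run only when both arguments are supplied on the command line.
if [ "$#" -eq 2 ]; then
    stage_logarchive "$1" "$2"
fi
```

Point BlackLight's Add dialog at the private folder created under the output directory.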

 

Adding Logs to BlackLight

In BlackLight 2019 R3 or higher, create a new case.

Select Add to add evidence to the case and navigate to the private folder structure that you created earlier.

Under Processing Options, select OS Event/Security Logs.

 

Processing unified logs can take time. It is not uncommon to have in excess of 20 million logs on a Mac computer, so be patient as the logs are processed.

 

Once completed, processed unified logs can be found in BlackLight under System > System Logs > Unified Logs. BlackLight defaults to a filter that displays logs from the last date contained within the logs folder; this makes displaying results quicker on first launch.

 

Advanced analysis of unified logs is covered extensively in BlackBag’s Advanced Apple Forensic Investigations class.  For more information on BlackBag’s course offerings navigate to https://www.blackbagtech.com/training/ or contact BlackBag’s Training Team at training@blackbagtech.com.

BlackBag Training Team