Making Sense of Unified Logs
By: Bruce Hunter, Senior Forensic Engineer
With the release of macOS 10.12 Sierra, Apple introduced a new form of logging referred to as Unified Logs. These logs would replace, or at the very least supplement, most logging not only on macOS devices but also on iOS, watchOS, tvOS, and iPadOS devices.
Logs can be gathered on live macOS and iOS devices using various methods. When these logs are collected, they are saved in a logarchive format. This logarchive is a bundled folder that can be opened on a Mac using the Console application or in Terminal.
Of course, most forensic cases involve the examination of a forensic image, which makes examining the logs extremely difficult. The BlackBag Technologies Training Team released a blog some time ago (https://www.blackbagtech.com/blog/accessing-unified-logs-image) showing examiners a method to extract the logs from a forensic image.
With the release of BlackLight 2019 R3, BlackLight parses Unified Logs. To process the Unified Logs from a Mac computer or iOS image (file system collection), select Event/Logs from Evidence Status in BlackLight, or OS Event / Security Logs during initial processing.
For processing logically extracted Unified Logs in BlackLight 2019 R3, add the /private folder containing /private/var/db/diagnostics and /private/var/db/uuidtext. The directory structure must be maintained for BlackLight to parse the Unified Logs.
Choose the OS Events / Security Logs processing option.
Unified Logs are fragmented, meaning that no single log contains all the information. It is quite common to find in excess of 20 million Unified Log entries on a Mac. Expect longer processing times whether Unified Logs are processed during initial processing or added after processing is complete.
Once the Unified Logs are processed, BlackLight 2019 R3 will display the processed logs at: System ➔ System Logs ➔ Unified Logs.
Instead of displaying millions of Unified Log records, by default BlackLight applies a filter that shows only the last date present in the logs. It is recommended to use the filters to locate information of interest, since filtering displays the data more quickly. To remove the filter, select the minus (-) and then Apply.
Remember that due to the sheer number of log entries, it can take a long time to display or filter Unified Logs.
USB device entries located in the Unified Logs are also parsed out and displayed in Actionable Intel ➔ Device Connections.
So, how can we possibly make sense of 20 million log entries? Make no mistake, this is not for the faint of heart. There is a lot of chatter in these logs and it can be frustrating to find exactly what you are looking for.
When BlackLight parses Unified Logs, the logs are categorized into ‘predicates’ or filters. BlackLight allows you to filter for specific information within the processed Unified Logs. This means an examiner is not restricted to what BlackLight chooses to show: all of the Unified Log records are parsed, and BlackBag does not place limits on the data you can view. Examiners can utilize the full power of these logs. Here is a description of some of the filters:
Knowing what predicate to use makes it easier for examiners to find a specific artifact. For example, knowing that AirDrop uses the process ‘sharingd’ will help filter through the millions of logs to hopefully focus the data to a more manageable amount.
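The same predicate idea can be applied outside BlackLight with Apple's own `log show` command, and the directory layout required in the section on logically extracted logs (the /private/var/db/diagnostics and /private/var/db/uuidtext folders) can be verified before parsing starts. The script below is an added example, not BlackBag or BlackLight code. It assumes the export was produced with `log show --style ndjson` and that each line carries the field names that command emits (`timestamp`, `process`, `subsystem`, `category`, `eventMessage`); the log lines embedded in it are constructed for the example, and `sharingd` is the AirDrop process named above.

```python
"""Narrow a Unified Log export with predicates and check an extraction layout.

Added example (not BlackBag/BlackLight code). Assumes a Mac export made with
  log show --archive <archive> --style ndjson --info --predicate '...'
and the standard `log show` JSON field names. Sample entries are constructed.
"""
import json
import os
from collections import Counter

# Folders a logical extraction must contain, relative to the /private root
# (from the BlackLight requirement quoted in the article).
REQUIRED_DIRS = ("var/db/diagnostics", "var/db/uuidtext")


def check_extraction_layout(private_root):
    """Return the required sub-folders that are missing under private_root."""
    return [d for d in REQUIRED_DIRS
            if not os.path.isdir(os.path.join(private_root, d))]


def build_log_show_cmd(archive, predicate=None, start=None, end=None):
    """Build the argv for exporting a logarchive as newline-delimited JSON.

    A predicate such as process == "sharingd" keeps the export to the
    process of interest instead of dumping every entry in the archive.
    """
    cmd = ["log", "show", "--archive", archive, "--style", "ndjson", "--info"]
    if predicate:
        cmd += ["--predicate", predicate]
    if start:
        cmd += ["--start", start]
    if end:
        cmd += ["--end", end]
    return cmd


def parse_ndjson(text):
    """Parse one JSON object per line; skip blank or malformed lines rather
    than aborting a multi-million-line export on a single bad record."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def filter_entries(entries, process=None, subsystem=None, contains=None):
    """Apply the same narrowing a predicate would: by process, subsystem,
    and a case-insensitive substring of the message."""
    out = []
    for e in entries:
        if process and e.get("process") != process:
            continue
        if subsystem and e.get("subsystem") != subsystem:
            continue
        if contains and contains.lower() not in e.get("eventMessage", "").lower():
            continue
        out.append(e)
    return out


def count_by(entries, field):
    """Count entries per value of a field (e.g. process) to see where the
    chatter comes from before drilling in."""
    return Counter(e.get(field, "<none>") for e in entries)


# Constructed sample export: two AirDrop-related lines from sharingd,
# one USB-related kernel line and one unrelated noisy entry.
SAMPLE_NDJSON = "\n".join([
    '{"timestamp":"2020-01-14 09:32:11.100000-0500","process":"sharingd",'
    '"subsystem":"com.apple.sharing","category":"AirDrop",'
    '"eventMessage":"[constructed] AirDrop transfer started"}',
    '{"timestamp":"2020-01-14 09:32:15.400000-0500","process":"sharingd",'
    '"subsystem":"com.apple.sharing","category":"AirDrop",'
    '"eventMessage":"[constructed] AirDrop transfer completed"}',
    '{"timestamp":"2020-01-14 09:40:02.000000-0500","process":"kernel",'
    '"subsystem":"com.apple.iokit.IOUSBHostFamily","category":"Default",'
    '"eventMessage":"[constructed] USB device attached"}',
    'not json at all',
    '{"timestamp":"2020-01-14 09:41:00.000000-0500","process":"mDNSResponder",'
    '"subsystem":"com.apple.mDNSResponder","category":"Default",'
    '"eventMessage":"[constructed] periodic noise"}',
])

if __name__ == "__main__":
    entries = parse_ndjson(SAMPLE_NDJSON)
    print("entries per process:", dict(count_by(entries, "process")))
    for e in filter_entries(entries, process="sharingd"):
        print(e["timestamp"], e["eventMessage"])
    print(" ".join(build_log_show_cmd("system_logs.logarchive",
                                      predicate='process == "sharingd"')))
```

On a real export, replace `SAMPLE_NDJSON` with the file written by the `log show` command that `build_log_show_cmd` prints; counting by `process` or `subsystem` first is usually the quickest way to see which predicate will cut the volume down before reading individual messages.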
To make things easier, here are some examples of Unified Log filters:
BlackBag’s Advanced Apple® Forensic Investigations class covers Unified Logs in detail.