🆕 New blog post on Apple Unified Logs (iOS) and how to query them effectively.
🪵 Learn how to generate a .logarchive using a macOS device, third-party tools, or straight from files in a full file system extraction.
🪵 Use a macOS device to convert the .logarchive into a JSON file for use outside of a macOS environment.
🪵 Process the JSON file with iLEAPP in order to query the data using SQLite.

If you are not looking at unified logs you are missing incredibly valuable evidence in your cases.

Thanks to the following researchers for their invaluable contributions:
🙏 Lionel Notari
🙏 Tim Korver
🙏 Johann POLEWCZYK
🙏 Heather Charpentier

Read the blog post here:

https://abrignoni.blogspot.com/2025/05/extraction-processing-querying-apple.html

#DigitalForensics #DFIR #MobileForensics #UnifiedLogs #AppleForensics #iOSForensics #iLEAPP

Extraction, Processing, & Querying Apple Unified Logs from an iOS Device
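The JSON-to-SQLite step in the post above, as an added Python example (not code from the blog post or from iLEAPP): it loads records in the shape that `log show --archive x.logarchive --style json` writes into an SQLite table and queries them by subsystem. The records are constructed samples; the field names follow the real `log show` output, and the table layout is an assumption, not iLEAPP's schema.

```python
import json
import sqlite3

# Constructed sample records, shaped like the JSON array that
# `log show --archive x.logarchive --style json` emits (same field names).
SAMPLE_JSON = json.dumps([
    {"timestamp": "2025-05-01 10:15:02.123456-0400", "eventType": "logEvent",
     "messageType": "Default", "subsystem": "com.apple.springboard", "category": "LockScreen",
     "processID": 61, "processImagePath": "/System/Library/CoreServices/SpringBoard.app/SpringBoard",
     "eventMessage": "Screen unlocked (constructed sample)"},
    {"timestamp": "2025-05-01 10:15:09.000000-0400", "eventType": "logEvent",
     "messageType": "Default", "subsystem": "com.apple.wifi", "category": "Driver",
     "processID": 44, "processImagePath": "/usr/sbin/wifid",
     "eventMessage": "Associated to network (constructed sample)"},
    {"timestamp": "2025-05-01 10:16:30.500000-0400", "eventType": "logEvent",
     "messageType": "Default", "subsystem": "com.apple.springboard", "category": "LockScreen",
     "processID": 61, "processImagePath": "/System/Library/CoreServices/SpringBoard.app/SpringBoard",
     "eventMessage": "Screen locked (constructed sample)"},
])

# Assumed table layout (a subset of the log show fields), not iLEAPP's schema.
COLUMNS = ("timestamp", "eventType", "messageType", "subsystem", "category",
           "processID", "processImagePath", "eventMessage")


def load_log_json(text, db_path=":memory:"):
    """Load a `log show --style json` array into table `logs`; returns the connection."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS logs (%s)" % ", ".join(COLUMNS))
    # .get() tolerates records that lack a field (some event types carry fewer keys).
    rows = [tuple(rec.get(col) for col in COLUMNS) for rec in json.loads(text)]
    conn.executemany("INSERT INTO logs VALUES (%s)" % ",".join("?" * len(COLUMNS)), rows)
    conn.commit()
    return conn


def messages_for_subsystem(conn, subsystem):
    """Timeline of (timestamp, eventMessage) for one subsystem, oldest first.
    Timestamps are kept as the local-time strings log show emits, which sort
    correctly only while every record shares the same UTC offset."""
    cur = conn.execute(
        "SELECT timestamp, eventMessage FROM logs WHERE subsystem = ? ORDER BY timestamp",
        (subsystem,))
    return cur.fetchall()


def counts_by_subsystem(conn):
    """Quick triage view: how many events each subsystem contributed."""
    cur = conn.execute("SELECT subsystem, COUNT(*) FROM logs GROUP BY subsystem")
    return dict(cur.fetchall())
```

Point `load_log_json` at a file written by `log show ... --style json > out.json` (read its text first) and give a real path as `db_path` to keep the database for later querying.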

I started documenting some of the log predicate filters I find helpful for Apple Unified Logs. I am just starting to record them and haven't gotten very far yet (I have a lot of notes, and some of my filters seem to no longer work in newer versions of macOS so I am testing each of them on 12.6 which takes longer), but please do share / link me to your favorite filters for inclusion! https://github.com/danzek/annotationis/blob/master/Operating%20Systems/macOS/UnifiedLogging.md

#macOS #UnifiedLogs #UnifiedLogging #DFIR

🦖Day 90 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange.MacOS.UnifiedLogHunter

Link:
https://docs.velociraptor.app/exchange/artifacts/pages/macos.unifiedloghunter

----

With macOS 10.12 (Sierra) came a new way to log system events in a more centralized, unified fashion -- Unified Logs.

Read more here:

https://devstreaming-cdn.apple.com/videos/wwdc/2016/721wh2etddp4ghxhpcg/721/721_unified_logging_and_activity_tracing.pdf

These logs can be of great importance to investigators searching for artifacts of adversary activity.

----

@crowdstrike , @Mandiant, and others have done a great job covering the usefulness and technical details surrounding the Unified Logging system.

https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/

https://www.mandiant.com/resources/blog/reviewing-macos-unified-logs

----

This artifact is a wrapper around the 'log' command, allowing defenders to easily review events from the logs from the many subsystems of the Unified Logging infrastructure.

It provides the ability to search using a custom or pre-defined filter, and is great for live hunting.

----

If you are looking to collect only raw files and parse them later, or for a third party tool to process the data, check out the Exchange.MacOS.UnifiedLogParser artifact.

https://docs.velociraptor.app/exchange/artifacts/pages/macos.unifiedlogparser/

----

The information provided by this artifact includes:

- Event time/message/type
- Message type
- Category
- Subsystem
- PID
- Process image Path/UUID
- Sender image Path/UUID
- Sender program counter
- Activity ID
- Parent activity ID

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#DFIR
#Forensics
#Infosec
#macOS
#ThreatHunting
#UnifiedLogs