🆕 New blog post on Apple Unified Logs (iOS) and how to query them effectively.
🪵 Learn how to generate a .logarchive using a macOS device, third-party tools, or straight from files in a full file system extraction.
🪵 Use a macOS device to convert the .logarchive into a JSON file for use outside of a macOS environment.
🪵 Process the JSON file with iLEAPP in order to query the data using SQLite.

If you are not looking at unified logs you are missing incredibly valuable evidence in your cases.

Thanks to the following researchers for their invaluable contributions:
๐Ÿ™ Lionel Notari
๐Ÿ™ Tim Korver
๐Ÿ™ Johann POLEWCZYK
๐Ÿ™ Heather Charpentier

Read the blog post here:

https://abrignoni.blogspot.com/2025/05/extraction-processing-querying-apple.html

#DigitalForensics #DFIR #MobileForensics #UnifiedLogs #AppleForensics #iOSForensics #iLEAPP
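The three steps in the post above (archive, JSON export, SQLite querying) as an added stand-alone example; this is not code from the blog post or from iLEAPP. It assumes the .logarchive was exported on a macOS host with `log show --archive <path> --style ndjson` (or `--style json`), and the sample records below are constructed with made-up values in the field shape that command emits. Loading the export into a SQLite table is what makes the pattern-of-life questions (which subsystem, which process, when) cheap to ask repeatedly.

```python
import json
import sqlite3

# Constructed sample records in the shape `log show --style ndjson` emits
# (the field names are the command's own; the values are made up for this example).
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2025-05-01 10:15:02.123456-0400", "subsystem": "com.apple.springboard",
     "category": "Unlock", "processID": 61, "messageType": "Default",
     "processImagePath": "/System/Library/CoreServices/SpringBoard.app/SpringBoard",
     "eventMessage": "Device unlocked (placeholder message)"},
    {"timestamp": "2025-05-01 10:15:40.000100-0400", "subsystem": "com.apple.locationd",
     "category": "Client", "processID": 88, "messageType": "Info",
     "processImagePath": "/usr/libexec/locationd",
     "eventMessage": "Location client registered (placeholder message)"},
    {"timestamp": "2025-05-01 10:16:11.500000-0400", "subsystem": "com.apple.springboard",
     "category": "Lock", "processID": 61, "messageType": "Default",
     "processImagePath": "/System/Library/CoreServices/SpringBoard.app/SpringBoard",
     "eventMessage": "Device locked (placeholder message)"},
])

# Export fields kept in the table, in column order.
COLUMNS = ("timestamp", "subsystem", "category", "processID",
           "messageType", "processImagePath", "eventMessage")


def parse_export(text):
    """Accept either a JSON array (`--style json`) or one object per line (`--style ndjson`)."""
    stripped = text.lstrip()
    if stripped.startswith("["):
        return json.loads(stripped)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def load_into_sqlite(text, conn):
    """Create the unified_log table (if needed) and insert every record; returns the row count."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS unified_log ("
        "timestamp TEXT, subsystem TEXT, category TEXT, pid INTEGER, "
        "message_type TEXT, process_image_path TEXT, event_message TEXT)"
    )
    rows = [tuple(rec.get(col) for col in COLUMNS) for rec in parse_export(text)]
    conn.executemany("INSERT INTO unified_log VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)


def build_database(text):
    """Convenience: in-memory database populated from one export string."""
    conn = sqlite3.connect(":memory:")
    load_into_sqlite(text, conn)
    return conn


def events_for_subsystem(conn, subsystem):
    """Timeline of (timestamp, category, message) for one subsystem, oldest first."""
    cur = conn.execute(
        "SELECT timestamp, category, event_message FROM unified_log "
        "WHERE subsystem = ? ORDER BY timestamp", (subsystem,))
    return cur.fetchall()


def count_by_process(conn):
    """Which process images produced the most entries: {image_path: count}."""
    cur = conn.execute(
        "SELECT process_image_path, COUNT(*) FROM unified_log "
        "GROUP BY process_image_path ORDER BY 2 DESC")
    return dict(cur.fetchall())


if __name__ == "__main__":
    db = build_database(SAMPLE_EXPORT)
    for row in events_for_subsystem(db, "com.apple.springboard"):
        print(row)
    print(count_by_process(db))
```

Point the loader at a real export by replacing SAMPLE_EXPORT with the file contents; the ISO-style timestamp strings sort correctly as text, so ORDER BY on the timestamp column gives a usable timeline without extra parsing.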

Extraction, Processing, & Querying Apple Unified Logs from an iOS Device

What are Apple Unified Logs and why are they important in my digital forensics examinations?  Introduction Unified logs keep pattern of life...

Hey #iosforensics pals - is there a way to perform a physical acquisition of an iPhone without using any specialist commercial software?

I'd love to extend my research beyond the iPhone backup, but don't have access to any of the fancy ($$$) tools. 😢

You after taking the IACIS Advanced Mobile Device Forensics course.

#DigitalForensics #MobileForensics #DFIR #iOSForensics #iOS

📖 Teaching SEGB v1 & v2 files today.

#DFIR #DigitalForensics #MobileForensics #iOSForensics #iOS

🚨 The SEGB file format is a key data recovery source on devices that run iOS and macOS. SEGB version 2 comes in the most recent operating system implementations.

🔬 Understand the file format: https://cellebrite.com/en/understanding-and-decoding-the-newest-ios-segb-format/

📄 Parse the file format using Python: https://github.com/cclgroupltd/ccl-segb

#DigitalForensics #MobileForensics #iOSForensics #SEGB #DFIR

๐Ÿ New Python parsers for Apple SEGB versions 1 & 2 file formats by Alex Caithness and CCL Solutions Group. Will be updating #iLEAPP soon to support both formats.

📚 These data structures are found in iOS and macOS operating systems. SEGB v2 is found on the latest versions of these operating systems.

🔎 Important note: If you expect Protobuf as the data payload (it usually is) make sure to skip the first 8 bytes before decoding a SEGB v2 file. See line 17 in the attached image.

ℹ Notice how the script provides the offset, metadata offset, and timestamp along with the data.

📎 Get the code here: https://github.com/cclgroupltd/ccl-segb

📖 Thanks to Cellebrite for the file format research found here: https://cellebrite.com/en/understanding-and-decoding-the-newest-ios-segb-format/

#DigitalForensics #MobileForensics #iOSForensics #SEGB #DFIR
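The 8-byte skip from the note above, shown as an added example that is not code from ccl-segb, Cellebrite or the post. It uses a small protobuf wire-format reader written here (a real workflow would hand the bytes to the protobuf library or to ccl-segb), and the record is constructed: the eight zero bytes at the front are only a placeholder for the v2 prefix, not its real contents. The point it makes is that decoding from offset 0 is rejected as a malformed message, while decoding from offset 8 yields the fields.

```python
# Minimal protobuf wire-format reader, enough to show the SEGB v2 8-byte skip.
# Stand-alone example, not code from ccl-segb or Cellebrite.

SEGB_V2_PREFIX_LEN = 8  # bytes to skip before the protobuf payload, per the post above


def encode_varint(n):
    """Encode a non-negative int as a protobuf base-128 varint."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_varint(buf, pos):
    """Decode one varint starting at pos; returns (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_protobuf(buf):
    """Decode the top-level fields of a message into (field_number, wire_type, value) tuples.
    Strict on purpose: an invalid field number, wire type or length raises ValueError,
    which is what happens when decoding starts on the prefix bytes instead of the payload."""
    pos, fields = 0, []
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 0x07
        if field == 0:
            raise ValueError("invalid field number 0 at offset %d" % (pos - 1))
        if wire_type == 0:                      # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:                    # 64-bit fixed
            value, pos = buf[pos:pos + 8], pos + 8
        elif wire_type == 2:                    # length-delimited (string, bytes, nested message)
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of buffer")
            value, pos = buf[pos:pos + length], pos + length
        elif wire_type == 5:                    # 32-bit fixed
            value, pos = buf[pos:pos + 4], pos + 4
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        if pos > len(buf):
            raise ValueError("fixed-width field truncated")
        fields.append((field, wire_type, value))
    return fields


def decode_segb_v2_payload(payload):
    """Skip the 8-byte prefix, then decode the remainder as protobuf."""
    return decode_protobuf(payload[SEGB_V2_PREFIX_LEN:])


# Constructed record: field 1 = a string, field 2 = a varint. The eight zero bytes in
# front are a placeholder for the v2 prefix; they are not the real prefix contents.
CONSTRUCTED_MESSAGE = (
    encode_varint((1 << 3) | 2) + encode_varint(len(b"com.apple.example")) + b"com.apple.example"
    + encode_varint((2 << 3) | 0) + encode_varint(1714579200)
)
CONSTRUCTED_PAYLOAD = b"\x00" * SEGB_V2_PREFIX_LEN + CONSTRUCTED_MESSAGE

if __name__ == "__main__":
    print("with skip:", decode_segb_v2_payload(CONSTRUCTED_PAYLOAD))
    try:
        decode_protobuf(CONSTRUCTED_PAYLOAD)
    except ValueError as exc:
        print("without skip:", exc)
```

With a real record the prefix bytes are not guaranteed to fail this cleanly; a wrong offset can also decode into plausible-looking but wrong fields, which is why the parser's reported offsets and timestamps are worth checking against the decoded payload.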

GitHub - cclgroupltd/ccl-segb: Module(s) related to reading SEGB (fka "Biome") data from iOS, macOS, etc.
