macOS Unified Logging System

Apple's unified logging subsystem records system, application, and kernel events in the structured tracev3 format and is the most comprehensive single event source on modern macOS.

What Is macOS Unified Logging System?

Introduced in macOS Sierra (10.12), the unified logging system collects system, application, and kernel log messages into a single structured binary store of tracev3 files written by logd. It replaced the legacy Apple System Log (ASL) and syslog facilities with a high-performance architecture in which every message carries a subsystem, a category, and a level (Default, Info, Debug, Error, Fault). The log show and log stream commands filter on those fields, on the originating process, and on message text using NSPredicate expressions, and log collect exports a self-contained .logarchive bundle for offline review. Two properties matter forensically: Info and Debug messages are not persisted to disk unless a subsystem or log config enables them, and dynamic values in messages are redacted as <private> unless private-data logging has been enabled with a configuration profile.

It is central to any macOS investigation that needs to reconstruct a timeline of process, login, privilege-escalation (sudo), service, and volume-mount activity, and to detecting attempts to erase evidence.
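The predicate filtering and NDJSON output described above, as an added example that is not code from the original page: it builds a `log show` command line, then parses the one-JSON-object-per-line output into a sorted timeline. The field names (timestamp, processImagePath, subsystem, category, messageType, eventType, eventMessage) are those emitted by `log show --style ndjson`; the sample lines are constructed, and the `log` binary is only invoked when the script runs on macOS.

```python
"""Added example: query the unified log with a predicate and parse the NDJSON
output into a timeline. Not code from the original page. SAMPLE_NDJSON is a
constructed stand-in for real `log show --style ndjson` output."""
import json
import platform
import subprocess
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class LogEvent:
    timestamp: datetime
    process: str        # basename of processImagePath
    subsystem: str
    category: str
    level: str          # messageType: Default, Info, Debug, Error, Fault
    message: str        # eventMessage; dynamic values may appear as <private>


def _literal(value: str) -> str:
    """Quote a search term as an NSPredicate string literal. Quotes and
    backslashes are rejected so a supplied term cannot break out of the
    literal and alter the predicate."""
    if any(ch in value for ch in "'\"\\"):
        raise ValueError("quote and backslash characters are not allowed in predicate terms")
    return f"'{value}'"


def build_predicate(process: Optional[str] = None,
                    subsystem: Optional[str] = None,
                    contains: Optional[str] = None) -> Optional[str]:
    """Compose the expression passed to `log show --predicate`."""
    clauses = []
    if process:
        clauses.append(f"process == {_literal(process)}")
    if subsystem:
        clauses.append(f"subsystem == {_literal(subsystem)}")
    if contains:
        clauses.append(f"eventMessage CONTAINS[c] {_literal(contains)}")
    return " AND ".join(clauses) or None


def log_show_argv(predicate: Optional[str], archive: Optional[str] = None,
                  last: Optional[str] = "1h", info: bool = True) -> List[str]:
    """argv for `log show`; --archive reads a .logarchive, otherwise the live store."""
    argv = ["log", "show", "--style", "ndjson"]
    if archive:
        argv += ["--archive", archive]
    if last:
        argv += ["--last", last]          # e.g. 30m, 12h, 7d
    if info:
        argv.append("--info")             # Info-level lines are hidden unless requested
    if predicate:
        argv += ["--predicate", predicate]
    return argv


def parse_ndjson(lines: Iterable[str]) -> List[LogEvent]:
    """Turn `--style ndjson` output into LogEvents sorted by timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("eventType") != "logEvent":   # skip timesync/activity/state records
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S.%f%z")
        events.append(LogEvent(
            timestamp=ts,
            process=(rec.get("processImagePath") or "").rsplit("/", 1)[-1],
            subsystem=rec.get("subsystem") or "",
            category=rec.get("category") or "",
            level=rec.get("messageType") or "Default",
            message=rec.get("eventMessage") or "",
        ))
    events.sort(key=lambda e: e.timestamp)
    return events


def run_query(argv: List[str]) -> List[LogEvent]:
    """Execute `log show` (macOS only) and parse its output."""
    if platform.system() != "Darwin":
        raise RuntimeError("the log command exists only on macOS")
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return parse_ndjson(out.splitlines())


# Constructed sample of `log show --style ndjson` output (fields trimmed).
SAMPLE_NDJSON = [
    '{"timestamp":"2024-03-11 09:15:02.123456-0700","eventType":"logEvent",'
    '"processImagePath":"/usr/bin/sudo","subsystem":"","category":"",'
    '"messageType":"Default","eventMessage":"alice : TTY=ttys001 ; PWD=/Users/alice ;'
    ' USER=root ; COMMAND=/usr/bin/log erase --all"}',
    '{"timestamp":"2024-03-11 09:14:58.000100-0700","eventType":"logEvent",'
    '"processImagePath":"/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",'
    '"subsystem":"com.apple.loginwindow","category":"General",'
    '"messageType":"Default","eventMessage":"User <private> logged in"}',
    '{"timestamp":"2024-03-11 09:15:00.500000-0700","eventType":"timesyncEvent",'
    '"eventMessage":"timesync"}',
]

if __name__ == "__main__":
    pred = build_predicate(process="sudo", contains="COMMAND=")
    print(" ".join(log_show_argv(pred, last="1d")))
    for ev in parse_ndjson(SAMPLE_NDJSON):
        print(ev.timestamp.isoformat(), ev.process, ev.level, ev.message)
```

On a live host the same predicate can be handed to log stream to watch events as they arrive; against a collected bundle, pass the .logarchive path as archive and drop last in favour of --start/--end so the window is absolute rather than relative to the analyst's clock.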

Key Forensic Insight

Collect the log store in every macOS case. The tracev3 files are written continuously by logd under a root-owned directory, so clearing them requires root and leaves a visible gap, and a logarchive collected early in an engagement preserves events that will later roll off under retention.

Location & Format

Property           Detail
Primary Path       /var/db/diagnostics/ (tracev3 files under Persist/, Special/, Signpost/ and HighVolume/, plus timesync/) and /var/db/uuidtext/ (the format strings and shared-cache data that tracev3 entries reference)
Format             tracev3 compressed binary; a message is only readable when its tracev3 entry is joined with the matching /var/db/uuidtext/ format string
Default Retention  Days to weeks depending on volume; Default, Error and Fault messages are persisted, Info and Debug are not unless enabled

What It Reveals

The log answers which processes ran and what they reported, when (sub-second timestamps with the time zone recorded alongside), which user logged in or escalated with sudo, which services launchd started, which volumes were mounted, and, after a cleanup, which events were erased and which survived.

Forensic Use Cases

1. Incident Response Triage

Filter the last hours or days by process, subsystem, or message text to establish when the first suspicious process ran and what it touched; sudo, loginwindow, launchd, and opendirectoryd entries give the authentication and execution skeleton of the timeline.

2. Insider Threat Investigation

Login and unlock times, removable-media mounts, screen sharing sessions, and privilege use through sudo show when a user was active and what they had access to, which is the basis for policy-violation findings.

3. Anti-Forensics Detection

Erasing the store needs root (log erase --all, or deleting /var/db/diagnostics), and the result is a store whose oldest event is the moment of erasure, or a silence across every process where a range was removed. The sudo entry recording the erase command is written before the command runs, so it survives in any logarchive collected earlier and often in other artifacts such as shell history.
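The two tamper checks just described, as an added example that is not code from the original page: it looks for silences across all processes and for messages that reference an erasure of the store, and reports when the persisted store begins. Events are plain (timestamp, process, message) tuples, the gap threshold is an assumption to tune per host, and the event list is constructed.

```python
"""Added example, not from the original page: tamper checks over a
constructed list of unified-log events, each a (timestamp, process,
message) tuple as produced by parsing `log show --style ndjson` output."""
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

Event = Tuple[datetime, str, str]

# Strings that point at the log store itself; a sudo or shell entry carrying
# one of them deserves a closer look.
ERASE_PATTERNS = ("log erase", "/var/db/diagnostics", "/var/db/uuidtext")


def parse_ts(text: str) -> datetime:
    """Timestamp format used by log show in json/ndjson style."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f%z")


def find_gaps(events: Iterable[Event],
              threshold: timedelta = timedelta(hours=1)
              ) -> List[Tuple[datetime, datetime, timedelta]]:
    """Silences longer than `threshold` across all processes. logd writes
    continuously on a running system, so a long gap is either sleep or
    shutdown (corroborate with kernel power events) or a hole cut in the
    store. The one-hour threshold is an assumption; tune it per host."""
    ts = sorted(ev[0] for ev in events)
    return [(a, b, b - a) for a, b in zip(ts, ts[1:]) if b - a > threshold]


def erase_indicators(events: Iterable[Event]) -> List[Event]:
    """Events whose message references erasure of the log store."""
    return [ev for ev in events
            if any(p in ev[2].lower() for p in ERASE_PATTERNS)]


def store_start(events: Iterable[Event]) -> datetime:
    """Oldest persisted event. A store that begins shortly before the
    response started, on a machine that has run for weeks, was erased."""
    return min(ev[0] for ev in events)


# Constructed sample: sudo records the erase command, then the store is
# silent for four and a half hours until a wake and a login.
SAMPLE_EVENTS: List[Event] = [
    (parse_ts("2024-03-11 09:00:00.000000-0700"), "launchd",
     "constructed: service exited with abnormal code"),
    (parse_ts("2024-03-11 09:10:00.000000-0700"), "sudo",
     "alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/log erase --all"),
    (parse_ts("2024-03-11 09:10:02.500000-0700"), "logd",
     "constructed: store rotated"),
    (parse_ts("2024-03-11 13:45:00.000000-0700"), "kernel",
     "constructed: wake reason"),
    (parse_ts("2024-03-11 13:45:01.000000-0700"), "loginwindow",
     "User <private> logged in"),
]

if __name__ == "__main__":
    for a, b, d in find_gaps(SAMPLE_EVENTS):
        print(f"gap of {d} from {a.isoformat()} to {b.isoformat()}")
    for ts, proc, msg in erase_indicators(SAMPLE_EVENTS):
        print(f"erase indicator at {ts.isoformat()} from {proc}: {msg}")
    print("persisted store starts at", store_start(SAMPLE_EVENTS).isoformat())
```

A gap on its own proves little on a laptop that sleeps; the finding is a gap with no sleep or shutdown entry around it, or a store start that contradicts the system uptime and the host's known history.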

Acquisition Methods

Collection Note

Live: run log collect as root (sudo log collect --output <path>.logarchive, optionally limited with --last or --start) on the host. The resulting .logarchive bundle contains the timesync and uuidtext data that log show and third-party parsers require, which a bare copy of the tracev3 files does not. Copying /var/db/diagnostics/ and /var/db/uuidtext/ directly also works; logd keeps files open, but they remain readable, and both trees must be taken because tracev3 entries cannot be rendered without uuidtext. Offline: copy the same two directories from the forensic image. Hash everything at collection time and write the output to evidence media, not to the subject disk.
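The live-collection step above, as an added example that is not the page's own code: it assembles the `log collect` command line, runs it on macOS only, and writes a per-file SHA-256 manifest of the resulting bundle for the chain-of-custody record. The bundle used to exercise the hashing here is a constructed directory with the .logarchive layout, not a real archive, and the output path is hypothetical.

```python
"""Added example, not the page's own code: acquire a .logarchive with
`log collect` and hash every file inside it. `log collect` runs only on
macOS and needs root; the hashing runs anywhere and is exercised here on a
constructed bundle."""
import hashlib
import json
import platform
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def collect_argv(output: str, last: Optional[str] = None,
                 start: Optional[str] = None) -> List[str]:
    """argv for `log collect`. --last takes a span such as 7d, 12h or 30m,
    --start an absolute 'YYYY-MM-DD HH:MM:SS'; only one is used here."""
    if last and start:
        raise ValueError("use --last or --start, not both")
    argv = ["sudo", "log", "collect", "--output", output]
    if last:
        argv += ["--last", last]
    if start:
        argv += ["--start", start]
    return argv


def hash_bundle(bundle: Path) -> Dict[str, str]:
    """SHA-256 of every regular file under the bundle, keyed by relative path."""
    digests: Dict[str, str] = {}
    for path in sorted(bundle.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(bundle).as_posix()] = h.hexdigest()
    return digests


def manifest_digest(digests: Dict[str, str]) -> str:
    """One digest over the sorted manifest, for the chain-of-custody form."""
    h = hashlib.sha256()
    for rel, d in sorted(digests.items()):
        h.update(f"{d}  {rel}\n".encode())
    return h.hexdigest()


def collect(output: str, last: Optional[str] = None,
            start: Optional[str] = None) -> str:
    """Run the collection, write <output>.sha256.json, return the manifest digest."""
    if platform.system() != "Darwin":
        raise RuntimeError("log collect is only available on macOS")
    subprocess.run(collect_argv(output, last, start), check=True)
    digests = hash_bundle(Path(output))
    Path(output + ".sha256.json").write_text(
        json.dumps(digests, indent=2, sort_keys=True))
    return manifest_digest(digests)


def make_demo_bundle() -> Path:
    """Constructed stand-in with the .logarchive layout (not real tracev3 data)."""
    root = Path(tempfile.mkdtemp()) / "demo.logarchive"
    (root / "Persist").mkdir(parents=True)
    (root / "Persist" / "0000000000000001.tracev3").write_bytes(b"hello")
    (root / "Info.plist").write_bytes(b"<plist/>")
    return root


if __name__ == "__main__":
    # Hypothetical evidence path; on macOS, collect() would run this command.
    print(" ".join(collect_argv("/Volumes/Evidence/host.logarchive", last="7d")))
    demo = make_demo_bundle()
    print(json.dumps(hash_bundle(demo), indent=2))
    print("manifest:", manifest_digest(hash_bundle(demo)))
```

Re-running hash_bundle on the archive at analysis time and comparing manifest digests is the check that the bundle is the one collected; sorting by relative path makes the manifest digest independent of filesystem enumeration order.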

Parsing Tools & Analysis

On macOS, log show reads a collected bundle directly (log show --archive <bundle>) and accepts the same predicates as a live query. Open-source parsers that read raw tracev3 and uuidtext data without macOS include mandiant/macos-UnifiedLogs (a Rust library with a command-line parser), ydkhatri/UnifiedLogReader (Python), and the unified-log plugin in mac_apt; most commercial macOS suites also parse the format. Whichever tool is used, it needs the uuidtext and timesync data alongside the tracev3 files, and timestamps should be checked against the timesync records rather than trusted from the raw entries.

Retention & Persistence

Property           Detail
Default Retention  Days to weeks depending on volume; logd rotates tracev3 files as the store grows, so a busy host keeps less history. Default, Error and Fault messages are persisted; Info and Debug are not unless enabled per subsystem or with log config, and enabling them fills the store faster and shortens retention.

Anti-Forensics Resilience

Consumer cleanup tools rarely touch the log store. Erasing it requires root, and an attacker who does so leaves a store whose oldest timestamp is the erasure time; compare the store start and any gaps against a previously collected logarchive where one exists.

MITRE ATT&CK Detection

Unified log events underpin several ATT&CK data sources on macOS, including Logon Session (loginwindow and opendirectoryd entries) and Command Execution (sudo entries). Clearing the store maps to T1070.002, Indicator Removal: Clear Linux or Mac System Logs. Consult the MITRE ATT&CK Data Sources for the full technique mappings.

Related Artifacts

Cross-correlate with FSEvents, the legacy /var/log/system.log and install.log, KnowledgeC.db, TCC.db, and user shell history; each has its own entry in the Forensic Artifacts Encyclopedia.

Mjolnir Security — Digital Forensics & Incident Response

Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony.
