Apple Unified Logs was first implemented with Mac OS Sierra (10.12), launched on September 2016, Apple implemented a log system that is present not only in its laptops/desktops, but also on iOS devices (iPhone, iPad, iPod), Apple watches and Apple TV. The purpose was to unify and standardize the OS system logs.

Apple Unified Logs contain information useful for all sorts of forensics analysis, like user logins, use of terminal, processes that were running in the context of certain events of interest, register of time machine backups including start and end time, network usage, external media used (mount and unmount events), connections of printers or iPhones, e-mail accounts sync, and in general, data for most user interaction with the system.

Unified Logs (Location and Retention)

AULs are comprised of multiple files in two main groups: tracev3 files and support files. The former group is found in the /var/db/diagnostics directory and the latter in the /var/db/uuidtext directory. AULs retention period is around 28-30 days and may include millions of records. AULs can be obtained both from a live Mac computer and from a forensics image. Because the retention period is relatively short, it is important to examine Macs as quickly as possible following an incident

Mac Forensics and Unified Logs

To make sense of the huge volume of information usually seen in AULs, the forensics investigator needs both specialized forensics tools to parse the AUL, and a thorough understanding of the recorded AUL events.

One of the most common artifacts examiners must review in data exfiltration cases, regardless of OS (Windows or Mac OS) is the mounting of any USB devices and the Apple unified logs are the primary source when it analyzing Macs.