#UnifiedLogs

Alexis Brignoni (@abrignoni@infosec.exchange)
2025-05-19

🆕 New blog post on Apple Unified Logs (iOS) and how to query them effectively.
🪵 Learn how to generate a .logarchive using a macOS device, third-party tools, or straight from files in a full file system extraction.
🪵 Use a macOS device to convert the .logarchive into a JSON file for use outside of a macOS environment.
🪵 Process the JSON file with iLEAPP in order to query the data using SQLite.

If you are not looking at unified logs you are missing incredibly valuable evidence in your cases.

Thanks to the following researchers for their invaluable contributions:
🙏 Lionel Notari
🙏 Tim Korver
🙏 Johann POLEWCZYK
🙏 Heather Charpentier

Read the blog post here:

abrignoni.blogspot.com/2025/05

#DigitalForensics #DFIR #MobileForensics #UnifiedLogs #AppleForensics #iOSForensics #iLEAPP
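The post above describes a three-step pipeline: collect a .logarchive, export it with `log show --archive <file> --style json` on a Mac, then load the JSON into SQLite so it can be queried off-box (which is what iLEAPP does for you). The following is an added example, not the author's code or iLEAPP's, showing the load-and-query step by hand. It assumes the JSON field names `log show --style json` emits (timestamp, eventType, messageType, subsystem, category, processID, processImagePath, senderImagePath, activityIdentifier, ...), and the three events embedded below are constructed for the demo, not real output. Timestamps are normalised to UTC during the load, which is the step analysts most often get wrong when correlating Unified Log entries with artifacts from other time zones.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample in the shape of `log show --style json` output: a JSON array of
# event objects. Field names follow what macOS's `log` emits as far as I know them
# (an assumption for this example); the values are invented.
SAMPLE_LOG_JSON = """[
  {"timestamp": "2025-05-19 10:14:59.000100-0400", "eventType": "logEvent",
   "messageType": "Error", "subsystem": "com.apple.sudo", "category": "auth",
   "processID": 501, "processImagePath": "/usr/bin/sudo",
   "processImageUUID": "AAAAAAAA-0000-0000-0000-000000000001",
   "senderImagePath": "/usr/bin/sudo", "senderImageUUID": "AAAAAAAA-0000-0000-0000-000000000001",
   "senderProgramCounter": 8192, "activityIdentifier": 5, "parentActivityIdentifier": 0,
   "eventMessage": "authentication failed"},
  {"timestamp": "2025-05-19 10:15:02.123456-0400", "eventType": "logEvent",
   "messageType": "Default", "subsystem": "com.apple.xpc", "category": "connection",
   "processID": 512, "processImagePath": "/usr/bin/whoami",
   "processImageUUID": "AAAAAAAA-0000-0000-0000-000000000002",
   "senderImagePath": "/usr/lib/system/libxpc.dylib",
   "senderImageUUID": "AAAAAAAA-0000-0000-0000-000000000003",
   "senderProgramCounter": 4096, "activityIdentifier": 7, "parentActivityIdentifier": 0,
   "eventMessage": "xpc connection established"},
  {"timestamp": "2025-05-19 10:15:05.500000-0400", "eventType": "logEvent",
   "messageType": "Default", "category": "",
   "processID": 1, "processImagePath": "/sbin/launchd",
   "senderImagePath": "/sbin/launchd",
   "senderProgramCounter": 0, "activityIdentifier": 0, "parentActivityIdentifier": 0,
   "eventMessage": "service spawned"}
]"""

COLUMNS = (
    "timestamp_utc", "event_type", "message_type", "subsystem", "category", "pid",
    "process_image_path", "process_image_uuid", "sender_image_path", "sender_image_uuid",
    "sender_program_counter", "activity_id", "parent_activity_id", "event_message",
)


def to_utc(ts: str) -> str:
    """Normalise a `log` timestamp such as "2025-05-19 10:15:02.123456-0400" to ISO 8601 UTC."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z").astimezone(timezone.utc).isoformat()


def load_events(json_text: str, conn: sqlite3.Connection) -> int:
    """Insert every event from a `log show --style json` export; returns the row count."""
    events = json.loads(json_text)  # whole array in memory: fine here, not for a multi-GB export
    conn.execute(f"CREATE TABLE IF NOT EXISTS unified_logs ({', '.join(COLUMNS)})")
    rows = [(
        to_utc(e["timestamp"]), e.get("eventType"), e.get("messageType"),
        e.get("subsystem"), e.get("category"), e.get("processID"),      # keys may be absent
        e.get("processImagePath"), e.get("processImageUUID"),
        e.get("senderImagePath"), e.get("senderImageUUID"),
        e.get("senderProgramCounter"), e.get("activityIdentifier"),
        e.get("parentActivityIdentifier"), e.get("eventMessage"),
    ) for e in events]
    conn.executemany(f"INSERT INTO unified_logs VALUES ({', '.join('?' * len(COLUMNS))})", rows)
    conn.commit()
    return len(rows)


def build_db(json_text: str, path: str = ":memory:") -> sqlite3.Connection:
    """Create (or reuse) a SQLite database and load the export into it."""
    conn = sqlite3.connect(path)
    load_events(json_text, conn)
    return conn


def find_by_process(conn: sqlite3.Connection, needle: str) -> list[tuple]:
    """Rows whose process image path contains `needle` (LIKE is case-insensitive for ASCII)."""
    cur = conn.execute(
        "SELECT timestamp_utc, process_image_path, event_message FROM unified_logs "
        "WHERE process_image_path LIKE ? ORDER BY timestamp_utc", (f"%{needle}%",))
    return cur.fetchall()


def count_by_message_type(conn: sqlite3.Connection) -> dict[str, int]:
    """Quick triage view: how many Default/Info/Error/Fault entries the export holds."""
    cur = conn.execute("SELECT message_type, COUNT(*) FROM unified_logs GROUP BY message_type")
    return dict(cur.fetchall())


if __name__ == "__main__":
    db = build_db(SAMPLE_LOG_JSON)
    for row in find_by_process(db, "whoami"):
        print(row)
    print(count_by_message_type(db))
```

To use this on a real export, replace `SAMPLE_LOG_JSON` with the contents of the file produced by `log show --archive case.logarchive --style json > case.json` and pass a file path to `build_db` so the database persists; the same `SELECT` queries then work from any SQLite client.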

Dan (@4n68r@infosec.exchange)
2023-06-15

I started documenting some of the log predicate filters I find helpful for Apple Unified Logs. I am just starting to record them and haven't gotten very far yet (I have a lot of notes, and some of my filters seem to no longer work in newer versions of macOS so I am testing each of them on 12.6 which takes longer), but please do share / link me to your favorite filters for inclusion! github.com/danzek/annotationis

#macOS #UnifiedLogs #UnifiedLogging #DFIR

2022-12-21

🦖Day 90 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange.MacOS.UnifiedLogHunter

Link:
docs.velociraptor.app/exchange

----

With macOS 10.12 (Sierra) came a new way to log system events in a more centralized, unified fashion -- Unified Logs.

Read more here:

devstreaming-cdn.apple.com/vid

These logs can be of great importance to investigators searching for artifacts of adversary activity.

----

@crowdstrike , @Mandiant, and others have done a great job covering the usefulness and technical details surrounding the Unified Logging system.

crowdstrike.com/blog/how-to-le

mandiant.com/resources/blog/re

----

This artifact is a wrapper around the 'log' command, allowing defenders to easily review events from the logs from the many subsystems of the Unified Logging infrastructure.

It provides the ability to search using a custom or pre-defined filter, and is great for live hunting.

----

If you are looking to collect only raw files and parse them later, or for a third party tool to process the data, check out the Exchange.MacOS.UnifiedLogParser artifact.

docs.velociraptor.app/exchange

----

The information provided by this artifact includes:

- Event time/message/type
- Message type
- Category
- Subsystem
- PID
- Process image Path/UUID
- Sender image Path/UUID
- Sender program counter
- Activity ID
- Parent activity ID

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#DFIR
#Forensics
#Infosec
#macOS
#ThreatHunting
#UnifiedLogs

Image: Exchange.MacOS.UnifiedLogHunter artifact overview
Image: Some of the available filter options for Exchange.MacOS.UnifiedLogHunter, including a custom filter and several pre-defined filters
Image: Example of a custom filter (also known as 'predicate') used with the 'log' command. In this case, processes including the name 'whoami' are targeted.
Image: Results from the artifact collection, including process names containing the text 'whoami' and Xprotect scanning activity
