- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Independent forensic reconstruction of every login, screen-unlock, sudo, SSH, screen sharing, and failed authentication on a Mac β with account attribution, method of authentication (password / TouchID / Apple Watch), and source (local console, network, remote).
Quick Answer. Mac Login History Forensics combines loginwindow events in the Unified Log, opendirectoryd authentication decisions, legacy ASL auth.log, wtmp/utmpx session records, and lastlog to answer four questions: who logged in, when, from where, and by what method. Every event ties to a short-name (username), UID, and β in modern macOS β the exact authentication mechanism: password, TouchID, Apple Watch proximity, Auto Unlock, or SSH publickey.
| Artifact | Path / source | What it records |
|---|---|---|
| loginwindow Unified Log | com.apple.loginwindow subsystem | Console login, logout, fast-user-switch, screen unlock, screensaver on/off |
| opendirectoryd Unified Log | com.apple.opendirectoryd subsystem | Every authentication attempt, success or failure, with reason |
| SecurityAgent | com.apple.securityagent subsystem | Admin-privilege prompts (system.preferences, etc.) |
| ASL auth | /private/var/log/asl/*.asl | Historical authentication events on older systems |
| utmpx (current sessions) | /private/var/run/utmpx | Live tty / GUI sessions |
| wtmp / lastlog | BSM audit trail (see below) | Legacy login records |
| BSM audit trail | /var/audit/* | If auditd is enabled β full audit of authentication and file access |
| SSH sessions | com.apple.sshd + /var/log/system.log | Source IP, key fingerprint, user |
| Screen sharing | com.apple.screensharing subsystem | Remote unlock via ARD / Screen Sharing.app with source IP |
The correct answer to “was the user at the keyboard?” almost always depends on cross-referencing three streams:
Session Unlock or Screen Saver deactivated event without a preceding screen sharing session indicates the physical console.connection established in the same window is decisive proof the unlock was remote.com.apple.LocalAuthentication β TouchID / Watch unlock events are impossible from a remote session and prove physical proximity to the machine.We also correlate with KnowledgeC.db /device/isLocked and /display/isBacklit streams (see User Activity Forensics) β the display state during the alleged event either supports or contradicts the login record.
opendirectoryd emits explicit reasons for authentication failures: Kerberos KDC reported error, Password verification failed, Account is disabled, Password policy violation. Repeated failures against a single account within a short window β especially at the loginwindow at times the account holder is known to be elsewhere β are a signature indicator of unauthorized access attempts. Combined with the Unified Log com.apple.loginwindow “loginwindow displayed” markers, we can reconstruct the entire attack surface for a given day.
SSH activity appears in the com.apple.sshd subsystem with source IP, user, and method (publickey/password). We cross-reference with:
/etc/ssh/sshd_config β was SSH enabled? PermitRootLogin? PasswordAuthentication?/Library/Preferences/com.apple.RemoteLogin.plist β whether Remote Login is enabled in System Settings~/.ssh/authorized_keys β public keys authorized to log in (compare mtime and key comment)~/.ssh/known_hosts β where the user has SSH’d out from this Mac~/.zsh_history (default since 10.15), ~/.bash_historyElite Digital Forensics is an independent, defense-aligned Mac forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Mac Forensics hub for the full analytical framework we bring to every matter.
We can prove the account logged in and, in modern macOS, the authentication method. TouchID / Apple Watch unlock place the credential holder physically at the machine. Password-only logins prove the credential was used but not necessarily by the account owner β that’s where cross-artifact correlation (KnowledgeC.db, media on the screen, keystrokes to specific applications) becomes decisive.
Unified Logs typically retain ~30 days. ASL, wtmp, install.log, and Time Machine / APFS snapshots frequently extend this to months. In matters where the incident date is older, we scope the analysis to the artifacts that survive the window.
Yes. LocalAuthentication subsystem records the mechanism as watchUnlock, distinct from password or biometric, and typically appears just before loginwindow session unlock.
Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant