macOS Login History Β· Authentication Forensics

Mac Login History & Authentication Forensics

Independent forensic reconstruction of every login, screen-unlock, sudo, SSH, screen sharing, and failed authentication on a Mac β€” with account attribution, method of authentication (password / TouchID / Apple Watch), and source (local console, network, remote).

← Canonical HubThis page is part of the Mac Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. Mac Login History Forensics combines loginwindow events in the Unified Log, opendirectoryd authentication decisions, legacy ASL auth.log, wtmp/utmpx session records, and lastlog to answer four questions: who logged in, when, from where, and by what method. Every event ties to a short-name (username), UID, and β€” in modern macOS β€” the exact authentication mechanism: password, TouchID, Apple Watch proximity, Auto Unlock, or SSH publickey.

Where the login evidence lives

ArtifactPath / sourceWhat it records
loginwindow Unified Logcom.apple.loginwindow subsystemConsole login, logout, fast-user-switch, screen unlock, screensaver on/off
opendirectoryd Unified Logcom.apple.opendirectoryd subsystemEvery authentication attempt, success or failure, with reason
SecurityAgentcom.apple.securityagent subsystemAdmin-privilege prompts (system.preferences, etc.)
ASL auth/private/var/log/asl/*.aslHistorical authentication events on older systems
utmpx (current sessions)/private/var/run/utmpxLive tty / GUI sessions
wtmp / lastlogBSM audit trail (see below)Legacy login records
BSM audit trail/var/audit/*If auditd is enabled β€” full audit of authentication and file access
SSH sessionscom.apple.sshd + /var/log/system.logSource IP, key fingerprint, user
Screen sharingcom.apple.screensharing subsystemRemote unlock via ARD / Screen Sharing.app with source IP

Distinguishing physical presence from remote access

The correct answer to “was the user at the keyboard?” almost always depends on cross-referencing three streams:

  1. loginwindow β€” a Session Unlock or Screen Saver deactivated event without a preceding screen sharing session indicates the physical console.
  2. com.apple.screensharing β€” presence of a client IP and connection established in the same window is decisive proof the unlock was remote.
  3. SecurityAgent and com.apple.LocalAuthentication β€” TouchID / Watch unlock events are impossible from a remote session and prove physical proximity to the machine.

We also correlate with KnowledgeC.db /device/isLocked and /display/isBacklit streams (see User Activity Forensics) β€” the display state during the alleged event either supports or contradicts the login record.

Failed authentication and lockout

opendirectoryd emits explicit reasons for authentication failures: Kerberos KDC reported error, Password verification failed, Account is disabled, Password policy violation. Repeated failures against a single account within a short window β€” especially at the loginwindow at times the account holder is known to be elsewhere β€” are a signature indicator of unauthorized access attempts. Combined with the Unified Log com.apple.loginwindow “loginwindow displayed” markers, we can reconstruct the entire attack surface for a given day.

SSH and remote shell logins

SSH activity appears in the com.apple.sshd subsystem with source IP, user, and method (publickey/password). We cross-reference with:

  • /etc/ssh/sshd_config β€” was SSH enabled? PermitRootLogin? PasswordAuthentication?
  • /Library/Preferences/com.apple.RemoteLogin.plist β€” whether Remote Login is enabled in System Settings
  • ~/.ssh/authorized_keys β€” public keys authorized to log in (compare mtime and key comment)
  • ~/.ssh/known_hosts β€” where the user has SSH’d out from this Mac
  • Shell history β€” ~/.zsh_history (default since 10.15), ~/.bash_history

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Mac forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Mac Forensics hub for the full analytical framework we bring to every matter.

Related Mac forensics pages

Frequently asked questions

Can you prove a specific person logged in?

We can prove the account logged in and, in modern macOS, the authentication method. TouchID / Apple Watch unlock place the credential holder physically at the machine. Password-only logins prove the credential was used but not necessarily by the account owner β€” that’s where cross-artifact correlation (KnowledgeC.db, media on the screen, keystrokes to specific applications) becomes decisive.

How far back can login history be reconstructed?

Unified Logs typically retain ~30 days. ASL, wtmp, install.log, and Time Machine / APFS snapshots frequently extend this to months. In matters where the incident date is older, we scope the analysis to the artifacts that survive the window.

Does macOS log Apple Watch auto-unlock separately?

Yes. LocalAuthentication subsystem records the mechanism as watchUnlock, distinct from password or biometric, and typically appears just before loginwindow session unlock.

Ready to move on your mac login history & authentication matter?

Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Apple: Manage user accounts. support.apple.com
  2. Apple: Log messages with the Console app. support.apple.com
  3. OpenBSD: sshd(8). man.openbsd.org

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#MacForensics #LoginHistory #Authentication #macOS #DFIR #EliteDigitalForensics

Assistant Icon Elite Digital Forensics Assistant
πŸ‘‹ Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime.Β 

IMPORTANT: Please remember to check your spam or junk folder