- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Independent forensic analysis of macOS Unified Logs (.tracev3), Apple System Log (ASL), and legacy syslog. We reconstruct authentication events, service activity, remote access, kernel and security subsystem behavior, and detect evidence of log tampering.
Quick Answer. Mac System Log Forensics is the structured examination of macOS logging subsystems. Since macOS 10.12 (Sierra), Apple has used the Unified Logging system, storing compressed binary tracepoints in /var/db/diagnostics/*.tracev3 with supporting strings in /var/db/uuidtext/. Older ASL logs live in /private/var/log/asl/*.asl, and plain-text syslog rotations remain under /private/var/log/. Every entry carries a monotonic timestamp, subsystem, category, process ID, sender image UUID and thread ID, producing a tamper-evident record chain admissible under FRE 702 and 901.
| Path | Format | What it holds |
|---|---|---|
| /var/db/diagnostics/Persist/*.tracev3 | Unified Log (binary) | Long-lived events; ~30 days on typical volume, longer on servers |
| /var/db/diagnostics/Special/*.tracev3 | Unified Log (binary) | High-priority events retained separately |
| /var/db/diagnostics/Signpost/*.tracev3 | Unified Log (binary) | os_signpost intervals from apps and frameworks |
| /var/db/uuidtext/XX/* | Format strings | Required to decode format specifiers in tracev3 records |
| /private/var/log/asl/*.asl | ASL (binary) | Legacy Apple System Log β auth, install, kernel messages |
| /private/var/log/system.log | text | Human-readable tail on older systems |
| /private/var/log/install.log | text | macOS updates and pkg installs |
| /private/var/log/wifi.log | text | Wi-Fi association events |
| /private/var/log/DiagnosticMessages/*.asl | ASL | DiagnosticMessages stream β daemon output |
| /Library/Logs/DiagnosticReports/ | text/ips | Crash and hang reports (kernel panics, spindump) |
Filtering by subsystem is the core of Unified Log analysis. Every relevant matter reviews these subsystems for the case window:
com.apple.securityd β keychain and Security framework operationscom.apple.SkyLight / com.apple.WindowServer β display, screen unlock, screen sharingcom.apple.opendirectoryd β local and network authenticationcom.apple.authorization β sudo, admin prompts, TCC promptscom.apple.TCC β Transparency, Consent, Control (privacy prompts and grants)com.apple.loginwindow β console login/logout, screensaver unlockcom.apple.screensharing / com.apple.RemoteDesktop β Screen Sharing and ARDcom.apple.sshd β SSH connections and authenticationcom.apple.usbmuxd / com.apple.iokit.IOUSBFamily β USB device connect/disconnectcom.apple.kernel β kexts, mounts, hardware eventsBaseline query used in every intake: log show --style syslog --info --debug --predicate 'subsystem == "com.apple.opendirectoryd" OR subsystem == "com.apple.loginwindow" OR eventMessage CONTAINS "authentication"' --start "YYYY-MM-DD HH:MM:SS".
Live host: sudo log collect --output /Volumes/EVIDENCE/logs.logarchive --last 30d preserves the tracev3 store and uuidtext together as a portable .logarchive bundle we can analyze offline.
Dead-box acquisition: we mount the source volume read-only and copy /var/db/diagnostics/ and /var/db/uuidtext/ together β the tracev3 files are unusable without the matching uuidtext strings. Analysis is performed with log show --archive path.logarchive against the copied archive, never against the original volume.
Every command executed is captured in an examination log so the reconstruction is repeatable and defensible.
| Event | Where recorded | Meaning |
|---|---|---|
| Console login | loginwindow subsystem + ASL auth.log | Successful GUI login with short-name of user |
| Screensaver unlock | loginwindow “SessionAgentNotificationCenter” | Physical presence at the keyboard |
| sudo invocation | com.apple.sudo / auth.log | User, tty, command executed |
| Admin authentication prompt | authorization / SecurityAgent | Right requested (system.preferences etc.) and result |
| TouchID / Watch unlock | securityd + loginwindow | Biometric unlock, differentiates from password |
| SSH login | com.apple.sshd + auth.log | Source IP, user, publickey/password method |
| Screen sharing | com.apple.screensharing | Client IP, session start/stop |
| Failed authentication | opendirectoryd | Bad password, unknown user, or locked account |
/var/db/diagnostics or /var/db/uuidtext β recovered via APFS local snapshots (see Mac File System Forensics) and Time Machine.com.apple.system.timesync and com.apple.system.launchd boot events; the Unified Log preserves both monotonic boot time and wall-clock time.~/.zsh_history / ~/.bash_history deletion is recoverable from APFS snapshots and Time Machine.Elite Digital Forensics is an independent, defense-aligned Mac forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Mac Forensics hub for the full analytical framework we bring to every matter.
Unified Log Persist typically retains ~30 days on a desktop and can span several months on lightly used systems. Special stream, ASL, install.log, and wifi.log often reach further back. Time Machine and APFS local snapshots frequently extend the window.
Often yes. loginwindow console-unlock events with a specific short-name, correlated with KnowledgeC.db /app/inFocus and TouchID/Watch unlock records, place a specific user account (and frequently their biometric) at the machine at a specific moment.
The Unified Log is not user-editable through the standard tools without root; even root deletion is recoverable from APFS local snapshots and Time Machine. sudo, launchctl unload, and file-delete actions themselves leave records in the earlier chunks that survive.
Only when run against a preserved .logarchive with the source uuidtext included. Running log show live against the running host is fine for triage but not for a preservation of record.
Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant