Extracting and Analyzing Apple Unified Logs

June 27th, 2025 by Oleg Afonin
Category: «Mobile», «Tips & Tricks»

Apple’s unified logging system offers a wealth of information for forensic investigators analyzing iOS, iPadOS, watchOS, tvOS, and other devices from Apple ecosystems. Originally designed for debugging and diagnostics, these logs capture a continuous stream of detailed system activity – including app behavior, biometric events, power state changes, and connectivity transitions. In digital forensics, where traditional sources of evidence like backups or app data may be encrypted or inaccessible, unified logs provide an alternative and often untapped reservoir of forensic artifacts. This article explores the content, availability, and forensic value of Apple unified logs across different device types, focusing on practical methods for extraction and analysis using modern forensic tools.

Forensic value of Apple unified logs

Apple’s unified logging system is a powerful forensic resource, especially when conventional evidence sources are missing or inaccessible. However, the logs are not just useful when other data is not available; they perfectly complement the other types of data, often providing a continuous timeline of user activities. Originally designed for system diagnostics and performance monitoring, these logs continuously capture an extraordinary level of detail about the inner workings of iOS, watchOS, and other Apple platforms. Forensic investigators can take advantage of this by interpreting key artifacts that reflect both user activity and system behavior.

Per Apple’s documentation:

The unified logging system provides a comprehensive and performant API to capture telemetry across all levels of the system. This system centralizes the storage of log data in memory and on disk, rather than writing that data to a text-based log file. You view log messages using the Console app, log command-line tool, or Xcode debug console. You can also access log messages programmatically using the OSLog framework.

One of the most valuable categories of artifacts includes biometric and authentication events. For example, Face ID entries record when a face was detected, whether the user was attentive (looking at the screen), whether they were wearing glasses, and even the temperature of the Face ID sensor at that moment. These entries can confirm a user’s physical presence and intent to unlock the device at a particular point in time. Similarly, Touch ID interactions are also logged in great detail. Events indicating a finger being placed on or removed from the sensor can be found in the logs, along with contextual information such as whether the interaction was part of a successful authentication sequence.

Unified logs also provide a detailed timeline of unlock attempts, both successful and failed, across biometric and passcode methods. Entries from the SpringBoard process, which manages the iOS home screen, often record whether the device was unlocked using a passcode or biometric factor. These logs, too, can be used to identify when a device was accessed and how.

In addition to authentication data, system state changes such as device restarts, shutdowns, and firmware loading events are recorded. These events can be crucial in determining whether a device was intentionally powered down or restarted during a particular time window. For instance, an unexpected shutdown followed by a boot log can indicate tampering or forced rebooting during seizure.

Unified logs also capture contextual behavioral data that can help investigators infer how a device was used. For example, orientation changes like “FaceUp to Portrait” or “Portrait to LandscapeLeft” are recorded by CoreMotion and can indicate how a phone was held or manipulated during use. These subtle indicators of physical device handling are rarely found in other artifacts but can be critical in reconstructing a timeline of activity.

Additionally, logs may contain traces of AirDrop activity, Continuity sessions, app launch events, and changes in network connectivity, all of which can corroborate a user’s presence or help reconstruct sequences of events. These types of information can be particularly valuable when app-level logs are missing due to deletion or encryption, offering an alternative lens through which to assess device usage.

Ultimately, unified logs serve as a forensic goldmine for constructing high-resolution timelines of user interaction, device activity, and system behavior. With precise timestamps and comprehensive system coverage, these logs can often bridge gaps left by inaccessible or missing data sources, making them a vital resource in modern mobile forensic investigations.

Extracting unified logs

Apple’s unified logs are not persistently stored by default and must first be generated on the device via a specific procedure. This process differs depending on the device type – iPhone, iPad, Apple Watch, Apple TV, and so on – and will be covered in later sections.

After logs are generated, they can be extracted using various methods. Apple’s official documentation describes various techniques that, while suitable for developers, are not designed for forensic workflows. Third-party tools like UFADE and iOS Unified Log Tool can be used instead.

We in turn will use our own tool, Elcomsoft iOS Forensic Toolkit (EIFT), a command-line tool purpose-built for mobile investigations. Once the target device is unlocked and paired with the forensic workstation (requiring the device passcode on iOS/iPadOS), unified logs can be extracted using the following command (Windows):

eift_cmd normal dumpcrash -o FILEPATH\FILENAME

For Linux and macOS, the following syntax should be used instead:

./eift_cmd normal dumpcrash -o FILEPATH/FILENAME

This command retrieves diagnostic data and saves it to a file named via the ‘FILENAME’ parameter at the specified path (‘FILEPATH’). Note that the logs are saved into a single TAR archive, so your FILENAME should be something like “unifiedlogs.tar”. We’ll use that file name in all further examples.

Notes:

  1. If you are using Windows, you must have Apple Devices (previously iTunes) installed on your computer and run it at least once.
  2. The logs must be generated on-device prior to extraction. On some platforms one must wait for several minutes before the logs are gathered.
  3. The device must be unlocked and paired to the forensic workstation, which requires the passcode (iOS/iPadOS).
  4. Extraction of the sysdiagnose data (stored under /DiagnosticLogs/sysdiagnose) can be slow if there is a high number of records. You may have to wait for half an hour or more. If your wait time is much longer than that, try using a different cable or connection.

Analyzing the logs

After unified logs have been extracted from a device (EIFT saves them into a .tar archive), the next step is to analyze the contents and extract relevant forensic artifacts. For this purpose, we use iLEAPP (iOS Logs, Events, And Plist Parser), an open-source tool developed specifically for parsing iOS artifacts, including unified logs.

iLEAPP is designed to automate the extraction and interpretation of data from iOS diagnostic dumps, crash reports, sysdiagnose archives, and more. It supports multiple artifact categories, such as screen unlock attempts, biometric activity, system and app usage, orientation changes, and power events, many of which are captured in Apple’s unified logs.

If you used iOS Forensic Toolkit to extract the logs, you will need to extract sysdiagnose logs first from the tar archive. The sysdiagnose logs are usually located in the following folder in the tar archive:

your-extracted-logfile.tar\private\var\mobile\Library\Logs\CrashReporter\DiagnosticLogs\sysdiagnose

In that folder, you will find a gzipped tar archive, e.g.

sysdiagnose_2025.06.24_11-01-29+0200_iPhone-OS_iPhone_22F76.tar.gz

Copy that file out of the archive. You can either decompress it to obtain the inner .tar file (in which case you will pass the -t tar argument to iLEAPP), or use the .tar.gz as is (in which case the argument will be -t gz).

To analyze a log archive and generate a report, use the following command:

python3 iLEAPP.py -t tar -o /path/to/output/folder -i /path/to/sysdiagnose.tar

Alternatively, if you are using the executable version of the tool downloaded from the Releases page, use the following command:

ileapp.exe -t tar -o /path/to/output/folder -i /path/to/sysdiagnose.tar

If you are passing the compressed file, use the following command:

ileapp.exe -t gz -o /path/to/output/folder -i /path/to/sysdiagnose.tar.gz

-t tar tells iLEAPP that the input is a .tar archive, such as the one produced by the eift_cmd normal dumpcrash command.

-i specifies the path to the input archive.

-o specifies the path to the output directory where the report will be saved.
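The two steps above (locating the sysdiagnose .tar.gz inside the EIFT dump, then choosing -t gz or -t tar for iLEAPP) are easy to get wrong by hand on large archives, so here is a small Python helper that automates them. This is an added example and not code from the article, from Elcomsoft or from the iLEAPP project; it assumes only the archive layout given above (private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/sysdiagnose/sysdiagnose_*.tar.gz) and builds a constructed stand-in archive so it can run without a real device dump. It records a SHA-256 of each extracted archive for the case notes and writes output using the file's basename only, so a crafted member path in the dump cannot escape the output directory.

```python
"""Locate, extract and hash the sysdiagnose archive(s) inside an EIFT dumpcrash TAR.

Added example; not part of the original article or of Elcomsoft/iLEAPP tooling.
Assumption: the EIFT TAR stores sysdiagnose_*.tar.gz under SYSDIAGNOSE_DIR.
"""
import hashlib
import io
import os
import posixpath
import tarfile
import tempfile
from typing import Iterator, List, Tuple

SYSDIAGNOSE_DIR = "private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/sysdiagnose"
# File name taken from the article; the archive contents below are constructed.
SAMPLE_NAME = "sysdiagnose_2025.06.24_11-01-29+0200_iPhone-OS_iPhone_22F76.tar.gz"


def _normalise(name: str) -> str:
    """Normalise a tar member name: forward slashes, no leading './' or '/'."""
    name = name.replace("\\", "/")
    while name.startswith("./"):
        name = name[2:]
    return name.lstrip("/")


def _sysdiagnose_members(tar: tarfile.TarFile) -> Iterator[Tuple[tarfile.TarInfo, str]]:
    """Yield (member, normalised name) for every sysdiagnose_*.tar.gz regular file."""
    for member in tar.getmembers():
        if not member.isfile():
            continue
        name = _normalise(member.name)
        if (posixpath.dirname(name) == SYSDIAGNOSE_DIR
                and posixpath.basename(name).startswith("sysdiagnose_")
                and name.endswith(".tar.gz")):
            yield member, name


def find_sysdiagnose_members(tar_path: str) -> List[str]:
    """Return the normalised member names of all sysdiagnose archives in the dump."""
    with tarfile.open(tar_path, "r:*") as tar:
        return [name for _, name in _sysdiagnose_members(tar)]


def extract_sysdiagnose(tar_path: str, out_dir: str) -> List[Tuple[str, str]]:
    """Extract each sysdiagnose archive to out_dir; return (output path, sha256) pairs."""
    os.makedirs(out_dir, exist_ok=True)
    results = []
    with tarfile.open(tar_path, "r:*") as tar:
        for member, name in _sysdiagnose_members(tar):
            src = tar.extractfile(member)
            # Basename only: a crafted member name must never write outside out_dir.
            dest = os.path.join(out_dir, posixpath.basename(name))
            digest = hashlib.sha256()
            with open(dest, "wb") as dst:
                for chunk in iter(lambda: src.read(1 << 20), b""):
                    dst.write(chunk)
                    digest.update(chunk)
            results.append((dest, digest.hexdigest()))
    return results


def ileapp_args(archive_path: str, report_dir: str) -> List[str]:
    """Build the iLEAPP argument list, picking -t gz or -t tar from the suffix."""
    if archive_path.endswith(".tar.gz"):
        kind = "gz"
    elif archive_path.endswith(".tar"):
        kind = "tar"
    else:
        raise ValueError("expected a .tar or .tar.gz sysdiagnose archive")
    return ["-t", kind, "-o", report_dir, "-i", archive_path]


def _add_bytes(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_archive(path: str) -> str:
    """Write a constructed stand-in for an EIFT dump (sample data, not a real device dump)."""
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w:gz") as gz:
        _add_bytes(gz, SAMPLE_NAME[:-7] + "/README.txt", b"constructed placeholder\n")
    with tarfile.open(path, "w") as tar:
        _add_bytes(tar, "./" + SYSDIAGNOSE_DIR + "/" + SAMPLE_NAME, inner.getvalue())
        _add_bytes(tar, "./private/var/mobile/Library/Logs/CrashReporter/notes.txt", b"decoy\n")
    return path


def run_demo() -> dict:
    """Build the sample dump, extract from it and verify the recorded hash."""
    work = tempfile.mkdtemp(prefix="unifiedlogs_")
    dump = build_sample_archive(os.path.join(work, "unifiedlogs.tar"))
    names = find_sysdiagnose_members(dump)
    extracted = extract_sysdiagnose(dump, os.path.join(work, "sysdiagnose"))
    path, recorded = extracted[0]
    with open(path, "rb") as fh:
        actual = hashlib.sha256(fh.read()).hexdigest()
    return {"names": names, "extracted": extracted, "hash_ok": actual == recorded,
            "ileapp": ileapp_args(path, os.path.join(work, "report"))}


if __name__ == "__main__":
    print(run_demo())
```

On a real dump, call extract_sysdiagnose("unifiedlogs.tar", "sysdiagnose/") and pass the returned path to iLEAPP with the arguments from ileapp_args; the hash goes into the acquisition notes before the archive is handed to any parser.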

The generated report includes a number of browsable HTML pages, CSV exports, and extracted artifacts grouped by category. iLEAPP’s modular plugin architecture allows it to surface key data points from the logs with minimal manual intervention.

Devices that produce unified logs

Apple’s unified logging system is built into virtually every device in the company’s ecosystem. While the log format and logging infrastructure are consistent across platforms, each device class generates logs specific to its role, capabilities, and hardware. For forensic purposes, the most relevant unified logs come from mobile and consumer-facing Apple devices.

The iPhone and iPad are the most commonly examined devices in mobile forensic investigations, and both platforms generate extensive unified logs. These logs cover biometric authentication events (such as Face ID and Touch ID), unlock attempts, app launches, system state changes, and many other user- and system-level activities. They are generated continuously and can provide a minute-by-minute record of device usage when captured properly.

The Apple Watch also produces unified logs, particularly focused on health, motion, connectivity, and communication events. These logs are less detailed than those on iOS but can still include valuable artifacts, especially when paired with a host iPhone. Because the Apple Watch lacks the backup daemon, its logs can provide rare insight into user activity in otherwise data-sparse environments.

Apple TV devices generate unified logs that include system state changes, media playback, network activity, and user interface interactions. While Apple TVs are less frequently the subject of forensic examinations, their logs can be relevant in cases involving shared household devices, establishing physical presence, or media consumption patterns.

HomePod logs primarily focus on Siri interactions, network behavior, audio playback, and user presence detection. Forensic interest in HomePod logs typically centers on voice assistant activity, location context, and household usage trends. At the very least, HomePod logs can be used to establish physical presence.

Though not the primary focus of this article, it is important to mention that macOS devices also make extensive use of unified logging. In fact, macOS generates a broader and deeper range of log entries than iOS due to its more open architecture and wider range of background services. Logs from macOS systems are especially useful in all kinds of forensic investigations, and can include everything from user logins to file system events and network connections. However, due to differences in log access methods, macOS logs are not covered in depth here.

In the following chapters, we will examine how unified logs can be generated and extracted from each of these device classes, and what types of forensic artifacts can be expected from each platform.

iPhone & iPad (iOS / iPadOS)

Forensic Potential

iPhones and iPads generate extensive unified logs that cover a wide range of user and system activities. Logs reveal biometric events (Face ID and Touch ID scans and results), unlock attempts (both successful and failed), app launch times, screen orientation changes, network activity, and power state transitions. These entries provide a high-resolution view into user behavior – especially valuable when app-level logs or backups are inaccessible or encrypted.

Generating sysdiagnose Logs

There are several methods to produce logs for these devices. Apple recommends the following procedure:

Triggering a Sysdiagnose With Buttons

Trigger a sysdiagnose by simultaneously pressing and releasing both volume buttons + the Side (or Top) button for 250 milliseconds. Holding too long (>1s) will lock the device instead.

Notes:

  • A screenshot will also be taken when the buttons are pressed and released.
  • The sysdiagnose is triggered upon button release.
  • On an iPhone you will feel a short vibration when a sysdiagnose is successfully triggered. (The vibration will not occur on an iPad).

Wait 10 minutes for the diagnostic gathering to complete.

There is also an alternative procedure, which is significantly more complex and should be used only if there is a mechanical malfunction preventing the creation of the logs via buttons.

Enabling Logging Using AssistiveTouch

  1. Enable AssistiveTouch by going to Settings > Accessibility > Touch > AssistiveTouch. – Notice the floating home button that appears on the screen.
  2. Go to Settings > Accessibility > Touch > Customize Top Level Menu.
  3. Select Custom > Analytics. A small checkmark (✓) will appear next to your selection.
  4. Trigger a sysdiagnose by using the CUSTOM ACTION you selected above. (Example: Double-Tap).

Notes:

  • A gray bar will appear along the top indicating that the log gathering has started, and another will appear when it’s complete.
  • It can take up to 10 minutes for the diagnostic gathering to complete.

Apple Watch (watchOS)

Forensic Potential

Apple Watch unified logs capture motion and health data, connectivity events, app interactions, and pairing information with the host iPhone. While less verbose than iOS, these logs can still shed light on physical activity, user presence, and watch-based authentication or app use – even if minimal data is stored locally.

Generating sysdiagnose Logs

Apple documents how to capture Watch logs via a developer profile. A .mobileconfig profile is installed on the paired iPhone, enabling future logging. After installation, triggering sysdiagnose on the Watch itself collects unified logs tied to watchOS processes.

Detailed Instructions

First, you will need to enable logging. To do that, you will need to install the watchOS logging profile to the paired iPhone. (Note: The profile will expire after 3 days.)

Then, follow these steps (from sysdiagnose_Logging_Instructions.pdf):

  1. Download the watchOS logging profile to the paired iPhone.
  2. Tap the profile in the body of the email.
  3. Choose ‘Apple Watch’ when prompted.
  4. Tap Install (enter passcode, if prompted), agree to the consent form and tap Install.
  5. Restart the device.
  6. Trigger a sysdiagnose by pressing and holding both the Side and Digital Crown buttons on the Watch for two seconds and release.

Gathering the Logs

There are several methods for accessing the logs. Choosing one or another depends on whether or not you have an adapter to connect the Watch to your workstation.

If you have an adapter

If you have a custom adapter, you can simply connect and pair the watch to your workstation, then use iOS Forensic Toolkit to collect the logs in exactly the same way you’d use it with an iPhone.

If you don’t have an adapter

If you do not have an Apple Watch adapter, you can still access the logs by making the watch send them to the tethered iPhone, then extracting the logs from the iPhone.

  1. Place the Apple Watch on the charging puck.
  2. Make sure the iPhone is within range of the watch.
  3. Wait for up to 15 minutes for the Apple Watch to sync the files to the iPhone.

Notes:

  • Depending on the Watch hardware, generating logs may take significant time (10 minutes or more).
  • The first-generation model (Series 0) is particularly slow.
  • You can only connect the Watch directly to your workstation if you have a dedicated adapter. Otherwise, use the workaround described above.

Apple TV (tvOS)

Forensic Potential

Apple TV unified logs include media playback metadata, user interface navigation, network communications, AirPlay events, and system state transitions. In forensic scenarios involving shared devices, these logs can help establish physical presence and offer insights into usage times, content accessed, and remote control activities.

Generating sysdiagnose Logs

Apple provides developer-focused instructions for creating sysdiagnose archives. Using a tvOS-specific sysdiagnose profile from the Profiles Portal, logs can be triggered remotely via a paired Mac or through Apple Configurator once enabled.

Alternatively, logs can be produced (on the 4th generation Apple TV at least) by pressing and holding the PLAY/PAUSE and VOL- buttons on the remote for 6 seconds. After you release the buttons, a confirmation dialog will appear on the TV screen. You can then use AirDrop to transfer the logs to your Mac. (sysdiagnose_Logging_Instructions.pdf)

Notes:

  • If you are investigating a 4th generation Apple TV with a USB-C port, or if you have a dedicated adapter to connect the Apple TV, you can use that port or adapter to connect the device to your workstation and extract the logs with iOS Forensic Toolkit.
  • If there is no USB-C port available, you can produce the logs and AirDrop them onto a Mac.

HomePod (audioOS)

Forensic Potential

HomePod unified logs emphasize Siri interactions, network behavior, audio playback, voice intent, and home automation events. Investigators can use these logs to identify when Siri was activated, commands were issued, and how users interacted with their HomePod devices in a forensic context.

Generating sysdiagnose Logs

Like tvOS, HomePod requires a developer profile from Apple’s Profiles and Logs portal. Once a logging profile is installed, sysdiagnose captures relevant unified logs when manually triggered via the Home app or pairing signals.

Apple provides the following instructions.

  1. Download the profile and install it on the iOS device. Important: Install logging profile onto the iOS device, not the HomePod. If the profile is installed on the HomePod the ‘Export Analytics’ button will not show up when collecting logs.
  2. Restart the device if prompted.

Then, trigger a sysdiagnose using the following steps:

  1. Open the ‘Home’ app on the iOS device.
  2. Long press on the HomePod tile to reveal options.
  3. Tap ‘Settings’ (Previously called ‘Details’).
  4. Tap ‘Analytics’.
  5. Tap ‘Export Analytics’.
  6. Keep iOS device unlocked until AirDrop from HomePod is received and wait for the logs to finish gathering. When logs are collected, the HomePod will AirDrop them to the iOS device.
  7. From the AirDrop menu, choose ‘iCloud Drive’ or the ‘Files app’ and tap ‘Add’.
  8. Tap ‘Done’ when the file transfer has completed.

Extracting the logs

If you have an adapter to connect the HomePod to your workstation, extracting the logs from the HomePod is no different than obtaining them from the iPhone, iPad, or Apple TV; please refer to the “Extracting unified logs” chapter above. If you don’t have an adapter, use the sequence described above (via the ‘Home’ app on the iOS device).

More information

Apple unified logs are well-studied; there is no lack of information about them. We selected several publications we found particularly interesting.

Tools for parsing and analyzing Apple unified logs:

General information:

What’s inside unified logs:

macOS logs:

Final remarks

An updated release of iOS Forensic Toolkit with marked improvements in the log extraction is just around the corner. Stay tuned!
