I know it's been a while since I last wrote. I've been working hard on macOS Sierra and iOS 10 to add new material to my course. Here's something new that macOS Sierra has to offer us forensic analysts!
macOS Sierra (10.12) introduced a new logging mechanism called Unified Logging. Apple's developer reference documentation indicates that the same mechanism is used on iOS 10, tvOS 10 and watchOS 3.
The developer documentation also indicates that unified logging replaces Apple System Log (ASL) and syslog, which we rely on heavily for log analysis on 10.11 and older systems. As of 10.12.1 those logs still exist in /var/log, so do not discount them yet. (As far as I know, audit logs are still fair game.)
The unified logs are stored in two directories:
- /var/db/diagnostics/
- /var/db/uuidtext/
The first path (/var/db/diagnostics/) contains the log files themselves. They are named with a timestamp following the pattern logdata.Persistent.YYYYMMDDTHHMMSS.tracev3. These are binary files, and a new tool on macOS is needed to parse them. The directory also holds additional *.tracev3 log files and other files containing log metadata. The second path (/var/db/uuidtext/) contains files that are referenced by the main *.tracev3 log files.
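The timestamped naming of the Persistent files is enough to triage a collected diagnostics directory before any tracev3 file is opened. The following Python is an added example, not code from the original post: it parses logdata.Persistent.YYYYMMDDTHHMMSS.tracev3 names, orders them, and flags gaps in coverage that the analyst should account for. The `triage_directory` helper and the sample file names are constructed for illustration.

```python
"""Triage tracev3 files in a copy of /var/db/diagnostics/ by their timestamped names."""
import re
from datetime import datetime, timedelta
from pathlib import Path

# Naming pattern described in the post: logdata.Persistent.YYYYMMDDTHHMMSS.tracev3
TRACEV3_NAME = re.compile(r"^logdata\.Persistent\.(\d{8}T\d{6})\.tracev3$")


def parse_tracev3_name(name):
    """Return the timestamp embedded in a Persistent tracev3 filename, or None."""
    m = TRACEV3_NAME.match(name)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y%m%dT%H%M%S")


def coverage(names, max_gap=timedelta(days=1)):
    """Order the Persistent files chronologically and flag gaps larger than max_gap.

    Returns (ordered_names, gaps); each gap is (earlier_name, later_name, delta).
    A gap proves nothing on its own (the host may simply have been off), but it is
    a window the analyst must explain, since removed log files look the same way.
    """
    stamped = []
    for n in names:
        ts = parse_tracev3_name(n)
        if ts is not None:
            stamped.append((ts, n))
    stamped.sort()
    gaps = []
    for (t0, n0), (t1, n1) in zip(stamped, stamped[1:]):
        if t1 - t0 > max_gap:
            gaps.append((n0, n1, t1 - t0))
    return [n for _, n in stamped], gaps


def triage_directory(diag_dir):
    """Hypothetical helper: run coverage() over every *.tracev3 under a collected copy."""
    return coverage([p.name for p in Path(diag_dir).rglob("*.tracev3")])


# Constructed sample listing (not taken from a real system); last entry is skipped
SAMPLE_NAMES = [
    "logdata.Persistent.20161108T031500.tracev3",
    "logdata.Persistent.20161101T120000.tracev3",
    "logdata.Persistent.20161102T090000.tracev3",
    "other-metadata-file.tracev3",
]

if __name__ == "__main__":
    ordered, gaps = coverage(SAMPLE_NAMES)
    print("coverage:", ordered[0], "->", ordered[-1])
    for earlier, later, delta in gaps:
        print("gap of", delta, "between", earlier, "and", later)
```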