Are You Really Getting the Benefits of Unified Logs?

Unified Logs, introduced as the logging system in macOS 10.12, records a wide variety of information. For example, on macOS 11 and later, a command such as "log show --info --predicate 'eventMessage begins with "LAUNCH: 0x"'" extracts the entries written when an application bundle is launched. This information is valuable because macOS has no execution artifacts comparable to Windows Prefetch files. Unified Logs are stored in a binary format, but they can be rendered as readable text with the log command, commercial forensic products, or open-source tools. Surprisingly little concrete guidance on analysis methods like the one above exists, and it is rarely found even on the Internet. This presentation gives an overview of Unified Logs, how to acquire the artifacts, and the tools for parsing them. It also explains several methods for analyzing Unified Logs and touches on automating the analysis. Finally, I will share how to manage Unified Logs: unlike Windows Event Logs, Unified Logs have a fixed retention limit, so if too many unnecessary entries are recorded, important entries are likely to be lost; I will explain how to reduce this.
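As an added example, not part of this abstract or the presenter's material: a small Python script that turns the output of the LAUNCH predicate above into an application-execution timeline, which is the kind of automation the abstract refers to. It assumes the entries were exported with the log command's ndjson style (one JSON object per line, with keys such as timestamp, eventMessage, processImagePath and processID, as log show emits them). The sample records embedded below are constructed: the "LAUNCH: 0x0-0x..." prefix follows the predicate, but the text after the serial number is illustrative and may not match real entries, so the regular expression that picks out the .app bundle is an assumption to adjust against real output.

```python
"""Build an application-execution timeline from macOS Unified Log
"LAUNCH:" entries.

Added example (not from the original talk). Assumed export command:
    log show --archive system.logarchive --info \
        --predicate 'eventMessage begins with "LAUNCH: 0x"' \
        --style ndjson > launches.ndjson
    python3 launch_timeline.py launches.ndjson
"""
import json
import re
import sys
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime

# log show's json/ndjson timestamps look like "2024-03-14 09:15:22.123456+0900"
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"
# LaunchServices application serial number (ASN) that follows "LAUNCH: "
ASN_RE = re.compile(r"^LAUNCH: (0x[0-9a-fA-F]+-0x[0-9a-fA-F]+)")
# Assumption: the launched bundle appears as a ".app" token in the message text
APP_RE = re.compile(r"(\S+\.app)")

# Constructed sample of `log show --style ndjson` output. The message text after
# the ASN and the processImagePath values are illustrative, not captured data.
# Lines are deliberately out of time order, one is not a LAUNCH entry, and one
# is not JSON at all, to exercise the skip logic below.
SAMPLE_NDJSON = """\
{"timestamp":"2024-03-14 09:16:00.000100+0900","eventMessage":"LAUNCH: 0x0-0x1d01d /Applications/TextEdit.app starting","processImagePath":"/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder","processID":412,"subsystem":"com.apple.launchservices","messageType":"Info"}
{"timestamp":"2024-03-14 09:15:22.123456+0900","eventMessage":"LAUNCH: 0x0-0x1c01c /Applications/Safari.app starting","processImagePath":"/System/Library/CoreServices/Dock.app/Contents/MacOS/Dock","processID":398,"subsystem":"com.apple.launchservices","messageType":"Info"}
not a json line
{"timestamp":"2024-03-14 09:15:30.500000+0900","eventMessage":"CHECKIN: 0x0-0x1c01c com.apple.Safari","processImagePath":"/usr/libexec/runningboardd","processID":225,"subsystem":"com.apple.launchservices","messageType":"Info"}
{"timestamp":"2024-03-14 10:02:10.250000+0900","eventMessage":"LAUNCH: 0x0-0x2a02a /Applications/Safari.app starting","processImagePath":"/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder","processID":412,"subsystem":"com.apple.launchservices","messageType":"Info"}
"""


@dataclass
class Launch:
    timestamp: datetime
    asn: str
    app: str
    pid: int
    logger: str  # processImagePath of the process that wrote the entry


def parse_ndjson(text: str) -> list:
    """One JSON object per line; blank lines and non-JSON lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def extract_launches(records) -> list:
    """Keep only LAUNCH entries and return them sorted by timestamp."""
    launches = []
    for rec in records:
        msg = rec.get("eventMessage", "")
        asn = ASN_RE.match(msg)
        if not asn:
            continue  # not a LAUNCH entry (a looser predicate may let others in)
        app = APP_RE.search(msg)
        launches.append(Launch(
            timestamp=datetime.strptime(rec["timestamp"], TS_FORMAT),
            asn=asn.group(1),
            app=app.group(1) if app else "<unknown>",
            pid=int(rec.get("processID", -1)),
            logger=rec.get("processImagePath", ""),
        ))
    launches.sort(key=lambda entry: entry.timestamp)
    return launches


def summarize(launches) -> "OrderedDict[str, dict]":
    """Per-application launch count with first and last seen, ordered by first launch."""
    summary = OrderedDict()
    for entry in launches:
        item = summary.setdefault(entry.app, {"count": 0, "first": entry.timestamp, "last": entry.timestamp})
        item["count"] += 1
        item["last"] = entry.timestamp
    return summary


def main(path: str = None) -> None:
    text = open(path, encoding="utf-8").read() if path else SAMPLE_NDJSON
    launches = extract_launches(parse_ndjson(text))
    for entry in launches:
        print(f"{entry.timestamp.isoformat()}  {entry.asn:<14} {entry.app:<32} "
              f"launched via {entry.logger.rsplit('/', 1)[-1]} (pid {entry.pid})")
    print("\nper-application summary:")
    for app, item in summarize(launches).items():
        print(f"  {app}: {item['count']} launch(es), first {item['first']}, last {item['last']}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it without arguments to see the constructed sample processed; point it at a real ndjson export to work on an acquired logarchive. Because LAUNCH entries are Info level, the --info flag in the export command matters: without it, log show's default level filter drops them and the script sees nothing.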