# iOS Unified Logs – Acquisition & Parsing Tools
By Lionel Notari – May 2025

## Description

This package contains two forensic tools for working with iOS Unified Logs:

- Acquisition Tool: to extract a .logarchive from an iOS device in a forensically sound manner.
- Parsing Tool: to convert the logarchive into a filtered and searchable SQLite database, along with a forensic report.

These tools are designed to help forensic analysts save time and extract the most relevant information from iOS logs.

---

## Content

The ZIP package includes:
- Acquisition/ folder – the extraction tool and its README
- Parsing/ folder – the parser, a custom_rules.json template, and this README
- requirements.txt – Python dependencies for the parser and the acquisition tool

---

## Requirements

- Python 3.9+
- Make sure the python3 command is available in your PATH. If it is not, entering the launch command in the Terminal will silently do nothing.
- macOS only (the tools rely on the log show and log stats commands)

Install the required packages with:

    pip3 install --upgrade --force-reinstall -r requirements.txt

---

## Tool 1 – Acquisition

This tool extracts the unified logs from an iOS device in a forensically sound manner using the log collect command. The generated .logarchive can then be analyzed with the parsing tool.

The tool:
- Automatically detects the connected device
- Prompts the user to define a case name and extraction folder
- Computes SHA1 and MD5 hashes of the final .logarchive
- Generates a forensic report about the extraction

Run the script with:

    sudo python3 -m sourcedefender iOS_UnifiedLogs_acquisition_V3.pye

---

## Tool 2 – Parsing

This tool processes the .logarchive and builds:
1. A full SQLite database of all events
2. A filtered database of relevant logs (based on Lionel Notari's publications)
3. A forensic report detailing the results

You can:
- Select a .logarchive and output folder
- Set a custom name for your database
- Use a date range to reduce log volume (optional)
- Enable custom_rules.json to include your own filters and parse more unified logs!
- Export filtered logs database to CSV (optional)

Run the script with:

    python3 -m sourcedefender iOS_UnifiedLogs_parsing_V2.pye

---

## How it works

1. The tool runs the log show command to export all logs from the .logarchive into a large JSON file
2. It parses this JSON and inserts every event into a full SQLite database
3. It applies filters to extract the relevant logs into a second "filtered" database
4. It generates a text report with:
   - Summary of both databases
   - log stats comparison
   - Integrity hashes (MD5/SHA1)
   - Details of any custom_rules.json applied
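As an added illustration of steps 2 to 4 (not the package's own code, which ships as compiled .pye files), the following script ingests a constructed sample in the shape of log show --style json output into a full SQLite database, applies first-matching-rule filtering into a second database with an optional date range, and computes the MD5/SHA1 integrity hashes that the report lists. The rule layout (name, subsystem, process, message_contains) is a hypothetical stand-in, since this README does not document the real custom_rules.json schema.

```python
import hashlib, json, os, sqlite3, tempfile

# Constructed sample in the shape of `log show --style json` output (not real device data).
SAMPLE_JSON = json.dumps([
    {"timestamp": "2025-05-01 10:00:01.000000+0200", "subsystem": "com.apple.springboard",
     "processImagePath": "/System/Library/CoreServices/SpringBoard.app/SpringBoard",
     "eventMessage": "Device unlocked by user"},
    {"timestamp": "2025-05-01 10:00:02.000000+0200", "subsystem": "com.apple.locationd",
     "processImagePath": "/usr/libexec/locationd", "eventMessage": "Starting location request"},
    {"timestamp": "2025-05-01 10:00:03.000000+0200", "subsystem": "com.example.noise",
     "processImagePath": "/usr/libexec/noise", "eventMessage": "periodic housekeeping"},
])
# Hypothetical rule layout; the package's real custom_rules.json schema is not described here.
RULES = [{"name": "unlock", "subsystem": "com.apple.springboard", "message_contains": "unlocked"},
         {"name": "location", "subsystem": "com.apple.locationd"}]
SCHEMA = "CREATE TABLE logs (ts TEXT, subsystem TEXT, process TEXT, message TEXT, rule TEXT)"

def matches(rule, row):
    # A rule matches when every field it sets agrees with the event row.
    _, subsystem, process, message, _ = row
    return (rule.get("subsystem") in (None, subsystem) and rule.get("process") in (None, process)
            and rule.get("message_contains", "") in (message or ""))

def write_db(path, rows):
    with sqlite3.connect(path) as conn:
        conn.execute(SCHEMA)
        conn.executemany("INSERT INTO logs VALUES (?,?,?,?,?)", rows)
    conn.close()

def digests(path):
    data = open(path, "rb").read()
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}

def run_pipeline(raw_json, rules, out_dir, start=None, end=None):
    """Steps 2-4 of the pipeline: full DB, first-matching-rule filtered DB, integrity hashes."""
    rows = [(e.get("timestamp"), e.get("subsystem"), e.get("processImagePath"), e.get("eventMessage"), None)
            for e in json.loads(raw_json)]
    # Optional date range: log show timestamps sort lexically, so string comparison is enough.
    rows = [r for r in rows if (start is None or r[0] >= start) and (end is None or r[0] <= end)]
    hits = [r[:4] + (name,) for r in rows
            for name in [next((x["name"] for x in rules if matches(x, r)), None)] if name]
    full_path, filt_path = os.path.join(out_dir, "full.sqlite"), os.path.join(out_dir, "filtered.sqlite")
    write_db(full_path, rows)
    write_db(filt_path, hits)
    return {"full": len(rows), "filtered": len(hits),
            "hashes": {"full": digests(full_path), "filtered": digests(filt_path)}}

def demo(start=None, end=None):
    # Run the pipeline on the constructed sample in a scratch directory and return the summary.
    with tempfile.TemporaryDirectory() as d:
        return run_pipeline(SAMPLE_JSON, RULES, d, start, end)
```

On a real .logarchive the JSON would come from log show --archive ... --style json, and the hashes of both database files would go into the report next to the log stats comparison.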

---

## Features

- Supports millions of logs (tested with >20M)
- Rule-based filtering using internal logic or custom_rules.json
- Forensic report generated in .txt format
- CSV export option for filtered logs
- Date range support for faster export

---

## License

This project is not open source. All rights are reserved by the author, Lionel Notari. Redistribution or modification without permission is strictly forbidden. Any attempt to reverse-engineer the code is also prohibited.

---

## Author

Lionel Notari

## Contact

For questions, comments or feedback:
✉️ lionel.notari@ios-unifiedlogs.com
🌐 https://www.ios-unifiedlogs.com/blog
🔗 LinkedIn – Lionel Notari: https://www.linkedin.com/in/lionelnotari
