Before getting to the heart of the matter, let's start with the basics and understand what kind of digital traces we are talking about when we talk about logs.
From a strictly technical standpoint, logs can be summarised as log files: text files that record, in chronological order, the events that have taken place on a computer system of any kind, together with the consequences of those events.
Not very informative, is it not?
In essence, every action you take on a digital device in the course of a day, such as unlocking a mobile phone, installing software on a computer, searching the web or typing a message in a messaging app, produces a textual record called a "log". Taken together, these log files document, in chronological order, the series of events executed on the device.
Let's take a concrete example to make this even clearer:
On January 1, 2021 at 00:01 am you unlock your iPhone. A line is written to a text file saying: "00:01 am: The phone has been unlocked." In computer language, this is called "logging an activity".
Admittedly, there is something unsettling about realising that our every action is recorded in this way.
Nevertheless, there is no cause for alarm. In an era of heightened concern about data protection, it is worth being clear about what logs do and do not imply. Logs are stored locally on your device, and they are there for developers or experienced users to diagnose malfunctions and irregularities. They are not handed to third parties for advertising or any other purpose. Note, however, that what keeps them private is the device's access controls, not their cryptic appearance: anyone who can read the files, whether a technician holding your unlocked phone or a forensic examiner, can interpret them with the right tools, which is precisely what the rest of this article is about.
The example above is only an illustration intended to give a basic understanding of logs. In reality, unravelling logs is considerably more intricate; it is a complex task that requires specialised knowledge and expertise.
Finally, you should know that logs are not kept forever on your device, as that would take too much space. Each log has a certain lifespan, for example five days. When the five days are up, the log is deleted and a newer one takes its place. This is called log rotation.
Logs, unified logs ... I don't get it anymore!
Unified logs appeared on Mac computers with the Sierra update in September 2016, replacing the classic logs, which were plain text files (Oakley, 2018). Unified logs are therefore specific to Apple and are not used by any other manufacturer. Why? Simply because Apple "invented" them. And what is so special about these logs? We will get to that, don't worry.
On iOS they were introduced at about the same time, with the release of iOS 10.0 (Szymanski and Lucas, 2016). According to Apple's own presentation, this change in logging serves several purposes, the main ones being:
Collect as much data as possible (as if they weren't already collecting enough but, remember, logs are not shared)
Compress them so that they take up less memory space.
Implement a logging system common to the different products they sell (watches, televisions, smartphones, tablets, computers) (Szymanski and Lucas, 2016). The log files are therefore all very similar, regardless of which system generated them.
With this change, logs are no longer stored as text files on the device but in a compressed, binary format called tracev3. Compression allows the logs to be kept longer (Oakley, 2017a), but it also means they cannot be read directly: the format is proprietary to Apple and undocumented (Oakley, 2017b), so in practice the tools Apple provides, the log command and the Console app on macOS, are the way to read them (Oakley, 2018). Third-party parsers that reverse-engineered the format have since appeared, but Apple's log utility remains the reference reader. On a mobile device these compressed logs are kept for approximately 10 days on a rotating basis. They reside mainly in two directories, /var/db/diagnostics/ and /var/db/uuidtext: the first holds the compressed log files themselves (Edwards, 2016); the second holds a set of folders named 00 to FF which contain, indexed by the UUID of the emitting binary, the message text that the compressed entries reference rather than embed, so an entry cannot be fully rendered without them (Oakley, 2017b).
Each log entry carries a large amount of information (Edwards, 2017). The most useful fields in the context studied here are the Timestamp, the date and time at which the entry was recorded; the Process Name, which identifies the process that generated it; and the Message, which describes the specific event that occurred. These three fields allow investigators to determine when a user interacted with the phone, and the process name can in addition indicate which application was used.
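To make those three fields concrete, here is an added worked example; it is not code from the original article, from Apple or from Mr Oakley. It takes the output of Apple's own reader, log show, exported one JSON object per line with the ndjson style, extracts Timestamp, Process Name and Message, puts the entries in chronological order even when the export is not, and keeps the ones that point at a user interaction. Assumptions to check against your own setup: the field names (timestamp, processImagePath, eventMessage) and the --style ndjson and --archive options are those of the log command on recent macOS; the sample lines are constructed, not real device entries; and treating SpringBoard and Messages as proxies for user interaction is a choice made for the illustration.

```python
"""Timeline of user interactions from Apple unified log entries.

Added example: the input imitates `log show --style ndjson` output (one JSON
object per line). Field names are an assumption about the current `log`
tool; the sample lines below are constructed, not taken from a real device.
"""
import json
from datetime import datetime, timedelta
from os.path import basename

# Constructed sample (ndjson style). Deliberately out of order and with one
# junk line, as exports stitched together from several files tend to be.
SAMPLE_NDJSON = """\
{"timestamp":"2021-01-01 00:01:00.250000+0100","processImagePath":"/System/Library/CoreServices/SpringBoard.app/SpringBoard","eventMessage":"The phone has been unlocked","messageType":"Default"}
{"timestamp":"2021-01-01 00:00:58.101000+0100","processImagePath":"/usr/libexec/locationd","eventMessage":"Location update","messageType":"Default"}
this line is not JSON and must be skipped, not abort the run
{"timestamp":"2021-01-01 00:01:12.000000+0100","processImagePath":"/Applications/Messages.app/Messages","eventMessage":"Composing message","messageType":"Info"}
{"timestamp":"2021-01-01 00:00:59.900000+0100","processImagePath":"/usr/sbin/mDNSResponder","eventMessage":"Query","messageType":"Debug"}
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"   # e.g. 2021-01-01 00:01:00.250000+0100

# Processes taken here as evidence that a user touched the phone (assumption
# made for the illustration; SpringBoard draws the iOS lock and home screens).
INTERACTION_PROCESSES = ("SpringBoard", "Messages")


def parse_ts(value):
    """Parse the timezone-aware timestamp string written by log show."""
    return datetime.strptime(value, TS_FORMAT)


def parse_entry(line):
    """Return (timestamp, process name, message) for one line, or None."""
    line = line.strip()
    if not line:
        return None
    try:
        obj = json.loads(line)
        ts = parse_ts(obj["timestamp"])
    except (ValueError, KeyError):
        return None          # malformed line: skip it, keep the rest
    # processImagePath is the full binary path; the Process Name is its last component
    proc = basename(obj.get("processImagePath") or "") or "unknown"
    return ts, proc, obj.get("eventMessage", "")


def parse_ndjson(text):
    """All well-formed entries, sorted chronologically regardless of export order."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e is not None]
    entries.sort(key=lambda e: e[0])
    return entries


def user_interactions(entries, processes=INTERACTION_PROCESSES):
    """Keep only entries whose process name points at a user interaction."""
    return [e for e in entries if e[1] in processes]


def within_retention(entries, now, days=10):
    """Entries older than the rotation window are gone from a live device;
    anything older must come from a backup or an earlier logarchive."""
    cutoff = now - timedelta(days=days)
    return [e for e in entries if e[0] >= cutoff]


def log_show_command(start, end, archive=None):
    """argv for exporting a time window as ndjson with Apple's log tool
    (option names are an assumption about the current macOS version)."""
    fmt = "%Y-%m-%d %H:%M:%S"
    cmd = ["log", "show", "--style", "ndjson", "--info",
           "--start", start.strftime(fmt), "--end", end.strftime(fmt)]
    if archive:
        cmd += ["--archive", archive]   # read a .logarchive instead of the live system
    return cmd


if __name__ == "__main__":
    timeline = parse_ndjson(SAMPLE_NDJSON)
    for ts, proc, msg in user_interactions(timeline):
        print(f"{ts:%Y-%m-%d %H:%M:%S%z}  {proc:<12} {msg}")
    print("collect with:", " ".join(log_show_command(timeline[0][0], timeline[-1][0])))
```

Run on a Mac, the argv built by log_show_command produces the real input for parse_ndjson; pointing it at a .logarchive is how entries pulled from an iOS device, for example the system_logs.logarchive inside a sysdiagnose, can be fed through the same pipeline. The retention helper is there as a reminder of the roughly 10-day window described above: an empty result for a date range is not proof that nothing happened, only that the live device no longer holds entries for it.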
At present, Mr Oakley offers tools on his website to investigate these logs, but they are dedicated to the macOS operating system only. There are gaps to be filled for iOS, and the articles that will be published on this site, intended for digital forensics specialists from different backgrounds, follow this logic.
Edwards S (2016) New macOS Sierra (10.12) Forensic Artifacts – Introducing Unified Logging. Available at: http://www.mac4n6.com/blog/2016/11/13/new-macos-sierra-1012-forensic-artifacts-introducing-unified-logging.
Oakley H (2017a) Sierra's unified log evolves: more persistent, and a valuable log log. The Eclectic Light Company. Available at: https://eclecticlight.co/2017/09/23/sierras-unified-log-evolves-more-persistent-and-a-valuable-log-log/
Oakley H (2017b) Browsing the unified log in difficult circumstances. The Eclectic Light Company. Available at: https://eclecticlight.co/2017/09/25/browsing-the-unified-log-in-difficult-circumstances/
Oakley H (2018) macOS Unified log: 1 why, what and how. The Eclectic Light Company. Available at: https://eclecticlight.co/2018/03/19/macos-unified-log-1-why-what-and-how/ (accessed 10 February 2020).
Szymanski S and Lucas M (2016) Unified Logging and Activity Tracing. WWDC 2016, session 721. Available at: https://devstreaming-cdn.apple.com/videos/wwdc/2016/721wh2etddp4ghxhpcg/721/721_unified_logging_and_activity_tracing