Thesis Friday #1: AUL – FaceID authentication

The Apple Unified Log play a crucial role in our digital forensic investigations. It is crucial in uncovering system activities and user interactions. Apple Unified Log provide a detailed, timestamped record of system events across various processes and subsystems. However, interpreting the AUL requires an understanding of their structure.

It is Friday for me, I will start calling it thesis Friday. So I am doing my research on the AUL and I decided to pick out a artifact and explain it.

So lets dive in!

Apple Unified Log FaceID artifact:

2025-03-09 14:50:43.337360+0100 localhost kernel[0]: (AppleH13CameraInterface) PearlCamFrameReceived - isFaceDetected=1, isBracketedCaptureFrame=1, isUserEngaged=1, hasAttention=1, hasGlasses=1, hasOcclusion=0, hasEyeOcclusion=0, fIDfsmFDStatus=2, sensorTemp=30, isFIDValidFrame=1, isERDataValid=0, isMDDataValid=0, isAttnDataValid=1

Now we will break it down:

  • Timestamp: 2025-03-09 14:50:43.337369+0100 (Timestamp = timestamp UTC+1)
  • Process / Subsystem: kernel / AppleH13CameraInterface – This log entry originates from the AppleH13CameraInterface, the kernel-level interface managing the TrueDepth camera system (used by Face ID)
  • EventMessage:
PearlCamFrameReceived - isFaceDetected=1, isBracketedCaptureFrame=1, isUserEngaged=1, hasAttention=1, hasGlasses=1, hasOcclusion=0, hasEyeOcclusion=0, fIDfsmFDStatus=2, sensorTemp=30, isFIDValidFrame=1, isERDataValid=0, isMDDataValid=0, isAttnDataValid=1

The event message PearlCamFrameReceived indicates that a frame was captured by the camera, and it includes a set of Boolean and integer flags describing the frame’s metadata:

  • isFaceDetected=1: A face was successfully detected.
  • isBracketedCaptureFrame=1: The frame is part of a bracketed capture (used for depth sensing and HDR).
  • isUserEngaged=1: The user is actively engaging with the device.
  • hasAttention=1: Eye gaze detection confirms the user is looking at the screen.
  • hasGlasses=1: Glasses were detected on the user.
  • hasOcclusion=0, hasEyeOcclusion=0: No facial or eye occlusions detected.
  • sensorTemp=30: Sensor temperature was 30°C at the time of capture.

Forensic interpretation:

At this timestamp, the user’s face was detected by Face ID, the user was looking at the device, and no facial obstructions were present. This confirms active user engagement with the screen, potentially unlocking the device or interacting with secure apps.

By popular demand I will make more user interaction artifacts explanations and I hope this will trigger investigators to join our research on the AUL.

#Apple Unified Log #Apple #Digital Forensics

Licensed under CC BY-SA 4.0.

Feel free to share or adapt the work — with attribution and under the same license.

Leave a Reply

Your email address will not be published. Required fields are marked *