Thesis Friday #10: AUL – Artefacts on an iPhone 6 (iOS 12.5.7)

This week, I turned to an older Apple device: the iPhone 6, running iOS 12.5.7. Despite its age, the Apple Unified Log (AUL) on this device still reveals detailed interaction artefacts, particularly around Touch ID usage, passcode unlocks and Home button presses.

The physical Home button on the iPhone 6 is not just a navigation control; it contains a fingerprint sensor known as Touch ID. This allows users to unlock their device using a registered fingerprint. In the logs, this interaction leaves behind specific kernel-level artefacts.

Older iPhones like the iPhone 6 are increasingly encountered in forensic cases as so-called “burner” phones. Their legacy status, lower price point, and Touch ID-only authentication make them attractive for short-term or compartmentalized use. But they still generate meaningful logs for forensic examiners.

Touch ID Usage – Artefact Pattern

When a finger is placed on the Touch ID sensor, the Secure Enclave logs two events:

Touch ID – Finger placed on sensor

2025-03-09 15:24:33.093741+0100 kernel (AppleMesaSEPDriver) message: kAppleBiometricFingerOnEvent 

Timestamp: 2025-03-09 15:24:33.093741 (UTC+1)
Process: kernel
Subsystem: AppleMesaSEPDriver
EventMessage: kAppleBiometricFingerOnEvent
This marks the moment of physical contact with the fingerprint sensor.

Touch ID – Finger removed from sensor

2024-03-09 15:24:33.473797+0100 kernel message: kAppleBiometricFingerOffEvent 

Timestamp: 2025-03-09 15:24:33.473797 (UTC+1)
Process: kernel
EventMessage: kAppleBiometricFingerOffEvent
This records when the finger leaves the sensor. The duration between these two timestamps can reflect the fingerprint recognition window.

Passcode Unlock – Artefact Pattern

Passcode – Lock status changed

2025-03-09 15:24:47.831119+0100  localhost softwareupdateservicesd[139]: (SoftwareUpdateServices) [com.apple.softwareupdateservices:Common] Device lock status changed: passcodeLocked = NO

Timestamp: 2025-03-09 15:24:47.831119 (UTC+1)
Process: softwareupdateservicesd

Despite its name, softwareupdateservicesd does more than just manage iOS software updates. On older versions of iOS, particularly iOS 12.x, it also serves as a system-level notifier for changes in device state, including lock and unlock transitions.

Passcode – Device unlocked

2025-03-09 15:24:47.831126+0100  localhost softwareupdateservicesd[139]: (SoftwareUpdateServices) [com.apple.softwareupdateservices:Common] Device unlocked

Timestamp: 2025-03-09 15:24:47.831126 (UTC+1)
Process: softwareupdateservicesd
EventMessage: Device unlocked
Confirms that the unlock was fully completed and the UI is now accessible.

Home Button Press – Artefact Pattern

Touch ID interaction isn’t the only signal we can extract from the Unified Log. The physical act of pressing the Home button, a core part of user-device interaction on the iPhone 6, is also logged at kernel level.

Artefact – Home button physically pressed

2025-03-09 15:24:33.296311+0100  localhost kernel[0]: (AppleMesaSEPDriver) homeButtonEventServiceCallback: *** Home Button Was Pressed ***

Timestamp: 2025-03-09 15:24:33.296311 (UTC+1)

Process: kernel

The kernel handles low-level communication between hardware and the operating system.

Subsystem: AppleMesaSEPDriver

This Secure Enclave-related driver registers physical security-related events like biometric touches and button presses.

EventMessage:

homeButtonEventServiceCallback: *** Home Button Was Pressed ***

This indicates that the Home button was physically pressed, potentially to wake the device, activate Siri, or start an unlock attempt via Touch ID or passcode.


Forensic Relevance

These artefacts allow for a complete reconstruction of the unlock process:

  • The Touch ID on/off events confirm a fingerprint-based interaction occurred — regardless of its outcome.
  • The passcode unlock entries (passcodeLocked = NO, Device unlocked) mark the point of actual access.
  • Correlating the timestamps shows whether a failed biometric led to fallback authentication.

This is particularly valuable when working with legacy or burner devices, where Face ID is unavailable and forensic artefacts are harder to retrieve.
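One way to do this correlation programmatically, as an added example that is not part of the original post: it parses text log lines, classifies the five event messages shown above, and reports the finger contact time and the gap between finger lift and unlock. The function names and the assumption that each entry is one line starting with a timestamp in the form shown in this post are mine.

```python
import re
from datetime import datetime

MARKERS = {  # message substrings taken from the log entries shown in this post
    "kAppleBiometricFingerOnEvent": "finger_on",
    "kAppleBiometricFingerOffEvent": "finger_off",
    "Home Button Was Pressed": "home_press",
    "passcodeLocked = NO": "passcode_unlocked",
    "Device unlocked": "device_unlocked",
}
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4})\s+(.*)$")

def parse_events(lines):
    """Return time-sorted (timestamp, event) pairs; unrecognised lines are skipped."""
    events = []
    for line in lines:
        m = TS.match(line.strip())
        name = m and next((n for k, n in MARKERS.items() if k in m.group(2)), None)
        if name:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f%z"), name))
    return sorted(events)

def reconstruct_unlocks(events):
    """For each 'Device unlocked', report the preceding touch and the gaps around it."""
    unlocks, on, touch, presses = [], None, None, 0
    for ts, name in events:
        if name == "finger_on":
            on = ts
        elif name == "finger_off" and on is not None:
            touch, on = (on, ts), None  # completed on/off pair
        elif name == "home_press":
            presses += 1
        elif name == "device_unlocked":
            unlocks.append({
                "unlocked_at": ts,
                "contact_s": (touch[1] - touch[0]).total_seconds() if touch else None,
                "lift_to_unlock_s": (ts - touch[1]).total_seconds() if touch else None,
                "home_presses": presses,
            })
            touch, presses = None, 0  # start a fresh window after each unlock
    return unlocks

SAMPLE = [  # constructed sample, modelled on the entries quoted in this post
    "2025-03-09 15:24:33.093741+0100 kernel (AppleMesaSEPDriver) message: kAppleBiometricFingerOnEvent",
    "2025-03-09 15:24:33.473797+0100 kernel message: kAppleBiometricFingerOffEvent",
    "2025-03-09 15:24:33.296311+0100  localhost kernel[0]: (AppleMesaSEPDriver) homeButtonEventServiceCallback: *** Home Button Was Pressed ***",
    "2025-03-09 15:24:47.831119+0100  localhost softwareupdateservicesd[139]: (SoftwareUpdateServices) [com.apple.softwareupdateservices:Common] Device lock status changed: passcodeLocked = NO",
    "2025-03-09 15:24:47.831126+0100  localhost softwareupdateservicesd[139]: (SoftwareUpdateServices) [com.apple.softwareupdateservices:Common] Device unlocked",
]
```

The code sets no threshold for what counts as a fallback to passcode; the reported gaps are left for the examiner to interpret.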

Happy hunting!
