Thesis Friday #12: AUL – First Glance at iOS 26

This week, I took my first forensic look at iOS 26 beta, using a brand-new test setup designed to replicate the conditions I used in previous analyses on iOS 18. By repeating the same interaction patterns, for example unlocks, gestures, and idle phases. I have built a baseline for comparison between the old and the new.

Let me start with both good and bad news

The good news? Apple now logs far more detail in the Unified Log.
The bad news? Apple now logs far more detail in the Unified Log.

From a digital forensic standpoint, this is excellent! The presence of new and expanded artifacts improves traceability. But from a research and triage perspective, the increase in log volume and complexity presents a real challenge.

Initial Focus: Face ID Unlock

My first target in iOS 26 was to observe the familiar Face ID unlock flow.

At first glance, many of the core artifacts (such as biometric matching and keybag transitions) remain consistent with iOS 18. Some log messages have minor formatting or phrasing changes, but the unlock process still follows a recognizable pattern

Example:

iOS 18 Face ID artefact:

2025-03-09 14:50:43.337360+0100 localhost kernel[0]: (AppleH13CameraInterface) PearlCamFrameReceived - isFaceDetected=1, isBracketedCaptureFrame=1, isUserEngaged=1, hasAttention=1, hasGlasses=1, hasOcclusion=0, hasEyeOcclusion=0, fIDfsmFDStatus=2, sensorTemp=30, isFIDValidFrame=1, isERDataValid=0, isMDDataValid=0, isAttnDataValid=1

iOS 26 beta Face ID artefact:

2025-06-27 14:04:10.557032+0200  localhost kernel[0]: (AppleH13CameraInterface) PearlCamFrameReceived - isFaceDetected=1, isBracketedCaptureFrame=0, isUserEngaged=1, hasAttention=1, hasGlasses=1, hasOcclusion=0, hasEyeOcclusion=0, fIDfsmFDStatus=1, sensorTemp=33, isFIDValidFrame=1, isERDataValid=0, isMDDataValid=0, isAttnDataValid=1

There are no changes noticeable in the Face ID artefact.

However, what stood out immediately in iOS 26 is the richness of context now surrounding those same artifacts.

iOS26 beta : Contextual Detail Around Face ID

Here are some examples of the expanded contextual signals now logged during Face ID unlock:

Distance Measurement from Face to Camera

    2025-06-27 14:04:10.557222+0200  localhost kernel[0]: (ApplePearlSEPDriver) [com.apple.BiometricKit:IOPearlFrameSupport] IOPearlCameraFrame::getFaceDetectInfo: FD Distance: 386, ER Distance: 0

    IOPearlCameraFrame::getFaceDetectInfo: Method that retrieves Face Detection (FD) and Eye Region (ER) information.

    FD Distance: 386: Measured value (in millimeters) of the distance between the face and the camera.

    ER Distance: 0: Indicates that the Eye Region probably was not detected.

    The system now logs the measured distance between the user’s face and the device, giving a new physical dimension to biometric events.

    Explicit User Presence Detection

    2025-06-27 14:04:10.561422+0200  localhost SpringBoard[35]: (CoverSheet) [com.apple.SpringBoard:DashBoard] [User Presence Monitor] Face in view.

    A clear confirmation that a face has entered the camera field of view. Something that was previously inferred, now explicitly stated.

    Disk Unlock Traces (APFS)

    2025-06-27 14:04:10.731426+0200  localhost kernel[0]: (apfs) handle_async_keybag_unlock:6567: disk1s8 apfs is being UN-locked!

    The Unified Log now reports which encrypted disk (volume) is being unlocked. This ties biometric actions to APFS disk-level access — a valuable correlation point.

    Observation

    This is just an early glance, but one thing is already clear:

    The artifacts themselves haven’t radically changed — but the world around them has.

    For future forensic analysis, this means:

    • We’ll need to update existing detection rules for the AUL artefacts
    • And then layer in the new contextual artifacts that surround those events

    These contextual traces provide a richer environment for interpretation, but also raise the bar for proper filtering and predicate design.

    Teaser: BIOME Logging

    One last detail worth teasing: AUL now includes logs involving Biome, Apple’s behavioural data engine:

    2025-06-27 14:04:10.299943+0200  localhost biomed[53]: (BiomeStreams) [com.apple.Biome:BiomeCompute] Wrote bookmark file for subscription <private> domain: User path: <private>

    The implications of this are wide open, but it suggests a connection between biometric activity and user behaviour tracking.

    More on this soon.

    Stay tuned. iOS 26 is shaping up to be the most verbose Apple log environment yet and that’s both a challenge and an opportunity.

    Happy hunting!

    Leave a Reply

    Your email address will not be published. Required fields are marked *