Thesis Friday #16: Unlocking a MacBook with the Touch ID Sensor

The summer break is officially over, and it’s time to continue digging deeper into the Apple Unified Log (AUL). Up until now, my focus has been mostly on iPhones, but this week I shifted towards MacBook artefacts. What makes this interesting is that Apple shares much of its logging structure across devices, meaning artefacts familiar on iOS can also be found on macOS.

For this research, I worked on a MacBook M4 Pro running macOS 15.6.1, where I successfully unlocked the system using the built-in Touch ID sensor. By searching specifically for the keyword “TouchID” in the Unified Log, I was able to identify several artefacts that form a consistent unlock sequence.


Artefact 1: Sensor was previously Finger OFF

2025-08-22 13:38:07.908097+0200  localhost kernel[0]: (AppleBiometricSensor) handleStateMachine: Finger off in pause mode but the sensor is not idle, force Idle
  • Timestamp: 2025-08-22 13:38:07.475548
  • Process: kernel
  • Subsystem: AppleBiometricSensor
  • EventMessage: handleStateMachine: Sensor was previously in Finger OFF state

This marks the starting state of the biometric sensor: idle, waiting for interaction.

Artefact 2: Finger detected on Touch ID sensor

2025-08-22 13:38:07.475561+0200  localhost kernel[0]: (AppleBiometricSensor) setFingerOnState: FingerON
  • Timestamp: 2025-08-22 13:38:07.475561
  • Process: kernel
  • Subsystem: AppleBiometricSensor
  • EventMessage: setFingerOnState: FingerON

This entry confirms that the sensor has detected a fingerprint placed on the Touch ID reader. It marks the start of the biometric verification sequence.

Artefact 3: Display wake due to input

2025-08-22 13:38:07.476078+0200  localhost powerd[336]: [com.apple.powerd:assertions] Display is asleep on activity tickle. Lets turn it on
  • Timestamp: 2025-08-22 13:38:07.476078
  • Process: powerd
  • Subsystem: assertions
  • EventMessage: Display is asleep on activity tickle. Lets turn it on

The system attempts to wake the display due to detected user activity.

Artefact 4: BiometricKit latency event

2025-08-22 13:38:07.476452+0200  localhost biometrickitd[412]: [com.apple.BiometricKit:Latency] [TALt] BKDM::Accy: kBiometricKitStatusFinger(1): transportInterval:0(us)
  • Timestamp: 2025-08-22 13:38:07.476452
  • Process: biometrickitd
  • Subsystem: BiometricKit
  • EventMessage: [TALt] BKDM::Accy: kBiometricKitStatusFinger(1): transportInterval:0(us)

The biometric subsystem has acknowledged the finger-on event and provides diagnostic timing info.

Artefact 5: User activity confirmed

2025-08-22 13:38:07.476372+0200  localhost powerd[336]: [com.apple.powerd:assertions] Process WindowServer.394 TurnedOn UserIsActive "com.apple.iohideventsystem.queue.tickle serviceID:100000b1b 
  • Timestamp: 2025-08-22 13:38:07.476372
  • Process: powerd
  • Subsystem: assertions
  • EventMessage: Process WindowServer.394 TurnedOn UserIsActive “com.apple.iohideventsystem.queue.tickle serviceID:100000b1b

The WindowServer process confirms user input and sets the state to active.

Artefact 6: Display wake (confirmation)

2025-08-22 13:38:07.476912+0200  localhost powerd[336]: [com.apple.powerd:assertions] Display is asleep on activity tickle. Lets turn it on
  • Timestamp: 2025-08-22 13:38:07.476912
  • Process: powerd
  • Subsystem: assertions
  • EventMessage: Display is asleep on activity tickle. Lets turn it on

A second wake event confirms that the system ensures the display is active during authentication.

Artefact 7: Core Authentication receives finger-on

2025-08-22 13:38:07.477810+0200  localhost coreauthd[646]: (MechTouchId) [com.apple.LocalAuthentication:Server,Interactive,Biometry] MechanismTouchId[18](run) has received finger-on from <BKMatchTouchIDOperation: 0xcb80add80>
  • Timestamp: 2025-08-22 13:38:07.477810
  • Process: coreauthd
  • Subsystem: LocalAuthentication / Biometry
  • EventMessage: MechanismTouchId[18](run) has received finger-on from <BKMatchTouchIDOperation>

The central authentication daemon acknowledges the finger-on event and starts verification.

Artefact 8: Device unlocked

2025-08-22 13:38:07.570259+0200  localhost powerd[336]: [com.apple.powerd:coreSmartPowerNap] Device is unlocked/active
  • Timestamp: 2025-08-22 13:38:07.570259
  • Process: powerd
  • Subsystem: coreSmartPowerNap
  • EventMessage: Device is unlocked/active

This is the key forensic marker confirming that the MacBook has transitioned into an unlocked state.

Artefact 9: Sensor was previously Finger ON

2025-08-22 13:38:07.666855+0200  localhost kernel[0]: (AppleBiometricSensor) handleStateMachine: Sensor was previously in Finger ON state
  • Timestamp: 2025-08-22 13:38:07.666855
  • Process: kernel
  • Subsystem: AppleBiometricSensor
  • EventMessage: handleStateMachine: Sensor was previously in Finger ON state

This entry shows the biometric sensor transitioning out of active state after the successful unlock.

Artefact 10: Display status updated

2025-08-22 13:38:07.682780+0200  localhost kernel[0]: (AppleMesaSEPDriver) performSpecificCommandGated: Display status changed: 1
  • Timestamp: 2025-08-22 13:38:07.682780
  • Process: kernel
  • Subsystem: AppleMesaSEPDriver
  • EventMessage: performSpecificCommandGated: Display status changed: 1

Final confirmation that the display state is fully active after unlock.

Forensic Relevance

Together, these artefacts create a complete timeline of a Touch ID unlock on macOS:

  1. The biometric sensor reports its idle state.
  2. A finger is detected and passed into BiometricKit.
  3. powerd and WindowServer confirm user interaction and wake the display.
  4. coreauthd initiates the Touch ID verification process.
  5. The system confirms the device is unlocked.
  6. The biometric sensor and display return to their normal active/idle states.

This provides both user interaction evidence (finger placed, sensor state changes) and system state changes (device unlocked, display wake).
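The timeline above can be rebuilt mechanically from a text export of the log. The following is an added example, not code from the original post: it parses syslog-style lines (copied from Artefacts 2, 4, 5, 7 and 8), sorts them by timestamp rather than by listing order, and pairs each finger-on with the coreauthd event and the unlock marker. The label names and the 2-second correlation window are assumptions made for this sketch.

```python
import re
from datetime import datetime
# Log lines copied from the artefacts above, in the order the post lists them.
SAMPLE = """\
2025-08-22 13:38:07.475561+0200  localhost kernel[0]: (AppleBiometricSensor) setFingerOnState: FingerON
2025-08-22 13:38:07.476452+0200  localhost biometrickitd[412]: [com.apple.BiometricKit:Latency] [TALt] BKDM::Accy: kBiometricKitStatusFinger(1): transportInterval:0(us)
2025-08-22 13:38:07.476372+0200  localhost powerd[336]: [com.apple.powerd:assertions] Process WindowServer.394 TurnedOn UserIsActive "com.apple.iohideventsystem.queue.tickle serviceID:100000b1b
2025-08-22 13:38:07.477810+0200  localhost coreauthd[646]: (MechTouchId) [com.apple.LocalAuthentication:Server,Interactive,Biometry] MechanismTouchId[18](run) has received finger-on from <BKMatchTouchIDOperation: 0xcb80add80>
2025-08-22 13:38:07.570259+0200  localhost powerd[336]: [com.apple.powerd:coreSmartPowerNap] Device is unlocked/active
"""

MARKERS = [  # (process, message substring, label); labels are hypothetical names
    ("kernel", "setFingerOnState: FingerON", "finger_on"),
    ("biometrickitd", "kBiometricKitStatusFinger(1)", "biometrickit_finger"),
    ("powerd", "TurnedOn UserIsActive", "user_active"),
    ("coreauthd", "has received finger-on", "coreauthd_finger_on"),
    ("powerd", "Device is unlocked/active", "device_unlocked"),
]
LINE_RE = re.compile(r"^(\S+ \S+[+-]\d{4})\s+\S+\s+([\w.]+)\[\d+\]:\s+(.*)$")

def parse(text):
    """Return [(timestamp, label)] for known markers, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank or wrapped line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f%z")
        for proc, needle, label in MARKERS:
            if m.group(2) == proc and needle in m.group(3):
                events.append((ts, label))
                break
    return sorted(events)

def unlocks(events, window_s=2.0):
    """Pair each finger_on with a later coreauthd event and unlock marker."""
    found, start, authed = [], None, False
    for ts, label in events:
        if label == "finger_on":
            start, authed = ts, False
        elif start and (ts - start).total_seconds() > window_s:
            start = None  # stale finger-on: no unlock followed in time
        elif start and label == "coreauthd_finger_on":
            authed = True
        elif start and authed and label == "device_unlocked":
            ms = (ts - start).total_seconds() * 1000
            found.append({"finger_on": start, "unlocked": ts, "latency_ms": round(ms, 3)})
            start = None
    return found
```

Calling `unlocks(parse(SAMPLE))` yields one sequence, and the sorted output places the powerd UserIsActive entry ahead of the biometrickitd entry, since its timestamp is earlier than the one listed before it.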

Conclusion

By searching for “TouchID” in the Unified Log, I was able to reconstruct the full lifecycle of a Touch ID unlock on a MacBook running macOS 15.6.1. The artefacts clearly show the fingerprint interaction, the biometric verification, and the final confirmation that the device was unlocked.

What stands out is that the unlock sequence also includes several “tickle” artefacts, where the system reports that the display is woken up by activity. While this might sound almost playful, these tickle events provide valuable forensic context, as they confirm user interaction and the moment the display was reactivated during authentication.

This highlights once again how Apple’s artefacts are not only consistent across devices but also contain rich, sometimes quirky, markers of user activity that can strengthen forensic analysis.
