Thesis Friday #6: Acquiring the Apple Unified Log – Terminal

Why use the terminal?


I write this guide based on years of experience as a digital forensic specialist. What you’re reading is not just a general how-to. It’s the exact approach I use in my own investigations, including when working with reference datasets.

Apple’s Unified Logging system records events in a binary format from various sources — system processes, user applications, background daemons, and kernel extensions. It’s structured and indexed, but also extremely verbose. The log-command provides direct, scriptable access to this data, allowing for precise filtering without relying on a GUI or dealing with limited export capabilities.

There are excellent tools available that can help you extract and interpret this data. But in this case, I want to focus on understanding what those tools actually do under the hood. How they acquire the data, step by step.

What do you need?

To acquire the Apple Unified Log, you’ll need:

  • A macOS device with Terminal access — this is where you’ll run the commands.
  • A target device to acquire logs from — this can be the same macOS device, or a separate one if you’re collecting logs from another system (e.g. in a lab or forensic scenario).

If you’re working on a single Mac, you can both execute the commands and collect the logs on that same device. For remote acquisitions, ensure you have proper access and permissions to run commands on the target machine.

Terminal commands

In this command we will acquire the AUL from a device that is connected to the macOS device:

$ sudo log collect --device --output /path/to/filename.logarchive

Let’s break this down:

  • sudo Required for elevated privileges. Without it, the system won’t allow access to protected log data.
  • log collect This tells macOS to initiate a collection of the Unified Log.
  • –device This flag specifies that you’re collecting logs from a connected device (e.g. an iPhone or another Mac in target disk mode). ⚠️ Without this flag, the command collects logs from the local system by default.
  • –output /path/to/filename.logarchive This defines the destination and filename for the log archive. Example: ~/Desktop/target_logs.logarchive

To maintain a clean audit trail and support chain-of-custody documentation, Apple provides additional parameters:

  • –device-name Use this to specify the name of the connected device. This is the human-readable device name shown in Finder or Apple Configurator.
  • udid This is the universally unique identifier assigned to the device by Apple. Unlike the name, the UUID cannot be modified by the end user and is ideal for forensic tracking. 

We now have an evidence file: a .logarchive bundle acquired directly from the target device. This file is considered our original.

From this point forward, we do not touch the original file.

Instead, we work exclusively with forensic copies to preserve integrity and avoid accidental modification. This is a standard practice in digital forensics, always protect your source, always document your workflow. You can hash the file for chain of custody integrity.

Preparing the logarchive for analysis

Now that we’re working from a forensic copy of the original .logarchive, we can start slicing the data. This is ideal for timeline reconstruction, correlation with other sources, or import into forensic tools. It also dramatically reduces file size compared to dumping the entire .logarchive.

Extracting a timeline

Let’s say you want to narrow your focus to a specific timeframe. You can extract only the log entries between two timestamps using the –start and –end flags:

$ log show --archive /path/to/working_copy.logarchive --start "2025-05-27 12:00:00" --end "2025-05-27 13:00:00" > filename.log

Let’s break it down:

  • log show This is the base command used to read and display log data from either the live system or an archive.
  • –archive /Path/to/working_copy.logarchive Specifies the path to the .logarchive file we’re analyzing. In this case, it’s the forensic working copy.
  • –start “2025-05-27 12:00:00” Sets the beginning of the time window you want to extract. This means: only show log entries after this timestamp.
  • –end “2025-05-27 13:00:00” Sets the end of the time window. Together with –start, this extracts exactly one hour of log activity.
  • > filename.log Redirects the output of the command to a file named scoped.log. This keeps your Terminal clean and saves the result for further analysis or archiving.

Convert the .logarchive to json

If you need to work with the log data in a structured format, for example to import it into a forensic timeline tool or parse it with Python. You can convert the .logarchive to JSON. The –style json flag outputs each log entry as a structured JSON object, and adding –info includes metadata about the archive.

Keep in mind: JSON exports grow fast. Always define a narrow time window to avoid creating massive files.

$ log show --archive /path/to/working_copy.logarchive --start "2025-05-27 12:00:00" --end "2025-05-27 13:00:00" --style json --info > filename.json

Let’s break it down:

  • log show The base command for reading logs.
  • –archive /path/to/working_copy.logarchive Points to the .logarchive copy you’re analyzing.
  • –start “2025-05-27 12:00:00” and –end “2025-05-27 13:00:00” Limits the output to a 1 hour time window. Always use these to reduce volume and keep your dataset relevant.
  • –style json Converts the log entries into structured JSON format — ideal for automation, searching, or parsing in other tools.
  • –info Includes additional metadata (e.g. timezone info, archive context, system information). This can be valuable in forensic scenarios where context matters.
  • > filename.json Redirects the output to a .json file on disk.

⚠️ Warning: File Size Can Explode

JSON exports are not compressed and contain verbose field names. Even a short time window can result in unexpectedly large files.

I will cover soon how to do your analysis on the AUL with tools and without.

33 Comments

  1. uujl Official Site: Best Slot Online in the Philippines. Quick uujl Login, Register, & App Download. Welcome to the uujl Official Site, the #1 destination for slot online in the Philippines. Experience seamless uujl login, quick uujl register, and uujl app download for the ultimate gaming experience. visit: uujl

  2. [9273]2ezbet Casino Philippines: Top 2ezbet Slot Games, Fast 2ezbet Login, Easy Register & Official 2ezbet App Download. Experience 2ezbet Casino Philippines! Enjoy fast 2ezbet login, easy 2ezbet register, and top 2ezbet slot games. Get the official 2ezbet app download for 24/7 gaming. visit: 2ezbet

  4. [2073]Arena Plus PH: The Best Online Gambling Site for Sports Betting and Online Casino in the Philippines. Experience Arena Plus PH, the best online gambling site PH for top-tier sports betting Philippines and online casino Philippines action. Use your ArenaPlus login to start winning today! visit: arenaplusph

  5. [2839]Phswerte Online Casino Philippines: Quick Login, Easy Register, Top Slots, and App Download for the Ultimate Gaming Experience. Experience Phswerte Online Casino Philippines! Enjoy quick phswerte login, easy phswerte register, and top phswerte slots. Get the phswerte app download for the ultimate gaming experience today. visit: phswerte

  6. [2382]Jiliccc Online Casino Philippines: Best Jiliccc Slots, Easy Login, Register & App Download Experience Jiliccc Online Casino Philippines: the top choice for Jiliccc slots. Enjoy a seamless Jiliccc login, fast register, and official app download. Play now! visit: jiliccc

  7. [5982]JollyPH Online Casino: Easy Login, Register, and App Download for the Best PH Slots. Experience the best PH slots at JollyPH Online Casino! Enjoy easy jollyph login, fast jollyph register, and the jollyph app download for non-stop gaming action today. visit: jollyph

  8. [9685]CryptoCasino Philippines: Register & Login today for a massive Sign Up Bonus. Play top Crypto Slots and enjoy a seamless mobile experience with our App Download. Experience the best crypto slots at CryptoCasino Philippines. Register or login now to claim your massive sign up bonus. Enjoy seamless mobile gaming on the go—complete your CryptoCasino app download today and start winning! visit: CryptoCasino

  9. [5148]bybet app|bybet register|bybet slots|bybet giris|bybet casino Join Bybet, the premier online casino in the Philippines! Complete your **Bybet register** today to play top-tier **Bybet slots**. Download the **Bybet app** for easy **Bybet giris** and enjoy a secure, world-class **Bybet casino** experience anytime, anywhere. visit: bybet

  10. [6672]Phaaa Online Casino Philippines: Secure Phaaa Login & Register to Play Premium Phaaa Slot Games. Phaaa Download App for the Ultimate Mobile Casino Experience. Experience premium Phaaa slot games at Phaaa Online Casino Philippines. Secure Phaaa login & Phaaa register today! Phaaa download app for the best mobile gaming. visit: phaaa

  11. [3916]fbvip Login & Register: Top Slot Online, Casino Link & App Download in Philippines Join fbvip today! Secure fbvip login & fbvip register for the best fbvip slot online in the Philippines. Access the fbvip casino link & fbvip app download now. visit: fbvip

  12. [1674]Ninogaming: Official Philippines Slot Online – Login, Register & Download APK via Link Alternatif Join Ninogaming, the official Philippines slot online platform. Access easy ninogaming login, register today, or download apk via link alternatif for premium gaming. visit: ninogaming

  13. [719]Melbet Philippines Official Site: Secure Registration, Login, App Download & Premium Casino Slots Visit the Melbet Philippines official site for secure melbet registration and login. Play premium melbet casino slots and get the melbet app download for free! visit: melbet

  14. [9109]18jili Online Casino Philippines: Easy Login, Register & App Download for the Best Slot Games Experience the ultimate 18jili Online Casino Philippines! Enjoy easy 18jili login and register processes to play top-tier 18jili slot games. Secure your 18jili app download today for the best mobile gaming experience and exclusive rewards. visit: 18jili

  15. [4617]Goated Official Site: Top Online Slots & Casino in the Philippines. Secure Goated Login, Easy Sign Up, and Official App Download. Experience the ultimate online gaming at the Goated official site, the #1 destination for top-rated Goated slots and casino games in the Philippines. Benefit from a secure Goated login and a fast, easy Goated sign up process to start winning today. Don’t miss out on the action—get the official Goated app download for seamless mobile play. Join the Goated community for a trusted, premium, and thrilling gambling experience! visit: Goated

  16. [8726]mwcbet register|mwcbet login|mwcbet casino|mwcbet giris|mwcbet app Join MWCBet, the Philippines’ premier online casino platform. Complete your MWCBet register and login (giris) today to access a wide range of premium MWCBet casino games, including slots and live dealers. Download the MWCBet app for a seamless mobile gaming experience and start winning with the most trusted casino in PH! visit: mwcbet

  17. [365]okplay Philippines: Top Casino & Slot Games. Fast okplay login, register, and official app download. Experience premium gaming at okplay Philippines! Enjoy top-tier okplay slot and casino games. Quick okplay login, easy okplay register, and official okplay download for the best mobile experience. Join the ultimate online casino destination in the Philippines today! visit: okplay

  18. [9499]55bmw Online Casino Philippines: Login, Register, Slot Games & Official App Download Join 55bmw Online Casino Philippines! Experience top-rated 55bmw slot games with secure 55bmw login and fast 55bmw register. Get the official 55bmw app download today and win big! visit: 55bmw

  19. [8287]Xojili Online Casino Philippines: Easy Login, Quick Register & App Download for the Best Slot Games. Experience Xojili Online Casino Philippines! Enjoy easy xojili login, quick xojili register, and premium xojili slot games. Get the xojili app download now for the best mobile gaming and big wins today! visit: xojili

  20. [9693]188JILI Online Casino Philippines: Quick Login, Easy Register, and App Download for the Best Slot Games. Experience the thrill of 188JILI Online Casino Philippines. Get quick 188JILI login, easy register, and fast 188JILI app download for the best slot games. Join the top-rated 188JILI online casino and start winning today! visit: 188JILICasino

  21. [8874]Q25Casino: The Best Legit Online Casino in the Philippines for Slots. Easy GCash Login & Fast Registration. Experience Q25Casino, the premier legit online casino in the Philippines specializing in the best online slots Philippines has to offer. Enjoy a seamless q25casino login gcash experience and a fast q25casino register process for immediate play. Join the most trusted platform for legit online gambling philippines and start winning today with q25casino online casino philippines. visit: q25casino

  22. [8612]PlayMojo Philippines: PlayMojo Login & Register for Top Online Slots, Casino Bonuses, and App Download. Join PlayMojo Philippines! Quick PlayMojo login & register to access top PlayMojo online slots. Claim a huge PlayMojo casino bonus & get the PlayMojo app download now! visit: PlayMojo

  23. [8933]Peryagame Online Casino Philippines: Easy Register, Login & App Download for the Best Peryagame Slots Experience. Join Peryagame Online Casino Philippines for the ultimate gaming experience! Quick Peryagame register, easy Peryagame login, and fast Peryagame app download for the best Peryagame slots. Experience the top-rated Peryagame online casino and start winning today! visit: peryagame

  24. [772]639club Online Casino Philippines: Quick Login, Register, and App Download for the Best Slot Games. Join 639club Online Casino Philippines for the ultimate gaming experience. Easy 639club login, quick 639club register, and 639club app download for top-tier 639club slot games. Start winning today! visit: 639club

  25. [7017]9awin Philippines: Official Link for 9awin Login, Register, App Download & Top Slot Online Games. Join 9awin Philippines! Access the 9awin official link for 9awin login & 9awin register. Play top 9awin slot online games and get the 9awin app download today! visit: 9awin

  26. [938]WineHQ Online Casino: The Best Legit Real Money Casino in the Philippines. Experience top-tier gaming at WineHQ Online Casino, recognized as the best legit real money casino in the Philippines. Fast-track your winnings with a secure WineHQ login or enjoy seamless play via the WineHQ Casino app download. Join the most trusted online casino Philippines has to offer and start winning real cash today! visit: winehq

  27. [2297]999jl: Official Link to Register, Login, and Download App for the Best 999jl Slot Games in the Philippines Experience the best 999jl slot games in the Philippines! Use the 999jl official link for a fast 999jl register and 999jl login. 999jl download app today for premium casino action, exclusive bonuses, and big wins anytime, anywhere. visit: 999jl

  28. [4906]Panaloplay: Best Philippines Online Casino – Slot Games, Easy Login, Register & App Download Experience Panaloplay, the best Philippines online casino! Enjoy top-tier Panaloplay slot games, fast Panaloplay login, and easy Panaloplay register. Get the Panaloplay app download today to play and win on the go! visit: panaloplay

  29. [1723]jlace app|jlace login|jlace giris|jlace download|jlace register Experience top-tier gaming at **jlace**, the Philippines’ premier online casino platform. **Download the jlace app** today for seamless mobile play. Simply complete your **jlace register** and secure **jlace login** (jlace giris) to access exclusive slots, live dealers, and big rewards. Join jlace now for the ultimate betting experience! visit: jlace

  30. [2579]Jilibet888: The Best Online Casino in the Philippines for GCash Slots and Instant Wins Experience Jilibet888, the best online casino in the Philippines for instant wins and top-tier entertainment. Secure your Jilibet888 login and register today to enjoy premium Jilibet888 slot games and seamless transactions at the leading GCash online casino Philippines. Join the best online gambling site PH for an unparalleled gaming experience! visit: jilibet888

  31. [9159]Jadesportsbet Official Site: Secure Login, Easy Register, and App Download for the Best Slots and Sports Betting in the Philippines. Experience the best slots and sports betting at the Jadesportsbet official site. Secure your jadesportsbet login, complete a fast jadesportsbet register, and get the jadesportsbet app download for premium gaming in the Philippines. Play jadesportsbet slots and win today! visit: jadesportsbet

  32. [5899]xgbet PH: The Best Online Casino & Live Sports Betting with Fast GCash Payouts Experience top-tier gaming at xgbet online casino Philippines. Discover the best online slots xgbet and thrilling xgbet live sports betting. Secure your xgbet login PH today for seamless GCash online gambling Philippines with the fastest payouts in the country. visit: xgbet

  33. [1519]25phwin slots|25phwin register|25phwin download|25phwin login|25phwin giris Experience the ultimate gaming thrill at 25phwin, the premier online casino in the Philippines. Play the latest 25phwin slots, complete your 25phwin register for exclusive bonuses, and enjoy a seamless 25phwin login. Get the app via 25phwin download for mobile play and fast 25phwin giris to start winning today! visit: 25phwin

Leave a Reply

Your email address will not be published. Required fields are marked *