Sysdiagnose or CLI Logarchive?
When conducting forensic investigations on Apple devices, Unified Logs provide a treasure trove of information about user interactions, system events, and application behavior. However, the way these logs are extracted greatly influences the amount and quality of the data we get. In this post, I compare the logarchive generated via Sysdiagnose with one created manually using the log collect CLI command on iOS, iPadOS, and macOS.
Methodology
To understand the differences, I created a script named compare_logarchive (available on GitHub) to automate the analysis of key properties like:
- Log size
- Time-to-live (TTL), i.e. how far back in time the archive reaches
- Number of total events
- Number of unique processes
Each platform was tested twice:
- By triggering a system-level Sysdiagnose (automated collection)
- By manually collecting logs via log collect using Terminal (CLI)
Disclaimer: This comparison focuses on the quantity and general properties of the logs, such as TTL and number of lines. It does not analyze TTL at the level of individual processes or subprocesses, nor does it examine the lifespan of specific artifacts within the logs.
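The properties listed above can be computed from any .logarchive with the macOS log CLI. The script below is an added example, not the author's compare_logarchive tool, and it assumes the behaviour of the macOS log command: that log show --archive <path> --style ndjson prints one JSON object per event with a "timestamp" field formatted like "2024-05-01 12:00:00.123456+0200" and a "processImagePath" field, that a .logarchive is a directory bundle (so its size is the sum of its files), and that "TTL" is measured as the span from the oldest to the newest event. The sample ndjson lines embedded in it are constructed, not taken from a real device.

```python
"""Measure the logarchive properties compared in this post: event count,
unique processes, time span ("TTL") and on-disk size.

Added example, not the author's compare_logarchive tool. Assumptions
(macOS `log` CLI behaviour):
  * `log show --archive <path> --style ndjson` emits one JSON object per
    event with a "timestamp" like "2024-05-01 12:00:00.123456+0200" and a
    "processImagePath" field;
  * a .logarchive is a directory bundle, so its size is the sum of its files;
  * "TTL" here means the span from the oldest to the newest event.
"""
import json
import os
import subprocess
import sys
from datetime import datetime
from typing import Dict, Iterable, List, Optional

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"


def log_show_cmd(archive: str) -> List[str]:
    """argv that dumps every event of a .logarchive as newline-delimited JSON."""
    return ["log", "show", "--archive", archive, "--style", "ndjson"]


def archive_size(archive: str) -> int:
    """Total bytes of the files inside the .logarchive bundle directory."""
    return sum(
        os.path.getsize(os.path.join(root, name))
        for root, _dirs, files in os.walk(archive)
        for name in files
    )


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Walk ndjson event lines once: count events and unique processes and
    track the oldest/newest timestamp. Non-JSON lines (log show prints a
    notice about skipped info/debug messages) are ignored."""
    events = 0
    processes = set()
    oldest: Optional[datetime] = None
    newest: Optional[datetime] = None
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        events += 1
        proc = ev.get("processImagePath")
        if proc:
            processes.add(proc)
        try:
            ts = datetime.strptime(ev["timestamp"], TS_FORMAT)
        except (KeyError, ValueError):
            continue  # the event is counted but cannot contribute to the span
        oldest = ts if oldest is None or ts < oldest else oldest
        newest = ts if newest is None or ts > newest else newest
    span_days = (newest - oldest).total_seconds() / 86400 if oldest and newest else 0.0
    return {
        "events": events,
        "unique_processes": len(processes),
        "oldest": oldest.isoformat() if oldest else None,
        "newest": newest.isoformat() if newest else None,
        "ttl_days": round(span_days, 2),
    }


def compare(sysdiag: Dict[str, object], cli: Dict[str, object]) -> Dict[str, float]:
    """CLI / Sysdiagnose ratio for the properties the post reports."""
    out = {}
    for key in ("events", "unique_processes", "ttl_days"):
        base = float(sysdiag[key])
        out[key] = round(float(cli[key]) / base, 2) if base else float("inf")
    return out


# Constructed sample of what `log show --style ndjson` prints: three events
# spanning two days from two processes, plus the non-JSON notice line.
SAMPLE_NDJSON = [
    "Skipping info and debug messages, pass --info and/or --debug to include.",
    '{"timestamp":"2024-05-01 08:00:00.000000+0200","processImagePath":"/usr/libexec/opendirectoryd","eventMessage":"sample"}',
    '{"timestamp":"2024-05-02 09:30:15.123456+0200","processImagePath":"/usr/sbin/securityd","eventMessage":"sample"}',
    '{"timestamp":"2024-05-03 08:00:00.000000+0200","processImagePath":"/usr/libexec/opendirectoryd","eventMessage":"sample"}',
]


def main(argv: List[str]) -> None:
    if len(argv) == 2:
        # Stream the archive instead of holding tens of millions of events in memory.
        with subprocess.Popen(log_show_cmd(argv[1]), stdout=subprocess.PIPE, text=True) as p:
            stats = summarize(p.stdout)
        stats["size_bytes"] = archive_size(argv[1])
    else:
        stats = summarize(SAMPLE_NDJSON)
    print(json.dumps(stats, indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as python3 script.py /path/to/system_logs.logarchive on a Mac; without an argument it summarizes the constructed sample. By default log show omits info and debug level messages, so append --info and --debug to the argv if those should be counted as well. When producing the CLI archive, run log collect with sudo on macOS; for an iPhone or iPad the archive is pulled from a connected Mac with log collect --device (or --device-name / --device-udid), since there is no Terminal on iOS or iPadOS.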
Findings
macOS
- Sysdiagnose: TTL = 2 days, Events = ~7.9 million, Unique processes = 914
- CLI (log collect): TTL = 30 days, Events = ~26.2 million, Unique processes = 1509
iPadOS
- Sysdiagnose: TTL = 10 days, Events = ~5.7 million, Unique processes = 1300
- CLI (log collect): TTL = 15 days, Events = ~9.1 million, Unique processes = 1088
iOS
- Sysdiagnose: TTL = 2 days, Events = ~5.8 million, Unique processes = 745
- CLI (log collect): TTL = 14 days, Events = ~23.3 million, Unique processes = 841
Interpretation
The difference in TTL is striking, especially on macOS and iOS. The CLI-collected logarchives consistently retain log entries for significantly longer periods, making them much more useful in timeline analysis. The absolute figures will vary between devices, since how far back the on-device log store reaches depends on how much the device logs, but the direction of the difference was the same on every platform tested.
Another major difference is the number of events captured. The CLI versions hold between roughly 1.6x (iPadOS) and 4x (iOS) more log entries than their Sysdiagnose counterparts. Interestingly, iPadOS behaves slightly differently; while its CLI version has a longer TTL and more total events, the number of unique processes is lower than in the Sysdiagnose version.
Why it matters
For forensic practitioners, the richer dataset obtained via log collect offers a better foundation for reconstructing system and user activity over extended periods. Relying solely on Sysdiagnose may lead to missed artefacts, especially when investigating incidents that occurred more than a few days ago.
Conclusion
If you’re serious about Apple Unified Log analysis in forensic investigations, prefer using the CLI method over Sysdiagnose. The difference is not marginal; it significantly impacts what you can discover.
You can find the compare_logarchive tool and instructions for use on GitHub.
Happy hunting!