iOS is always “doing things,” both because of and regardless of user activity. Most of what happens on a device is logged somewhere in the background. Some of this activity is captured in files and databases that are preserved in a forensic extraction. But a lot of logging is volatile — unless we take deliberate steps to preserve it, it disappears.
Unified logs are one of those overlooked sources that don’t always get the attention they deserve in mobile forensics. If you’ve read my earlier posts on triggering sysdiagnose (https://www.sjdcforensics.com/blog/triggering-sysdiagnose-on-ios-devices) and collecting sysdiagnose (https://www.sjdcforensics.com/blog/collecting-sysdiagnose-logs-from-ios-devices), you’ll know that Apple provides ways to generate smaller snapshots of a device’s state via the iOS sysdiagnose protocol. They’re useful in most circumstances, but they’re still only a partial picture.
Unified logs, on the other hand, give a much larger picture, especially if they are preserved soon after the event of interest. They include granular background activity that is only available if we take the steps to preserve it. And yes, they are bigger, messier, and take more effort to collect. But they are also far more inclusive (up to 30 days of activity, though usually less) than a sysdiagnose (up to 10 days of activity, though usually less).
A quick but important note: at the time of this writing a couple of the major mobile device extraction tools were/are deleting sysdiagnose and/or unified logs (despite one vendor specifically telling me this was fixed in a version of their tool that I was using), so it is important to collect these logs before a forensic extraction.
Is a Mac required
Nope. Until recently there were few available tools for collecting iOS unified logs outside of the macOS environment, and even fewer on Windows. Fortunately, a relatively new Python-based open-source tool, UFADE, will capture iOS unified logs (in addition to other types of forensic extractions). Shout out to Christian Peter for his work on this fantastic tool, which he has made available to the forensic community at no cost.
Manual collection
Back to the Mac method of collecting these logs. If you're doing this manually on a Mac, you'll need the libimobiledevice toolkit installed (the log command itself ships with macOS; libimobiledevice gives you idevice_id and idevicepair for confirming the UDID and the trust/pairing state):
https://github.com/libimobiledevice/libimobiledevice
Or, just run brew install --HEAD libimobiledevice
Once that's in place, connect the device, unlock it, accept the trust prompt, and run:
idevice_id -l # confirm your device UDID shows up
log collect --device-udid <UDID> --output ~/Desktop/iPhone-<UDID>-<date>.logarchive
The --device-udid flag (or --device / --device-name) is the important part: without it, log collect gathers the logs of the Mac you are typing on, not the iPhone. Add --last 30d if you want to bound the collection window explicitly.
That's it. You'll end up with a .logarchive bundle (a folder, not a single file) on your desktop.
Automating the workflow
To save time – mostly with the “forensic” part of the process – I scripted the process into what I call the Mac-iPhone Unified Log Collector (ULC). It handles:
- Prompting for case and evidence numbers
- Waiting for the device to be connected and trusted
- Capturing the logs into a properly named .logarchive
- Hashing the output (MD5) for integrity
- Logging the entire session to a text file
It also reminds you up front that Stolen Device Protection must be disabled; otherwise, trust cannot be established.
You can find the script here:
https://github.com/mantal1/Mac-iPhone-Unified-Log-Collector-ULC
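As an added example that is not the ULC script and not code from the original post, here is a minimal POSIX sh version of the same workflow: wait for a trusted device, collect into a case-named .logarchive, and hash the result. It assumes macOS with the built-in log tool and libimobiledevice (idevice_id, idevicepair) on PATH; the filename pattern, the ULC_LAST environment variable and the session log path are my own choices, not ULC's. The hashing part is the one piece worth copying even if you keep your own script: a .logarchive is a directory, so a single md5 of "the file" does not exist, and the example builds a sorted per-file manifest and hashes that instead.

```shell
#!/bin/sh
# Added example (not the ULC script, not from the original post): a POSIX-sh
# sketch of the collection workflow. Assumed environment: macOS with `log`,
# plus libimobiledevice's idevice_id and idevicepair on PATH.
# ULC_LAST (e.g. ULC_LAST=30d) is an assumed optional variable bounding the window.

# Evidence filename: <case>_<item>_iPhone-<UDID>-<date>.logarchive (our own pattern).
ulc_name() {
    printf '%s_%s_iPhone-%s-%s.logarchive\n' "$1" "$2" "$3" "$4"
}

# md5 of one file / of stdin, portable across macOS (md5) and Linux (md5sum).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1; else md5 -q "$1"; fi
}
stdin_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum | cut -d' ' -f1; else md5 -q; fi
}

# A .logarchive is a directory, so hashing "the file" is meaningless. Emit a
# sorted manifest ("md5  relative path") covering every file inside the bundle...
bundle_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(file_md5 "$f")" "$f"
    done )
}

# ...and reduce it to one value for the report. Any changed, added or removed
# file inside the bundle changes this value.
bundle_md5() {
    bundle_manifest "$1" | stdin_md5
}

# Block until a device is attached and has accepted the trust prompt.
# `idevicepair validate` exits non-zero while the device is unpaired, which is
# also what you see when Stolen Device Protection is blocking the pairing.
wait_for_trusted_udid() {
    while :; do
        udid=$(idevice_id -l 2>/dev/null | head -n 1)
        if [ -n "$udid" ] && idevicepair -u "$udid" validate >/dev/null 2>&1; then
            echo "$udid"
            return 0
        fi
        if [ -n "$udid" ]; then
            idevicepair -u "$udid" pair >/dev/null 2>&1 || true   # pops the Trust dialog
        fi
        echo "Waiting for a trusted device (unlock it and tap Trust)..." >&2
        sleep 5
    done
}

collect_device_logs() {
    case_no=$1; item=$2
    udid=$(wait_for_trusted_udid)
    out="$HOME/Desktop/$(ulc_name "$case_no" "$item" "$udid" "$(date +%Y%m%d)")"
    # --device-udid makes `log collect` pull the iPhone's logs; without it you get this Mac's.
    log collect --device-udid "$udid" --output "$out" ${ULC_LAST:+--last "$ULC_LAST"}
    bundle_manifest "$out" > "$out.manifest.md5"
    printf '%s  %s\n' "$(bundle_md5 "$out")" "$out" \
        | tee -a "$HOME/Desktop/${case_no}_${item}_session.log"
}

# Usage: sh ulc-min.sh collect <case-number> <evidence-number>
case "${1:-}" in
    collect) shift; collect_device_logs "$@" ;;
esac
```

Keep the manifest file next to the bundle: it lets a reviewer verify an individual .tracev3 later without re-hashing the whole archive, and it makes clear which file changed if the overall value ever fails to match.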
Reading the logs
Once you've collected a .logarchive, you can't just open it in a text editor. It's a structured bundle (a directory with an Info.plist and binary .tracev3 files) that requires proper tools to interpret, or a Mac, where log show --archive <path> and Console.app read it natively.
Some forensic suites have started adding support for the parsing of these logs, including Cellebrite and Magnet AXIOM. Elcomsoft’s iOS Forensic Toolkit can also extract unified logs (see their writeup: https://blog.elcomsoft.com/2025/06/extracting-and-analyzing-apple-unified-logs), but parsing and deep analysis of the .logarchive is more limited.
Beyond the commercial suites, a few open-source projects are worth knowing about:
- mandiant/macos-UnifiedLogs (https://github.com/mandiant/macos-UnifiedLogs) – Rust, actively maintained
- ydkhatri/UnifiedLogReader (https://github.com/ydkhatri/UnifiedLogReader) – Python, archived but still useful
- EC-DIGIT-CSIRC/sysdiagnose toolkit (https://github.com/EC-DIGIT-CSIRC/sysdiagnose)
- iLEAPP (https://github.com/abrignoni/iLEAPP) – already a staple for iOS artifact parsing, and now adding the ability to process unified logs from .logarchive bundles. This makes it possible to correlate unified log entries alongside other iOS artifacts in one workflow.
Parsing unified logs is a subject in itself. I’ll cover these tools in a future post.
Closing thoughts
If you’re already comfortable pulling sysdiagnose logs, consider stepping up to full unified logs when the case warrants it. They capture a broader span of system and app activity, and in some cases may be the only place a key artifact lives.
Yes, the logs are massive (up to 3 GB on an actively used iPhone), but if you care about context, correlating the breadcrumbs that are not captured by other artifacts, unified logs may be worth the effort.