Send us a text

Apple devices are constantly recording user activity, yet few forensic examiners are making use of the vast amount of data these systems quietly generate. Apple's Unified Logs and Spotlight databases track nearly everything that happens on an iOS device, often without the user realizing it.

Would you believe an iPhone can generate around 1.5 million log entries in just 15 minutes of regular use? These records include highly specific actions—such as the exact moment Face ID is used to unlock a device, when the phone is flipped face-up, or whether a user interacted with Siri or used the device manually. Despite their detail and reliability, these sources are often overlooked in mobile investigations.

In this session, we’ll show how forensic practitioners can process and search these massive log sets using open-source tools. We’ll walk through examples of log entries that record actions like toggling airplane mode, launching specific apps like Facebook, or even detecting changes in device orientation. For investigators, this means direct, time-stamped evidence of how a device was used.

One of the most valuable aspects of this data is its ability to help distinguish between user actions and automatic background processes. Was an app opened by the user, or was it a system event? These logs provide that level of clarity. We’ll demonstrate how to isolate specific events from millions of entries and construct accurate timelines that reflect exactly what happened—and when.

As part of our ongoing work, we’re also focused on improving the accessibility and usability of these artifacts with incorporation into the LEAPPS. If you work with iOS devices, this is a session you won’t want to miss. 

Notes:

2026 IACIS in Reno NV-

https://www.iacis.com/training/reno-info/

Spotlight-

https://github.com/ydkhatri/mac_apt

Unified Logs-

https://www.ios-unifiedlogs.com/

https://github.com/abrignoni/iLEAPP