Unified Logging / Sysdiagnose

iOS, Execution Evidence, Device Extraction

Location

private/var/logs/ and sysdiagnose output (collected via Settings > Privacy > Analytics)

Description

iOS Unified Logging system capturing structured log messages from the kernel, system daemons, frameworks, and applications in compressed tracev3 binary format. Sysdiagnose is a comprehensive diagnostic archive that bundles unified logs, process listings, network state, power logs, and other system information into a single tar.gz archive. Sysdiagnose can be triggered via Settings or key combinations and is the primary method for extracting unified logs from iOS devices.

Forensic Value

Unified logs are the single most comprehensive logging source on iOS, capturing process execution, network connections, push notification delivery, URL scheme invocations, Bluetooth activity, and security-relevant events from every system component. Log entries include the originating process, subsystem, and category, enabling filtered extraction of security events. Sysdiagnose archives contain additional diagnostic data including process snapshots, network interface states, and WiFi scan results not available elsewhere. Because unified log persistence depends on available storage, forensic collection via sysdiagnose should be performed as early as possible in the investigation to maximize log retention.
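The filtered extraction and retention check described above, as an added example that is not part of the original entry: it triages unified-log records exported as JSON (the shape `log show --style json` produces from a sysdiagnose's log archive), selecting by subsystem, category or process and measuring how much history survived. The sample records and their subsystem names are constructed for illustration.

```python
"""Triage unified-log entries exported as JSON (as from `log show --style json`).
Added example; the sample export below is constructed, not real device data."""
import json
from datetime import datetime

# Constructed sample export: three records in the field layout `log show` emits.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2024-03-01 08:00:00.000000-0500", "processID": 1,
     "processImagePath": "/sbin/launchd", "subsystem": "com.example.boot",
     "category": "startup", "eventMessage": "boot complete"},
    {"timestamp": "2024-03-01 09:15:30.120000-0500", "processID": 412,
     "processImagePath": "/System/Library/CoreServices/SpringBoard.app/SpringBoard",
     "subsystem": "com.example.urlscheme", "category": "open",
     "eventMessage": "opening URL scheme myapp://"},
    {"timestamp": "2024-03-02 10:00:00.000000-0500", "processID": 512,
     "processImagePath": "/usr/libexec/example_daemon", "subsystem": "com.example.net",
     "category": "connect", "eventMessage": "connection to 203.0.113.5:443"},
])

# `log show` timestamps carry microseconds and a numeric UTC offset.
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"


def load_entries(raw):
    """Parse the JSON array exported by `log show --style json`."""
    return json.loads(raw)


def filter_entries(entries, subsystem_prefix=None, category=None, process=None):
    """Select records by subsystem prefix, exact category and/or process basename."""
    out = []
    for e in entries:
        if subsystem_prefix and not e.get("subsystem", "").startswith(subsystem_prefix):
            continue
        if category and e.get("category") != category:
            continue
        if process and e.get("processImagePath", "").rsplit("/", 1)[-1] != process:
            continue
        out.append(e)
    return out


def retention_seconds(entries):
    """Seconds between the oldest and newest record: a quick check of how much
    history survived, since unified-log persistence depends on free storage."""
    stamps = [datetime.strptime(e["timestamp"], TS_FORMAT) for e in entries]
    return (max(stamps) - min(stamps)).total_seconds()
```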

Tools Required

iLEAPP, APOLLO, Cellebrite UFED, Magnet AXIOM, UnifiedLogReader, mac_apt