Unified Logging / Sysdiagnose

iOS | Execution Evidence | Device Extraction

Location

private/var/logs/ and sysdiagnose output (collected via Settings > Privacy > Analytics)

Description

iOS Unified Logging system capturing structured log messages from the kernel, system daemons, frameworks, and applications in compressed tracev3 binary format. Sysdiagnose is a comprehensive diagnostic archive that bundles unified logs, process listings, network state, power logs, and other system information into a single tar.gz archive. Sysdiagnose can be triggered via Settings or key combinations and is the primary method for extracting unified logs from iOS devices.

Forensic Value

Unified logs are the single most comprehensive logging source on iOS, capturing process execution, network connections, push notification delivery, URL scheme invocations, Bluetooth activity, and security-relevant events from every system component. Log entries include the originating process, subsystem, and category, enabling filtered extraction of security events. Sysdiagnose archives contain additional diagnostic data including process snapshots, network interface states, and WiFi scan results not available elsewhere. Because unified log persistence depends on available storage, forensic collection via sysdiagnose should be performed as early as possible in the investigation to maximize log retention.
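As an added example (not part of the original entry), the filtering described above over the default text format that `log show` emits when reading a sysdiagnose logarchive on macOS: parse the process, subsystem and category fields, select entries by any of them, and report the time window the retained logs still cover. The log lines are constructed samples, and the assumption that the archive has already been exported to text in that format is mine.

```python
"""Filter unified-log text lines (default `log show` layout) by process, subsystem
and category, and report the retention window the exported entries cover."""
import re
from datetime import datetime
from typing import Iterator, List, NamedTuple, Optional

# One default-format line: timestamp, thread, type, activity, pid, ttl, then
# "process: (library) [subsystem:category] message"; library and subsystem are optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6}[+-]\d{4})\s+"
    r"(?P<thread>0x[0-9a-f]+)\s+(?P<type>\w+)\s+(?P<activity>0x[0-9a-f]+)\s+"
    r"(?P<pid>\d+)\s+(?P<ttl>\d+)\s+(?P<proc>[^:]+):\s+"
    r"(?:\((?P<lib>[^)]*)\)\s+)?(?:\[(?P<subsystem>[^:\]]*):(?P<category>[^\]]*)\]\s+)?"
    r"(?P<msg>.*)$"
)

# Constructed sample export; not taken from any real device.
SAMPLE_LOG = """\
Timestamp                       Thread     Type        Activity             PID    TTL
2024-03-01 10:15:02.123456+0000 0x1a2b     Default     0x0                  47     0    kernel: (AppleMobileFileIntegrity) AMFI: constrained launch of pid 310
2024-03-01 10:15:02.500000+0000 0x1a2c     Info        0x0                  123    0    SpringBoard: (FrontBoard) [com.apple.FrontBoard:Common] Opening URL scheme example://
2024-03-01 10:16:10.000000+0000 0x1a2d     Default     0x0                  88     0    apsd: [com.apple.apsd:Push] Received push for topic com.example.app
2024-03-01 10:17:45.250000+0000 0x1a2e     Error       0x0                  201    0    bluetoothd: [com.apple.bluetooth:Pairing] Pairing request from peer
"""

class Entry(NamedTuple):
    ts: datetime
    type: str
    pid: int
    process: str
    subsystem: Optional[str]
    category: Optional[str]
    message: str

def parse_lines(text: str) -> Iterator[Entry]:
    """Yield parsed entries; the header and any line that does not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z")
        yield Entry(ts, m["type"], int(m["pid"]), m["proc"].strip(),
                    m["subsystem"], m["category"], m["msg"])

def filter_entries(entries, process=None, subsystem_prefix=None, category=None) -> List[Entry]:
    """Keep entries matching every given criterion (subsystem matched by prefix)."""
    return [e for e in entries
            if (process is None or e.process == process)
            and (subsystem_prefix is None or (e.subsystem or "").startswith(subsystem_prefix))
            and (category is None or e.category == category)]

def retained_span(entries):
    """Earliest and latest timestamps, i.e. the window the export still covers."""
    stamps = [e.ts for e in entries]
    return (min(stamps), max(stamps)) if stamps else None
```

A short span between the earliest and latest entry is itself a finding: it shows how much history the device had already pruned before collection.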

Tools Required

iLEAPP, APOLLO, Cellebrite UFED, Magnet AXIOM, UnifiedLogReader, mac_apt

Collection Commands

sysdiagnose

Trigger on device: Settings > Privacy > Analytics & Improvements > Analytics Data > sysdiagnose

libimobiledevice

idevicesyslog -u <UDID> > syslog_capture.txt

iLEAPP

python3 ileapp.py -t tar -i /path/to/sysdiagnose.tar.gz -o /forensics/output/

Collection Constraints

  • Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

T1636, T1426, T1421, T1422