Wi-Fi & Airport Connection Logs

macosNetwork TrafficDisk ImageSIEM / Log Aggregator

Location

/var/log/wifi.log (legacy) and Unified Log (subsystem: com.apple.wifi)

Description

Wi-Fi subsystem logs capturing wireless network association and disassociation events, SSID and BSSID information, signal strength, authentication type, and connection state changes. On modern macOS versions, Wi-Fi events are primarily recorded in the Unified Log under the com.apple.wifi subsystem, while legacy systems used the /var/log/wifi.log text file.

Forensic Value

Wi-Fi logs establish which wireless networks the system connected to and when, providing physical location context for the investigation timeline. Connection events to unknown or suspicious SSIDs may indicate evil twin attacks or rogue access point compromise. The BSSID (MAC address of the access point) enables correlation with physical network infrastructure. Frequent reconnection attempts or authentication failures suggest wireless deauthentication attacks. Wi-Fi connection history combined with airport preferences data creates a comprehensive wireless network usage profile.

Tools Required

log (macOS CLI)mac_aptgrepCrowdstrike UAC

Acquisition Methods

External Boot dd Image (Intel Mac)

macos — physical

Target Disk Mode (Intel Mac)

macos — physical

Share Disk (Apple Silicon)

macos — physical

SUMURI Recon ITR Logical Acquisition

macos — logical

Cellebrite Digital Collector (macOS)

macos — logical