Wi-Fi & Airport Connection Logs
Location
/var/log/wifi.log (legacy) and Unified Log (subsystem: com.apple.wifi)
Description
Wi-Fi subsystem logs capturing wireless network association and disassociation events, SSID and BSSID information, signal strength, authentication type, and connection state changes. On modern macOS versions, Wi-Fi events are primarily recorded in the Unified Log under the com.apple.wifi subsystem, while legacy systems used the /var/log/wifi.log text file.
Forensic Value
Wi-Fi logs establish which wireless networks the system connected to and when, providing physical location context for the investigation timeline. Connection events to unknown or suspicious SSIDs may indicate evil twin attacks or rogue access point compromise. The BSSID (MAC address of the access point) enables correlation with physical network infrastructure. Frequent reconnection attempts or authentication failures suggest wireless deauthentication attacks. Wi-Fi connection history combined with airport preferences data creates a comprehensive wireless network usage profile.
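The two indicators described above (association to an access point outside the known baseline, and a cluster of disassociation or authentication-failure events) can be checked mechanically once events are parsed. This is an added example, not part of the original page; the normalized tuple layout, the event names, the `KNOWN_APS` baseline and all sample values are assumptions constructed for illustration and do not reproduce the real wifi.log or Unified Log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed normalized form:
# (ISO timestamp, event, SSID, BSSID). Map parsed log fields into this shape.
EVENTS = [
    ("2024-03-01T08:00:05", "assoc",     "CorpNet",  "aa:bb:cc:00:00:01"),
    ("2024-03-01T12:30:10", "disassoc",  "CorpNet",  "aa:bb:cc:00:00:01"),
    ("2024-03-01T12:30:14", "auth_fail", "CorpNet",  "aa:bb:cc:00:00:01"),
    ("2024-03-01T12:30:19", "disassoc",  "CorpNet",  "aa:bb:cc:00:00:01"),
    ("2024-03-01T12:30:25", "assoc",     "CorpNet",  "de:ad:be:00:00:99"),
    ("2024-03-01T18:45:00", "assoc",     "HomeWiFi", "11:22:33:00:00:01"),
]

# Assumed baseline of legitimate access points per SSID (lowercase BSSIDs).
KNOWN_APS = {"CorpNet": {"aa:bb:cc:00:00:01"}, "HomeWiFi": {"11:22:33:00:00:01"}}

def unknown_bssids(events, known_aps):
    """Return associations whose BSSID is not in the baseline for that SSID."""
    hits = []
    for ts, event, ssid, bssid in events:
        if event == "assoc" and bssid.lower() not in known_aps.get(ssid, set()):
            hits.append((ts, ssid, bssid.lower()))
    return hits

def failure_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return (SSID, burst start) where >= threshold failures fall in one window."""
    by_ssid = defaultdict(list)
    for ts, event, ssid, _ in events:
        if event in ("disassoc", "auth_fail"):
            by_ssid[ssid].append(datetime.fromisoformat(ts))
    bursts = []
    for ssid, times in by_ssid.items():
        times.sort()
        start, in_burst = 0, False
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and not in_burst:
                bursts.append((ssid, times[start].isoformat()))
            in_burst = count >= threshold  # report each burst only once
    return bursts
```

A failure burst followed shortly by an association to an unlisted BSSID on the same SSID is a stronger lead than either result alone, and both should be checked against the BSSID inventory of the physical site before drawing conclusions.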
Tools Required
Collection Commands
log
log show --last 7d --predicate "subsystem == 'com.apple.wifi'" > /forensics/wifi_log.txt
log
log show --last 7d --predicate "subsystem == 'com.apple.wifi' AND eventMessage CONTAINS 'association'" > /forensics/wifi_associations.txt
cp
sudo cp /var/log/wifi.log* /forensics/wifi_logs/ 2>/dev/null
defaults
defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist > /forensics/airport_prefs.txt
Collection Constraints
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.