Forensics

macOS Incident Forensics: UnifiedLogs, FSEvents and AULR in Practice

By the Basilisk Team ·

How Basilisk collects evidence on macOS Sonoma and Sequoia using UnifiedLogs, FSEvents and AULR without trampling the incident scene.

A MacBook Pro M3 lands on the bench, suspected of running a payload signed with a revoked Developer ID. The client wants answers in 48 hours, the disk is FileVault encrypted, and the user is on vacation in another timezone. Before firing up any tool, the Basilisk team locks down legal scope, receives the FileVault password through a vetted channel, and records a SHA-256 hash of the initial image. On modern macOS you do not get far without knowing that the logging stack has changed drastically since Sierra: classic .log files gave way to binary tracev3, and ignoring this drops 80% of the available telemetry on the floor.

UnifiedLogs live under /var/db/diagnostics and /var/db/uuidtext, weighing anywhere from 500 MB to 4 GB depending on usage. For live capture we run log collect --output incident.logarchive, which freezes the current state into a portable bundle. For dead-box work we copy the raw directories and feed them to Mandiant's macos-UnifiedLogs, a Rust parser that no longer requires a matching Apple host. That used to be a major friction point: you had to keep a Mac with the exact target OS version online just to invoke /usr/bin/log. For the broader defensive context, pair this read with macOS Hardening: Lockdown Mode, MDM and Attack Surface Reduction.

FSEvents is the second pillar and answers the 'what changed on this volume and when' question. Logs sit in /.fseventsd/ as gzipped numbered files; each record carries a monotonic event ID plus flags for create, rename or delete. Critical caveat: FSEvents records neither content nor the user who triggered the change, only path and operation. Pairing FSEvents with UnifiedLogs produces a trustworthy timeline. Tools like David Cowen's FSEventsParser chew through it in seconds and emit Timesketch-ready CSV, echoing the workflow we covered in Timeline Forensics on Windows: Plaso, Log2Timeline and KAPE in Practice, retuned for the Apple stack.

AULR, or more precisely Apple Unified Logging with Activity Tracing, layers parent process, thread ID and signpost context on top. Predicates are your sharpest knife: log show --predicate 'subsystem == "com.apple.securityd"' --last 24h surfaces suspicious XPC attempts, while subsystem com.apple.TCC exposes microphone and camera prompts that were denied or granted. In a real June case this year, an Atomic AMOS stealer variant left fingerprints in com.apple.kextd trying to load a KEXT on a SIP-enabled Mac, failing loudly. Without that predicate the event drowns in millions of lines of noise.

On the ethical capture side, Basilisk follows a fixed runbook: written client authorization, Thunderbolt write-blocker for disk imaging when feasible, SHA-256 and SHA-3-512 hashes, and chain-of-custody logs signed with YubiKey hardware keys. When the Mac is live and cannot be shut down we lean on CrowdStrike's aftriage or the macos_artifact_collection Velociraptor recipe, always redirecting output to a dedicated APFS external SSD. This rigor mirrors what we explored in DFIR on Linux: Live Triage with UAC and Velociraptor and connects with OPSEC for Security Researchers: Building a Personal Threat Model, because investigating without protecting yourself is walking into a smoldering house unmasked.

Analysis starts in parallel: while macos-UnifiedLogs streams JSONL in the background, we inspect Spotlight metadata via mdls on suspicious files, export KnowledgeC.db from CoreDuet to map focused windows, and walk /private/var/db/CoreDuet/Knowledge to correlate Terminal usage with off-hours activity. Everything funnels into a Jupyter notebook with pandas where we join UnifiedLogs PIDs against FSEvents paths. When loader behavior surfaces it tends to rhyme with techniques covered in Malware Analysis in an Isolated Lab: Safe Setup with FlareVM and REMnux, retargeted from PE to Mach-O.
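A stdlib-only sketch of that join, added here as an illustration rather than Basilisk's notebook code. It assumes the field names `log show --style json` emits and an FSEvents export with event_id/path/flags columns (both samples below are constructed), and attributes each FSEvents path change to the PIDs whose log messages mention that path, since FSEvents itself carries no PID:

```python
import csv
import json
import re
from collections import defaultdict

# Constructed sample: three records in the shape `log show --style json` emits.
UNIFIED_LOG_JSON = """[
{"timestamp": "2024-06-12 02:14:07.113000-0300", "processID": 4412,
 "processImagePath": "/usr/bin/curl", "subsystem": "com.apple.network",
 "eventMessage": "wrote /Users/ana/Library/LaunchAgents/com.update.plist"},
{"timestamp": "2024-06-12 02:14:09.501000-0300", "processID": 1,
 "processImagePath": "/sbin/launchd", "subsystem": "com.apple.xpc",
 "eventMessage": "loading /Users/ana/Library/LaunchAgents/com.update.plist"},
{"timestamp": "2024-06-12 02:15:00.000000-0300", "processID": 88,
 "processImagePath": "/usr/libexec/trustd", "subsystem": "com.apple.securityd",
 "eventMessage": "cert chain evaluated"}
]"""

# Constructed sample in the shape an FSEvents parser exports (assumed columns
# event_id, path, flags). Event IDs are monotonic; there is no PID or user.
FSEVENTS_CSV = """event_id,path,flags
118201,/Users/ana/Library/LaunchAgents/com.update.plist,Created;ItemIsFile
118202,/Users/ana/Library/LaunchAgents/com.update.plist,Modified;ItemIsFile
118203,/private/tmp/unrelated.txt,Removed;ItemIsFile
"""

PATH_RE = re.compile(r"/[^\s'\"]+")  # absolute paths quoted in a log message

def paths_in_unified_log(log_json):
    """Map each path mentioned in an eventMessage to the (timestamp, pid,
    image) tuples of the log records that mention it."""
    hits = defaultdict(list)
    for rec in json.loads(log_json):
        for path in set(PATH_RE.findall(rec["eventMessage"])):
            hits[path].append((rec["timestamp"], rec["processID"],
                               rec["processImagePath"]))
    return hits

def attribute_fsevents(log_json, fsevents_csv):
    """One row per FSEvents record and matching log mention:
    (event_id, path, flags, pid, image, timestamp). Records no log line
    mentions keep pid None, so nothing drops out of the timeline."""
    mentions = paths_in_unified_log(log_json)
    rows = []
    for ev in csv.DictReader(fsevents_csv.splitlines()):
        for ts, pid, image in mentions.get(ev["path"]) or [(None,) * 3]:
            rows.append((int(ev["event_id"]), ev["path"], ev["flags"],
                         pid, image, ts))
    return sorted(rows, key=lambda r: r[0])  # FSEvents order is the timeline
```

Feed the same two functions the real `log show --style json` dump and the parser's CSV and the pandas join in the notebook reduces to `pd.DataFrame(rows)`.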

Practical takeaway: build a baseline logarchive of your own Mac today with log collect and stash it next to an APFS snapshot of /.fseventsd. Next time something feels off you will have a real temporal diff instead of guesses. That baseline costs five minutes and spares you days of reactive investigation when the incident actually knocks.
