Log Analysis on macOS (Part 2): A Creative Approach
- 5 days ago

Logs are like digital breadcrumbs—traces of system activities that tell a story. But with millions of log entries, scrolling aimlessly isn't an option. The real skill lies in creativity: knowing what to look for and how to find it efficiently.
Think Outside the Log File
Log analysis isn't just about running commands; it's about asking the right questions.
Need to know when a USB drive was plugged in?
Want to track down a rogue software install?
It's all there in the logs—you just need to know where to look.
Key Areas of Log Analysis
Volume Analysis: External drives, network shares, historical volume usage
System State: Boot, reboot, shutdown, system sleep/wake, disk usage
Software: Installed applications, system updates, kernel extensions
AirDrop Activity: Tracking file transfers between devices
------------------------------------------------------------------------------------------------------------
Volume Tracking: Who Mounted What and When?
macOS Finder: Tracking Mounted Volumes
macOS stores mounted volumes in com.apple.finder.plist at:
~/Library/Preferences/com.apple.finder.plist
Data captured using UAC Script:

The FXDesktopVolumePositions key logs mounted volumes and their positions on the desktop.

While it doesn’t store timestamps, pairing it with system logs can help reconstruct events.
Pro Tip: If the Finder preference to show volumes on the desktop is disabled, this key won’t exist.
Favorite Volumes (Mounted and Native)
Finder sidebar volumes are logged in:
~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteVolumes.sfl2
This file requires manual parsing or specialized scripts like macMRU.py to decode the contents.
------------------------------------------------------------------------------------------------------------
Unix Daily Maintenance Logs: /Volumes/
To check which volumes were mounted when macOS ran its maintenance scripts, look in /var/log/, where the output of those scripts is kept:
grep "/Volumes/" /var/log/daily.out
or, to save the whole log for review elsewhere:
cat /var/log/daily.out > /Users/deanwinchester/Desktop/dailyout.txt

macOS runs three sets of maintenance scripts at different intervals. The scripts are located under /etc/periodic:
Daily: /etc/periodic/daily
Weekly: /etc/periodic/weekly
Monthly: /etc/periodic/monthly

These scripts generate logs that can reveal disk usage trends and mounted volumes over time.
They are triggered by launchd through these LaunchDaemons in /System/Library/LaunchDaemons/:
com.apple.periodic-daily.plist
com.apple.periodic-weekly.plist
com.apple.periodic-monthly.plist

------------------------------------------------------------------------------------------------------------
Unified Logs & System Logs: Tracking Mounted Volumes
If you remember, in our previous article we created a log archive. We are going to use the same archive in this part of the article.

For more detailed tracking, search system logs:
log show --predicate 'eventMessage contains "mounted"' --info
log show --predicate 'eventMessage contains "unmounted"' --info
or
log show system_logs.logarchive --info --predicate 'eventMessage contains "/Volumes"'
This can reveal UUIDs, mount points, and timestamps for external drives.
Or, if you remember, we used a unified log parser to parse the db/tracev3/timesync logs. After running the tool we got the output in SQLite, so you can search there as well.
Example:

-------------------------------------------------------------------------------------------------------------
USB Device Tracking: Who Plugged What In?
To track USB mass storage devices, search for USBMSC in system logs:
log show --predicate 'eventMessage contains "USBMSC"' --info
or
log show system_logs.logarchive --info --predicate 'eventMessage contains "USBMSC"'
This will reveal:
Serial Number: Unique (sometimes)
Vendor ID: Manufacturer of the device
Product ID: Device model
Version: Firmware version
Heads-Up: Built-in SD card readers generate USBMSC logs too. To avoid false positives, correlate timestamps with user activity.
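Added example (not code from the article): a small parser for the kernel's USBMSC message that splits it into the serial, vendor ID, product ID and version fields listed above, and flags Apple's USB vendor ID (0x05ac) as a probable built-in card reader, the false positive the heads-up warns about. The sample lines are constructed; the timestamp correlation with user activity still has to be done by the analyst.

```python
import re

# Constructed sample log lines in the kernel's USBMSC message format (not real captures).
SAMPLE_USB_LOG = """\
Mar  3 09:14:22 mbp kernel[0]: USBMSC Identifier (non-unique): 4C530001230315118171 0x781 0x5571 0x100, 2
Mar  3 11:02:05 mbp kernel[0]: USBMSC Identifier (non-unique): 000000000820 0x5ac 0x8406 0x820, 2
Mar  4 18:45:10 mbp kernel[0]: some unrelated kernel message
Mar  4 18:45:11 mbp kernel[0]: USBMSC Identifier (non-unique): AA12345678 0x951 0x1666 0x110, 3
"""

# syslog-style timestamp, then serial, vendor ID, product ID and version as the kernel prints them
USBMSC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*USBMSC Identifier \(non-unique\): "
    r"(?P<serial>\S+) (?P<vid>0x[0-9a-fA-F]+) (?P<pid>0x[0-9a-fA-F]+) (?P<ver>0x[0-9a-fA-F]+)"
)

APPLE_VID = 0x05AC  # Apple's USB vendor ID; a built-in SD reader reports it, a third-party stick normally does not

def parse_usbmsc(text):
    """Return one dict per USBMSC line with the fields the article lists."""
    devices = []
    for line in text.splitlines():
        m = USBMSC_RE.search(line)
        if not m:
            continue
        vid = int(m["vid"], 16)
        devices.append({
            "timestamp": m["ts"],
            "serial": m["serial"],
            "vendor_id": vid,
            "product_id": int(m["pid"], 16),
            "version": int(m["ver"], 16),
            # heuristic for the built-in reader false positive; verify against user activity
            "likely_builtin_reader": vid == APPLE_VID,
        })
    return devices

def external_devices(text):
    """Only the entries not flagged as a built-in Apple reader."""
    return [d for d in parse_usbmsc(text) if not d["likely_builtin_reader"]]
```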
-------------------------------------------------------------------------------------------------------------
Network Shares: Who Accessed What?
macOS unified logs track network share connections via the NetAuthSysAgent process.
Searching for terms like smb://, afp://, or loginsupport can uncover mounted shares and user authentication details.
log show --predicate 'eventMessage contains "smb://"' --info
Or you can search the logs we parsed with the unified log parser on Windows.
-------------------------------------------------------------------------------------------------------------
Next, the logs we are going to talk about cover System Information and State.
When investigating a macOS system, understanding its boot, reboot, and shutdown patterns can provide valuable insights.
Boot, Reboot, and Shutdown Logs
macOS handles system startup and shutdown processes differently depending on the version. Here’s what you need to know:
macOS 10.13.1 and later: The system.log file contains timestamps for BOOT_TIME and SHUTDOWN_TIME, recorded in Unix epoch format.
cat system.log | grep "_TIME"

UAC Script collected artifact:


Unified Logs: These logs track which user initiated a shutdown (halt). If a system reboot occurs, it records shutdown: reboot by <user>.
macOS 10.12.0–10.12.2: Shutdown messages are mysteriously absent from logs.
How to Determine a System Shutdown or Restart
macOS logs specific messages that indicate whether a system was shut down, restarted, or if an attempt was canceled. These messages are found in logs associated with SessionAgentNotificationCenter:
Command:
log show --predicate 'eventMessage contains "com.apple.system.loginwindow" and eventMessage contains "SessionAgentNotificationCenter"'
or
log show system_logs.logarchive --predicate 'eventMessage contains "com.apple.system.loginwindow" and eventMessage contains "SessionAgentNotificationCenter"'

com.apple.system.loginwindow.shutdownInitiated – User manually initiated a shutdown.
com.apple.system.loginwindow.logoutcancelled – User canceled a shutdown, restart, or logoff.
com.apple.system.loginwindow.restartinitiated – User chose to restart the system.

What Do Shutdown Causes Mean?
macOS logs also record the reason behind a shutdown or sleep event. You’ll typically see entries like:
Previous sleep cause: 5, Previous shutdown cause: 5 → Normal sleep or shutdown.
Negative numbers → Often indicate an error.
0 → System hibernation (sleep) or power loss (shutdown).
3 → Hard shutdown (e.g., holding down the power button).
Wake Reasons – What Woke the Mac?
The system also records why it woke up from sleep. Here are some common wake reasons:
EC.RTC (Alarm), RTC (Alarm): Wake-on-Demand via Bonjour Services or Real-Time Clock.
EC LID0, EC.LidOpen, EC.LidOpen XHC1: Laptop lid was opened.
EHC1, EHC2: USB, Bluetooth, or wireless device activity.
PWRB (User): Power button was pressed.
USB1: Trackpad activity.
EC.ACAttach/EC.ACDetach: Power adapter was connected or disconnected.
-------------------------------------------------------------------------------------------------------------
Next Tracking Disk Usage Over Time
Sometimes, understanding how disk space fluctuates can be important, whether for system performance monitoring or forensic analysis. macOS keeps a history of disk usage in /var/log/daily.out, which is updated as part of Unix maintenance scripts.
cat /var/log/daily.out | grep "/dev/disk1s1"

This will show how much disk space was used over time for the specified disk.
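Added example (not part of the article) that serves both this section and the earlier /Volumes/ search in daily.out: a parser for the daily.out layout that records, per maintenance run, which /Volumes/ mount points were present and what Capacity each device reported. It assumes the periodic(8) layout of a date line at the top of each run followed by a "Disk status:" df table; the sample log below is constructed.

```python
import re

# Constructed excerpt of /var/log/daily.out (two runs); layout as periodic(8) writes it, numbers made up.
SAMPLE_DAILY_OUT = """\
Mon Mar  4 03:15:01 PST 2024

Disk status:
Filesystem     512-blocks      Used Available Capacity iused      ifree %iused  Mounted on
/dev/disk1s1   976490576 338742400 618567584    36% 1234567 4881218313    0%   /
/dev/disk4s1   122314752  61157376  61157376    50%  123456  987654321    0%   /Volumes/EVIDENCE

-- End of daily output --
Tue Mar  5 03:15:02 PST 2024

Disk status:
Filesystem     512-blocks      Used Available Capacity iused      ifree %iused  Mounted on
/dev/disk1s1   976490576 352001024 605308928    37% 1234999 4881217881    0%   /

-- End of daily output --
"""

# the date(1) line periodic prints at the start of every run
RUN_HEADER = re.compile(r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun) \w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \d{4}$")

def parse_daily_out(text):
    """One (run_date, device, capacity_percent, mount_point) tuple per df row in each run."""
    rows, run_date, in_disk = [], None, False
    for line in text.splitlines():
        if RUN_HEADER.match(line):
            run_date, in_disk = line, False
        elif line.startswith("Disk status:"):
            in_disk = True
        elif in_disk and not line.strip():
            in_disk = False  # blank line ends the df table
        elif in_disk and line.startswith("/dev/"):
            parts = line.split()
            # first percentage field is Capacity (%iused comes later); mount point is the
            # last field, which assumes mount point names without spaces
            capacity = next(int(p.rstrip("%")) for p in parts if p.endswith("%"))
            rows.append((run_date, parts[0], capacity, parts[-1]))
    return rows

def volumes_seen(rows):
    """Map each /Volumes/ mount point to the run dates on which it was mounted."""
    seen = {}
    for run_date, _dev, _cap, mount in rows:
        if mount.startswith("/Volumes/"):
            seen.setdefault(mount, []).append(run_date)
    return seen
```

Filtering the rows by device gives the Capacity trend the grep above shows, with the run date attached to each value.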
-------------------------------------------------------------------------------------------------------------
Next Tracking Application Bundle or Info.plist File
Before I start, you might ask: Dean, what is an application bundle?
Application bundles are designed to keep everything organized in one place.
When you right-click an application and select “Show Package Contents”, you’ll see its internal structure.

Here’s what you’ll typically find:
Info.plist – The heart of the bundle, this file stores essential metadata about the application.
MacOS Directory – Contains the executable code that launches the app.
Resources Directory – Stores images, icons, and other assets used by the app.
Frameworks & Plug-ins – Additional components that the app might rely on.
This structure ensures that all dependencies remain self-contained, reducing compatibility issues and making apps more portable.
Breaking Down the Info.plist File
The Info.plist (Information Property List) is an XML file that holds critical details about the app, including:

Bundle Name – The official name of the application.
Bundle Version – The specific version number.
Bundle Identifier – A unique identifier, often in reverse domain notation (e.g., com.apple.Safari).
Executable Filename – The actual file that runs when the app is opened.
System Compatibility – Specifies the minimum macOS version required.
Privacy Keys – Declares what system resources the app may access, like the camera or microphone.

For example, an app might specify that it belongs to the Productivity category, supports opening specific file types, or integrates with particular web services. This is especially useful for forensic investigations or debugging unknown applications.
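Added example, not from the article: a summarizer that reads an Info.plist (XML or binary, since plistlib handles both) and pulls out the fields listed above, including every NS*UsageDescription privacy key the app declares. The sample plist is constructed for a fictional app; summarize_bundle() is a convenience wrapper for an installed .app path.

```python
import os
import plistlib

# Constructed sample Info.plist for a fictional app (not taken from any real bundle).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleName</key><string>ExampleNotes</string>
  <key>CFBundleIdentifier</key><string>com.example.notes</string>
  <key>CFBundleShortVersionString</key><string>2.1.0</string>
  <key>CFBundleVersion</key><string>210</string>
  <key>CFBundleExecutable</key><string>ExampleNotes</string>
  <key>LSMinimumSystemVersion</key><string>12.0</string>
  <key>LSApplicationCategoryType</key><string>public.app-category.productivity</string>
  <key>NSCameraUsageDescription</key><string>Scan documents into notes</string>
  <key>NSMicrophoneUsageDescription</key><string>Record voice notes</string>
</dict>
</plist>
"""

def summarize_info_plist(data):
    """Pull the fields the article lists out of raw Info.plist bytes (XML or binary)."""
    info = plistlib.loads(data)
    return {
        "name": info.get("CFBundleName"),
        "identifier": info.get("CFBundleIdentifier"),
        # marketing version first, build number as fallback
        "version": info.get("CFBundleShortVersionString") or info.get("CFBundleVersion"),
        "executable": info.get("CFBundleExecutable"),
        "min_macos": info.get("LSMinimumSystemVersion"),
        "category": info.get("LSApplicationCategoryType"),
        # every *UsageDescription key is a privacy-sensitive resource the app may ask for
        "privacy_keys": sorted(k for k in info if k.endswith("UsageDescription")),
    }

def summarize_bundle(app_path):
    """Same summary for an installed bundle, e.g. /Applications/Safari.app."""
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as fh:
        return summarize_info_plist(fh.read())
```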
-------------------------------------------------------------------------------------------------------------
Next Tracking macOS Install History
If you need a record of what software was installed on your system and when it happened, macOS maintains an install history file:
Install History: /Library/Receipts/InstallHistory.plist

This file logs details such as:
Software package names
Timestamps
Installation method (System OS Installer, App Store download, etc.)

You can use this file to verify which updates or new software installations have taken place on your Mac.
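Added example (not part of the article): loading InstallHistory.plist with plistlib and filtering its entries by date and by the installing process, so a run can be narrowed to, say, everything the installer process wrote after a given day. The entries below are constructed with the file's real key names (date, displayName, displayVersion, packageIdentifiers, processName) but made-up values.

```python
import plistlib
from datetime import datetime

# Constructed sample of InstallHistory.plist: real key names, made-up entries.
SAMPLE_INSTALL_HISTORY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>date</key><date>2024-03-01T10:15:00Z</date>
    <key>displayName</key><string>macOS Update</string>
    <key>displayVersion</key><string>14.3.1</string>
    <key>packageIdentifiers</key><array><string>com.example.placeholder.osupdate</string></array>
    <key>processName</key><string>softwareupdated</string>
  </dict>
  <dict>
    <key>date</key><date>2024-03-02T21:40:12Z</date>
    <key>displayName</key><string>Example Agent</string>
    <key>displayVersion</key><string>1.0</string>
    <key>packageIdentifiers</key><array><string>com.example.agent.pkg</string></array>
    <key>processName</key><string>installer</string>
  </dict>
  <dict>
    <key>date</key><date>2024-02-20T08:00:00Z</date>
    <key>displayName</key><string>Example Editor</string>
    <key>displayVersion</key><string>3.2</string>
    <key>packageIdentifiers</key><array><string>com.example.editor</string></array>
    <key>processName</key><string>appstoreagent</string>
  </dict>
</array>
</plist>
"""

def load_install_history(data, since=None, process=None):
    """Entries oldest first; `since` is 'YYYY-MM-DD' or a naive UTC datetime (plistlib returns naive UTC)."""
    if isinstance(since, str):
        since = datetime.strptime(since, "%Y-%m-%d")
    rows = []
    for e in plistlib.loads(data):
        if since and e["date"] < since:
            continue
        if process and e.get("processName") != process:
            continue
        rows.append({
            "date": e["date"],
            "name": e.get("displayName"),
            "version": e.get("displayVersion"),
            "packages": list(e.get("packageIdentifiers", [])),
            "process": e.get("processName"),  # installer, softwareupdated, App Store agent, ...
        })
    return sorted(rows, key=lambda r: r["date"])
```

On a live system the same function takes the bytes of /Library/Receipts/InstallHistory.plist.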
-------------------------------------------------------------------------------------------------------------
Next Tracking macOS Receipt Files
Every software package installed on macOS generates receipt files stored in:
/var/db/receipts/
Each installed package has two components:
.plist file – Stores metadata like package name, install timestamp, and installer process
.bom file – Bill of Materials file, listing all files installed with the package
To analyze a .bom file, use the command:
lsbom /var/db/receipts/<package_name>.bom
-------------------------------------------------------------------------------------------------------------
Next Tracking Installed Software via Logs
macOS maintains an install log that records software installations and updates. You can check it using:
Install Log File: /var/log/install.log
or
/private/var/log/install.log

To quickly find installed software, search the log with:
grep "Installed" /var/log/install.log

This log tracks where an app was installed from and whether administrator privileges were required.
However, it does not log software installed via simple drag-and-drop methods (e.g., Firefox, Chrome, or any app copied directly into the Applications folder).
-------------------------------------------------------------------------------------------------------------
Next Tracking Network Usage in Logs
Want to check network activity? Use this log query to filter for wireless connection changes:
log show --info --predicate 'senderImagePath contains[cd] "IPConfiguration" and (eventMessage contains[cd] "SSID" or eventMessage contains[cd] "Lease" or eventMessage contains[cd] "network changed")'
This command pulls entries where the system connects to different Wi-Fi networks, helping track internet usage and movement.

-------------------------------------------------------------------------------------------------------------
Next Tracking Wireless Activity Timeline: system.log & Unified Logs
By searching for “configd”, “SSID”, or “en0”, you can create a detailed timeline of wireless activity, showing when and where a Mac connected to various networks.
-------------------------------------------------------------------------------------------------------------
Next Tracking International Travel Through Country Codes
Did you know your Mac logs the country code of Wi-Fi access points?
Pre-macOS 10.8: Recorded in kernel.log
macOS 10.8+: Stored in system.log
macOS 10.12+: Found in Unified Logs
-------------------------------------------------------------------------------------------------------------
Next Tracking AirDrop Activity
AirDrop transfers are logged in Unified Logs, which can help analysts determine when files were sent or received between Apple devices. If both devices are available for analysis, the AirDrop ID can link them together. Otherwise, tracking becomes more challenging.
AirDrop Log Entries:
Sending a file: Logs show the sender’s device and recipient
Receiving a file: Shows sender details, file type, and whether it was accepted or declined
Accepted transfers: Indicate whether the file was imported into the Photos app or another directory
-------------------------------------------------------------------------------------------------------------
Next Tracking Kernel & System Extensions
Apple has tightened security in recent years, limiting how third-party extensions operate.
Kernel Extensions (Kexts) – The Old Way
Kernel Extensions (.kext files) provide deep system access, often used for:
Device Drivers – Hardware support.
Network Filters – Firewalls, VPN software.
File System Support – Enabling third-party file systems like macFUSE.
Key Commands for Kernel Extensions
List loaded kernel extensions:
kmutil showloaded (replaces the older kextstat command)
View installed kexts on a non-live system:
/private/var/db/loadedkextmt.plist
Apple began phasing out kexts in macOS 10.13 (High Sierra) by requiring User-Approved Kernel Extension Loading, making unauthorized kexts harder to install.
System Extensions – The Future
Introduced in macOS 10.15 (Catalina), System Extensions are the modern, secure replacement for kexts.
Unlike kexts, they:
✅ Run in user space, not in the kernel, reducing system crashes.
✅ Require specific entitlements, meaning Apple tightly controls their use.
✅ Cover areas like DriverKit, Network Extensions, and Endpoint Security.
Key Commands for System Extensions
List loaded system extensions:
systemextensionsctl list
-------------------------------------------------------------------------------------------------------------
Wrapping Up
macOS provides structured data that can help you dig deeper. By knowing where to look, you can gain valuable insights into your system’s software history.
🚀 Stay curious, explore, and keep learning! 🚀
-------------------------------------------Dean------------------------------------------------------------