Thursday, May 15, 2025

Every Breath You Take, Every Swipe You Make—Your iPhone’s Logging It

Apple devices are constantly recording user activity, yet few forensic examiners are making use of the vast amount of data these systems quietly generate. Apple's Unified Logs and Spotlight databases track nearly everything that happens on an iOS device, often without the user realizing it.

Would you believe an iPhone can generate around 1.5 million log entries in just 15 minutes of regular use? These records include highly specific actions—such as the exact moment Face ID is used to unlock a device, when the phone is flipped face-up, or whether a user interacted with Siri or used the device manually. Despite their detail and reliability, these sources are often overlooked in mobile investigations.

In this session, we’ll show how forensic practitioners can process and search these massive log sets using open-source tools. We’ll walk through examples of log entries that record actions like toggling airplane mode, launching specific apps like Facebook, or even detecting changes in device orientation. For investigators, this means direct, time-stamped evidence of how a device was used.

One of the most valuable aspects of this data is its ability to help distinguish between user actions and automatic background processes. Was an app opened by the user, or was it a system event? These logs provide that level of clarity. We’ll demonstrate how to isolate specific events from millions of entries and construct accurate timelines that reflect exactly what happened—and when.

As part of our ongoing work, we’re also focused on improving the accessibility and usability of these artifacts by incorporating them into the LEAPPs. If you work with iOS devices, this is a session you won’t want to miss.

Notes:

2026 IACIS in Reno, NV-
https://www.iacis.com/training/reno-info/

Spotlight-
https://github.com/ydkhatri/mac_apt

Unified Logs-
https://www.ios-unifiedlogs.com/
https://github.com/abrignoni/iLEAPP

Thursday, May 1, 2025

Stomping Grounds: Digital Forensics at IACIS 2025

The Digital Forensics Now podcast brings together the core LEAPPs developer team for a candid, unscripted conversation about mobile forensics, legal challenges, and the future of their tools during the IACIS conference in Orlando.

First time bringing together most of the LEAPPs development team in person

Florida's new requirement for 10-day search warrant renewals creates significant challenges for long-running forensic processes

Timestamp parameters in warrants can limit investigators' ability to discover relevant evidence

Paladin now includes the LEAPPs integration, making powerful open-source forensic tools more accessible

Real-world success stories of the LEAPPs helping solve cases when commercial tools failed

Introduction of "The DFIR Investigative Mindset" book with technical editor Lee Harris

Multiple specialized forensic training courses available at IACIS including incident response, drone, MAC and RAM forensics

Join us in two weeks for a more technical episode exploring new forensic artifacts and techniques.

Techno, Timeline, and Training Truths