LogTimeWarp

LogTimeWarp

Tracking Date & Time Changes in Apple’s Unified Logs

From suspicious user activity to malware behavior or post-event tampering, a sudden change to a device’s system time can be a red flag. It may signal attempts to obscure file timestamps, alter log coherence, or reset application timers.

Forensic validation often hinges on accurate time interpretation. When the system time is altered, even legitimate logs may appear misleading. That’s where the Unified Logs come in.

Date & time changes can be made by a device user by navigating to Settings > General > Date & Time.

By toggling off Set Automatically, the date and time can be changed manually by the user.

The first step is extracting the Unified Logs. See Alexis Brignoni’s post on Extraction, Processing, & Querying Apple Unified Logs from an iOS Device here: https://abrignoni.blogspot.com/2025/05/extraction-processing-querying-apple.html

Once the Unified Logs are obtained the hunt for relevant artifacts begins! There are thousands and thousands of lines in the Unified Logs that relate to a time change in the iOS device. They range from “Significant Time Change” notifications by applications to system notifications about the time change.

But the main artifact that I was interested in highlighting is process id 79 with message “Time change: Clock shifted by” from com.apple.duetactivityscheduler.

Seen below, the event message includes that the clock was shifted and also includes the number of seconds that the clock was shifted by.

In this test, I manually changed the clock on Sheldon Coopers iPhone. I went to settings and Date & Time and turned off set automatically on Thursday May 22, 2025 at 3:57pm. I changed the date to the following day, Friday May 23, 2025. After applying this change, the phone reflected a date and time of Friday May 23 3:57pm. At 3:59pm, I went back in and turned on set automatically and phone switched back to the correct date and time.

In a second test, I manually changed the clock on Sheldon Coopers iPhone by one year and changed the pm time to am. At 7:46pm, I initiated a time change from May 22, 2025 to May 22, 2026. Eight seconds later, I changed the PM setting to AM. At 7:47pm, I changed the time back to the correct date and time.

This artifact is extremely helpful in identifying system time manipulation. It provides clear, timestamped evidence of when a time change occurred, which can be critical for validating or challenging timeline-based evidence in an investigation.

As of today, iLEAPP will be supporting automated extraction of this artifact, making it even easier for forensic examiners to incorporate into their analysis. https://github.com/abrignoni/iLEAPP

Happy Hunting!

Popular posts from this blog

Snapchat Artifacts

Image
iOS Snapchat -user.plist- - fs-full.zip/private/var/mobile/Containers/Data/Application/****Snapchat application ID**** /Documents/user.plist -holds data about the local user such as username and user id. -primary.docobjects database- - fs-full.zip/private/var/mobile/Containers/Data/Application/****Snapchat application ID**** /Documents/user_scoped/9ea0aafe276d670e1a5155f78ee18485aca8b9040982e579eef26be6bb39 ad94/DocObjects/primary.docobjects -Snapchat contacts can be found in this database -Arroyo.db -fs-full.zip/private/var/mobile/Containers/Data/Application//****Snapchat application ID**** /Documents/user_scoped/9ea0aafe276d670e1a5155f78ee18485aca8b9040982e579eef26be6bb39 ad94/arroyo/arroyo.db          - The message content is stored in the conversation_message table.          - Each conversation has a client_conversation_id.          - The message is located in the message_content column.      ...
Read more

Samsung Android Gallery-Deleted Photos

Image
 Samsung Android Deleted Gallery -Starting in Android 9, the user has the capability to restore deleted media files. -When a user deletes a media file, the media file is not immediately deleted. -It goes into trash and remains in the trash for 30 days. -The filename is changed upon deletion. -During this time the user can choose to permanently delete the file or restore it to its original location. -The deleted file specific to a Samsung device, will be parsed with forensic tools from: data\media\0\Android\data\com.sec.android.gallery3d\files\.Trash -Data about the file can be located in: data\data\com.sec.android.gallery3d\databases\local.db. -Looking in the local.db specifically, the trash table, contains information about the deleted media file. -The following columns contain data about the deleted files:            _absPath – The current path of the deleted file.            _Title – The current title of the deleted f...
Read more