Log Collection & IOC Analysis

System logs are one of the most valuable sources of evidence when investigating a security incident. This guide covers how to collect logs from different platforms and what to look for when analyzing them for indicators of compromise (IOCs).

Why Logs Matter

Logs can reveal:

  • Unauthorized access - Failed/successful logins from unknown locations
  • Malware activity - Suspicious processes, network connections
  • Data exfiltration - Unusual outbound traffic patterns
  • Persistence mechanisms - Scheduled tasks, startup items, services
  • Lateral movement - Access to other systems
  • Timeline of events - When the attack started and progressed

Time is Critical

Many logs have limited retention periods. Some mobile device logs expire within hours. Collect logs as soon as possible after discovering an incident.


Log Collection by Platform

iOS (iPhone/iPad)

What you collect: sysdiagnose - comprehensive system logs, crash reports, network data

Method: AssistiveTouch (Recommended)

Setup (one-time):

  1. Settings → Accessibility → Touch → AssistiveTouch
  2. Toggle AssistiveTouch ON
  3. Tap "Single-Tap" (under Custom Actions)
  4. Select "Analytics" - a checkmark appears

Collect logs:

  1. Tap the floating AssistiveTouch button
  2. Device vibrates confirming capture started
  3. Wait 5-10 minutes for collection

Find the file:

  1. Settings → Privacy & Security → Analytics & Improvements → Analytics Data
  2. Scroll to find: sysdiagnose_YYYY.MM.DD_HH-MM-SS_...
  3. Tap the file → Share icon → Save to Files

Alternative: Hardware buttons

Press both volume buttons + power button simultaneously. Feel for vibration confirmation.

Property      Value
File format   .tar.gz
Typical size  100-500 MB
Contains      Unified logs, crash logs, network connections, process list, Wi-Fi scans, biometric events

Android

What you collect: Bug report - system logs, app data, device state

Enable Developer Mode (one-time):

  1. Settings → About Phone
  2. Tap "Build Number" 7 times rapidly
  3. Enter PIN/password when prompted
  4. "Developer mode enabled" message appears

Collect logs:

  1. Settings → System → Developer Options
  2. Scroll to "Take bug report"
  3. Select "Full report"
  4. Tap "Report"
  5. Wait 5-15 minutes (notification appears when done)
  6. Tap notification → Share → Save to Files/Drive

Alternative: ADB (requires computer)

# Connect device via USB, enable USB debugging
adb bugreport /path/to/save/bugreport.zip

Property      Value
File format   .zip
Typical size  50-200 MB
Contains      Logcat, dumpsys, dmesg, package info, network state, battery stats

Samsung devices: Use SysDump for more detailed OEM-specific logs.


Windows

What you collect: Event logs (Security, System, Application, PowerShell)

Method: PowerShell (Run as Administrator)

# Create collection folder
$timestamp = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$outputDir = "C:\HackAid_Logs_$timestamp"
New-Item -ItemType Directory -Path $outputDir

# Export key event logs
wevtutil epl Security "$outputDir\Security.evtx"
wevtutil epl System "$outputDir\System.evtx"
wevtutil epl Application "$outputDir\Application.evtx"
wevtutil epl "Microsoft-Windows-PowerShell/Operational" "$outputDir\PowerShell.evtx"
wevtutil epl "Microsoft-Windows-Windows Defender/Operational" "$outputDir\Defender.evtx" 2>$null

# Compress all logs
Compress-Archive -Path "$outputDir\*" -DestinationPath "$outputDir.zip"

Write-Host "Logs saved to: $outputDir.zip"

Quick one-liner:

$out = "C:\Logs_$(Get-Date -f yyyyMMdd_HHmmss)"
mkdir $out; @('Security','System','Application') | % { wevtutil epl $_ "$out\$_.evtx" }
Compress-Archive "$out\*" "$out.zip"

Property      Value
File format   .evtx or .zip
Typical size  10-100 MB
Contains      Authentication events, service changes, process creation, PowerShell execution

macOS

What you collect: sysdiagnose - unified logs, system state, network data

Method 1: Keyboard shortcut

  1. Press simultaneously: Shift + Control + Option + Command + . (period)
  2. Screen may briefly freeze (normal)
  3. Wait 5-10 minutes

Find the file:

  1. Open Finder
  2. Go → Go to Folder (Shift+Command+G)
  3. Enter: /var/tmp/
  4. Find: sysdiagnose_YYYY.MM.DD_HH-MM-SS_hostname.tar.gz

Method 2: Terminal

sudo sysdiagnose
# Output: /var/tmp/sysdiagnose_[timestamp].tar.gz

Collect specific time range:

# Last 3 days of unified logs
log collect --last 3d --output ~/Desktop/logs.logarchive

Property      Value
File format   .tar.gz
Typical size  200 MB - 1 GB
Contains      Unified logs (AUL), process list, network connections, kernel extensions, crash reports

Linux

What you collect: Journal logs, authentication logs, system logs

Collection script:

#!/bin/bash
# Run as root (sudo): the full journal, lastb and other users' crontabs are not readable otherwise.
TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
OUTPUT_DIR="/tmp/hackaid_logs_$TIMESTAMP"
mkdir -p "$OUTPUT_DIR"

echo "Collecting Linux logs..."

# Journal logs (last 7 days)
journalctl --since "7 days ago" --output=export > "$OUTPUT_DIR/journal_export.log"

# Authentication logs
cp /var/log/auth.log* "$OUTPUT_DIR/" 2>/dev/null
cp /var/log/secure* "$OUTPUT_DIR/" 2>/dev/null

# System logs
cp /var/log/syslog* "$OUTPUT_DIR/" 2>/dev/null
cp /var/log/messages* "$OUTPUT_DIR/" 2>/dev/null

# Current processes
ps auxf > "$OUTPUT_DIR/processes.txt"

# Network connections
ss -tunapl > "$OUTPUT_DIR/network_connections.txt"

# User logins
last -100 > "$OUTPUT_DIR/last_logins.txt"
lastb -100 > "$OUTPUT_DIR/failed_logins.txt" 2>/dev/null

# Cron jobs
for user in $(cut -f1 -d: /etc/passwd); do
    crontab -u "$user" -l > "$OUTPUT_DIR/cron_$user.txt" 2>/dev/null
done

# Compress
tar -czvf "$OUTPUT_DIR.tar.gz" -C /tmp "hackaid_logs_$TIMESTAMP"
echo "Logs saved to: $OUTPUT_DIR.tar.gz"

Quick one-liner:

sudo journalctl --since "7 days ago" -o json > ~/hackaid_journal.json

Property      Value
File format   .tar.gz
Typical size  10-100 MB
Contains      Systemd journal, auth logs, syslog, process info, network state

Analyzing Logs for IOCs

Once you have collected logs, here's what to look for on each platform.

Windows Event Log Analysis

Critical Event IDs

Log         Event ID  Description                  IOC Significance
Security    4624      Successful logon             Check for unusual times, accounts, or source IPs
Security    4625      Failed logon                 Brute force attempts, password spraying
Security    4648      Explicit credential logon    Credential theft, pass-the-hash
Security    4672      Admin privileges assigned    Privilege escalation
Security    4688      New process created          Malware execution, living-off-the-land
Security    4698      Scheduled task created       Persistence mechanism
Security    4720      User account created         Backdoor accounts
Security    4732      Member added to local group  Privilege escalation
Security    1102      Audit log cleared            Anti-forensics, covering tracks
System      7045      New service installed        Persistence, malware
System      7034      Service crashed              Malware crash, exploitation
PowerShell  4104      Script block execution       Malicious scripts
Defender    1116      Malware detected             Known threats
Defender    1117      Action taken on malware      Response to detection

Suspicious Patterns to Look For

Authentication anomalies:

- Logons at unusual hours (3 AM local time)
- Logons from unexpected countries/IPs
- Multiple failed logons followed by success
- Service accounts logging in interactively
- Admin logons from non-admin workstations

Process execution red flags:

- PowerShell with encoded commands (-enc, -e)
- cmd.exe spawned by Office applications
- Processes running from temp folders
- wscript/cscript executing scripts
- certutil used for downloads
- bitsadmin for file transfers
- mshta executing remote content

Persistence indicators:

- New services with random names
- Scheduled tasks running scripts
- Registry run key modifications
- New startup folder items
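The checks above can be scripted once the events are exported. The Python below is an added example written for this guide, not code from the original page or from HackAid: it runs the authentication, process and persistence checks over a handful of constructed event records and returns a chronological list of findings. The record field names (id, time, account, logon_type, source_ip, image_path, command_line), the business-hours window, the internal address prefixes and the service-account naming pattern are all assumptions to adapt to the environment; map the fields from the Properties[] indexes used in the PowerShell queries on this page.

```python
"""Triage exported Windows events for the logon, process and persistence
patterns listed above.

Records are plain dicts, the shape you get after piping the Get-WinEvent
queries on this page through ConvertTo-Json. The field names are an
assumption for this example; map them from the Properties[] indexes.
"""
from datetime import datetime
import re

BUSINESS_HOURS = range(7, 20)             # assumption: 07:00-19:59 local
INTERNAL_PREFIXES = ("10.", "192.168.")   # assumption: where RDP sources are expected from
SERVICE_ACCOUNT_RE = re.compile(r"^(svc|sa)[_-]", re.IGNORECASE)   # assumption: naming convention
TEMP_PATH_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match the short forms too
ENCODED_PS_RE = re.compile(r"powershell.*?\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)

# Constructed sample: one ordinary logon, then an off-hours RDP session followed by
# an encoded PowerShell command, a service dropped in Temp and a cleared audit log.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2026-01-20T09:15:00", "account": "jsmith", "logon_type": 2, "source_ip": "-"},
    {"id": 4624, "time": "2026-01-21T03:12:44", "account": "jsmith", "logon_type": 10, "source_ip": "203.0.113.7"},
    {"id": 4624, "time": "2026-01-21T11:05:10", "account": "svc_backup", "logon_type": 10, "source_ip": "10.0.0.5"},
    {"id": 4688, "time": "2026-01-21T03:14:02", "account": "jsmith",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"id": 7045, "time": "2026-01-21T03:15:30", "image_path": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\upd.exe"},
    {"id": 1102, "time": "2026-01-21T03:40:00", "account": "jsmith"},
]


def triage(events):
    """Return (timestamp, finding, detail) tuples in chronological order."""
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        eid = ev["id"]
        if eid == 4624:
            account = ev["account"]
            if ts.hour not in BUSINESS_HOURS:
                findings.append((ts, "logon at unusual hour", account))
            if ev.get("logon_type") in (2, 10) and SERVICE_ACCOUNT_RE.match(account):
                findings.append((ts, "service account interactive logon", account))
            src = ev.get("source_ip", "")
            if ev.get("logon_type") == 10 and not src.startswith(INTERNAL_PREFIXES):
                findings.append((ts, "RDP logon from non-internal source", src))
        elif eid == 1102:
            findings.append((ts, "audit log cleared", ev.get("account", "?")))
        elif eid == 7045 and TEMP_PATH_RE.search(ev.get("image_path", "")):
            findings.append((ts, "service installed from temp path", ev["image_path"]))
        elif eid == 4688 and ENCODED_PS_RE.search(ev.get("command_line", "")):
            findings.append((ts, "encoded PowerShell command", ev["command_line"]))
    return findings


if __name__ == "__main__":
    for ts, finding, detail in triage(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {finding:<38} {detail}")
```

The sorted timeline is the point: read top to bottom, the off-hours RDP logon, the encoded command, the Temp-path service and the cleared log line up into one intrusion sequence rather than four unrelated alerts.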

PowerShell Analysis Commands

# Find failed logons
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} |
    Select-Object TimeCreated, @{N='Account';E={$_.Properties[5].Value}},
    @{N='Source';E={$_.Properties[19].Value}}

# Find successful logons (Type 10 = RDP)
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} |
    Where-Object {$_.Properties[8].Value -eq 10} |
    Select-Object TimeCreated, @{N='Account';E={$_.Properties[5].Value}},
    @{N='SourceIP';E={$_.Properties[18].Value}}

# Find new services
Get-WinEvent -FilterHashtable @{LogName='System';ID=7045} |
    Select-Object TimeCreated, @{N='ServiceName';E={$_.Properties[0].Value}},
    @{N='ImagePath';E={$_.Properties[1].Value}}

# Find PowerShell execution
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational';ID=4104} |
    Select-Object TimeCreated, @{N='ScriptBlock';E={$_.Properties[2].Value}}

macOS/iOS Unified Log Analysis

Key Subsystems to Examine

Subsystem                     What It Logs
com.apple.authd               Authentication events
com.apple.securityd           Keychain access, code signing
com.apple.xpc                 Inter-process communication
com.apple.networking          Network connections
com.apple.launchd             Process launching, services
com.apple.installd            App installations
com.apple.MobileInstallation  iOS app installs

Analysis Commands (macOS)

# View logs from specific time range
log show --start "2026-01-20 00:00:00" --end "2026-01-21 23:59:59"

# Filter by subsystem
log show --predicate 'subsystem == "com.apple.authd"' --last 24h

# Search for process execution
log show --predicate 'eventMessage contains "exec"' --last 7d

# Find sudo usage
log show --predicate 'process == "sudo"' --last 7d

# Network connections
log show --predicate 'subsystem == "com.apple.networking"' --last 24h

# Failed authentication
log show --predicate 'subsystem == "com.apple.authd" AND eventMessage contains "failed"'

Suspicious Patterns (macOS/iOS)

- Unexpected sudo/root activity
- LaunchDaemon/LaunchAgent additions
- Apps requesting unusual entitlements
- Keychain access from unexpected processes
- Code signing failures
- TCC (privacy) permission grants
- Gatekeeper bypasses
- Unexpected network connections

Linux Log Analysis

Key Log Files

File                 Content                         IOC Value
/var/log/auth.log    Authentication (Debian/Ubuntu)  Login attempts, sudo usage
/var/log/secure      Authentication (RHEL/CentOS)    Login attempts, sudo usage
/var/log/syslog      General system messages         Service issues, errors
/var/log/kern.log    Kernel messages                 Driver issues, exploits
/var/log/cron.log    Cron execution                  Persistence via cron
/var/log/apache2/    Web server logs                 Web attacks
/var/log/nginx/      Web server logs                 Web attacks

Analysis Commands

# Failed SSH logins
grep "Failed password" /var/log/auth.log | tail -50

# Successful SSH logins
grep "Accepted" /var/log/auth.log | tail -50

# Sudo commands
grep "sudo:" /var/log/auth.log | grep "COMMAND"

# New user accounts
grep "useradd\|adduser" /var/log/auth.log

# Cron executions
grep "CRON" /var/log/syslog

# Check for SSH brute force (journal)
journalctl -u sshd --since "7 days ago" | grep "Failed"

# Find all logins by IP (field positions shift on "invalid user" lines, so take the address after "from")
grep -E "Accepted|Failed" /var/log/auth.log | \
    grep -oE "from [0-9a-fA-F.:]+" | awk '{print $2}' | sort | uniq -c | sort -rn
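The grep pipelines above answer one question each; the Python below is an added example, written for this guide rather than taken from the original page, that parses the same auth.log line formats (sshd, sudo, useradd) once and answers several of them: failed and accepted logins per source IP, brute force followed by a success, root logins, sudo commands and new accounts. It handles the "invalid user" variant that shifts the field positions. The log lines are constructed for the example; the failure threshold is an assumption.

```python
"""Parse sshd, sudo and useradd lines from /var/log/auth.log and flag the
SSH patterns listed on this page. Sample lines are constructed.
"""
import re
from collections import defaultdict

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port"
)
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)")

SAMPLE_AUTH_LOG = """\
Jan 21 02:10:01 web01 sshd[2210]: Failed password for root from 198.51.100.23 port 50122 ssh2
Jan 21 02:10:03 web01 sshd[2212]: Failed password for invalid user admin from 198.51.100.23 port 50130 ssh2
Jan 21 02:10:05 web01 sshd[2214]: Failed password for root from 198.51.100.23 port 50140 ssh2
Jan 21 02:10:09 web01 sshd[2216]: Accepted password for root from 198.51.100.23 port 50152 ssh2
Jan 21 08:30:12 web01 sshd[3001]: Accepted publickey for deploy from 10.0.0.12 port 41022 ssh2
Jan 21 08:31:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 21 08:35:45 web01 useradd[3100]: new user: name=backup2, UID=1003, GID=1003, home=/home/backup2, shell=/bin/bash
""".splitlines()


def parse_ssh(lines):
    """One dict (ts, result, method, user, ip) per sshd Accepted/Failed line, in file order."""
    return [m.groupdict() for m in map(SSH_RE.match, lines) if m]


def per_ip_summary(events):
    """Failed/accepted counts and the user names tried, keyed by source IP."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for ev in events:
        entry = summary[ev["ip"]]
        entry["failed" if ev["result"] == "Failed" else "accepted"] += 1
        entry["users"].add(ev["user"])
    return dict(summary)


def brute_force_then_success(events, threshold=3):
    """(ip, user, failures) for each success preceded by >= threshold failures from that IP."""
    fails = defaultdict(int)
    hits = []
    for ev in events:
        if ev["result"] == "Failed":
            fails[ev["ip"]] += 1
            continue
        if fails[ev["ip"]] >= threshold:
            hits.append((ev["ip"], ev["user"], fails[ev["ip"]]))
        fails[ev["ip"]] = 0
    return hits


def root_logins(events):
    return [ev for ev in events if ev["result"] == "Accepted" and ev["user"] == "root"]


def sudo_commands(lines):
    return [(m["user"], m["target"], m["cmd"]) for m in map(SUDO_RE.search, lines) if m]


def new_users(lines):
    return [m["name"] for m in map(USERADD_RE.search, lines) if m]


if __name__ == "__main__":
    events = parse_ssh(SAMPLE_AUTH_LOG)
    for ip, entry in per_ip_summary(events).items():
        print(f"{ip:<16} failed={entry['failed']} accepted={entry['accepted']} users={sorted(entry['users'])}")
    print("brute force then success:", brute_force_then_success(events))
    print("root logins:", [(e['ts'], e['ip']) for e in root_logins(events)])
    print("sudo:", sudo_commands(SAMPLE_AUTH_LOG))
    print("new users:", new_users(SAMPLE_AUTH_LOG))
```

On a RHEL-family host read /var/log/secure instead; the line formats are the same. Feed the function the rotated files too (auth.log.1, auth.log.*.gz) so the attempts that preceded a success are not cut off at a rotation boundary.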

Suspicious Patterns (Linux)

- SSH from unexpected IPs or countries
- Root logins (should be disabled)
- New users created
- Cron jobs added by unexpected users
- Processes running from /tmp or /dev/shm
- Outbound connections on unusual ports
- Modified system binaries
- Rootkit signatures (hidden processes, files)

Android Log Analysis

Key Areas in Bug Report

Directory/File               Content
bugreport-*.txt              Main summary
FS/data/system/packages.xml  Installed apps
FS/data/system/usagestats/   App usage history
dumpstate/                   System state dump
logcat.txt                   Application logs

What to Look For

- Apps installed from unknown sources (sideloading)
- Apps with excessive permissions
- Battery drain from background processes
- Network connections to suspicious IPs
- Device admin apps (MDM or malware)
- Accessibility service abuse
- Unusual certificate installations
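Two of the items above, sideloaded apps and apps with excessive permissions, can be checked directly from the packages.xml in the bug report. The following Python is an added example for this guide, not code from the original page or from HackAid. It assumes the packages.xml schema where each <package> element carries name, codePath and, when an installer recorded the install, an installer attribute, and where <perms>/<item> children list the granted install-time permissions; the XML sample is constructed and heavily simplified, and the trusted-installer set and the list of sensitive permissions are assumptions to adjust.

```python
"""Scan FS/data/system/packages.xml from an Android bug report for apps that
were not installed by a trusted installer and for apps holding several
sensitive permissions. Schema details are assumptions; sample XML is constructed.
"""
import xml.etree.ElementTree as ET

TRUSTED_INSTALLERS = {"com.android.vending"}   # assumption: only Play Store installs expected
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")
SENSITIVE_PERMS = {   # assumption: the permissions this triage cares about
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.SYSTEM_ALERT_WINDOW",
}

SAMPLE_PACKAGES_XML = """\
<packages>
  <package name="com.android.chrome" codePath="/product/app/Chrome" installer="com.android.vending"/>
  <package name="com.example.bank" codePath="/data/app/~~Ab12==/com.example.bank-Cd34=="
           installer="com.android.vending">
    <perms>
      <item name="android.permission.INTERNET" granted="true"/>
      <item name="android.permission.CAMERA" granted="true"/>
    </perms>
  </package>
  <package name="com.sys.update" codePath="/data/app/~~Ef56==/com.sys.update-Gh78==">
    <perms>
      <item name="android.permission.INTERNET" granted="true"/>
      <item name="android.permission.READ_SMS" granted="true"/>
      <item name="android.permission.RECORD_AUDIO" granted="true"/>
      <item name="android.permission.SYSTEM_ALERT_WINDOW" granted="true"/>
    </perms>
  </package>
</packages>
"""


def parse_packages(xml_text):
    """One dict per <package>: name, whether it lives on a system partition,
    the recorded installer (None if absent) and the set of granted permissions."""
    pkgs = []
    for p in ET.fromstring(xml_text).iter("package"):
        perms = {i.get("name") for i in p.iter("item") if i.get("granted") == "true"}
        pkgs.append({
            "name": p.get("name"),
            "system": p.get("codePath", "").startswith(SYSTEM_PREFIXES),
            "installer": p.get("installer"),
            "perms": perms,
        })
    return pkgs


def find_sideloaded(pkgs, trusted=TRUSTED_INSTALLERS):
    """User-installed packages whose installer is missing or not trusted."""
    return [p["name"] for p in pkgs if not p["system"] and p["installer"] not in trusted]


def find_permission_heavy(pkgs, threshold=2):
    """(name, sorted sensitive permissions) for packages holding >= threshold of them."""
    hits = []
    for p in pkgs:
        sensitive = sorted(p["perms"] & SENSITIVE_PERMS)
        if len(sensitive) >= threshold:
            hits.append((p["name"], sensitive))
    return hits


if __name__ == "__main__":
    packages = parse_packages(SAMPLE_PACKAGES_XML)
    print("sideloaded:", find_sideloaded(packages))
    for name, perms in find_permission_heavy(packages):
        print(f"{name}: {', '.join(perms)}")
```

A package that is both sideloaded and permission-heavy, as com.sys.update is in the sample, is the one to pull first: cross-check it against usagestats for when it was last run and against logcat for what it did.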

ADB Commands for Live Analysis

# List installed packages
adb shell pm list packages -f

# Check permissions for an app
adb shell dumpsys package com.suspicious.app | grep permission

# View running processes
adb shell ps -A

# Check network connections
adb shell netstat -an

# View system logs in real-time
adb logcat

Common IOC Patterns Across Platforms

Network-Based IOCs

Pattern                                Significance
Connections to known malicious IPs     Command & control
DNS queries to suspicious domains      C2, data exfiltration
Beaconing traffic (regular intervals)  Malware communication
Large outbound data transfers          Data exfiltration
Connections to Tor exit nodes          Anonymization
Traffic on unusual ports               Covert channels
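Beaconing, bulk transfers and odd ports are all visible in a plain list of outbound connections, which is what the ss, netstat and sysdiagnose outputs collected above reduce to. The Python below is an added example for this guide, not code from the original page or from HackAid: it groups connections by destination, measures how regular the gaps between them are (a low standard deviation relative to the mean gap is the beaconing signal), totals bytes per destination and lists destinations on ports outside an expected set. The connection records are constructed; the thresholds, minimum event count and the set of common ports are assumptions to tune.

```python
"""Find beaconing, large outbound transfers and unusual ports in a list of
outbound connections. Records are (epoch_seconds, dst_ip, dst_port, bytes_out)
tuples; the sample is constructed and the thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

COMMON_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995}   # assumption: expected services

SAMPLE_CONNECTIONS = [
    # check-ins roughly 60 s apart with a second or two of jitter
    (1000, "203.0.113.50", 443, 512), (1061, "203.0.113.50", 443, 512),
    (1119, "203.0.113.50", 443, 512), (1181, "203.0.113.50", 443, 512),
    (1240, "203.0.113.50", 443, 512), (1299, "203.0.113.50", 443, 512),
    (1361, "203.0.113.50", 443, 512), (1420, "203.0.113.50", 443, 512),
    # ordinary browsing: irregular gaps to the same site
    (1010, "198.51.100.10", 443, 2000), (1045, "198.51.100.10", 443, 2000),
    (1400, "198.51.100.10", 443, 2000), (1410, "198.51.100.10", 443, 2000),
    (2800, "198.51.100.10", 443, 2000),
    # one large upload on a port nothing here normally uses
    (2000, "192.0.2.77", 8443, 120_000_000),
]


def by_destination(conns):
    """Map (dst_ip, dst_port) to a time-sorted list of (timestamp, bytes_out)."""
    groups = defaultdict(list)
    for ts, dst, port, nbytes in conns:
        groups[(dst, port)].append((ts, nbytes))
    return {dest: sorted(events) for dest, events in groups.items()}


def interval_stats(times):
    """Mean gap between consecutive events and its coefficient of variation (stdev / mean)."""
    if len(times) < 2:
        return 0.0, float("inf")
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def find_beacons(conns, min_count=5, max_cv=0.2):
    """Destinations contacted at least min_count times at near-regular intervals."""
    hits = []
    for dest, events in by_destination(conns).items():
        if len(events) < min_count:
            continue
        avg, cv = interval_stats([ts for ts, _ in events])
        if cv <= max_cv:
            hits.append((dest, avg, cv, len(events)))
    return hits


def find_large_transfers(conns, threshold=50_000_000):
    """(dst_ip, dst_port, total_bytes) for destinations that received >= threshold bytes."""
    totals = defaultdict(int)
    for _, dst, port, nbytes in conns:
        totals[(dst, port)] += nbytes
    return sorted((dst, port, total) for (dst, port), total in totals.items() if total >= threshold)


def find_unusual_ports(conns, common=COMMON_PORTS):
    return sorted({(dst, port) for _, dst, port, _ in conns if port not in common})


if __name__ == "__main__":
    for (dst, port), avg, cv, n in find_beacons(SAMPLE_CONNECTIONS):
        print(f"beacon candidate {dst}:{port}  n={n}  every {avg:.1f}s  cv={cv:.3f}")
    print("large transfers:", find_large_transfers(SAMPLE_CONNECTIONS))
    print("unusual ports:", find_unusual_ports(SAMPLE_CONNECTIONS))
```

The beacon check needs timestamps, so it works on a stream of connection records (firewall or proxy logs, a packet capture summary) rather than on a single ss snapshot; a snapshot still feeds the port and byte-count checks.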

Behavioral IOCs

Behavior               Platforms       Significance
Process injection      Windows, Linux  Code execution, evasion
Scheduled persistence  All             Maintaining access
Credential access      All             Lateral movement prep
Discovery commands     All             Reconnaissance
Encoded commands       Windows, Linux  Obfuscation
Anti-forensics         All             Covering tracks

Analysis Tools

Multi-Platform

Tool          Purpose                         Link
Velociraptor  Remote forensics, log analysis  velocidex/velociraptor
Splunk        Log aggregation and search      splunk.com
ELK Stack     Open source log analysis        elastic.co

Windows-Specific

Tool          Purpose                           Link
Chainsaw      Fast Windows log analysis         WithSecureLabs/chainsaw
Hayabusa      Windows event log threat hunting  Yamato-Security/hayabusa
Event Viewer  Native log viewer                 Built into Windows
LogParser     SQL-like log queries              Microsoft download

macOS/iOS-Specific

Tool                               Purpose                    Link
log show                           Native unified log viewer  Built into macOS
Mandiant ioc-scanner               iOS malware detection      mandiant
MVT (Mobile Verification Toolkit)  Mobile forensics           mvt-project/mvt

Linux-Specific

Tool        Purpose             Link
journalctl  Systemd log viewer  Built into systemd
aureport    Audit log analysis  Part of auditd
OSSEC       Host-based IDS      ossec.net

Quick Reference: IOC Checklist

When analyzing logs, look for:

  • [ ] Logons at unusual times
  • [ ] Logons from unexpected locations/IPs
  • [ ] Failed logon attempts (brute force)
  • [ ] New user accounts created
  • [ ] Privilege escalation events
  • [ ] New services or scheduled tasks
  • [ ] Process execution from temp directories
  • [ ] PowerShell/script execution
  • [ ] Outbound network connections to suspicious IPs
  • [ ] Large data transfers
  • [ ] Cleared or modified logs
  • [ ] Antivirus/security software disabled
  • [ ] New applications installed
  • [ ] Modified system files


Need Help?

If you've collected logs and need assistance analyzing them, HackAid volunteers can help.

Apply for Assistance


Last updated: 2026-01