iOS 26 Update Erases Critical Evidence of Pegasus and Predator Spyware Infections
For years, forensic investigators relied on a seemingly mundane system file—shutdown.log—to uncover some of the most sophisticated mobile spyware attacks. Buried in iOS Sysdiagnose logs, this artifact captured digital fingerprints left by tools like NSO Group's Pegasus and Intellexa's Predator during device shutdown sequences. Now, with iOS 26, that critical evidence is being systematically erased.
The Silent Witness That Spoke Volumes
Located at Sysdiagnose Folder → system_logs.logarchive → Extra → shutdown.log, this log historically recorded processes interacting with the system during shutdown. In 2021, researchers discovered Pegasus left identifiable traces here—entries that became telltale indicators of compromise (IOCs). By 2022, Pegasus operators evolved to actively wipe the log, but ironically, the very act of erasure left its own forensic signature: a suspiciously empty shutdown.log became a new IOC.
"A cleared shutdown.log served as a heuristic for compromise," explains Matthias Frielingsdorf, VP of Research at iVerify. "Even when they tried to hide, they left traces of the hiding itself."
Predator spyware later adopted similar log-wiping techniques, making this artifact a cornerstone of modern iOS forensic investigations. Yet iOS 26 fundamentally alters its behavior: instead of appending new entries on each reboot, the OS now overwrites the entire file, so only the most recent shutdown survives and the historical record is permanently destroyed.
A Devastating Blow to Forensic Capabilities
The implications are severe:
1. Historical Evidence Vanishes: Any device updated to iOS 26 that undergoes a reboot loses prior shutdown.log data—including evidence of past infections.
2. Detection Gap: Without this log, investigators lose a primary method for correlating events (e.g., cross-referencing containermanagerd boot logs with shutdown anomalies).
3. Catastrophic Timing: This change arrives as spyware attacks surge, with recent targets including executives, journalists, and politicians.
/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking
Above: A specific Pegasus IOC path now erased by iOS 26 reboots. NSO Group notably shifted to using legitimate-looking system process names like this to evade detection.
Preserving Evidence: A Race Against Time
For at-risk individuals:
- Immediately capture a Sysdiagnose before updating to iOS 26 to preserve existing logs.
- Consider delaying the update until Apple addresses the behavior (whether a bug or intentional design), weighing the loss of this artifact against the security fixes the update itself carries.
- For older iOS versions, correlate containermanagerd boot events with shutdown.log entries—discrepancies may indicate tampering.
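The triage below is an added example of the checks listed above, not iVerify's tooling or Apple's code. It assumes shutdown.log names processes as "pid <n> (<path>)", that each shutdown's lines form one blank-line-separated block, and that containermanagerd boot events appear as one line per boot; the log excerpts, timestamps and the boot-line format are constructed for the example, and the only IOC path used is the one quoted earlier on this page. It is meant for captures taken before iOS 26, where the file still accumulates history.

```python
"""Triage a pre-iOS 26 shutdown.log against known IOC paths and boot events.

Added example; not iVerify's or Apple's code. The "pid <n> (<path>)" line
shape, the blank-line block separation and the containermanagerd boot
line format are assumptions documented inline.
"""
import re
from dataclasses import dataclass, field

# Only IOC path taken from the article; extend from a published IOC list.
IOC_PATHS = {
    "/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking",
}

# Assumption: shutdown.log names processes as "pid <n> (<path>)" fragments.
PID_RE = re.compile(r"pid (\d+) \(([^)]+)\)")


@dataclass
class Finding:
    level: str   # "high" or "medium"
    detail: str


@dataclass
class ShutdownTriage:
    processes: list = field(default_factory=list)  # (pid, path) per entry
    findings: list = field(default_factory=list)


def triage_shutdown_log(text: str, iocs=IOC_PATHS) -> ShutdownTriage:
    """Flag an empty log (wiping heuristic) and any known IOC process path."""
    out = ShutdownTriage()
    if not text.strip():
        out.findings.append(Finding(
            "medium", "shutdown.log is empty: consistent with log wiping"))
        return out
    seen = set()
    for m in PID_RE.finditer(text):
        pid, path = int(m.group(1)), m.group(2)
        out.processes.append((pid, path))
        if path in iocs and path not in seen:
            seen.add(path)
            out.findings.append(Finding(
                "high", f"known IOC path in shutdown.log: {path} (pid {pid})"))
    return out


def count_shutdown_sequences(text: str) -> int:
    """Assumption: each shutdown's lines form one blank-line-separated block."""
    return sum(1 for b in re.split(r"\n\s*\n", text.strip()) if b.strip())


def count_boot_events(unified_log_text: str) -> int:
    """Constructed marker: a containermanagerd line mentioning 'boot'."""
    return sum(1 for ln in unified_log_text.splitlines()
               if "containermanagerd" in ln and "boot" in ln)


def correlate(shutdown_text: str, unified_log_text: str,
              iocs=IOC_PATHS) -> ShutdownTriage:
    """Cross-check boot count against recorded shutdown sequences."""
    result = triage_shutdown_log(shutdown_text, iocs)
    boots = count_boot_events(unified_log_text)
    seqs = count_shutdown_sequences(shutdown_text)
    if boots and seqs == 0:
        result.findings.append(Finding(
            "high", f"{boots} boot(s) recorded but no shutdown sequences"))
    elif boots > seqs + 1:  # +1: first boot after restore/update has no prior shutdown
        result.findings.append(Finding(
            "medium", f"{boots} boot(s) vs {seqs} shutdown sequence(s): "
                      "shutdown.log may have been truncated"))
    return result


# Constructed sample: two shutdown sequences, one holding the IOC path.
SAMPLE_SHUTDOWN_LOG = """\
After 3s, there are still 2 clients: pid 54 (/usr/sbin/wifid), pid 60 (/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking)
After 4s, there are still 1 clients: pid 60 (/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking)
SIGTERM: [0x0] pid 60 (/private/var/db/com.apple.xpc.roleaccountd.staging/com.apple.WebKit.Networking)

After 2s, there are still 1 clients: pid 77 (/usr/libexec/locationd)
"""

# Constructed sample: three boots as they might appear in a log export.
SAMPLE_CONTAINERMANAGERD = """\
2025-09-16 08:01:12 containermanagerd[63] boot: container manager starting
2025-09-17 19:44:03 containermanagerd[63] boot: container manager starting
2025-09-18 07:12:55 containermanagerd[63] boot: container manager starting
"""

if __name__ == "__main__":
    for label, log in (("populated", SAMPLE_SHUTDOWN_LOG), ("wiped", "")):
        r = correlate(log, SAMPLE_CONTAINERMANAGERD)
        print(label, [(f.level, f.detail) for f in r.findings])
```

Feed it the shutdown.log extracted from the Sysdiagnose path given above (system_logs.logarchive/Extra/shutdown.log) together with a containermanagerd export from the same capture. The populated sample yields one high finding for the IOC path; an empty log with three recorded boots yields the wiping heuristic plus a boot/shutdown mismatch. On an iOS 26 device that has rebooted, the sequence count will always be at most one, so the mismatch rule fires for almost any history and tells you nothing about tampering.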
This isn't just about a log file—it's about the escalating arms race between privacy and surveillance. As spyware vendors continuously adapt, Apple's opaque changes inadvertently dismantle vital forensic defenses. Until resolved, this move leaves users and investigators flying blind in an increasingly hostile mobile landscape.
Source: iVerify Research