ydkhatri / mac_apt

macOS (& ios) Artifact Parsing Tool

Home Page:https://swiftforensics.com


tons of "item_type unknown (0xF2)" and "Unknown custom data object type" occur while processing Unified Logs

mnrkbys opened this issue

Warning and info messages like the ones below are displayed if I analyze unified logs of macOS 10.6.

2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|INFO|Unknown custom data object type '{public,mdns:dnshdr}' data size=0xC in log @ 0x18E8
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|INFO|Unknown custom data object type '{public,mdns:dnshdr}' data size=0xC in log @ 0x1988
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|INFO|Unknown custom data object type '{public,mdns:dnshdr}' data size=0xC in log @ 0x1A28
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|INFO|Unknown custom data object type '{public,mdns:dnshdr}' data size=0xC in log @ 0x1B68
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|WARNING|item_type unknown (0xF2)
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|WARNING|item_type unknown (0xF2)
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|WARNING|item_type unknown (0xF2)
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|INFO|Unknown custom data object type '{private, mask.hash, mdnsresponder:domain_name}' data size=0x4 in log @ 0x1E20
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|WARNING|item_type unknown (0xF2)
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|WARNING|item_type unknown (0xF2)

A very large number of messages have been recorded.

% fgrep "MAIN.UNIFIED_LOG_READER_LIB" Log.20210929-105600.txt | fgrep "item_type unknown (0xF2)" | wc -l
 1365407
% fgrep "MAIN.UNIFIED_LOG_READER_LIB" Log.20210929-105600.txt | fgrep "Unknown custom data object type" | wc -l
  889319

The mac_apt log file is attached.
Log.20210929-105600.txt.zip

Also, I can share the unified log files exported by mac_apt if necessary to fix the problem.
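As an added example (not part of mac_apt or of this issue), a small Python script that parses a mac_apt log in its `timestamp|module|level|message` layout and tabulates the two message kinds quoted above, so that unknown `item_type` codes and unknown custom data object types can be ranked by frequency instead of counted one pattern at a time with fgrep. The sample lines are constructed from the messages in the report; the `0xF3` code and the last line are made up to show grouping and filtering.

```python
import re
from collections import Counter

# Constructed sample in mac_apt's "timestamp|module|level|message" log format,
# modelled on the messages quoted in this issue. Offsets and the 0xF3 code are made up.
SAMPLE_LOG = """\
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|INFO|Unknown custom data object type '{public,mdns:dnshdr}' data size=0xC in log @ 0x18E8
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|INFO|Unknown custom data object type '{public,mdns:dnshdr}' data size=0xC in log @ 0x1988
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|WARNING|item_type unknown (0xF2)
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|WARNING|item_type unknown (0xF2)
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|INFO|Unknown custom data object type '{private, mask.hash, mdnsresponder:domain_name}' data size=0x4 in log @ 0x1E20
2021-09-29 11:29:09|MAIN.UNIFIED_LOG_READER_LIB|WARNING|item_type unknown (0xF3)
2021-09-29 11:29:10|MAIN|INFO|Processing complete
"""

# One regex for the log envelope, one per message kind we want to tabulate.
LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<module>[^|]+)\|(?P<level>[^|]+)\|(?P<msg>.*)$")
CUSTOM_RE = re.compile(
    r"Unknown custom data object type '(?P<type>[^']+)' data size=(?P<size>0x[0-9A-Fa-f]+)"
    r" in log @ (?P<off>0x[0-9A-Fa-f]+)")
ITEM_RE = re.compile(r"item_type unknown \((?P<code>0x[0-9A-Fa-f]+)\)")


def summarize_unknowns(text, module="MAIN.UNIFIED_LOG_READER_LIB"):
    """Return (Counter{item_type_code: n}, Counter{(type_name, data_size): n})
    built from the messages emitted by the given module."""
    item_types = Counter()
    custom_types = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["module"] != module:
            continue  # skip lines from other modules and anything malformed
        msg = m["msg"]
        c = CUSTOM_RE.search(msg)
        if c:
            custom_types[(c["type"], int(c["size"], 16))] += 1
            continue
        i = ITEM_RE.search(msg)
        if i:
            item_types[int(i["code"], 16)] += 1
    return item_types, custom_types


def format_report(item_types, custom_types):
    """Render both tables most-frequent first, as a reviewer would want to read them."""
    lines = ["unknown item_type codes:"]
    lines += [f"  0x{code:02X}: {n}" for code, n in item_types.most_common()]
    lines.append("unknown custom data object types:")
    lines += [f"  {t!r} size=0x{s:X}: {n}" for (t, s), n in custom_types.most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(*summarize_unknowns(SAMPLE_LOG)))
```

To run it against a real log, replace `SAMPLE_LOG` with the contents of the `Log.*.txt` file that mac_apt writes.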

The unified log format evolves with every new iteration of macOS. I will have to do some research here.
About the "Unknown custom data object type" message: this has to do with structures that the library does not know how to parse, as there is no definition available. Some of the commonly used ones have been reverse engineered; there are many more that are unknown.