iOS 26 Overwrites ‘shutdown.log’ on Reboot, Erasing Forensic Evidence of Pegasus and Predator Spyware

As iOS 26 is being rolled out, a critical forensic challenge has emerged: the operating system now automatically overwrites the shutdown.log file on every reboot, effectively erasing crucial evidence of Pegasus and Predator spyware infections.

This development represents a significant setback for forensic investigators and users seeking to determine whether their devices have been compromised—particularly troubling given the escalating prevalence of sophisticated spyware attacks targeting executives, celebrities, and civil society figures alike.

For nearly a decade, the shutdown.log file has served as an invaluable forensic artifact in detecting iOS malware, despite remaining largely overlooked by mainstream security discussions.

Stored within the Sysdiagnoses in the Unified Logs section (Sysdiagnose Folder → system_logs.logarchive → Extra → shutdown.log), this file has documented crucial activity during device shutdown sequences.

In 2021, researchers discovered that the publicly known version of Pegasus spyware left discernible traces within the shutdown.log, providing ...