
Spyware Detection at Risk as iOS 26 Erases Forensic Logs

The rise of Pegasus and Predator spyware has redefined the threat landscape for mobile device security.

These highly advanced surveillance tools—crafted by nation-state or state-sponsored actors—have demonstrated an alarming ability to exploit zero-click vulnerabilities on iPhones and Android devices alike, silently compromising even the most secure environments.

For years, digital forensics experts relied on the subtle remnants left behind in system logs to identify traces of such infections. Among these artifacts, one file stood out: shutdown.log, a critical iOS record that documented system restarts and shutdown events.

However, with the release of Apple’s iOS 26, forensic analysts have encountered an unexpected setback that could reshape how investigators approach mobile threat analysis.


⚙️ The Change: iOS 26 Overwrites the shutdown.log File

Researchers at iVerify—a mobile security and digital forensics firm—have uncovered that iOS 26 now overwrites the shutdown.log file each time a device is rebooted, rather than appending new entries as in previous versions.

At first glance, this might seem like a simple system optimization.

But for the forensic community, it’s a serious obstacle.

“This change effectively wipes historical shutdown data upon every reboot,” iVerify analysts explained.

“It means potential traces of compromise are permanently lost once the device restarts.”


🔍 Why the shutdown.log File Mattered

In earlier iOS versions, shutdown.log stored a chronological record of system reboots, crashes, and power events.

When advanced spyware like Pegasus infected a device, it often attempted to delete or tamper with this file to hide its tracks.

Yet, even after such tampering, forensic specialists could still identify subtle anomalies—for example, suspicious process names or timestamps inconsistent with normal user activity.

Notably, forensic teams discovered unique indicators linked to Pegasus infections, such as references to:

  • com.apple.xpc.roleaccountd.staging
  • com.apple.WebKit.Networking

These entries offered rare glimpses into an attacker’s activity, even after partial log deletions.

That capability is now gone.


💣 The “Double Erasure” Effect

With iOS 26, investigators face what iVerify calls a “double erasure.”

Spyware already deletes or manipulates logs during infection. Now, when the device reboots, iOS itself overwrites the shutdown.log file completely, erasing any residual traces.

This dual layer of data loss sanitizes critical forensic evidence, making it nearly impossible to reconstruct infection timelines or verify compromise.

In practical terms, a compromised device that restarts even once after infection could appear completely clean, despite having hosted spyware earlier.
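To make the two preceding sections concrete, here is an added Python example (not code from iVerify, Apple or the original article) that scans shutdown.log-style text for the two indicators named above and then contrasts what an analyst can still recover under append-on-reboot retention versus overwrite-on-reboot retention. The sample log lines are constructed; the “SIGTERM:” block header and “remaining client pid: … (path)” layout are an assumption about the file’s format, as are the pids and paths, and the `triage`, `parse_shutdown_log` and `surviving_text` helpers are hypothetical names introduced for this illustration.

```python
"""Scan shutdown.log-style text for spyware indicators and model what survives a reboot."""
import re
from dataclasses import dataclass, field

# Indicator strings named in the article above. A match is a lead for analyst
# review, not proof of compromise on its own.
IOC_MARKERS = (
    "com.apple.xpc.roleaccountd.staging",
    "com.apple.WebKit.Networking",
)

# Constructed sample: three shutdowns appended to one file. Each "SIGTERM:" line
# opens a shutdown block; "remaining client pid" lines list processes that had not
# exited yet. The exact field layout of Apple's real file is an assumption here.
SAMPLE_LOG = """\
SIGTERM: [0x1a] = 0.41s
After 1.00s, there were still 1 clients remaining:
\tremaining client pid: 412 (/usr/libexec/locationd)
SIGTERM: [0x1b] = 0.77s
After 1.00s, there were still 2 clients remaining:
\tremaining client pid: 517 (/private/var/db/com.apple.xpc.roleaccountd.staging/rolexd)
\tremaining client pid: 530 (/System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.Networking.xpc/com.apple.WebKit.Networking)
SIGTERM: [0x1c] = 0.39s
After 1.00s, there were still 1 clients remaining:
\tremaining client pid: 602 (/usr/libexec/locationd)
"""

BLOCK_START = re.compile(r"^SIGTERM:", re.MULTILINE)
CLIENT_LINE = re.compile(r"remaining client pid: (\d+) \((.+)\)")


@dataclass
class ShutdownEvent:
    """One shutdown block and the processes still alive when it ran."""
    index: int
    clients: list = field(default_factory=list)  # (pid, path) pairs


def parse_shutdown_log(text: str) -> list:
    """Split the text into shutdown events, attaching lingering clients to each."""
    events = []
    for line in text.splitlines():
        if BLOCK_START.match(line):
            events.append(ShutdownEvent(index=len(events)))
            continue
        m = CLIENT_LINE.search(line)
        if m and events:
            events[-1].clients.append((int(m.group(1)), m.group(2)))
    return events


def find_indicators(events: list) -> list:
    """Return (shutdown index, pid, path) for every lingering client matching an IoC marker."""
    hits = []
    for ev in events:
        for pid, path in ev.clients:
            if any(marker in path for marker in IOC_MARKERS):
                hits.append((ev.index, pid, path))
    return hits


def surviving_text(text: str, overwrite_on_reboot: bool) -> str:
    """Model retention: append keeps every block, overwrite keeps only the newest one."""
    if not overwrite_on_reboot:
        return text
    starts = [m.start() for m in BLOCK_START.finditer(text)]
    return text[starts[-1]:] if starts else text


def triage(text: str, overwrite_on_reboot: bool) -> dict:
    """Parse whatever survived and report visible shutdowns plus indicator hits."""
    events = parse_shutdown_log(surviving_text(text, overwrite_on_reboot))
    return {"shutdowns": len(events), "hits": find_indicators(events)}


if __name__ == "__main__":
    for mode in (False, True):
        result = triage(SAMPLE_LOG, overwrite_on_reboot=mode)
        label = "overwrite on reboot" if mode else "append on reboot"
        print(f"{label}: {result['shutdowns']} shutdown(s) visible, "
              f"{len(result['hits'])} indicator hit(s)")
        for idx, pid, path in result["hits"]:
            print(f"  shutdown #{idx}, pid {pid}: {path}")
```

Under append retention the scanner sees all three shutdown blocks and flags both indicator paths from the middle one; under overwrite retention only the final, clean block survives, so the same device reports no hits. That is the “double erasure” in miniature: the evidence was never in the most recent block, and the earlier blocks no longer exist to be read.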


🧩 Forensic Implications: A Setback for Defenders

Before iOS 26, the appended shutdown.log allowed investigators to track reboot sequences over time—vital for correlating suspicious system behavior with known attack windows.

Now, with each new reboot, that historical record disappears.

This design change tilts the balance in favor of attackers, reducing the visibility defenders have into post-infection states.

“Even if malware tries to hide, the OS itself used to preserve some breadcrumbs,” said one analyst familiar with iOS forensic workflows.

“With this change, those breadcrumbs vanish completely.”


🧠 Intentional or Inadvertent?

It remains unclear whether Apple’s move to overwrite shutdown.log was an intentional security feature, a performance optimization, or an inadvertent side effect of broader system changes in iOS 26.

Regardless of intent, the outcome raises serious questions about digital evidence preservation, transparency, and malware accountability.

For victims of spyware and journalists or activists targeted by state-level surveillance, the ability to prove a compromise is often the only form of defense.

Losing that forensic capability undermines both personal safety and public trust.


🛡️ What’s Next for Investigators

Forensic teams are already adapting, exploring alternative methods to detect infection remnants using:

  • Network telemetry and anomaly analysis
  • Volatile memory dumps (RAM capture)
  • App sandbox behavior monitoring

Yet, none of these offer the same clarity or persistence that the shutdown.log once provided.

The situation underscores the fragile balance between security, privacy, and evidence preservation—and how a single OS-level change can alter that balance overnight.


⚖️ The Bigger Picture

This development highlights a broader issue in cybersecurity: as mobile platforms evolve, defenders often lose visibility faster than attackers lose capability.

In the ongoing cat-and-mouse game between Apple’s engineers, spyware developers, and forensic analysts, iOS 26 marks a pivotal round—one where defenders just lost a critical investigative tool.
