Preserving the evidence: what to do when something serious goes wrong

Over the last few weeks, some Macs have undergone unintentional upgrades to Sonoma that appear to have taken place without the user’s consent. I’ve been trying to understand what might have gone wrong, and where, but there’s almost no evidence to go on. This article explains what you can and should do if something like this happens to your Mac, so Apple and others can understand the problem.

In the heat of the moment, we often forget details that later turn out to be significant. When you think your Mac is teetering on disaster, it’s hard to think clearly and methodically, and crucial information is either lost, or never gathered in the first place. A week or two later, when we’re trying to explain what happened, there are no logs, no screenshots, only our fading memories. They make it difficult if not impossible to discover what actually went wrong.

1. Safeguard your Mac

Before doing anything else, ensure your Mac and its data are protected from whatever happened. If it’s something that was downloaded, like a macOS update/upgrade that you need to stop, disconnect your Mac from your network immediately, to prevent any more being downloaded. Never switch the power supply off, or pull the plug on your Mac, unless there’s imminent threat of injury or death, though: use the Shut Down… command when needed.

2. Screenshots

If you have time, and your Mac is still up and running, take screenshots of relevant settings, dialogs and notifications. These can usefully extend to relevant windows in System Settings, and settings in open applications. They will also help you spot any setting that isn’t the way you expected, which may have caused the problem to arise.

3. Logs

Since Sierra, macOS has used one central Unified log, although you can still see some entries in system.log and various crash reports. Capturing the Unified log is both urgent and important. Don’t waste time opening Console, as it can only show current log entries as they are written to the log, and can’t readily show the log history.

The simplest way to capture recent log entries and loads of other potentially useful information is in a sysdiagnose, named after the tool used to create it. If you ever want to report a problem to Apple’s engineers, or want to impress and help Apple Support, a sysdiagnose is essential. There are two easy ways to generate a sysdiagnose archive: I just type
sudo sysdiagnose -f ~/Documents
in Terminal and the compressed archive will be compiled and saved to my Documents folder. Or you can press Control-Option-Command-Shift-Period instead, in which case the screen will flash once, the archive will be saved to /private/var/tmp, and that will be opened in the Finder for you in a few minutes when it’s complete.

If you want to perform your own log analysis on the logarchive in a sysdiagnose, decompress the .tar.gz archive and you’ll find a large bundle named system_logs.logarchive, which you can then open using my free log browser Ulbow, Consolation, or (if you really want to) Console. Currently, the menu command to create a logarchive from within Ulbow isn’t working, I’m afraid; I am looking at how that can be fixed. In the meantime, you can create one from Terminal’s command line, using a command of the form
sudo log collect --output filepath --last 3h
to write a logarchive bundle to the file path and name filepath for the previous 3 hours. As this must be run as root, you’ll then need to authenticate with your admin password.

4. Written record

With those immediate actions in hand, open a new document in your favourite text or word processor, and write down your recollections as to what you did and saw in the period leading up to the problem, and exactly what happened. If you don’t do this now, you may forget important details. In the following hours or days, as you mull over in your mind what happened, amend or add to this, to build as complete a picture as you can.

Seemingly unimportant details can be valuable here. Did you see any notifications or alerts? If so, can you remember the gist of their text, and how you responded to them? If you can’t remember them clearly now, record them still, as their details might return later.

5. Repair and recovery

You finally need to check what to do next to repair any damage, and how best to recover your Mac from this problem. My two hot tips here are: never trust an AI of any kind, and be extremely wary of recommendations from human experts too. Many people think they know a great deal about Macs and macOS, and are only too happy to suggest dangerous or simply useless solutions. Try to arrive at a consensus of recommendations by experts, and don’t be afraid to ask them for advice before doing anything that isn’t readily reversible. Take your time, and don’t get rushed or flustered: it’s much better to think and plan the best solution than to race off, wipe your boot system and start again from scratch and backups.