Feb 08, 2026
iOS 26 Erases Spyware Evidence on Every Reboot—Back Up Your Phone Before Updating
Apple's latest update overwrites a critical forensic log file that security researchers have relied on since 2021 to detect Pegasus and Predator infections.
What Changed in iOS 26
iOS 26 introduced a change that has alarmed security researchers and forensic analysts: the shutdown.log file is now completely overwritten every time the device restarts. In previous iOS versions, the system would append new entries to the bottom of this log, preserving a historical timeline that investigators could study.
The new behavior means that any user who updates to iOS 26 and subsequently restarts their device will inadvertently erase all evidence of older Pegasus and Predator infections that might have been present in their shutdown.log.
It remains unclear whether this is an intentional design decision by Apple or an unforeseen bug, but the practical effect is the same: a critical forensic artifact is now gone after every reboot.
Why Shutdown Logs Matter
In 2021, researchers discovered that Pegasus spyware left discernible traces within the shutdown.log file. This discovery transformed what seemed like a mundane system log into a powerful detection tool for identifying sophisticated surveillance malware.
The shutdown.log typically contains:
- System shutdown timestamps and sequences
- Process termination records
- Application activity before device power off
- Indicators of unauthorized surveillance activity
By 2022, NSO Group, the company behind Pegasus, had already evolved their approach and begun wiping the shutdown.log file entirely. But until now, older infections could still be detected through preserved log entries. iOS 26 effectively does the attacker's cleanup work automatically.
Who This Affects Most
This change has significant implications for high-risk individuals who may be targets of state-sponsored surveillance:
- Journalists tracking targeted surveillance attempts against themselves or sources
- Activists documenting government monitoring of their communications
- Incident responders investigating compromise indicators on devices
- Human rights organizations conducting forensic analysis of compromised devices
For these users, the shutdown.log has been one of the few reliable ways to detect whether their device was compromised by sophisticated spyware. Without this evidence, proving that surveillance occurred becomes significantly more difficult.
What You Should Do Before Updating
Security researchers recommend taking immediate action before updating to iOS 26:
- Run a sysdiagnose: Capture and save a complete system diagnostic to preserve your current shutdown.log
- Use detection tools: Services like iVerify can scan for known Pegasus indicators before the evidence is lost
- Document current device state: If you suspect you may have been targeted, preserve all forensic data now
- Consider delaying the update: If you work in a high-risk field, weigh the security benefits of iOS 26 against the loss of forensic capability
Once you update and restart, there is no way to recover the historical shutdown.log data.
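The following added example, which is not from the original article or from any tool it names, copies shutdown.log out of a saved sysdiagnose archive and records SHA-256 hashes in a manifest so the preserved copy can later be shown to be unaltered. It assumes the sysdiagnose is a .tar.gz archive; the function names, output file names and the sample archive are constructed for illustration.

```python
import hashlib, io, json, os, tarfile, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hash a file in chunks so large sysdiagnose archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_shutdown_log(archive_path, out_dir):
    """Copy each shutdown.log in a sysdiagnose .tar.gz to out_dir; return the manifest."""
    os.makedirs(out_dir, exist_ok=True)
    logs = []
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar:
            # Match on file name only: no fixed path inside the archive is assumed.
            if not member.isfile() or os.path.basename(member.name) != "shutdown.log":
                continue
            data = tar.extractfile(member).read()  # read bytes; never write to member paths
            dest = os.path.join(out_dir, f"shutdown_{len(logs)}.log")
            with open(dest, "xb") as f:  # "x": refuse to overwrite an earlier preserved copy
                f.write(data)
            os.chmod(dest, 0o444)  # keep the preserved copy read-only
            logs.append({"archive_member": member.name, "saved_as": dest,
                         "size": len(data), "sha256": hashlib.sha256(data).hexdigest()})
    if not logs:
        raise FileNotFoundError("no shutdown.log found in " + archive_path)
    manifest = {"source_archive": os.path.abspath(archive_path),
                "source_sha256": sha256_file(archive_path),
                "preserved_utc": datetime.now(timezone.utc).isoformat(),
                "logs": logs}
    with open(os.path.join(out_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def build_sample_archive(path, payload=b"constructed sample shutdown.log contents\n"):
    """Constructed stand-in for a real sysdiagnose archive, so the example runs offline."""
    with tarfile.open(path, "w:gz") as tar:
        info = tarfile.TarInfo("sysdiagnose_sample/logs/shutdown.log")  # constructed path
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))

if __name__ == "__main__":
    tmp = tempfile.mkdtemp()
    sample = os.path.join(tmp, "sysdiagnose_sample.tar.gz")
    build_sample_archive(sample)
    print(json.dumps(preserve_shutdown_log(sample, os.path.join(tmp, "evidence")), indent=2))
```

Store the output directory and the original archive off the device, and keep the manifest with them so the hashes can be rechecked later.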
The Broader Detection Challenge
This change is part of a broader pattern where sophisticated spyware is becoming increasingly difficult to detect. Modern commercial surveillance tools like Pegasus and Predator exploit zero-click vulnerabilities, meaning victims receive no notification and take no action that would alert them to an infection.
With fewer forensic artifacts available, security researchers face an uphill battle. The shutdown.log was never meant to be a spyware detection tool, but its usefulness emerged precisely because it was a system log that attackers initially overlooked.
As each detection method is discovered and closed off, either by attackers evolving their techniques or by operating system changes like this one, the window for identifying surveillance shrinks further.
What This Means for Privacy
The iOS 26 change highlights an uncomfortable tension in mobile security. Apple's operating system updates generally improve security, but this particular change inadvertently benefits the very attackers that security researchers are trying to catch.
For journalists and activists who depend on being able to document surveillance against them, this represents a meaningful setback. The ability to prove that a government or organization targeted you with spyware often matters for legal cases, public accountability, and personal safety decisions.
Until Apple clarifies whether this is intentional and whether alternative detection methods will be preserved, high-risk users should treat iOS 26 as a decision that requires careful consideration rather than an automatic update.