This question was inspired by another question and answer thread regarding false-positives on a Mac for an — apparently — PC only virus/malware.
My answer there posits that the hash BC8EE8D09234D99DD8B85A99E46C64 — which is the filename for a file in the “Unified Logging” system directory /private/var/db/uuidtext/7B/ — is just a false positive. I strongly believe this false positive diagnosis to be correct… But still, it strikes me as odd that a hash on a Mac would match a hash on a PC. What are the odds, right?
Anyway, while trying to understand why this might happen, I opened up the Terminal on the Mac Pro at work that runs macOS High Sierra 10.13.1 and looked into that system’s own /private/var/db/uuidtext/7B directory; ls -la output below:
```
total 128
drwxr-xr-x 9 root wheel 306 Nov 8 09:33 .
drwxr-xr-x 259 root wheel 8806 Sep 27 11:50 ..
-rw-r--r-- 1 root wheel 5732 Nov 1 09:27 122DC675FC3FC6A8184614F1ECBB99
-rw-r--r-- 1 root wheel 35 Nov 27 09:31 3AAA6D1D0C3D65A50B1B111ABEB6F3
-rw-r--r-- 1 root wheel 103 Nov 27 09:18 7F80A4BACE396A9BC2DA7E3C619493
-rw-r--r-- 1 root wheel 6605 Nov 27 09:21 96F54B98023EB49676A83C6A0E7A57
-rw-r--r-- 1 root wheel 32766 Nov 27 10:21 AE6788A12B367EA7442F303846B58D
-rw-r--r-- 1 root wheel 1310 Nov 27 14:26 E6B6AA12DD365CA5C5C8C8A2293D0B
-rw-r--r-- 1 root wheel 344 Nov 1 10:26 ECFE2546EB32328AF616F3154B2ABA
```
And I have looked into the same directory on the Mac mini I use at home that runs macOS High Sierra 10.13.1 as well and found the following:
```
total 48
drwxr-xr-x 7 root wheel 238 Nov 27 18:12 .
drwxr-xr-x 259 root wheel 8806 Sep 26 20:12 ..
-rw-r--r-- 1 root wheel 5732 Oct 29 13:59 122DC675FC3FC6A8184614F1ECBB99
-rw-r--r-- 1 root wheel 35 Nov 27 18:09 3AAA6D1D0C3D65A50B1B111ABEB6F3
-rw-r--r-- 1 root wheel 103 Nov 27 18:08 7F80A4BACE396A9BC2DA7E3C619493
-rw-r--r-- 1 root wheel 1310 Nov 27 18:20 E6B6AA12DD365CA5C5C8C8A2293D0B
-rw-r--r-- 1 root wheel 344 Nov 1 20:01 ECFE2546EB32328AF616F3154B2ABA
```
Okay, seems like a boring pile of hashes, right? Well, look closer: both systems show hashes for E6B6AA12DD365CA5C5C8C8A2293D0B and 7F80A4BACE396A9BC2DA7E3C619493. And I did a quick Google search for the hashes, and while most of the items have no results whatsoever, I found that one of the hashes I mention above — E6B6AA12DD365CA5C5C8C8A2293D0B — shows up in a file directory listing on this page:
```
/private/var/db/diagnostics/Special/0000000000000024.tracev3
/private/var/db/diagnostics/timesync/0000000000000002.timesync
/private/var/db/diagnostics/Persist/0000000000000011.tracev3
/private/var/db/uuidtext/58/CC0E0317B43D7A84C47DA1275642C0
/private/var/db/uuidtext/BB/88FC65AC78308A82030DAD82CCAC19
/private/var/db/uuidtext/FE/F349208E223E709FE2552800B9A460
/private/var/db/uuidtext/7B/E6B6AA12DD365CA5C5C8C8A2293D0B
/private/var/db/uuidtext/9A/CA0127E687388594751D5E4DD83168
/private/var/db/uuidtext/9A/79C2510A7335848F421652E5BAB381
/private/var/db/uuidtext/6C/791AD6426B34A495CC9B8B049A5489
/private/var/db/uuidtext/A7/A58DC0EEB3352CAAF1851A24A8ACF0
/private/var/db/uuidtext/B7/3EB177938B3A989405789F729A0C3B
/private/var/db/uuidtext/F0/24C78020883E28A8DA1D7DB12E39CB
/private/var/db/uuidtext/F7/1B60DC303734C3ABB4B011CDF19866
/private/var/db/uuidtext/F8/8F8299441C3E1AAEBEAFBB858AE1EA
/private/var/db/uuidtext/40/75E44E5F45386DB289C1E320CB1709
```
Okay, this is too weird. If these are system hashes that should be 100% random (to my knowledge) then why does my Mac at work, my Mac at home and someone else’s Mac—wherever they are—have the exact same hashed filename in a similar directory?
What might be the source/logic behind the hash values used by the “Unified Logging” system? Why, based on these casual observations, do these hashes seem to be non-random?
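As an added example that is not part of the original question: the uuidtext directory name and file name together form the 32-hex-digit UUID that a Mach-O executable or library carries in its LC_UUID load command, which is why the same system binary yields the same file name on every Mac. The script below reads LC_UUID from a thin little-endian Mach-O image and derives the matching uuidtext path; the sample Mach-O header it builds is constructed test data, and the UUID `7BE6B6AA12DD365CA5C5C8C8A2293D0B` is only used to show the path split, not to claim which binary it belongs to.

```python
"""Map a Mach-O image's LC_UUID to its expected /private/var/db/uuidtext path.

Added example, not from the original question. The unified logging system
names each uuidtext file after the UUID of the Mach-O image whose format
strings it stores: the first two hex digits become the directory and the
remaining thirty the file name. Fat (universal) binaries are out of scope.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF   # little-endian 64-bit Mach-O
MH_MAGIC = 0xFEEDFACE      # little-endian 32-bit Mach-O
LC_UUID = 0x1B
UUIDTEXT_ROOT = "/private/var/db/uuidtext"


def macho_uuid(data: bytes) -> str:
    """Return the LC_UUID of a thin Mach-O image as 32 uppercase hex digits."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32      # mach_header_64 carries an extra 'reserved' field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a thin little-endian Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off, end = header_size, header_size + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:   # refuse to walk past the command table
            raise ValueError("malformed load command")
        if cmd == LC_UUID and cmdsize >= 24:
            return data[off + 8:off + 24].hex().upper()
        off += cmdsize
    raise ValueError("no LC_UUID load command")


def uuidtext_path(uuid_hex: str) -> str:
    """Split a 32-hex UUID into the uuidtext <XX>/<30 hex digits> layout."""
    if len(uuid_hex) != 32:
        raise ValueError("expected 32 hex digits")
    return f"{UUIDTEXT_ROOT}/{uuid_hex[:2]}/{uuid_hex[2:]}"


def build_sample_macho(uuid_hex: str) -> bytes:
    """Construct a minimal 64-bit Mach-O header with one LC_UUID command (test data)."""
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + bytes.fromhex(uuid_hex)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(uuid_cmd), 0, 0)
    return header + uuid_cmd


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:   # usage: python3 this.py /path/to/binary
        print(uuidtext_path(macho_uuid(f.read())))
```

On a Mac, `dwarfdump --uuid /path/to/binary` prints the same UUID, so a uuidtext file name can be traced back to the image that produced it.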