Snow Leopard logs USB serial numbers

Posted on February 1, 2011 by Drew

Windows forensic examiners have been able to look at the Registry and determine when a USB key was inserted and what its serial number was for quite a while now. This obviously aided investigators in their search for artifacts on other devices and machines.

For years people have been asking where this type of data exists on a Mac, and until now, it really didn't. However, with the later releases of Snow Leopard (10.6.5), the kernel logs USB device connections, and the connection times and serial numbers can be found in those logs.

Open up Console Log.app and find kernel.log. You will see the devices that have been connected:

Console kernel.log

As you can see, a USB key was inserted at 11:38:32 (local time) on the USB bus with a serial number of "ae9010620dd6a1", identified by the keyword USBMSC. USBMSC stands for USB Mass Storage Class. As an added benefit, you can see that SoftBlock made the device Read-Only.
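
As an added example (not part of the original post), this Python script pulls USBMSC entries out of kernel.log text and groups connection times per device. The sample log lines, host name and hex ID values are constructed, and the line layout (syslog prefix, the `USBMSC` keyword, the serial, then hex values read as Vendor ID and Product ID as noted in the response below) is an assumption based on the description on this page.

```python
import re
from datetime import datetime

# Constructed sample, not taken from a real system. Assumed layout: syslog
# prefix, the USBMSC keyword, the serial number, then hex values.
SAMPLE_LOG = """\
Feb  1 11:38:32 examiner-mac kernel[0]: USBMSC Identifier (non-unique): ae9010620dd6a1 0x1234 0xabcd
Feb  1 11:38:40 examiner-mac kernel[0]: AirPort: Link Up on en1
Feb  1 14:02:10 examiner-mac kernel[0]: USBMSC Identifier (non-unique): ae9010620dd6a1 0x1234 0xabcd
Feb  2 09:15:47 examiner-mac kernel[0]: USBMSC Identifier (non-unique): 00A1B2C3 0x5678 0x0001
"""

USBMSC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel\[\d+\]: "
    r"USBMSC[^:]*:\s*(?P<serial>\S+)(?P<ids>(?:\s+0x[0-9a-fA-F]+)*)\s*$"
)


def parse_usbmsc(log_text, year):
    """Return one dict per USBMSC line. Syslog timestamps carry no year,
    so the examiner supplies it (e.g. from the log file's date range)."""
    events = []
    for line in log_text.splitlines():
        m = USBMSC_RE.match(line)
        if not m:
            continue  # not a mass-storage connection line
        ids = [int(x, 16) for x in m.group("ids").split()]
        events.append({
            "time": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
            "host": m.group("host"),
            "serial": m.group("serial"),
            "vendor_id": ids[0] if ids else None,
            "product_id": ids[1] if len(ids) > 1 else None,
        })
    return events


def connections_by_device(events):
    """Group connection times by (serial, vendor, product)."""
    timeline = {}
    for e in events:
        key = (e["serial"], e["vendor_id"], e["product_id"])
        timeline.setdefault(key, []).append(e["time"])
    return timeline


if __name__ == "__main__":
    for (serial, vid, pid), times in connections_by_device(parse_usbmsc(SAMPLE_LOG, 2011)).items():
        stamps = ", ".join(t.isoformat(sep=" ") for t in times)
        print(f"serial={serial} vendor={vid:#06x} product={pid:#06x}: {stamps}")
```

Keying the timeline on serial plus the two hex IDs keeps two different products that happen to report the same serial from being merged into one device history.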

Disk Utility also shows the serial number, so you can confirm that the kernel.log does in fact show the serial numbers now:

Disk Utility showing the device serial number

[Update] Please see our post "Locating USB Device Connection Artifacts on a Mountain Lion Computer" for updated information about USB device artifacts on a computer running Mac OS 10.8.



1 Response to Snow Leopard logs USB serial numbers

  • This is new to Snow Leopard, but not 10.6.5. It has been present since 10.6.0.10A432.

    Additionally, the two hex values after the serial are the Vendor ID and Product ID, which can further be used to confirm sharing of the unique media and/or determine the product that was inserted.

    See http://www.linux-usb.org/usb.ids for user-contributed details.

    Posted on February 9, 2011 at 03:32
