Skip to Store Area:

You're currently on:

USB serial numbers on Mac Part 2

Posted on February 8, 2011 by Drew There have been 2 comment(s)

As a follow up to my last post, I wanted to provide more detailed information about the kernel log.  In my last post, I showed the console program with the kernel.log file showing a USB device with a serial number:

 

Console kernel.log

This is all well and good, but what are the three hex values after the serial number?

Device identifier

They are actually rather useful.  If you look at the source code for IOUSBInterface::SetProperties from Apple  you can see that the three values: 0x90c 0x1000 0x1100 are the Vendor ID, Product ID and the DeviceRelease number:

Code snippet

So in this case looking online at the most up to date database: http://www.linux-usb.org/usb.ids one can see that 0x90c (090c) is from Feiya Technology Corp. and 0x1000 (1000) is a Flash Drive and 0x1100 (1100) is the release for that flash  drive.

As for the (non-unique) identifier label "FBF1011220604786", that is simply showing that the serial number is not necessarily unique because there is no specification that indicates they have to be.  Apple is just making sure that nobody gets the wrong impression that they may not be unique.

[Update] Please see our Locating USB Device Connection Artifacts on a Mountain Lion Computer for updated information about USB device artifacts on a computer running Mac OS 10.8.


This post was posted in Forensic Software, Macintosh Forensics Tips and Tricks, Macintosh Forensic Images, Working with Macintosh DMG Files, BlackLight Forensic Software, MacQuisition - Mac Pro, MacBook and MacBook Air Forensic Imaging Solution, Mac Forensics, Mac Forensics Essentials, USB Device Forensic Artifacts and was tagged with Mac Forensics, USB Device Connection Artifacts on a Macintosh Computer

2 Responses to USB serial numbers on Mac Part 2

  • Megan says:

    How does the USB serial number get determined? Is the serial number recorded anywhere on the actual USB drive, such that I could view the serial number of the drive in EnCase/hex and not have to view it natively in Disk Utility? (don't have an analysis mac). I have a image of an external usb hard drive and a image of a suspect's macbook pro. I am trying to determine/show the external hd was utilized/reformatted on the mac.

    Posted on November 4, 2011 at 08:11

  • Drew says:

    The serial numbers are set by the manufacturer. They are stored in the firmware of the device. As such they are not stored in the storage area and you will not find it in an image. You need to get it from the device itself. If you have any other questions feel free to contact us directly.

    Posted on November 16, 2011 at 05:25

Comments