Skip to Store Area:

You're currently on:

Locating USB Device Connection Artifacts on a Mountain Lion Computer [Update]

Posted on November 9, 2012 by BlackBag Training Team There have been 0 comments

With the introduction of Mac OS X (10.6) Snow Leopard, the OS X operating system began logging USB device connections. Mac forensic examiners may locate these important USB device connection artifacts rather easily. To read more about tracking USB device usage, please see our Snow Leopard logs USB Serial Numbers blog.

 

The Mac OS X (10.8) Mountain Lion operating system still retains the same timestamp, host machine, vendor ID, product ID, and product version information. However, it appears the most comprehensive information is now stored in the system.log file here:

 

/private/var/log/system.log

 

Remember that old system log files are usually compressed, renamed with an incremental number and the .bz2 extension (system.log.incrementalnumber.bz2), and stored in the same log directory as the current system.log file. Analysts may view these files and search for USB device connection artifacts using the built-in Mac OS X Console application, or by using our BlackLight Mac OS X and iOS forensic analysis software.

 

To quickly search for USB device connection artifacts using the BlackLight ‘Search’ feature, simply create a new search, add the keyword ‘USBMSC‘ to the keyword search list, and select the Start Search button. BlackLight locates USB device connection artifacts, including the connection timestamp and the host machine name, and displays them in the middle section of the ‘Content Pane.’  Hexadecimal values representing the USB device vendor ID (manufacturer), product ID (device type), and device release ( product version) also displays.

 

 

To learn how to determine the USB device manufacturer, device type, and device version using these hexadecimal values, please read our USB Serial Numbers on a Mac Part 2 blog.

 

For more information about the BlackLight forensic analysis software, please visit the BlackLight product page.


This post was posted in Macintosh Forensics Tips and Tricks, BlackLight Forensic Software, Computer Forensics Blog | BlackBag Technologies, Mac Forensics, Mac Forensics Essentials, USB Device Forensic Artifacts and was tagged with Macintosh Forensics Tips and Tricks, Mac Forensics, Macintosh Forensics Training, Forensic Analysis, BlackLight™ Forensic Software, Forensic Software, USB Device Connection Artifacts on a Macintosh Computer

Comments