Snow Leopard logs USB serial numbers

Windows forensic examiners have long been able to look at the Registry and determine when a USB key was inserted and what its serial number was. This has obviously aided investigators in their search for artifacts on other devices and machines.


For years people have been asking where this type of data exists on a Mac, and until now, it really didn't. However, with the later releases of Snow Leopard (10.6.5), the kernel logs USB device connections, so the devices, their times of connection, and their serial numbers can be found.


Open up the Console and find the kernel.log. You will see the devices which have been connected:


Console kernel.log

As you can see, a USB key with a serial number of "ae9010620dd6a1" was inserted on the USB bus at 11:38:32 (local time). The entry is identified by the keyword USBMSC, which stands for USB Mass Storage Class. As an added benefit, you can see that SoftBlock made the device Read-Only.


Disk Utility also shows the serial number, so you can confirm that the kernel.log does in fact show the serial numbers now:


Disk Utility showing the device serial number
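
The kernel.log entries described above can be pulled out and grouped per device with a short script. This is an added example, not code from the original post: the line layout (syslog prefix, then `USBMSC Identifier (non-unique):`, the serial, and hex values) is an assumption because the screenshot is not reproduced here, the Vendor ID / Product ID reading follows the reader comment below, and the sample lines, host name and ID values are constructed.

```python
import re
from collections import namedtuple

# Assumed line layout (not reproduced on the page):
#   <Mon> <day> <HH:MM:SS> <host> kernel[0]: USBMSC Identifier (non-unique): <serial> <0xVID> <0xPID> [...]
# Timestamps are local time and carry no year, so the year must come from
# the log file's own context (rotation dates, surrounding evidence).
USBMSC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+kernel\[\d+\]:\s+USBMSC Identifier \(non-unique\):\s+"
    r"(?P<serial>\S+)\s+(?P<vid>0x[0-9a-fA-F]+)\s+(?P<pid>0x[0-9a-fA-F]+)"
)

UsbEvent = namedtuple("UsbEvent", "timestamp host serial vendor_id product_id")


def parse_usbmsc(lines):
    """Return one UsbEvent per USBMSC line; unrelated kernel lines are skipped."""
    events = []
    for line in lines:
        m = USBMSC_RE.match(line)
        if m:
            events.append(UsbEvent(m["ts"], m["host"], m["serial"],
                                   int(m["vid"], 16), int(m["pid"], 16)))
    return events


def group_by_device(events):
    """Map (serial, VID, PID) -> list of connection timestamps, in log order."""
    devices = {}
    for e in events:
        key = (e.serial, e.vendor_id, e.product_id)
        devices.setdefault(key, []).append(e.timestamp)
    return devices


# Constructed sample input: only the serial and the 11:38:32 time come from the post.
SAMPLE_LOG = """\
Nov 15 11:38:30 examiner-mac kernel[0]: unrelated kernel message
Nov 15 11:38:32 examiner-mac kernel[0]: USBMSC Identifier (non-unique): ae9010620dd6a1 0x1234 0xabcd
Nov 15 14:02:10 examiner-mac kernel[0]: USBMSC Identifier (non-unique): 0000feedface01 0x5678 0x0001 0x100
Nov 16 09:15:47 examiner-mac kernel[0]: USBMSC Identifier (non-unique): ae9010620dd6a1 0x1234 0xabcd
""".splitlines()

if __name__ == "__main__":
    for (serial, vid, pid), times in group_by_device(parse_usbmsc(SAMPLE_LOG)).items():
        print(f"{serial} VID=0x{vid:04x} PID=0x{pid:04x} connected: {', '.join(times)}")
```

Grouping on the serial together with the two IDs makes it easier to match the same physical device across several machines' logs.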


[Update] Please see our Locating USB Device Connection Artifacts on a Mountain Lion Computer for updated information about USB device artifacts on a computer running Mac OS 10.8.

One thought on “Snow Leopard logs USB serial numbers”

  • John Jackson 02/09/2011 at 03:32

    This is new to Snow Leopard, but not 10.6.5. It has been present since

    Additionally, the two hex values after the serial are the Vendor ID and Product ID, which can further be used to confirm sharing of the unique media and/or determine the product that was inserted.

    See for user-contributed details.
