Snow Leopard logs USB serial numbers
This entry was posted on 02/01/2011.
Windows forensic examiners have been able to look at the Registry and determine when a USB key was inserted and what its serial number was for quite a while now. This obviously aided investigators in their search for artifacts on other devices and machines.
For years people have been asking where this type of data exists on a Mac, and until now, it really didn't. However, with the later releases of Snow Leopard (10.6.5), the kernel logs USB devices, their times of connection, and their serial numbers.
Open Console.app and find kernel.log. You will see the devices which have been connected:
As you can see, a USB key was inserted at 11:38:32 (local time) on the USB bus with a serial number of "ae9010620dd6a1" identified by the keyword USBMSC. USBMSC is USB Mass Storage Class. As an added benefit, you can see that SoftBlock made the device Read-Only.
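To pull these entries out of a copy of kernel.log without reading it by eye, a small parser helps. The following is an added example, not code from the original post; the line layout after the USBMSC keyword is an assumption (the post's screenshot is not reproduced here), and the hostname, dates, second serial number and hex values in the sample are constructed.

```python
import re
from datetime import datetime

# Assumed layout of a USBMSC kernel.log entry: syslog timestamp, host,
# "kernel[0]:", the keyword, the serial number, then hex fields.
USBMSC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"kernel\[\d+\]:\s+USBMSC Identifier \(non-unique\):\s+"
    r"(?P<serial>\S+)\s+(?P<ids>(?:0x[0-9a-fA-F]+\s*)+)$"
)

# Constructed sample lines; only the time 11:38:32 and the serial
# "ae9010620dd6a1" come from the post.
SAMPLE_LOG = """\
Feb  1 11:38:30 examiner-mac kernel[0]: AirPort: Link Up on en1
Feb  1 11:38:32 examiner-mac kernel[0]: USBMSC Identifier (non-unique): ae9010620dd6a1 0x781 0x5530 0x100
Feb  1 11:40:02 examiner-mac kernel[0]: USBMSC Identifier (non-unique): ae9010620dd6a1 0x781 0x5530 0x100
Feb  1 12:05:17 examiner-mac kernel[0]: USBMSC Identifier (non-unique): 0123456789abcd 0x90c 0x1000 0x1100
"""

def parse_usbmsc(text, year):
    """Return one dict per USBMSC entry. Syslog lines carry no year, so the
    examiner supplies it (for example from the log file's metadata)."""
    events = []
    for line in text.splitlines():
        m = USBMSC_RE.match(line)
        if not m:
            continue  # not a USB mass-storage entry
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": when,  # local time, as written by the kernel log
            "host": m["host"],
            "serial": m["serial"],
            "hex_fields": m["ids"].split(),
        })
    return events

def connections_by_serial(events):
    """Group connection times by serial number for cross-machine correlation."""
    seen = {}
    for e in events:
        seen.setdefault(e["serial"], []).append(e["time"])
    return seen

if __name__ == "__main__":
    found = connections_by_serial(parse_usbmsc(SAMPLE_LOG, 2011))
    for serial, times in found.items():
        print(serial, [t.isoformat() for t in times])
```

The grouped output lists every logged connection time per serial number, which is the value to compare against USB artifacts recovered from other machines.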
Disk Utility also shows the serial number, so you can confirm that the kernel.log does in fact show the serial numbers now:
[Update] Please see our post "Locating USB Device Connection Artifacts on a Mountain Lion Computer" for updated information about USB device artifacts on a computer running Mac OS 10.8.