Locating USB Device Connection Artifacts on a Mountain Lion Computer [Update]
This entry was posted on 11/09/2012.
With the introduction of Mac OS X (10.6) Snow Leopard, the OS X operating system began logging USB device connections. Mac forensic examiners may locate these important USB device connection artifacts rather easily. To read more about tracking USB device usage, please see our Snow Leopard logs USB Serial Numbers blog.
The Mac OS X (10.8) Mountain Lion operating system still retains the same timestamp, host machine, vendor ID, product ID, and product version information. However, it appears the most comprehensive information is now stored in the system.log file here:
Remember that old system log files are usually compressed, renamed with an incremental number and the .bz2 extension (system.log.incrementalnumber.bz2), and stored in the same log directory as the current system.log file. Analysts may view these files and search for USB device connection artifacts using the built-in Mac OS X Console application, or by using our BlackLight Mac OS X and iOS forensic analysis software.
To quickly search for USB device connection artifacts using the BlackLight ‘Search’ feature, simply create a new search, add the keyword ‘USBMSC’ to the keyword search list, and select the Start Search button. BlackLight locates USB device connection artifacts, including the connection timestamp and the host machine name, and displays them in the middle section of the ‘Content Pane.’ Hexadecimal values representing the USB device vendor ID (manufacturer), product ID (device type), and device release (product version) are also displayed.
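The same ‘USBMSC’ keyword search can be scripted over an exported copy of the log directory, covering both the current system.log and the rotated .bz2 files. This is an added example, not part of the original post or of BlackLight; the entry layout in the regular expression, the function names, and the sample lines are assumptions constructed for illustration.

```python
import bz2
import re
from pathlib import Path

# Assumed entry layout (an assumption, not quoted from the post):
# <Mon DD HH:MM:SS> <host> kernel[0]: USBMSC Identifier (non-unique): [serial] 0x<vid> 0x<pid> 0x<rel>
USBMSC_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?"
    r"USBMSC Identifier \(non-unique\):\s+(?:(?!0x)(?P<serial>\S+)\s+)?"
    r"0x(?P<vendor_id>[0-9a-fA-F]+)\s+0x(?P<product_id>[0-9a-fA-F]+)"
    r"\s+0x(?P<release>[0-9a-fA-F]+)"
)

# Constructed sample lines, not taken from a real system.
SAMPLE_LINES = [
    "Nov  9 10:15:32 examiner-mbp kernel[0]: USBMSC Identifier (non-unique): 00A1B2C3D4E5 0x781 0x5567 0x100",
    "Nov  9 10:15:40 examiner-mbp kernel[0]: unrelated constructed message",
    "Nov  9 11:02:07 examiner-mbp kernel[0]: USBMSC Identifier (non-unique): 0x5ac 0x8403 0x9833",
]


def parse_usbmsc(line):
    """Return a dict for a USBMSC entry, or None for any other line."""
    m = USBMSC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()  # serial is None when the entry carries no serial field
    # IDs may be logged without leading zeros; pad the 16-bit values for lookups.
    for key in ("vendor_id", "product_id", "release"):
        rec[key] = f"{int(rec[key], 16):04x}"
    # Syslog timestamps carry no year; it has to come from other evidence.
    rec["timestamp"] = " ".join(rec["timestamp"].split())
    return rec


def scan_log_dir(log_dir):
    """Collect USBMSC records from system.log and its rotated .bz2 archives."""
    records = []
    for path in sorted(Path(log_dir).glob("system.log*")):
        opener = bz2.open if path.suffix == ".bz2" else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            for line in fh:
                rec = parse_usbmsc(line)
                if rec:
                    rec["source"] = path.name  # keep provenance for the report
                    records.append(rec)
    return records

if __name__ == "__main__":
    print([parse_usbmsc(line) for line in SAMPLE_LINES])
```

Run it against a working copy of the log directory rather than the evidence itself, and record which file each hit came from.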
To learn how to determine the USB device manufacturer, device type, and device version using these hexadecimal values, please read our USB Serial Numbers on a Mac Part 2 blog.
For more information about the BlackLight forensic analysis software, please visit the BlackLight product page.