Devices
USB Device History
Overview
macOS records USB device connections through multiple artifacts: Unified Logs, the IOKit registry, system logs, and Spotlight volume metadata. USB history reveals which storage devices, phones, cameras, and other peripherals have been connected to the system, providing evidence for data exfiltration investigations, device attribution, and timeline reconstruction.
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| Device identifiers | Vendor ID, Product ID, serial number for unique identification |
| Connection timestamps | When devices were connected and disconnected |
| Volume mount events | When external storage was mounted and accessible |
| Device names | User-configured device names (e.g., "John's iPhone") |
| Data transfer indicators | Volume mount/unmount patterns suggesting file transfers |
File Locations
| Artifact | Path | Format |
|---|---|---|
| Unified Logs | /var/db/diagnostics/ | tracev3 |
| System Preferences | /Library/Preferences/SystemConfiguration/com.apple.Boot.plist | Plist |
| IOKit registry | ioreg -p IOUSB (live) | API output |
| Spotlight volumes | /System/Volumes/Data/.Spotlight-V100/VolumeConfiguration.plist | Plist |
| Disk arbitration logs | Unified Logs (subsystem: com.apple.diskarbitration) | tracev3 |
Key Data Sources
Unified Logs
The primary source for USB device history on modern macOS:
```bash
# USB device connections
log show --predicate 'subsystem == "com.apple.usb"' --info --last 30d

# Volume mount events
log show --predicate 'subsystem == "com.apple.diskarbitration"' --info --last 30d

# IOKit USB matching
log show --predicate 'eventMessage contains "USB" AND eventMessage contains "attached"' --last 30d
```
IOKit Registry (Live System)
```bash
# List currently connected USB devices
ioreg -p IOUSB -l | grep -E "(USB Product Name|USB Vendor Name|USB Serial Number|idVendor|idProduct)"

# Detailed USB device tree
system_profiler SPUSBDataType
```
Analysis Notes
- Serial number uniqueness: USB device serial numbers, combined with Vendor ID and Product ID, provide a unique identifier that can link a specific physical device to the system.
- Volume mount correlation: Cross-reference USB connection events with volume mount events (diskarbitration) and FSEvents to determine what files were accessed on the connected device.
- iPhone/iPad connections: iOS device connections are recorded with device name, serial number, and IMEI. These entries in the Unified Logs and in ~/Library/Preferences/com.apple.iPod.plist link specific mobile devices to the Mac.
- Timestamp analysis: The gap between USB attachment and volume mount can indicate whether auto-mount was used or if the user manually mounted the volume.
- Ejection events: Proper ejection events (vs. sudden disconnect) are recorded differently, which can indicate whether the user intentionally removed the device.
- Historical limitations: On modern macOS, the richest USB history is in Unified Logs, which have a limited retention period (typically days to weeks depending on log volume). Collect early.
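The volume mount correlation and timestamp analysis described above, as an added example that is not part of the original page or of macfor: it parses `log show --style ndjson` records and pairs each `com.apple.usb` attach event with the first `com.apple.diskarbitration` mount that follows within a window, reporting the attach-to-mount gap. The sample records and the attach/mount message wording are constructed for illustration; real messages differ by macOS version, so the two regexes are assumptions to adapt.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample of `log show --style ndjson` records (not real output):
# field names are the ndjson ones, the message wording is illustrative, so
# adapt ATTACH_RE / MOUNT_RE to the messages you actually observe.
SAMPLE_NDJSON = """\
{"timestamp":"2024-03-01 09:15:02.101000-0500","subsystem":"com.apple.usb","eventMessage":"USB device attached: vid 0x0781 pid 0x5583 serial 4C530001230331102330"}
{"timestamp":"2024-03-01 09:15:03.522000-0500","subsystem":"com.apple.diskarbitration","eventMessage":"mounted disk4s1 at /Volumes/SANDISK"}
{"timestamp":"2024-03-01 09:40:11.000000-0500","subsystem":"com.apple.diskarbitration","eventMessage":"unmounted disk4s1 (/Volumes/SANDISK)"}
{"timestamp":"2024-03-01 11:02:45.000000-0500","subsystem":"com.apple.usb","eventMessage":"USB device attached: vid 0x05ac pid 0x12a8 serial 00008030-000A1B2C3D4E5F67"}
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%f%z"
ATTACH_RE = re.compile(r"attached: vid (0x[0-9a-f]+) pid (0x[0-9a-f]+) serial (\S+)")
MOUNT_RE = re.compile(r"mounted (disk\d+s\d+) at (/Volumes/\S+)")


def parse_ndjson(text):
    """Parse ndjson records into dicts with a parsed datetime 'ts', sorted by time."""
    events = []
    for line in filter(None, text.splitlines()):
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["timestamp"], TS_FMT)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def correlate(events, window=timedelta(minutes=5)):
    """Pair each USB attach with the first diskarbitration mount within
    `window`; an attach with no mount is reported with mount=None, which is
    what phones and non-storage peripherals look like."""
    results = []
    for i, ev in enumerate(events):
        m = ATTACH_RE.search(ev["eventMessage"]) if ev["subsystem"] == "com.apple.usb" else None
        if not m:
            continue
        entry = {"vid": m[1], "pid": m[2], "serial": m[3], "attached": ev["ts"],
                 "mount": None, "gap_s": None}
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break  # nothing mounted within the window
            mm = MOUNT_RE.search(later["eventMessage"]) if later["subsystem"] == "com.apple.diskarbitration" else None
            if mm:
                entry["mount"], entry["gap_s"] = mm[2], (later["ts"] - ev["ts"]).total_seconds()
                break
        results.append(entry)
    return results
```

A sub-second gap, as in the first record pair, is consistent with auto-mount; a gap of many seconds or minutes suggests a manual mount and is worth checking against user activity.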
Tool Support
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| log (macOS built-in) | Query Unified Logs for USB events |
| ioreg (macOS built-in) | Inspect IOKit registry |
| system_profiler (macOS built-in) | USB device enumeration |
| mac_apt | Open-source USB artifact parser |