Hi there,
I'm trying to determine the history of any & all USB devices that have been plugged into a particular Mac, but not having a ton of luck.
I've grepped /var/log/kernel.log for USBMSC, and found some stuff, including unique identifiers, but ideally I'd like the name of the devices.
Does anyone have any experience with find this info? Thoughts? Suggestions?
Thanks!
Depends on version as their are certain artifacts to look at/for. What version OS is it?
volumes mounted (not only USB external devices, optical disks as well) can be found in the system.log
You can look in the sidebar plist
/Users/$username$/Library/Preferences/com.apple.sidebar.plist
It will show all mount locations that have appeared in the sidebar so can include USB drives and volume mount locations. Under the entry type look for 515 as that usually indicates a USB thumb drive.
Unfortunately this will not give you any vendor or product ID's but will show the volume name.
Depends on version as their are certain artifacts to look at/for. What version OS is it?
Sorry about the delayed response. Right now, I'm working on a 10.6.8 system. Where would you suggest looking, other than system.log?
Hi!
See the blog at BlackBagTech - it was updated not too long ago with relevant info for this topic
https://
Keep up the good work everyone!
In Mac OS X 10.6 you can look in the sidebar plist as I earlier said or look in the hdiejectd.log or the DiskUtility.log. These will all give you timestamps and Volume Names but will not give you a VID and PID. Although due to the timestamps you should be able to work out which USB is which.
The com.apple.sidebar.plist doesn't have much of anything in it, which is the opposite of what I found in /var/log/kernel.log. Maybe I'm over looking something. How did you view the file? I did a Quick Look on it.
the hdiejectd.log has 1 entry in it from several months ago, which can't be right, as I know for a fact that USB has been connected more recently than that.
I can't find a DiskUtility.log file, even when I do a "find" for it. When I do a "man diskutil" I don't see any mention of the log file. Am I overlooking something obvious?
Grepping /var/log/kernel.log has produced the best information for USB history so far. Does anyone have any thoughts on Firewire device history? I can't seem to find any history on it, other than ejections. Neither ioreg or hdiutil seem to keep any history.
Thoughts? Suggestions?
Check the com.finder.plist file located in ~/Library/Preferences/. There is a dictionary in the plist called FXDesktopVolumePositions. It contains the names of all the volumes whose icons have been on the desktop. It will contain more than USB devices though.