Hey everyone, Trey Amick from Magnet Forensics here. Today we’re talking about Mac USB investigations, and what happens when we’ve been alerted that a USB has been inserted into an endpoint.
Different organisations handle USB policies differently. Some have alerting mechanisms in place for when USBs are detected, while others may encrypt the drive when it’s inserted into the endpoint. Other organisations may block the external drive from being mounted altogether, or may only allow specific external drives to be used by employees. Lastly, we have some organisations that tell staff it’s against policy to use USBs, but don’t take any additional steps to further protect the endpoint.