Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Find history of external devices that have connected to the laptop

C

cpu2021

macrumors newbie
Original poster
Mar 19, 2021
3
0
I have searched and found a few answers to this question but nothing worked.

I suspect someone has used my usb drive
I doubt I can check the usb drive to see what computer it connected to

However, I thought I can do the opposite, by checking if a computer ever connected to the usb drive?

What command line/tools can I use on a macos ventura to achieve this?
Thank you
 
log show --start "2023-11-09 23:20:00" --end "2023-11-09 23:59:59" --process kernel | grep USB
(Set the time accordingly.)

Example output:

Code: 
2023-11-09 23:47:03.024601+0100 0xdeade    Default     0x0                  0      0    kernel: (IOUSBHostFamily) AppleUSB30HubPort@02330000: AppleUSBHostPort::enumerateDeviceComplete_block_invoke: enumerated 0x10de/032b/0000 (NASY 128GB / 5) at 5 Gbps
2023-11-09 23:55:13.246001+0100 0xdeaff    Default     0x0                  0      0    kernel: (IOUSBMassStorageDriver) USB device 12FF38CD02330000 - NothingToSeeHerePleaseDisperse,Inc, NASY 128GB - detected termination of interfaceNub, currentPowerState 1, provider is IOUSBMassStorageInterfaceNub

You may find the connect/disconnect time, device name, speed, Vendor ID and Device ID.

Logs can be rotated automatically, you may not find the event if it happened too long ago.
 
  • Like
Reactions: Brian33
Good idea, @DarkPremiumCho .

OP, for possibly less output to wade through, you might also try

log show --start "2023-11-09 23:20:00" --end "2023-11-09 23:59:59" --process kernel --style compact | grep -i "part-of-your-volume-name"

Example output for my drive called "test-apfs-backup" (note the "mounting volume" and "unmounting volume" lines):

Code: 
2023-11-10 16:22:50.846 Df kernel[0:5d7a50] (apfs) nx_volume_group_update:7756: disk10s1 Volume test-apfs-backup role 0 Not a System or data volume
2023-11-10 16:23:06.097 Df kernel[0:5d7b4e] (apfs) er_state_obj_get_for_recovery:6457: disk10s1 No ER state object for volume test-apfs-backup - rolling is not happening, nothing to recover.
2023-11-10 16:23:06.097 Df kernel[0:5d7b4e] (apfs) apfs_log_mount_unmount:1889: disk10s1 mounting volume test-apfs-backup, requested by: mount_apfs (pid 6242); parent: mount (pid 6241)
2023-11-10 16:23:06.229 Df kernel[0:5d7b4e] (apfs) nx_volume_group_update:7756: disk10s1 Volume test-apfs-backup role 0 Not a System or data volume
2023-11-10 16:24:37.621 Df kernel[0:5d7e63] (apfs) apfs_stop_bg_work:1065: disk10s1 Volume test-apfs-backup is unmounting, stop any bg work
2023-11-10 16:24:37.804 Df kernel[0:5d7e63] (apfs) apfs_log_mount_unmount:1889: disk10s1 unmounting volume test-apfs-backup, requested by: umount (pid 6257); parent: diskarbitrationd (pid 147)
2023-11-10 16:24:37.870 Df kernel[0:5d7e63] (apfs) nx_volume_group_update:7756: disk10s1 Volume test-apfs-backup role 0 Not a System or data volume

EDIT: I believe you need to be an "admin" user to use the 'log' command.
 
Last edited:
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back