Network Usage
Overview
Evidence: Network Usage
Description: Filter Network Usage Logs
Category: Network
Platform: macos
Short Name: netusagelogs
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
IPConfiguration manages network interface configurations on macOS including DHCP leases, WiFi connections (SSID associations), and network state changes. These logs track network connectivity events, IP address assignments, and wireless network transitions.
Data Collected
This collector gathers structured data about network usage.
Collection Method
This collector uses the macOS ‘log’ command with predicate-based filtering to extract IPConfiguration events related to SSIDs, DHCP leases, and network changes over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType=‘Network Usage’.
Forensic Value
Network usage logs help establish device location history through WiFi networks, track network-based lateral movement, identify suspicious network connections, and create timelines of system connectivity. They reveal what networks were accessed, when, and can indicate device movement or rogue network connections.
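The parsing step described under Collection Method and the WiFi timeline described under Forensic Value, as an added example (not the collector's own code): it turns `log show --style json` output into a time-ordered event list and a first/last-seen window per SSID. The predicate in the comment, the sample entries and their message text, and the names `parse_events` and `ssid_history` are assumptions constructed for illustration; real IPConfiguration message formats vary between macOS versions.

```python
import json
import re
from datetime import datetime

# Assumed collection command (the collector's actual predicate is not shown on this page):
#   log show --last 3d --style json --predicate 'senderImagePath CONTAINS "IPConfiguration"
#     AND (eventMessage CONTAINS "SSID" OR eventMessage CONTAINS "Lease"
#     OR eventMessage CONTAINS "network changed")'

# Constructed sample shaped like `log show --style json` output; message text is illustrative.
IPCFG = "/System/Library/SystemConfiguration/IPConfiguration.bundle/Contents/MacOS/IPConfiguration"
ROWS = [  # (timestamp, senderImagePath, eventMessage)
    ("2024-05-02 18:40:11.500000+0200", IPCFG, "en0: SSID CoffeeShop-Guest BSSID 02:00:00:aa:bb:cc"),
    ("2024-05-02 09:14:07.120000+0200", IPCFG, "en0: SSID CorpNet BSSID 02:00:00:11:22:33"),
    ("2024-05-02 09:14:09.004000+0200", IPCFG, "DHCP en0: Lease acquired 10.20.30.44"),
    ("2024-05-02 18:39:58.000000+0200", IPCFG, "network changed: v4(en0-:10.20.30.44)"),
    ("2024-05-02 09:15:00.000000+0200", "/usr/sbin/mDNSResponder", "unrelated SSID mention"),
    ("2024-05-02 09:16:00.000000+0200", IPCFG, None),  # entry with no message
]
SAMPLE = json.dumps([dict(zip(("timestamp", "senderImagePath", "eventMessage"), r)) for r in ROWS])

RULES = [("ssid", re.compile(r"SSID\s+(\S+)")),  # first matching rule wins
         ("lease", re.compile(r"Lease", re.I)),
         ("network_change", re.compile(r"network changed", re.I))]

def parse_events(raw):
    """Return time-ordered (datetime, kind, detail) tuples for IPConfiguration entries."""
    events = []
    for entry in json.loads(raw):
        msg = entry.get("eventMessage")
        if not msg or "IPConfiguration" not in entry.get("senderImagePath", ""):
            continue  # re-apply the sender filter and skip entries without a message
        for kind, rx in RULES:
            m = rx.search(msg)
            if m:
                when = datetime.strptime(entry["timestamp"], "%Y-%m-%d %H:%M:%S.%f%z")
                events.append((when, kind, m.group(1) if m.groups() else msg))
                break
    return sorted(events, key=lambda e: e[0])

def ssid_history(events):
    """Collapse SSID events into (first_seen, last_seen) per network name."""
    seen = {}
    for when, kind, detail in events:
        if kind == "ssid":
            first, _ = seen.get(detail, (when, when))
            seen[detail] = (first, when)
    return seen
```

Sorting on the parsed, timezone-aware timestamp rather than on input order matters when entries from several exports are merged into one timeline.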