USB Info
Overview
Evidence: USB Info
Description: Filter USB Mass Storage Class events
Category: System
Platform: macos
Short Name: usbinfo
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
USB Mass Storage Class (USBMSC) events on macOS capture USB device connections, disconnections, and storage device interactions through the IOKit framework. These logs track external storage devices including USB drives, external hard drives, and other mass storage peripherals connected to the system.
Data Collected
This collector gathers structured data about USB Mass Storage Class events (USB Info) from the macOS unified log.
Collection Method
This collector uses the macOS ‘log’ command with predicate-based filtering to extract USB Mass Storage Class subsystem events and USB-related process activities over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType=‘USB Info’.
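The shape of that collection step, as an added Python example that is not the collector's own code: build the ‘log show’ invocation for the last 3 days in JSON style, then normalise each entry into a unified_logs-style row tagged PredicateType=‘USB Info’. The predicate string, the row column names and the sample entries are assumptions constructed for illustration, not values taken from the collector.

```python
import json
import subprocess

# Assumed predicate (placeholder): the page does not state the exact predicate
# the collector uses, only that it targets USBMSC subsystem events and
# USB-related process activity.
USB_PREDICATE = 'subsystem CONTAINS[c] "USBMassStorage" OR process CONTAINS[c] "usb"'


def build_log_command(days=3, predicate=USB_PREDICATE):
    """argv for `log show`: JSON output, last N days, predicate-filtered."""
    return ["log", "show", "--style", "json", "--last", f"{days}d",
            "--predicate", predicate]


def parse_unified_log(json_text, predicate_type="USB Info"):
    """Map `log show --style json` entries onto unified_logs-style rows.

    Column names are assumed for this example, not the collector's schema.
    """
    rows = []
    for entry in json.loads(json_text):
        rows.append({
            "PredicateType": predicate_type,
            "Timestamp": entry.get("timestamp"),
            "Subsystem": entry.get("subsystem"),
            "Category": entry.get("category"),
            "ProcessID": entry.get("processID"),
            "Process": entry.get("processImagePath"),
            "MessageType": entry.get("messageType"),
            "Message": entry.get("eventMessage"),
        })
    return rows


def collect_usb_info(days=3):
    """Run on a macOS host: execute `log show` and parse its JSON output."""
    proc = subprocess.run(build_log_command(days), capture_output=True,
                          text=True, check=True)
    return parse_unified_log(proc.stdout)


# Constructed sample in the shape `log show --style json` emits; not a real capture.
SAMPLE_JSON = json.dumps([
    {"timestamp": "2024-05-01 09:12:33.123456-0700", "subsystem": "com.example.usbmsc",
     "category": "default", "processID": 0, "processImagePath": "/kernel",
     "messageType": "Default", "eventMessage": "USBMSC device attached (sample)"},
    {"timestamp": "2024-05-01 09:40:02.000000-0700", "subsystem": "com.example.usbmsc",
     "category": "default", "processID": 0, "processImagePath": "/kernel",
     "messageType": "Default", "eventMessage": "USBMSC device detached (sample)"},
])
```

Running parse_unified_log(SAMPLE_JSON) yields two rows, each tagged ‘USB Info’, in the order the unified log emitted them.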
Forensic Value
USB logs are critical for investigating data exfiltration, unauthorized device usage, malware introduction via USB drives, and BadUSB attacks. They reveal what USB devices were connected, when, and for how long, helping identify potential data theft, evidence tampering, or malicious device insertion during security incidents.