Network Usage
Overview
Evidence: Network Usage
Description: Filter Network Usage Logs
Category: Network
Platform: macos
Short Name: netusagelogs
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
IPConfiguration manages network interface configurations on macOS including DHCP leases, WiFi connections (SSID associations), and network state changes. These logs track network connectivity events, IP address assignments, and wireless network transitions.
Data Collected
This collector gathers structured data about network usage.
Collection Method
This collector uses the macOS 'log' command with predicate-based filtering to extract IPConfiguration events related to SSIDs, DHCP leases, and network changes over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType='Network Usage'.
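A sketch of the collection flow described above, added here as an illustration and not the collector's own code. The predicate string, the `Timestamp` and `Message` columns, and the sample entries are assumptions; only the `unified_logs` table name and the `PredicateType` value come from this page.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Assumed predicate; the page does not give the exact string it uses.
PREDICATE = ('senderImagePath CONTAINS[cd] "IPConfiguration" AND '
             '(eventMessage CONTAINS[cd] "SSID" OR eventMessage CONTAINS[cd] "lease" '
             'OR eventMessage CONTAINS[cd] "network changed")')
# Run on the Mac under examination; this example never executes it.
LOG_CMD = ["log", "show", "--last", "3d", "--style", "json", "--predicate", PREDICATE]
KEYWORDS = ("ssid", "lease", "network changed")
IPCONF = "/System/Library/SystemConfiguration/IPConfiguration.bundle/Contents/MacOS/IPConfiguration"

# Constructed entries shaped like `log show --style json` output; paths and
# message texts are illustrative, not captured from a real system.
def _entry(ts, sender, msg):
    return {"timestamp": ts, "senderImagePath": sender, "eventMessage": msg}

SAMPLE = json.dumps([
    _entry("2024-11-03 01:10:45.500000-0500", IPCONF, "DHCP en0: lease acquired 192.0.2.23"),
    _entry("2024-11-03 01:30:12.000000-0400", IPCONF, "en0: SSID ExampleCafe-Guest"),
    _entry("2024-11-03 01:31:00.000000-0400", IPCONF, "en0: link active"),
    _entry("2024-11-03 01:32:00.000000-0400", "/usr/sbin/exampled", "SSID scan done"),
])

def to_utc(ts):
    """Normalise a local-time-plus-offset timestamp to UTC ISO 8601."""
    parsed = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z")
    return parsed.astimezone(timezone.utc).isoformat(timespec="microseconds")

def parse_entries(raw):
    """Re-apply the filter to parsed JSON; return (utc_time, message) rows in UTC order."""
    rows = []
    for e in json.loads(raw):
        msg = e.get("eventMessage") or ""
        if ("IPConfiguration" in (e.get("senderImagePath") or "")
                and any(k in msg.lower() for k in KEYWORDS)):
            rows.append((to_utc(e["timestamp"]), msg))
    return sorted(rows)

def store(conn, rows):
    """Insert rows into unified_logs tagged PredicateType='Network Usage'."""
    conn.execute("CREATE TABLE IF NOT EXISTS unified_logs "
                 "(Timestamp TEXT, Message TEXT, PredicateType TEXT)")  # assumed columns
    conn.executemany("INSERT INTO unified_logs VALUES (?, ?, 'Network Usage')", rows)
    return conn

if __name__ == "__main__":
    conn = store(sqlite3.connect(":memory:"), parse_entries(SAMPLE))
    for row in conn.execute("SELECT * FROM unified_logs ORDER BY Timestamp"):
        print(row)
```

The two sample timestamps that straddle a daylight-saving change sort in the wrong order as local-time strings; converting to UTC before building a timeline puts the SSID association ahead of the DHCP lease.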
Forensic Value
Network usage logs help establish device location history through WiFi networks, track network-based lateral movement, identify suspicious network connections, and create timelines of system connectivity. They reveal what networks were accessed, when, and can indicate device movement or rogue network connections.