USB Info

Overview

Evidence: USB Info Description: Filter USB Mass Storage Class events Category: System Platform: macos Short Name: usbinfo Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

USB Mass Storage Class (USBMSC) events on macOS capture USB device connections, disconnections, and storage device interactions through the IOKit framework. These logs track external storage devices including USB drives, external hard drives, and other mass storage peripherals connected to the system.

Data Collected

This collector gathers structured data about usb info.

Collection Method

This collector uses the macOS 'log' command with predicate-based filtering to extract USB Mass Storage Class subsystem events and USB-related process activities over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType='USB Info'.

Forensic Value

USB logs are critical for investigating data exfiltration, unauthorized device usage, malware introduction via USB drives, and BadUSB attacks. They reveal what USB devices were connected, when, and for how long, helping identify potential data theft, evidence tampering, or malicious device insertion during security incidents.