Comments on Yogesh Khatri's forensic blog: Interpreting volume info from FXDesktopVolumePositions
Feed updated: 2024-01-01T03:51:10.857-05:00
Blog author: Yogesh Khatri (http://www.blogger.com/profile/03726664886311447808)
4 comments

Comment by Yogesh Khatri (https://www.blogger.com/profile/18391374024639697695), 2018-09-13T10:27:06.892-04:00:
Thanks for the info Swastik. The unified logs, fseventsd logs and the QuickTime thumbnail cache all have traces of volume activity.

Comment by Anonymous (https://www.blogger.com/profile/09791902361546512407), 2018-08-28T01:53:28.022-04:00:
Good post Yogesh. The information about mounted volumes/dmgs can also be ascertained using macOS Unified Logs:

1. log show --info --predicate 'process == "fseventsd" && eventMessage contains "/Volumes"'

2. log show --info --predicate '(process=="fseventsd" or process=="deleted") and (eventMessage contains "/Volumes/" or eventMessage contains "fseventsd getting new uuid:")'

The logarchives can be extracted from a suspect machine and parsed/analyzed in a macOS native terminal. Most importantly, it's difficult to get the serial numbers of the USB device as macOS records the UUIDs of the devices in the Unified Logs. It was tested on macOS High Sierra.

Comment by Yogesh Khatri (http://www.blogger.com/profile/03726664886311447808), 2017-12-12T18:19:31.329-05:00:
Oh, did not know about that. Thanks Geoff!

Comment by Anonymous (https://www.blogger.com/profile/08433843733864038978), 2017-10-06T13:47:54.570-04:00:
Hey Yogesh, the whole string after the last "_" is a hexadecimal float string. In Python, you can use "float.fromhex(s)", then convert that to Mac Absolute Time. Only certain filesystems seem to have positive values (HFS+ only?). Verified this with SANS training materials and personal testing.

https://docs.python.org/3/library/stdtypes.html#float.fromhex

Geoff