Hey everyone, Trey Amick from Magnet Forensics here. Today we're talking about Mac USB investigations, and what happens when we've been alerted that a USB has been inserted into an endpoint.

Different organisations handle USB policies differently. Some have alerting mechanisms in place for when USBs are detected, while others may encrypt the drive when it's inserted into the endpoint. Other organisations may block the external drive from being mounted altogether, or may only allow specific external drives to be used by employees. Lastly, we have some organisations that tell staff it's against policy to use USBs, but don't take any additional steps to further protect the endpoint. The evidence differs, but depending on the organisation you may be faced with identifying a USB that's been inserted into a Mac in question for a possible data exfil.

Here we have a MacBook Air image already processed in AXIOM. This investigation hinges on possible insider threats, where the associate may have attempted to copy files to a USB. We're going to go ahead and check the OS information. We can identify that for our report by going to the Artifacts view; we'll navigate on down to Operating System, and we will look for 'Operating System Information.' We can confirm that it's 10.14.4, and I'm going to go ahead and add this as a tag.

And since this case hinges on USB information, I'm actually going to keep scrolling down, and we're going to start with the USB connection history, with 235 hits. Now we can see all the different USB connections, and with there being 235 hits, which seems rather high, we're going to actually try and identify some of this information.

And right off the bat, I'm seeing a lot of the same vendor ID codes here, with 0x5ac. There's nobody saying that we can't use open-source intelligence gathering methods for our investigations, so I'm actually going to use a website to detect what that information is for that vendor information. And as we can see here, that is actually coming back to Apple, with a lot of their different product information pieces. So now we've confirmed that, we know that a lot of these hits are actually coming from Apple. Let's go ahead and we're going to sort now on the serial number. We're going to go ahead and get all of them grouped together. And now that we do that, we can start identifying what's going on here. So these first three: we're getting the exact same serial number, vendor ID, product information.

But just like we did before, we can check on that by using the same database and loading it in. And this organisation in particular allows their employees to use one specific drive, and I'd be willing to bet that's going to be this drive. And sure enough, we can see that it is a G-Tech Western Digital hard drive. So we can validate that they are using this drive on this machine, and that's been approved by their organisation.

Next, though, as we look through the list here we see a couple of additional pieces to this USB history, and we can see that we've got a couple of identifiers here that… we need to identify what's going on. So the next one we're going to take a look at is the 984 that's on the list, 4/15. And when we go back to the same database, we can actually look and see that this is coming back to an Apricorn SATA Wire, 2.5″.

Now this tells me that this validates what was found in the IT system: that this machine was used and dropped off, and IT did support this machine on 4/15.
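The triage steps in the walkthrough (resolve the vendor ID, group hits by serial number, then compare what remains against the one drive the organisation approves) can be scripted once the USB connection history has been exported. The following is an added example, not code from Magnet Forensics or from the video. It assumes a simple CSV-style export with vendor ID, product ID, serial, product name and first-seen date per row (the column layout is an assumption, not AXIOM's own export format), uses a small vendor table containing only the 0x5ac (Apple) and 0x984 (Apricorn) values named above plus 0x1058 (Western Digital) from the public usb.ids list, and runs over constructed sample rows rather than real case data.

```python
"""Triage a USB connection-history export: resolve vendor IDs, group hits by
serial number, and flag storage devices that are not on the approved list.
Added example; the export layout and sample rows are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Minimal vendor lookup. 0x05ac (Apple) and 0x0984 (Apricorn) are the values
# discussed in the walkthrough; 0x1058 (Western Digital) is from the public
# usb.ids list. A real triage would load the full list instead.
USB_VENDORS = {
    0x05AC: "Apple, Inc.",
    0x0984: "Apricorn",
    0x1058: "Western Digital Technologies, Inc.",
}

# Constructed sample export (assumed layout: vid,pid,serial,product,first_seen).
# Product IDs and serials are placeholders, not real device values.
SAMPLE_EXPORT = """
# vid,pid,serial,product,first_seen
0x5ac,0x1111,INTERNAL-KBD-0001,Apple Internal Keyboard / Trackpad,2019-04-10
0x5ac,0x1111,INTERNAL-KBD-0001,Apple Internal Keyboard / Trackpad,2019-04-11
0x5ac,0x2222,INTERNAL-BT-0001,Bluetooth USB Host Controller,2019-04-10
0x1058,0x3333,GTECH-EXAMPLE-0001,G-DRIVE mobile,2019-04-12
0x1058,0x3333,GTECH-EXAMPLE-0001,G-DRIVE mobile,2019-04-14
0x984,0x4444,APRICORN-EXAMPLE-0001,SATA Wire 2.5,2019-04-15
"""


@dataclass(frozen=True)
class UsbEvent:
    vendor_id: int
    product_id: int
    serial: str
    product: str
    first_seen: str  # ISO date string, compared lexically


def parse_id(text):
    """Accept '0x5ac', '05ac' or '5ac' and return the integer ID."""
    return int(text.strip().lower().replace("0x", ""), 16)


def parse_export(lines):
    """Parse the assumed CSV layout, skipping blank and '#' comment lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        vid, pid, serial, product, seen = [f.strip() for f in line.split(",")]
        events.append(UsbEvent(parse_id(vid), parse_id(pid), serial, product, seen))
    return events


def vendor_name(vid):
    """Resolve a vendor ID; unknown IDs are reported rather than dropped."""
    return USB_VENDORS.get(vid, f"unknown (0x{vid:04x})")


def hits_by_vendor(events):
    """Count hits per vendor, the first cut that explains a high hit count."""
    return Counter(vendor_name(e.vendor_id) for e in events)


def group_by_serial(events):
    """Group events by serial number so one physical device is one entry."""
    groups = defaultdict(list)
    for e in events:
        groups[e.serial].append(e)
    return dict(groups)


def unapproved_devices(events, approved_serials, ignore_vendors=(0x05AC,)):
    """Return {serial: (vendor, product, first_seen)} for devices that are
    neither on the approved list nor from an ignored vendor (the host's own
    Apple-internal devices). These are the entries worth a closer look."""
    flagged = {}
    for serial, evs in group_by_serial(events).items():
        if serial in approved_serials:
            continue
        if all(e.vendor_id in ignore_vendors for e in evs):
            continue
        first = min(e.first_seen for e in evs)
        flagged[serial] = (vendor_name(evs[0].vendor_id), evs[0].product, first)
    return flagged


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT.splitlines())
    print("hits by vendor:", dict(hits_by_vendor(evs)))
    print("devices by serial:", {s: len(g) for s, g in group_by_serial(evs).items()})
    print("unapproved:", unapproved_devices(evs, {"GTECH-EXAMPLE-0001"}))
```

With the approved serial set to the G-Tech drive, the only flagged entry is the Apricorn device with its first-seen date, which is the same fact the walkthrough then cross-checks against the IT support record. The Apple-internal devices are dropped by vendor, not by serial, so a new external device from an unlisted vendor still surfaces.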