=Start=
Background:
This question suddenly came to mind. Theory and intuition both say it should not be possible, but it seemed safer to search and do some research before giving a conclusion.
Body:
Reference answers:
Test conclusions first:
- If DLP-type monitoring software was already installed on the machine before the event, with the corresponding policy configured (or the relevant audit options enabled; these options are off by default because of their high resource cost), the operations can be recorded for later review. If it was installed afterwards (post hoc), what happened before cannot be reconstructed.
- On the tested macOS 13.2.1 system, the logs do show whether USB storage was plugged in or removed, and the name of the inserted USB drive is visible.
- On older macOS versions the analysis is done on the files /var/log/system.log* (not tested here); on newer systems it is done through Console or the log show command.
- macOS really changes fast, and often with little continuity, not as well maintained as Windows is in this respect; many methods found online (especially the very tricky ones) are likely outdated (only work on older versions) or have been disabled.
- On a standard macOS system (no additional DLP software installed and no real-time audit options enabled), there is no way to trace or reconstruct file copying, exfiltration and similar actions on the system.
==
Here are the concrete commands for viewing plug/unplug records, for anyone who needs them:
log show --predicate '(processImagePath contains "deleted") && (eventMessage contains "CACHE_DELETE_VOLUME : ")' --style syslog --last 1d | head
log show --predicate '(processImagePath contains "deleted") && (eventMessage contains "CACHE_DELETE_VOLUME : ")' --style syslog --last 1d | awk -F: '{print $NF}' | sort | uniq -c
log show --predicate 'eventMessage contains "mounted"' --last 35m
log show --style syslog --last 15m --info | grep -F '[USB]'
log show --style syslog --last 35m | tail
# Methods said to work on older systems (not tested here)
zgrep -i 'usbmsc' /var/log/system.log*
zgrep -Ei 'usbmsc|mount' /var/log/system.log*
# If your MacOS version is 10.12 or later (Sierra/...), you can use the advanced terminal log tool.
log show --predicate 'eventMessage contains "mounted"' --last 35m
log show --style syslog --last 15m --info | grep -F '[USB]'
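As an added example that is not part of the original post, here is a small POSIX shell function that post-processes a saved log show --style syslog export and reports, per volume name, how often the CACHE_DELETE_VOLUME message appeared and when it was first and last seen, which answers the "when was this USB drive last connected" question more directly than the sort | uniq -c one-liner above. The log lines embedded in it are constructed to mimic the syslog style and are not real macOS output; the function and sample names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise volume activity from a
# saved export of `log show --style syslog`. The "CACHE_DELETE_VOLUME : " marker is
# the one used in the log show predicate above; everything else here is assumed.
# Prints one line per volume:
#   "<count> <first date> <first time> <last date> <last time> <volume>"
summarize_volume_events() {
    grep -F 'CACHE_DELETE_VOLUME : ' \
    | awk '{
        # $1 is the date, $2 the time (keep HH:MM:SS only)
        ts = $1 " " substr($2, 1, 8)
        # the volume name is whatever follows the marker, as in the awk -F: one-liner above
        n = split($0, parts, "CACHE_DELETE_VOLUME : ")
        vol = parts[n]
        sub(/[ \t]+$/, "", vol)
        count[vol]++
        if (!(vol in first)) first[vol] = ts
        last[vol] = ts
    }
    END {
        for (v in count) printf "%d %s %s %s\n", count[v], first[v], last[v], v
    }' | LC_ALL=C sort -k6
}

# Constructed sample lines that only mimic the syslog style; not real macOS output.
# The [USB] line is noise that the filter must ignore.
sample_log() {
cat <<'EOF'
2023-03-01 09:02:11.481279+0800 localhost deleted[412]: (CacheDelete) CACHE_DELETE_VOLUME : KINGSTON
2023-03-01 09:02:12.004113+0800 localhost kernel[0]: [USB] constructed noise line
2023-03-01 13:45:09.110008+0800 localhost deleted[412]: (CacheDelete) CACHE_DELETE_VOLUME : KINGSTON
2023-03-02 08:30:55.772001+0800 localhost deleted[412]: (CacheDelete) CACHE_DELETE_VOLUME : Backup SSD
EOF
}

# Stand-alone run against the constructed sample; on a Mac you would instead do:
#   log show --style syslog --last 7d > usb.log && summarize_volume_events < usb.log
sample_log | summarize_volume_events
```

This only summarises volume mount activity; as the conclusions above say, it tells you nothing about which files, if any, were copied to the volume.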
Post hoc (sometimes written as post-hoc) is a Latin phrase, meaning "after this" or "after the event".
TL;DR: With a standard install of macOS it isn't possible to determine with any certainty whether data has been copied from the Mac onto a USB or network device.
Under a standard macOS install there is no way to tell whether data has been sent out via USB or over the network.
Because:
1. You cannot tell whether a given file was copied;
2. The logging system does not record this behaviour by default.
Unless real-time auditing was turned on before the event (so that log records were produced), you cannot reconstruct it. The same holds for every other post hoc scenario.
Reference links:
Is there a system log which displays which external media/storage devices were connected/disconnected from my system? If so, please advise me on how to do so.
https://discussions.apple.com/thread/6734878
Can I find out the last time a specific USB was connected to my MBP?
https://apple.stackexchange.com/questions/366132/can-i-find-out-the-last-time-a-specific-usb-was-connected-to-my-mbp
Detecting theft of data – folder / files transfered from MacBook to USB
https://apple.stackexchange.com/questions/381229/detecting-theft-of-data-folder-files-transfered-from-macbook-to-usb
Find out if any files were exported from my MacBook
https://apple.stackexchange.com/questions/304893/find-out-if-any-files-were-exported-from-my-macbook
Post hoc – after the event
https://en.wikipedia.org/wiki/Post_hoc
=END=
1 comment on “Can macOS track the copying of files to a USB drive”
Without an MDM channel to push profiles, USB disabling can be implemented by detecting the mount of an external disk and then actively ejecting it (not an elegant approach, and how well it works depends on how quickly the mount is detected and how the eject behaves, but it is still a usable method and idea).
How to Eject External Hard Drive from Mac: All the Methods
https://www.macgasm.net/news/eject-external-hard-drive-mac/
Instantly Eject All Mounted Drives & Disks from the Command Line in Mac OS X
https://osxdaily.com/2014/05/22/eject-all-mounted-volumes-command-line-mac/
How to Eject USB From Mac? Easy Step By Step Guide
https://thewiredshopper.com/how-to-eject-usb-from-mac/
`
The different ways to eject USB from Mac are listed below:
Use the Finder
Use the Disk Utility
Use the Terminal
`