How to Tell If Someone Was Using Your Mac

Feb 25, 2012 - 7 Comments

Find the last wake time

Although everyone should always password protect a Mac to prevent unauthorized use, not everyone does. Sometimes people share general logins, be it with a roommate, sibling, spouse or whoever else. Now, if you have ever wondered if someone was using your computer while you were away, there’s actually a pretty easy method to find out in Mac OS X.

Find Out If Someone Was Using Your Mac with Console

This works best if you put a Mac to sleep while away, since what we’re looking for are system wake events. If you aren’t sleeping a Mac while gone from the computer, start doing so now to track this wake data.

  • Use Spotlight (Command+Spacebar) to search for and open “Console”
  • Click the search bar in the upper right corner of Console and type “Wake” to filter the system logs for wake events
  • Scroll to the bottom of the list to find the most recent events, then look through the listed data for a wake entry that corresponds to the time you suspect someone used the computer

First you’ll want to make note of the time, since that alone can give you the information you’re looking for. Furthermore, by reading the wake reasons you’ll be able to see how the Mac was woken up and by what method. For example, Mac laptops will show “EC.LidOpen (User)” or “LID0” to indicate the Mac was woken by opening the screen’s lid. All Macs will show EHC or EHC2 to indicate that the Mac was woken by touching the keyboard or trackpad. OHC or USB generally indicates an external USB device or mouse was used to wake the Mac, and so forth. Some of the exact syntax for wake reasons will vary per version of OS X, but most of the codes are similar enough to draw shared conclusions.

Here are some example entries of what you may see in Console:
2/24/12 3:22:26.000 PM kernel: Wake reason: EC.SleepTimer (SleepTimer)
2/24/12 3:40:31.000 PM kernel: Wake reason: EC.LidOpen (User)
2/24/12 5:23:40.000 PM kernel: Wake reason: EC.SleepTimer (SleepTimer)
2/24/12 8:11:03.000 PM kernel: Wake reason: EC.LidOpen (User)
2/24/12 9:05:09.000 PM kernel: Wake reason: EC.LidOpen (User)
2/24/12 9:32:06.000 PM kernel: Wake reason: EC.LidOpen (User)
2/25/12 00:51:44.000 AM kernel: Wake reason: EHC2

What you are ultimately looking for is a date, time, or a wake event that doesn’t correspond to your own regular Mac use. Perhaps waking by trackpad (EHC2) at midnight is suspicious, or maybe it was unusual to have someone open the lid of the laptop at 3:40 in the afternoon yesterday. Ultimately it is up to you to determine what is suspicious or out of place, but by looking at system logs you can get data that is practically guaranteed to be accurate because most users wouldn’t think to interfere with these logs.

Finding Wake Information from the Command Line
If you’re more inclined to use the command line, or if you want to check wake events on a remote Mac via SSH, try using grep with the syslog command to look for “Wake” or “Wake reason”:

syslog | grep -i "Wake reason"

Using syslog with grep displays the exact same wake information as Console would, but because it’s accessible from the command line it can be more powerful for advanced users.
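
The review described above can be scripted. The following is an added example, not code from the original article: a shell function that reads wake entries in the Console format of the sample lines shown earlier, converts the timestamps to 24-hour time, labels each wake code with the meanings given above, and marks user-initiated wakes that fall inside an away window. The function name, the away-window arguments and the treatment of EC.SleepTimer as a non-user wake are assumptions.

```shell
# Added example: flag wake events that fall inside an "away" window.
# Input: lines in the Console format of the sample entries in the article.
# Usage: wake_report START END   (HH:MM, 24-hour clock; may cross midnight)
wake_report() {
    awk -v ws="$1" -v we="$2" '
    function mins(hhmm,   p) { split(hhmm, p, ":"); return p[1] * 60 + p[2] }
    function cause(code) {
        # Meanings as given in the article; SleepTimer as non-user is assumed.
        if (code ~ /LidOpen|LID0/) return "lid opened"
        if (code ~ /^EHC/)         return "keyboard/trackpad"
        if (code ~ /^OHC|USB/)     return "USB device/mouse"
        if (code ~ /SleepTimer/)   return "sleep timer"
        return "unknown"
    }
    /Wake reason:/ {
        split($2, t, ":")                    # $2 looks like H:MM:SS.000
        h = t[1] + 0; m = t[2] + 0
        if ($3 == "PM" && h < 12) h += 12    # 12-hour to 24-hour
        if ($3 == "AM" && h == 12) h = 0
        now = h * 60 + m
        code = $0
        sub(/.*Wake reason: */, "", code)    # keep only the wake code
        sub(/ .*/, "", code)
        s = mins(ws); e = mins(we)
        inwin = (s <= e) ? (now >= s && now < e) : (now >= s || now < e)
        c = cause(code)
        flag = (inwin && c != "sleep timer") ? "CHECK" : "-"
        printf "%s %02d:%02d|%s|%s|%s\n", $1, h, m, code, c, flag
    }'
}

# Sample input: four of the example entries from the article.
SAMPLE_LOG='2/24/12 3:22:26.000 PM kernel: Wake reason: EC.SleepTimer (SleepTimer)
2/24/12 3:40:31.000 PM kernel: Wake reason: EC.LidOpen (User)
2/24/12 8:11:03.000 PM kernel: Wake reason: EC.LidOpen (User)
2/25/12 00:51:44.000 AM kernel: Wake reason: EHC2'

# Away from 09:00 to 18:00: only the 15:40 lid-open is marked CHECK.
printf '%s\n' "$SAMPLE_LOG" | wake_report 09:00 18:00
```

Entries marked CHECK are wakes by lid, keyboard, trackpad or USB during the window you were away; deciding whether they are suspicious is still up to you.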

Keep in mind that while syslog and Console track sleep and wake data, they won’t necessarily show login attempts and failures, or waking a screen saver. In that case, the best protection is to always remember to set password protection on a Mac and lock the screen with a password even when you leave for a few minutes if you’re in a situation where sensitive data could be compromised or accessed by others.

You can find similar information on Windows machines too, although you’ll have to look elsewhere for that.

Posted by: William Pearson in Mac OS X, Tips & Tricks, Troubleshooting

7 Comments


  1. Parakeet says:

    New CBS Show: CSI OSXDaily

  2. Connor Odell says:

    Set a strong admin password and you shouldn’t have to worry about anyone using your computer uninvited.

  3. Mario says:

    This will not tell you anything if someone boots your Mac from an external USB drive, accesses your internal drive to copy/steal data and shuts it down.

    To prevent this use case you need to set an EFI password, which most users don’t do.

  4. brent says:

    Is there an app that’ll take a screenshot whenever the computer starts up and keep it hidden?

  5. Burt says:

    EFI password is easily bypassed. Hard drive can always be removed and read on another machine. And permissions can always be reset by anyone using admin account after taking ownership. Pre-2010 Macs can reset EFI pass with boot disk!

    If you want true security you enable FileVault. Without login password all they get is one giant encrypted file of a home folder.

  6. [...] files they opened. If someone was a step ahead and cleared out that menu, you can dig deeper and also determine if someone used a Mac by checking system logs, finding exact boot and wake times, and also determining precisely what caused a Mac to wake from [...]
