How to Tell If Someone Was Using Your Mac
Although everyone should always password protect a Mac to prevent unauthorized use, not everyone does. Sometimes people share general logins, be it with a roommate, sibling, spouse or whoever else. Now, if you have ever wondered if someone was using your computer while you were away, there’s actually a pretty easy method to find out in Mac OS X.
Find Out If Someone Was Using Your Mac with Console
This works best if you put a Mac to sleep while away, since what we’re looking for are system wake events. If you aren’t sleeping a Mac while gone from the computer, start doing so now to track this wake data.
- Use Spotlight (Command+Spacebar) to search for and open “Console”
- Click the search bar in the upper right corner of Console and type “Wake” to filter the system logs for wake events
- Scroll to the bottom of the list to find the most recent events, then look through the listed data for a wake entry that corresponds to the time you suspect someone used the computer
First you’ll want to make note of the time since that alone can give you the information you’re looking for. Furthermore, by reading the wake reasons you’ll be able to see how the Mac was woken up and by what method. For example, Mac laptops will show “EC.LidOpen (User)” or “LID0” to indicate the Mac was woken by opening the screen’s lid. All Macs will show EHC or EHC2 to demonstrate that the Mac was woken by touching the keyboard or trackpad. OHC or USB generally indicates an external USB device or mouse was used to wake the Mac, and so forth. Some of the exact syntax for wake reasons will vary per version of OS X, but most of the codes are similar enough to draw shared conclusions.
Here are some example entries of what you may see in Console:
2/24/12 3:22:26.000 PM kernel: Wake reason: EC.SleepTimer (SleepTimer)
2/24/12 3:40:31.000 PM kernel: Wake reason: EC.LidOpen (User)
2/24/12 5:23:40.000 PM kernel: Wake reason: EC.SleepTimer (SleepTimer)
2/24/12 8:11:03.000 PM kernel: Wake reason: EC.LidOpen (User)
2/24/12 9:05:09.000 PM kernel: Wake reason: EC.LidOpen (User)
2/24/12 9:32:06.000 PM kernel: Wake reason: EC.LidOpen (User)
2/25/12 00:51:44.000 AM kernel: Wake reason: EHC2
What you are ultimately looking for is a date, time, or a wake event that doesn’t correspond to your own regular Mac use. Perhaps waking by trackpad (EHC2) at midnight is suspicious, or maybe it was unusual to have someone open the lid of the laptop at 3:40 in the afternoon yesterday. Ultimately it is up to you to determine what is suspicious or out of place, but by looking at system logs you can get data that is practically guaranteed to be accurate because most users wouldn’t think to interfere with these logs.
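The review described above can be scripted. The following is an added example, not part of the original article: it reads entries in the Console format quoted above, drops timer wakes, labels the rest using the wake-reason codes the article lists, and prints only those that fall inside the hours you were away. The function names and the away-window arguments are choices made for this example.

```shell
#!/bin/sh
# Added example: triage Console-format "Wake reason" entries.

# The seven entries quoted in the article, used here as sample input.
sample_log() {
  cat <<'EOF'
2/24/12 3:22:26.000 PM kernel: Wake reason: EC.SleepTimer (SleepTimer)
2/24/12 3:40:31.000 PM kernel: Wake reason: EC.LidOpen (User)
2/24/12 5:23:40.000 PM kernel: Wake reason: EC.SleepTimer (SleepTimer)
2/24/12 8:11:03.000 PM kernel: Wake reason: EC.LidOpen (User)
2/24/12 9:05:09.000 PM kernel: Wake reason: EC.LidOpen (User)
2/24/12 9:32:06.000 PM kernel: Wake reason: EC.LidOpen (User)
2/25/12 00:51:44.000 AM kernel: Wake reason: EHC2
EOF
}

# flag_wakes START END: read wake entries on stdin and print the ones a
# person caused while you were away. START and END are hours on a 24-hour
# clock, END is exclusive, and the window may wrap past midnight (22 7).
flag_wakes() {
  awk -v start="$1" -v end="$2" '
    BEGIN { start += 0; end += 0 }        # force numeric comparison
    /Wake reason:/ {
      split($2, t, ":")                   # $2 is h:mm:ss.mmm, $3 is AM or PM
      hour = t[1] % 12                    # 12 AM -> 0; the "00 AM" form -> 0
      if ($3 == "PM") hour += 12
      reason = $0
      sub(/.*Wake reason: */, "", reason)
      sub(/[ \t\r]+$/, "", reason)
      # Mapping taken from the article; exact codes vary by OS X version.
      if      (reason ~ /LidOpen|LID0/) how = "lid opened"
      else if (reason ~ /EHC/)          how = "keyboard or trackpad"
      else if (reason ~ /OHC|USB/)      how = "external USB device"
      else next                           # SleepTimer or unrecognised code
      if (start <= end) away = (hour >= start && hour < end)
      else              away = (hour >= start || hour < end)
      if (away) printf "%s %s %s | %s | %s\n", $1, $2, $3, how, reason
    }'
}

# Away overnight, 22:00 to 07:00: only the EHC2 wake at 00:51 is reported.
sample_log | flag_wakes 22 7
```

To use it on your own data, feed `flag_wakes` a file of copied Console entries instead of `sample_log` and pass the hours you were away.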
Finding Wake Information from the Command Line
If you’re more inclined to use the command line, or if you want to check wake events on a remote Mac via SSH, try using grep with the syslog command to look for “Wake” or “Wake reason”:
syslog | grep -i "Wake reason"
Using syslog with grep displays the exact same wake information as Console would, but because it’s accessible from the command line it can be more powerful for advanced users.
Keep in mind that while syslog and Console track sleep and wake data, they won’t necessarily show login attempts and failures, or waking a screen saver. In that case, the best protection is to always remember to set password protection on a Mac and lock the screen with a password even when you leave for a few minutes if you’re in a situation where sensitive data could be compromised or accessed by others.
You can find similar information on Windows machines too, although you’ll have to look elsewhere for that.
I’m almost exactly SEVEN years late. My how time flies.
The question that comes to my mind – can this track wireless access or attempts? This would be great, especially if they are bypassing the router (possible) and going directly for the macbook. Though I have “wake on network access” turned off… This person was still able, somehow – and I don’t believe they had physical access to my computer and for some reason added a new network device in the system settings – samsung something or other as a “modem” (Kicking myself for not taking a screen shot – it was a knee-jerk reaction). Now… unless they broke in or possibly they were hanging out with me and inserted a USB… My computer sleeps rather quickly, so if I went to pee… Anyhow… I digress…
Anyhow, I would like to wipe the drive and do a fresh install of the OS – all files have been saved (I’ll worry about the apps and programs later). Before I do this – is it possible to see the device or search for it when it was added? I might even have its mac address (long story). There is a possibility of brute force, too… but that I wouldn’t understand… as the firewall is on NO sharing, etc etc. Please help!
EFI password is easily bypassed. Hard drive can always be removed and read on another machine. And permissions can always be reset by anyone using admin account after taking ownership. Pre 2010 macs can reset efi pass with boot disk!
If you want true security you enable filevault. Without login password all they get is one giant encrypted file of a home folder.
Is there an app that’ll take a screenshot whenever the computer starts up and keep it hidden?
This will not tell you anything if someone boots your mac from external USB drive, accesses your internal drive to copy/steal data and shuts it down.
To prevent this use case you need to set EFI password, which most users don’t do.
Set a strong admin password and you shouldn’t have to worry about anyone using your computer uninvited.
New CBS Show: CSI OSXDaily