How to Tell If Someone Was Using Your Mac
Although everyone should always password protect a Mac to prevent unauthorized use, not everyone does. Sometimes people share general logins, be it with a roommate, sibling, spouse or whoever else. Now, if you have ever wondered if someone was using your computer while you were away, there’s actually a pretty easy method to find out in Mac OS X.
Find Out If Someone Was Using Your Mac with Console
This works best if you put a Mac to sleep while away, since what we’re looking for are system wake events. If you aren’t sleeping a Mac while gone from the computer, start doing so now to track this wake data.
- Use Spotlight (Command+Spacebar) to search for and open “Console”
- Click the search bar in the upper right corner of Console and type “Wake” to sort the system logs for wake events
- Scroll to the bottom of the list to find the most recent events, search around in the listed data for a wake entry that corresponds to the time you suspect someone used the computer
First you’ll want to make note of the time since that alone can give you the information you’re looking for. Furthermore, by reading the wake reasons you’ll be able to see how the Mac was woken up and by what method. For example, Mac laptops will show “EC.LidOpen (User)” or “LID0” to indicate the Mac was woken by opening the screens lid. All Macs will show EHC or EHC2 to demonstrate that the Mac was woken by touching the keyboard or trackpad. OHC or USB generally indicates an external USB device or mouse was used to wake the Mac, and so forth. Some of the exact syntax for wake reasons will vary per version of OS X, but most of the codes are similar enough to draw shared conclusions.
Here are some example entries of what you may see in Console:
2/24/12 3:22:26.000 PM kernel: Wake reason: EC.SleepTimer (SleepTimer)
2/24/12 3:40:31.000 PM kernel: Wake reason: EC.LidOpen (User)
2/24/12 5:23:40.000 PM kernel: Wake reason: EC.SleepTimer (SleepTimer)
2/24/12 8:11:03.000 PM kernel: Wake reason: EC.LidOpen (User)
2/24/12 9:05:09.000 PM kernel: Wake reason: EC.LidOpen (User)
2/24/12 9:32:06.000 PM kernel: Wake reason: EC.LidOpen (User)
2/25/12 00:51:44.000 AM kernel: Wake reason: EHC2
What you are ultimately looking for is a date, time, or a wake event that doesn’t correspond to your own regular Mac use. Perhaps waking by trackpad (EHC2) at midnight is suspicious, or maybe it was unusual to have someone open the lid of the laptop at 3:40 in the afternoon yesterday. Ultimately it is up to you to determine what is suspicious or out of place, but by looking at system logs you can get data that is practically guaranteed to be accurate because most users wouldn’t think to interfere with these logs.
Finding Wake Information from the Command Line
If you’re more inclined to use the command line, or if you want to check wake events on a remote Mac via SSH, try using grep with the syslog command to look for “Wake” or “Wake reason”:
syslog |grep -i "Wake reason"
Using syslog with grep displays the exact same wake information as Console would, but because it’s accessible from the command line it can be more powerful for advanced users.
Keep in mind that while syslog and Console track sleep and wake data, they won’t necessarily show login attempts and failures, or waking a screen saver. In that case, the best protection is to always remember to set password protection on a Mac and lock the screen with a password even when you leave for a few minutes if you’re in a situation where sensitive data could be compromised or accessed by others.
You can find similar information on Windows machines too, although you’ll have to look elsewhere for that.