E 'possibile stabilire se un disco rigido Macbook è stato avviato internamente rispetto a quello esterno (usb, firewire, ecc.)?

-1

È possibile sapere da system.log o da altri registri se un disco rigido di macbook pro è stato avviato internamente o estratto e avviato esternamente (ad esempio da USB)? Sto pensando che le voci "BSD root" o "Got boot device" potrebbero essere rilevanti, ma non ne sono sicuro. Ho mostrato un log di esempio qui sotto.

Grazie!

* EDIT: non sono sicuro del motivo per cui qualcuno ha effettuato il downgrade di questa: questa è una domanda valida e pertinente.

Mar 29 15:41:55 localhost bootlog[0]: BOOT_TIME 1434483715 0
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.AccountPolicyHelper" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.authd" sharing output destination "/var/log/asl" with ASL Module "com.apple.asl".
Output parameters from ASL Module "com.apple.asl" override any specified in ASL Module "com.apple.authd".
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.authd" sharing output destination "/var/log/system.log" with ASL Module "com.apple.asl".
Output parameters from ASL Module "com.apple.asl" override any specified in ASL Module "com.apple.authd".
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.authd" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.awdd" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.callhistory.asl.conf" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.cloudd" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.clouddocs" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.commerce.asl" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.CoreDuetAdmissionControl" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.eventmonitor" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.family.asl" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.ical" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.icloud.FindMyDevice" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.install" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.iokit.power" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.mail" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.MessageTracer" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.networking.symptoms" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:26 --- last message repeated 1 time ---
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.performance" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.sandbox.telemetry" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.secinitd" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:23 localhost syslogd[40]: Configuration Notice:
ASL Module "com.apple.securityd" claims selected messages.
Those messages may not appear in standard system log files or in the ASL database.
Mar 29 15:42:26 --- last message repeated 6 times ---
Mar 29 15:42:23 localhost kernel[0]: Longterm timer threshold: 1000 ms
Mar 29 15:42:23 localhost kernel[0]: Darwin Kernel Version 14.3.0: Mon Mar 23 11:59:05 PDT 2015; root:xnu-2782.20.48~5/RELEASE_X86_64
Mar 29 15:42:23 localhost kernel[0]: vm_page_bootstrap: 879991 free pages and 94857 wired pages
Mar 29 15:42:23 localhost kernel[0]: kext submap [0xffffff7f80a00000 - 0xffffff8000000000], kernel text [0xffffff8000200000 - 0xffffff8000a00000]
Mar 29 15:42:23 localhost kernel[0]: zone leak detection enabled
Mar 29 15:42:23 localhost kernel[0]: "vm_compressor_mode" is 4
Mar 29 15:42:23 localhost kernel[0]: multiq scheduler config: deep-drain 0, urgent first 1, depth limit 4, band limit 127, sanity check 0
Mar 29 15:42:23 localhost kernel[0]: standard timeslicing quantum is 10000 us
Mar 29 15:42:23 localhost kernel[0]: standard background quantum is 2500 us
Mar 29 15:42:23 localhost kernel[0]: mig_table_max_displ = 13
Mar 29 15:42:23 localhost kernel[0]: AppleACPICPU: ProcessorId=0 LocalApicId=0 Enabled
Mar 29 15:42:23 localhost kernel[0]: AppleACPICPU: ProcessorId=1 LocalApicId=1 Enabled
Mar 29 15:42:23 localhost kernel[0]: calling mpo_policy_init for TMSafetyNet
Mar 29 15:42:23 localhost kernel[0]: Security policy loaded: Safety net for Time Machine (TMSafetyNet)
Mar 29 15:42:23 localhost kernel[0]: calling mpo_policy_init for AMFI
Mar 29 15:42:23 localhost kernel[0]: Security policy loaded: Apple Mobile File Integrity (AMFI)
Mar 29 15:42:23 localhost kernel[0]: calling mpo_policy_init for Sandbox
Mar 29 15:42:23 localhost kernel[0]: Security policy loaded: Seatbelt sandbox policy (Sandbox)
Mar 29 15:42:23 localhost kernel[0]: calling mpo_policy_init for Quarantine
Mar 29 15:42:23 localhost kernel[0]: Security policy loaded: Quarantine policy (Quarantine)
Mar 29 15:42:23 localhost kernel[0]: Copyright (c) 1982, 1986, 1989, 1991, 1993
Mar 29 15:42:23 localhost kernel[0]: The Regents of the University of California. All rights reserved.
Mar 29 15:42:23 localhost kernel[0]: MAC Framework successfully initialized
Mar 29 15:42:23 localhost kernel[0]: using 16384 buffer headers and 10240 cluster IO buffer headers
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.oracle.java.Helper-Tool): Unknown key for string: SHAuthorizationRight
Mar 29 15:42:23 localhost kernel[0]: AppleKeyStore starting (BUILT: Mar 23 2015 11:37:46)
Mar 29 15:42:23 localhost kernel[0]: IOAPIC: Version 0x11 Vectors 64:87
Mar 29 15:42:23 localhost kernel[0]: ACPI: sleep states S3 S4 S5
Mar 29 15:42:23 localhost kernel[0]: pci (build 11:38:56 Mar 23 2015), flags 0xe3000, pfm64 (36 cpu) 0xf80000000, 0x80000000
Mar 29 15:42:23 localhost kernel[0]: AppleIntelCPUPowerManagement: (built 11:31:44 Mar 23 2015) initialization complete
Mar 29 15:42:23 localhost kernel[0]: [ PCI configuration begin ]
Mar 29 15:42:23 localhost kernel[0]: console relocated to 0xf80010000
Mar 29 15:42:23 localhost kernel[0]: [ PCI configuration end, bridges 6, devices 18 ]
Mar 29 15:42:23 localhost kernel[0]: NVEthernet::start - Built Mar 23 2015 11:36:34
Mar 29 15:42:23 localhost kernel[0]: FireWire (OHCI) Lucent ID 5901 built-in now active, GUID 00264afffe0761ee; max speed s800.
Mar 29 15:42:23 localhost kernel[0]: USBMSC Identifier (non-unique): 000000009833 0x5ac 0x8403 0x9833, 2
Mar 29 15:42:23 localhost kernel[0]: mcache: 2 CPU(s), 64 bytes CPU cache line size
Mar 29 15:42:23 localhost kernel[0]: mbinit: done [64 MB total pool size, (42/21) split]
Mar 29 15:42:23 localhost kernel[0]: rooting via boot-uuid from /chosen: JF8A7F5C-10BA-35F4-89BD-B35F5436ED0G
Mar 29 15:42:23 localhost kernel[0]: Waiting on <dict ID="0"><key>IOProviderClass</key><string ID="1">IOResources</string><key>IOResourceMatch</key><string ID="2">boot-uuid-media</string></dict>
Mar 29 15:42:23 localhost kernel[0]: com.apple.AppleFSCompressionTypeZlib kmod start
Mar 29 15:42:23 localhost kernel[0]: com.apple.AppleFSCompressionTypeDataless kmod start
Mar 29 15:42:23 localhost kernel[0]: com.apple.AppleFSCompressionTypeZlib load succeeded
Mar 29 15:42:23 localhost kernel[0]: com.apple.AppleFSCompressionTypeDataless load succeeded
Mar 29 15:42:23 localhost kernel[0]: AppleIntelCPUPowerManagementClient: ready
Mar 29 15:42:23 localhost kernel[0]: BTCOEXIST off 
Mar 29 15:42:23 localhost kernel[0]: BRCM tunables:
Mar 29 15:42:23 localhost kernel[0]: pullmode[1] txringsize[  256] txsendqsize[1024] reapmin[   32] reapcount[  128]
Mar 29 15:42:23 localhost kernel[0]: Got boot device = IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/SATA@B/AppleMCP79AHCI/PRT0@0/IOAHCIDevice@0/AppleAHCIDiskDriver/IOAHCIBlockStorageDevice/IOBlockStorageDriver/FUJITSU MJA2250BH FFS G1 Media/IOGUIDPartitionScheme/Customer@2
Mar 29 15:42:23 localhost kernel[0]: BSD root: disk0s2, major 1, minor 2
Mar 29 15:42:23 localhost kernel[0]: hfs: mounted Macintosh HD on device root_device
Mar 29 15:42:23 localhost kernel[0]: VM Swap Subsystem is ON
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (org.macosforge.xquartz.privileged_startx): The TimeOut key is no longer respected. It never did anything anyway.
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.alf): The HideUntilCheckIn property is an architectural performance issue. Please transition away from it.
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.audio.coreaudiod): Unknown key for array: seatbelt-profiles
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.auditd): The TimeOut key is no longer respected. It never did anything anyway.
Mar 29 15:42:22 localhost hidd[93]: void __IOHIDPlugInLoadBundles(): Loaded 0 HID plugins
Mar 29 15:42:22 localhost watchdogd[54]:  [watchdog_daemon] @(    wd_watchdog_open) - IOIteratorNext failed (kr=0)
Mar 29 15:42:22 localhost watchdogd[54]:  [watchdog_daemon] @(      wd_daemon_init) - could not initialize the hardware watchdog
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.autofsd): This service is defined to be constantly running and is inherently inefficient.
Mar 29 15:42:22 localhost watchdogd[54]:  [watchdog_daemon] @(                main) - cannot initialize the watchdog service
Mar 29 15:42:22 localhost hidd[93]: IOHIDService compatibility thread running at priority 63 and schedule 2.
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.backupd-status): The HideUntilCheckIn property is an architectural performance issue. Please transition away from it.
Mar 29 15:42:22 localhost iconservicesagent[61]: iconservicesagent launched.
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.backupd.status.xpc): The HideUntilCheckIn property is an architectural performance issue. Please transition away from it.
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.bsd.dirhelper): The TimeOut key is no longer respected. It never did anything anyway.
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.cmio.AVCAssistant): ThrottleInterval set to zero. You're not that important. Ignoring.
Mar 29 15:42:22 localhost watchdogd[99]:  [watchdog_daemon] @(    wd_watchdog_open) - IOIteratorNext failed (kr=0)
Mar 29 15:42:23 localhost watchdogd[99]:  [watchdog_daemon] @(      wd_daemon_init) - could not initialize the hardware watchdog
Mar 29 15:42:23 localhost watchdogd[99]:  [watchdog_daemon] @(                main) - cannot initialize the watchdog service
Mar 29 15:42:22 localhost com.apple.SecurityServer[76]: Session 100000 created
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.cmio.IIDCVideoAssistant): ThrottleInterval set to zero. You're not that important. Ignoring.
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.cmio.VDCAssistant): ThrottleInterval set to zero. You're not that important. Ignoring.
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.configd): This service is defined to be constantly running and is inherently inefficient.
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.CoreRAID): The HideUntilCheckIn property is an architectural performance issue. Please transition away from it.
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.CoreRAID): The ServiceIPC key is no longer respected. Please remove it.
Mar 29 15:42:08 localhost com.apple.xpc.launchd[1] (com.apple.installd): This key does not do anything: OnDemand
Mar 29 15:42:23 localhost com.apple.xpc.launchd[1] (com.apple.watchdogd): Service only ran for 1 seconds. Pushing respawn out by 9 seconds.
Mar 29 15:42:23 localhost kernel[0]: IO80211Controller::dataLinkLayerAttachComplete():  adding AppleEFINVRAM notification
Mar 29 15:42:23 localhost kernel[0]: IO80211Interface::efiNVRAMPublished():  
Mar 29 15:42:23 localhost kernel[0]: bpfAttach len 64 dlt 12
Mar 29 15:42:22 localhost wirelessproxd[70]: updateScanner - central is not powered on: 0
Mar 29 15:42:23 localhost iconservicesagent[61]: Starting service with cache path: /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/com.apple.iconservices
Mar 29 15:42:25 localhost com.apple.xpc.launchd[1] (com.avast.daemon): This service is defined to be constantly running and is inherently inefficient.
Mar 29 15:42:25 localhost syslog[147]: ChmodBPF: Forcing creation and setting permissions for /dev/bpf*
Mar 29 15:42:25 localhost powerd[50]: Activity changes from 0xffff to 0x0. Assertions:1 HidState:0
Mar 29 15:42:25 localhost com.apple.SecurityServer[76]: Entering service
Mar 29 15:42:26 localhost kernel[0]: IOGraphics flags 0x43
Mar 29 15:42:26 localhost kernel[0]: IOBluetoothUSBDFU::probe
Mar 29 15:42:26 localhost kernel[0]: IOBluetoothUSBDFU::probe ProductID - 0x8213 FirmwareVersion - 0x0208
Mar 29 15:42:26 localhost kernel[0]: **** [IOBluetoothHostControllerUSBTransport][start] -- completed -- result = TRUE -- 0x5000 ****
Mar 29 15:42:26 localhost kernel[0]: **** [BroadcomBluetoothHostControllerUSBTransport][start] -- Completed (matched on Device) -- 0x5000 ****
Mar 29 15:42:26 localhost kernel[0]: NVDAStartup: Official
Mar 29 15:42:26 localhost kernel[0]: NVDANV50HAL loaded and registered
Mar 29 15:42:26 localhost kernel[0]: [IOBluetoothHCIController][staticBluetoothTransportShowsUp] -- Received Bluetooth Controller register service notification -- 0x5000 
Mar 29 15:42:26 localhost kernel[0]: [IOBluetoothHCIController][start] -- completed
Mar 29 15:42:26 localhost kernel[0]: [IOBluetoothHCIController::setConfigState] calling registerService
Mar 29 15:42:26 localhost kernel[0]: **** [IOBluetoothHCIController][ProcessBluetoothTransportShowsUpActionWL] -- Connected to the transport successfully -- 0xfb00 -- 0x1800 -- 0x5000 ****
Mar 29 15:42:26 localhost opendirectoryd[69]: BUG in libdispatch: 14D136 - 2004 - 0x5
Mar 29 15:42:26 localhost distnoted[97]: # distnote server daemon  absolute time: 32.520141728   civil time: Tue     Mar 29 15:42:26 2015   pid: 97 uid: 241  root: yes
Mar 29 15:42:26 localhost hidd[93]: ____IOHIDSessionScheduleAsync_block_invoke: thread_id=0x105e76000
Mar 29 15:42:26 localhost hidd[93]: HID Session async scheduling initiated.
Mar 29 15:42:26 localhost hidd[93]: HID Session async root queue running at priority 63 and schedule 2.
Mar 29 15:42:26 localhost hidd[93]: HID Session async scheduling complete.
Mar 29 15:42:26 localhost hidd[93]: Successfully opened the IOHIDSession
Mar 29 15:42:26 localhost thermald[46]: Waiting for OSTT support notification
Mar 29 15:42:26 localhost com.apple.usbmuxd[75]: usbmuxd-344.6 on Mar 16 2015 at 23:31:17, running 64 bit
Mar 29 15:42:26 localhost kernel[0]: Waiting for DSMOS...
Mar 29 15:42:26 localhost kernel[0]: Previous shutdown cause: 5
Mar 29 15:42:26 localhost kernel[0]: DSMOS has arrived
Mar 29 15:42:26 localhost loginwindow[89]: Login Window Application Started
Mar 29 15:42:26 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system): Service "com.apple.ManagedClient.startup" tried to hijack endpoint "com.apple.ManagedClient.agent" from owner: com.apple.ManagedClient
Mar 29 15:42:26 localhost digest-service[176]: label: default
Mar 29 15:42:26 localhost digest-service[176]:  dbname: od:/Local/Default
Mar 29 15:42:26 localhost digest-service[176]:  mkey_file: /var/db/krb5kdc/m-key
Mar 29 15:42:26 localhost digest-service[176]:  acl_file: /var/db/krb5kdc/kadmind.acl
Mar 29 15:42:26 localhost UserEventAgent[41]: Captive: CNPluginHandler en1: Inactive
Mar 29 15:42:26 localhost UserEventAgent[41]: Failed to copy info dictionary for bundle /System/Library/UserEventPlugins/alfUIplugin.plugin
Mar 29 15:42:26 localhost com.avast.daemon[144]: Starting daemon.
Mar 29 15:42:26 localhost systemkeychain[158]: done file: /var/run/systemkeychaincheck.done
Mar 29 15:42:26 localhost com.apple.xpc.launchd[1] (com.apple.appkit.xpc.sandboxedServiceRunner): The JoinExistingSession key is only available to Application services.
Mar 29 15:42:26 localhost com.apple.xpc.launchd[1] (com.apple.lakitu): The JoinExistingSession key is only available to Application services.
Mar 29 15:42:26 localhost com.apple.xpc.launchd[1] (com.apple.accounts.dom): The _DirtyJetsamMemoryLimit key is not available on this platform.
Mar 29 15:42:26 localhost com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent): The _DirtyJetsamMemoryLimit key is not available on this platform.
Mar 29 15:42:26 localhost iconservicesd[60]: iconservicesd launched.
Mar 29 15:42:26 localhost iconservicesd[60]: Cache path: /Library/Caches/com.apple.iconservices.store
Mar 29 15:42:26 localhost configd[49]: preference: no sharing preferences
Mar 29 15:42:27 localhost kernel[0]: 00000000  00000020  NVEthernet::setLinkStatus - not Active
Mar 29 15:42:27 localhost configd[49]: [bootp_transmit.c:213] bootp_transmit(): bpf_write(en0) failed: Network is down (50)
Mar 29 15:42:27 localhost configd[49]: DHCP en0: INIT transmit failed
Mar 29 15:42:27 localhost kernel[0]: 00000000  00000020  NVEthernet::setLinkStatus - not Active
Mar 29 15:42:27 localhost secinitd[174]: UID[0]: cache loaded: /System/Library/Caches/com.apple.app-sandbox-cache.plist
    
posta catmac 24.07.2015 - 22:58
fonte

1 risposta

0

La risposta sembra essere un qualificato. Un post nel link Discussioni Apple dice che ci sarebbero log del firmware (nota la modalità Target Disk attivata nell'EFI prima del caricamento del sistema operativo) in /var/log/system.log:

kernel: hfs: mounted YourDiskName on device  diskXsX

Si noti che questo mi sembra un log del kernel, quindi non sono sicuro di crederci, ma potrebbe essere il kernel del firmware che monta l'unità (qualcosa deve).

Come sottolinea dwbrecovery (l'utente che ha suggerito di controllare i registri), chiunque apra il tuo Mac in modalità disco di destinazione ha accesso illimitato ai tuoi dati. Potrebbero modificare i registri, apportare modifiche e modificare i timestamp in modo che sarebbe impossibile sapere che erano lì.

    
risposta data 25.07.2015 - 01:58
fonte

Leggi altre domande sui tag