Skip navigation

Booting from external drive: Can doing so be detected?

272 Views 11 Replies Latest reply: Dec 10, 2013 2:58 PM by Doc. Caliban RSS
Doc. Caliban Calculating status...
Currently Being Moderated
Dec 8, 2013 12:52 PM

I have a late model iMac and I am wondering if there is a way for me to tell if someone has used it by booting from an external drive.

 

Thank you,

 

-Doc

iMac, iOS 7.0.4
  • Kappy Level 10 Level 10 (221,165 points)

    No. How would they do that if they have to connect the drive to your computer? If it's a concern, then don't leave the computer unattended without locking it with a password that's required for access.

  • rack0 tack0 Level 4 Level 4 (2,210 points)

    You could use the Console and search the system.log and system.log.0.gz etc for the string 'BOOT_TIME'

    This would tell you when the system was booted up and from what drive.

    You could also search for the string  'mount' and that would give any disks that have been mounted and I would expect that to include external drives as well.

     

    Don't include the quotes when you enter the string in the search bar.

     

    Of course if the person doing this was trying to evade detection they could delete the logs.

  • Kappy Level 10 Level 10 (221,165 points)

    Open Console in the Utilitiy folder. Select All Messages on the left. Enter "boot_time" in the search field (omit quotes.) You should get something like this which is from Mavericks:

     

    12/7/13 12:20:03.000 PM bootlog[0]: BOOT_TIME 1386436803 0

    12/8/13 1:11:57.000 PM bootlog[0]: BOOT_TIME 1386526317 0

     

    If there is anything meaningful then you can use it.

    Mac Pro, OS X Mavericks (10.9), iMacs, MBPs, MBs, iPods, iPads, ATV
  • rack0 tack0 Level 4 Level 4 (2,210 points)

    Thinking about it again you are correct, the log files will be on the external drive.

     

    In that case I am not sure how to detect it.

     

    It Is BOOT_TIME in capitals.

  • rack0 tack0 Level 4 Level 4 (2,210 points)

    Not sure why it does not show up. I am running on an external drive now, it is a backup clone and it shows it in this system.log, attached screen shot. I have used system.log instead of all messages due to it being a clone it shows all the BOOT_TIME values of the internal disk when I cloned it. This screen shot is from the boot up just now on the External drive. Not overly clear but I think you will be able to read it.

     

    Screen Shot 2013-12-09 at 21.45.11.png

  • rack0 tack0 Level 4 Level 4 (2,210 points)

    Not sure about that, the machines will have different hardware and it is possible that the external drive setup on your MBP will not behave correctly on different hardware.

    Still as long as the external drive is just a backup of your MBP and you have similar backup for the MacBook Air and iMac you could try it it.

    On the other hand if you setup the external drive on the MacBook Air with all your data then yes you could use the Air with your ext drive.

    Then again you could just have two accounts on the Air.

     

    Give you something to think about.

     

    Hope you sort it all out as you require.

Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.