
Check if Someone used Target Disk Mode on my comp?

Is there any way to see if someone "hacked" into my computer using Target Disk Mode? My only thought is to check the Console but I see nothing active during the time frame I was thinking it happened. Also, can someone delete that info from the Console if they wanted?


Thanks for any info.

Posted on Jul 2, 2014 1:53 PM

8 replies

Jul 2, 2014 2:05 PM in response to hawkeyext

Physical access to a Mac allows many things to happen.

Target disk mode usage isn't logged as far as I am aware, it is a feature of the firmware IIRC. It happens before an OS loads.

A user can access the entire disk so logs & anything could be modified, it really depends on the knowledge of the attacker.


You should consider EFI passwords & using Filevault if you need to mitigate these types of attacks, however if someone has the machine they could try other attacks to gain or modify data.


Setting up firmware password protection in Mac OS X (try finding a newer version of this - I can't see one)

OS X: About FileVault 2


You would probably need to image the Mac's disk & run over it with a fine tooth comb to see if any malicious software is installed, frankly erasing the disk is easier.

Jul 2, 2014 5:52 PM in response to Drew Reece

I wasn't aware of how easily someone could access my data up until today. I'm surprised there's no locked folders or password protection on by default when accessing through Target Disk mode. I will probably turn Filevault on now.


I'd still like to see if my data was accessed though. At 1:36pm I powered my laptop off and maybe 30 minutes later started charging it. I left it alone and at 3:46pm started it back up. The Console shows me turning it off and on again (picture attached). Is it safe to assume that if the computer was turned back on (even through Target Disk Mode) I would see an item in the log saying "BOOT TIME" in the 2 o'clock hour just like I do at 3:46pm?

Jul 2, 2014 6:03 PM in response to hawkeyext

hawkeyext wrote:

The Console shows me turning it off and on again (picture attached). Is it safe to assume that if the computer was turned back on (even through Target Disk Mode) I would see an item in the log saying "BOOT TIME" in the 2 o'clock hour just like I do at 3:46pm?

I don't know, I don't think the standard OS is involved at this point.

Boot into target disk mode now and check the log again. If you have a new entry it will be evident. Make sure you note the time of power off, time of boot to Target mode, time of reboot etc so you can unpick the timeline of events.


All computers work this way, if someone can boot from another disk or plug things in then there is a chance they can access files. Encryption & Firmware passwords can slow an attack.

Jul 3, 2014 5:27 AM in response to Drew Reece

Just tried what you suggested and no, unfortunately the Console does not log that data down. I'm surprised there is no way to find this information out. Does the hard disk have any sort of log for when it's powered on? I know the Apple Geniuses at the store have access to this because they can test out the battery. I've seen them pull up charts with Charging Times and more.

Jul 3, 2014 6:38 AM in response to hawkeyext

I wasn't aware of how easily someone could access my data up until today. I'm surprised there's no locked folders or password protection on by default when accessing through Target Disk mode. I will probably turn Filevault on now.

Target Disk mode just turns your Mac into a very expensive external disk enclosure for your internal disk.


Anyone that has "Physical" access to your Mac can remove the disk and put it in their own external disk enclosure and access the data, so any Mac specific features, including a firmware password, will not stop that.


As you have concluded, FileVault is the only way to protect the data on the disk, by making sure it is encrypted. But note, if an attacker can gain access via your running Mac, it will have access to the data as the running Mac needs to unencrypt the data so you can access it.

Jul 3, 2014 8:52 AM in response to hawkeyext

hawkeyext wrote:


Just tried what you suggested and no, unfortunately the Console does not log that data down. I'm surprised there is no way to find this information out. Does the hard disk have any sort of log for when it's powered on? I know the Apple Geniuses at the store have access to this because they can test out the battery. I've seen them pull up charts with Charging Times and more.


The hard disk will write changes using the date & time set on the device writing to it. In the same way as any other external disk.


You don't seem to have fully grasped that Target disk mode (TDM) is the Mac's firmware turning the Mac into a 'dumb disk drive'. The Mac OS installed on that hard drive is not in control of the OS - otherwise TDM would be useless for restoring a damaged OS. You can use TDM when the HD is blank etc because the installed OS is not in control.

Permissions still prevent users reading & writing things they don't own, but anyone with experience will be able to disable/work around that.


BobHarris is right about physical access. Encryption is the only way to go, combined with a lot of powering down when not in use.


Read the Hardening Tips for Mac OS X 10.6 "Snow Leopard"

http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf to see what the NSA has to do to get some better security on Macs, it is old now but a lot still applies.
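Added example, not part of the original thread or any poster's code: since the replies note that writes made over Target Disk Mode carry the writing machine's date and time, one check is to list files whose timestamps fall inside the window when the Mac was supposedly powered off. The function name and the `/Users` root are assumptions; an empty result proves nothing, because read-only access leaves no timestamps and anyone with full disk access can reset them.

```python
import os
from datetime import datetime


def files_touched_in_window(root, start, end):
    """Return (path, field, when) for entries stamped within [start, end]."""
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    # onerror swallows unreadable directories so the walk keeps going.
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            stamps = {"mtime": st.st_mtime, "ctime": st.st_ctime}
            # Creation time is exposed on macOS/BSD, not on every platform.
            birth = getattr(st, "st_birthtime", None)
            if birth is not None:
                stamps["birthtime"] = birth
            for field, ts in stamps.items():
                if lo <= ts <= hi:
                    hits.append((path, field, datetime.fromtimestamp(ts)))
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    # Window taken from the thread: powered off 1:36 PM, booted 3:46 PM,
    # Jul 2, 2014 (local time). Expect shutdown writes right at the start.
    powered_off = datetime(2014, 7, 2, 13, 36)
    powered_on = datetime(2014, 7, 2, 15, 46)
    for path, field, when in files_touched_in_window(
        "/Users", powered_off, powered_on
    ):
        print(when.isoformat(sep=" "), field, path)
```

Run it with enough privilege to read the tree you care about, and compare any hits against the power-off and boot times you noted.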
