I was away from my MacBook Air (Yosemite) briefly and suspected that someone had copied files from my Mac. Here is what I can see from the system.log under console /var/log. Could some experts advise whether this "(non-unique): 000000000820 " log may be sign that some one plugged in an USB drive? What do I need to search for to find out what directory of files were possibly stolen?
_____________________BEGIN______________________
Mar 31 21:18:41 This mac kernel[0]: USBMSC Identifier (non-unique): 000000000820 0x5ac 0x8406 0x820, 3
Mar 31 21:18:41 This mac kernel[0]: en0: channel changed to 1
Mar 31 21:18:41 This mac.local FinderSyncAPIExtension[1051]: Pipe path is a symbolic link, connecting to target.
Mar 31 21:18:41 This mac kernel[0]: IOBluetoothUSBDFU::probe
Mar 31 21:18:41 This mac kernel[0]: IOBluetoothUSBDFU::probe ProductID - 0x828F FirmwareVersion - 0x0103
Mar 31 21:18:41 This mac kernel[0]: **** [IOBluetoothHostControllerUSBTransport][start] -- completed -- result = TRUE -- 0xb000 ****
Mar 31 21:18:41 This mac kernel[0]: **** [BroadcomBluetoothHostControllerUSBTransport][start] -- Completed (matched on Device) -- 0xb000 ****
Mar 31 21:27:27 This mac kernel[0]: USB (XHCI Root Hub USB 2.0 Simulation):Port 12 on bus 0xa connected or disconnected: portSC(0xe4202a0)
Mar 31 21:27:27 This mac kernel[0]: The USB device Card Reader (Port 3 of Hub at 0x15000000) may have caused a wake by being disconnected
Best Answer
Here's the command for generating a list of all files accessed in the last 72 hours:
From there, you can run 'stat' on each file to get the access time.
You can narrow your search to a specific date/time range via a text editor or grep command.
This may not be sufficient to prove any wrongdoing, but it can disprove it if there were no files accessed during the window of concern. Also, gives an idea of what was possibly accessed.