AirDrop & Bluetooth Connection Logs

macOS, Network Traffic, Disk Image

Location

Unified Log (subsystems com.apple.bluetooth and com.apple.sharing) and /var/log/bluetoothd* (legacy)

Description

Bluetooth daemon and AirDrop subsystem logs capturing device pairing events, connection history, file transfer activity, and nearby device discovery. AirDrop sharing events are logged under the com.apple.sharing subsystem in the Unified Log. Bluetooth device connections record the device name, MAC address, and connection timestamps.

Forensic Value

Bluetooth and AirDrop logs are critical for detecting proximity-based attacks and unauthorized data transfers. AirDrop file transfers bypass network monitoring entirely, making the Unified Log the only artifact that records these transfers with the sending device identifier and file names. Bluetooth pairing events reveal which external devices were connected, including keyboards (potential keystroke injection attacks via BadUSB/Rubber Ducky devices), headsets, and storage devices. Unauthorized AirDrop transfers in proximity to sensitive systems may indicate insider threat data exfiltration via this out-of-band channel.

Tools Required

log (macOS CLI), mac_apt, system_profiler SPBluetoothDataType, Crowdstrike UAC

Collection Commands

log

log show --last 7d --predicate "subsystem == 'com.apple.bluetooth'" > /forensics/bluetooth_log.txt

log

log show --last 7d --predicate "subsystem == 'com.apple.sharing'" > /forensics/airdrop_sharing_log.txt

system_profiler

system_profiler SPBluetoothDataType > /forensics/bluetooth_devices.txt

defaults

defaults read /Library/Preferences/com.apple.Bluetooth > /forensics/bluetooth_prefs.txt
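As an added example (not part of this artifact entry), the script below turns an export of the two subsystems above into a single chronological device timeline with MAC addresses pulled out of each message. It assumes the export was produced with `log show --style ndjson --predicate "subsystem IN {'com.apple.bluetooth','com.apple.sharing'}"`; the sample records, message texts and addresses are constructed, only the field names follow the ndjson style of `log show`.

```python
import json
import re
from datetime import datetime

# Only records from these two subsystems are kept (see the collection commands above).
SUBSYSTEMS = {"com.apple.bluetooth", "com.apple.sharing"}
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f%z"  # timestamp format used by `log show --style ndjson`

# Constructed sample export, one JSON object per line. Field names follow the
# ndjson style of `log show`; the eventMessage texts and addresses are invented.
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2024-03-01 09:15:02.000000-0500", "subsystem": "com.apple.bluetooth",
     "category": "Connection", "processImagePath": "/usr/sbin/bluetoothd",
     "eventMessage": "Device connected: Magic Keyboard addr=AA:BB:CC:DD:EE:01"},
    {"timestamp": "2024-03-01 09:16:40.000000-0500", "subsystem": "com.apple.sharing",
     "category": "AirDrop", "processImagePath": "/usr/libexec/sharingd",
     "eventMessage": "Incoming transfer from peer 0a:1b:2c:3d:4e:5f file=report.pdf"},
    {"timestamp": "2024-03-01 09:14:10.000000-0500", "subsystem": "com.apple.wifi",
     "category": "Scan", "processImagePath": "/usr/sbin/wifid",
     "eventMessage": "unrelated record that the filter must drop"},
])

def parse_ndjson(text):
    """Yield one dict per non-empty line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def build_timeline(text):
    """Return (timestamp, subsystem, category, [MACs], message) tuples for the
    Bluetooth/AirDrop subsystems, sorted chronologically regardless of export order."""
    rows = []
    for rec in parse_ndjson(text):
        if rec.get("subsystem") not in SUBSYSTEMS:
            continue
        ts = datetime.strptime(rec["timestamp"], TS_FMT)
        msg = rec.get("eventMessage", "")
        macs = [m.upper() for m in MAC_RE.findall(msg)]  # normalise case for matching
        rows.append((ts, rec["subsystem"], rec.get("category", ""), macs, msg))
    rows.sort(key=lambda r: r[0])
    return rows

if __name__ == "__main__":
    for ts, sub, cat, macs, msg in build_timeline(SAMPLE_NDJSON):
        print(f"{ts.isoformat()} {sub}/{cat} macs={','.join(macs) or '-'} {msg}")
```

Feed it the real export instead of SAMPLE_NDJSON to correlate Bluetooth connections with AirDrop transfers on one clock, and match the extracted MACs against the device list from system_profiler.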

Collection Constraints

  • Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

MITRE ATT&CK Techniques

T1011, T1200, T1091, T1052.001