AirDrop & Bluetooth Connection Logs

macOS, Network Traffic, Disk Image

Location

Unified Log (subsystem: com.apple.bluetooth, com.apple.sharing) and /var/log/bluetoothd* (legacy)

Description

Bluetooth daemon and AirDrop subsystem logs capturing device pairing events, connection history, file transfer activity, and nearby device discovery. AirDrop sharing events are logged under the com.apple.sharing subsystem in the Unified Log. Bluetooth device connections record the device name, MAC address, and connection timestamps.

Forensic Value

Bluetooth and AirDrop logs are critical for detecting proximity-based attacks and unauthorized data transfers. AirDrop file transfers bypass network monitoring entirely, making the Unified Log the only artifact that records these transfers with the sending device identifier and file names. Bluetooth pairing events reveal which external devices were connected, including keyboards (potential keystroke injection attacks via BadUSB/Rubber Ducky devices), headsets, and storage devices. Unauthorized AirDrop transfers in proximity to sensitive systems may indicate insider threat data exfiltration via this out-of-band channel.

Tools Required

log (macOS CLI), mac_apt, system_profiler SPBluetoothDataType, Crowdstrike UAC
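One way to pull the two subsystems listed under Location out of the Unified Log with the `log` CLI, for a bounded time window, and hash the export for later integrity checks. This is an added example, not part of the original page; the function names, the `SUBSYSTEMS` variable and the output file layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: export Bluetooth/AirDrop Unified Log entries for review.

# Subsystems named on this page (space-separated; override to narrow scope).
SUBSYSTEMS="com.apple.bluetooth com.apple.sharing"

# Build the predicate: subsystem == "a" OR subsystem == "b" ...
bt_airdrop_predicate() {
    pred=""
    for s in $SUBSYSTEMS; do
        if [ -n "$pred" ]; then
            pred="$pred OR "
        fi
        pred="${pred}subsystem == \"$s\""
    done
    printf '%s' "$pred"
}

# Usage: collect_bt_airdrop START END OUTFILE [LOGARCHIVE]
# START/END use the "YYYY-MM-DD HH:MM:SS" form accepted by `log show`.
collect_bt_airdrop() {
    start=$1; end=$2; out=$3; archive=${4:-}
    if ! command -v log >/dev/null 2>&1; then
        echo "log(1) not found: run this on macOS" >&2
        return 2
    fi
    # --info/--debug include lower-level messages that are hidden by default.
    set -- show --style ndjson --info --debug \
        --start "$start" --end "$end" \
        --predicate "$(bt_airdrop_predicate)"
    # Read from a collected .logarchive instead of the live system if given.
    if [ -n "$archive" ]; then
        set -- "$@" --archive "$archive"
    fi
    log "$@" > "$out" || return 1
    # Hash the export so later analysis can show it was not altered.
    shasum -a 256 "$out" > "$out.sha256"
}
```

Call it as `collect_bt_airdrop "2024-01-01 00:00:00" "2024-01-02 00:00:00" bt_airdrop.ndjson`, adding a fourth argument to read from a `.logarchive` taken from a disk image; the dates and file name here are placeholders.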