Can you determine exactly when iMac was disconnected from power?
https://apple.stackexchange.com/questions/384322
-
26-05-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
(This is not just question about when a normal power failure occurred)
My 2017 iMac was stolen today during a break-in, but the internal hard drive was dead so it was running off of an external SSD. They unplugged everything including the external drive and left it behind. I'm trying to figure out if there is a system log that keeps an ongoing record with enough time resolution to figure out close to exactly when the power was unplugged.
I can't boot it up, but I can look through the file system on another Mac. I was able to find a couple of plist files updated most recently, but it only gives me a several-hour window and I'd like to get more accurate if possible. I'm was running Catalina and I'm not able to find anything more recent in ~/Library/Logs/DiagnosticReports/
Are there any very low-level system processes that might have a record? Something like cron (though I wasn't running any scheduled jobs)?
Solution
You want to find all files that are newer (based on time of last modification) than the .plist files you've already found. So if this is the name of the .plist file you already know about...
/Users/yourusername/Library/Preferences/whatever.plist
Then you want to use find like this:
find / -newermm /Users/yourusername/Library/Preferences/whatever.plist
You might see some lines like Permission denied -- just ignore those, it's fine.
This will search the whole disk for files accessed more recently than your comparison file. It might take a while. If you get many results, pick one of the results and try the find command again, substituting your newer file into the command. Rinse and repeat until you've found the newest file.
OTHER TIPS
You would need to look through the system log for the last "Shutdown Cause" code.
There won't be anything in cron because it was deprecated in favor of launchd. However, launchd (or cron) wouldn't be of help because those logs show when things are started or error out, seldom do they show when things are shutdown - especially if powered off properly (no error)
To search the log, use the following command:
$ log show --predicate "process == kernel" | grep -i "shutdown cause"
See this answer for further details on how to search the log.
