The following Knowledge Base Article explains how copied files from a MAC are reported in the SafeConsole Audit Logs.


Background


When files are copied to the Encrypted USB drive and the USB drive has a connection to SafeConsole, device and file information are transferred to the SafeConsole Server and made available in the User Audit Logs. If a file is copied to the USB drive and the USB drive is physically removed from the USB port quickly, the file copy may not have enough time to report the event. This only applies to offline devices (no connection to SafeConsole) but will be reported to SafeConsole once the device becomes online again.


It is strongly recommended that devices are 'Locked' using the Lock button in the device control panel or eject it from the computer prior to physically removing the USB drive from the USB port. This applies to both Windows and MAC Operating Systems. 


If a file is copied to the device from a MAC Operating System, the Operating System creates a temporary file that starts with ._ and is reported as a copied file along with the parent file. In addition, the temporary file will also be listed as a modified file and a deleted file. This may cause some confusion when the device is offline since once the device comes back online and the offline events are transferred to the Audit Logs, it will report the copied and deleted events as occurring while the device is offline even though the Parent File remains. 


For more information on the ._ temporary files created in MAC environments, please visit:


https://apple.stackexchange.com/questions/14980/why-are-dot-underscore-files-created-and-how-can-i-avoid-them


For further information, please contact [email protected]