Analysis and Correlation of Macintosh Logs - SANS DFIR WEBCASTS
by Sarah Edwards via SANS Digital Forensics

When was this user logged on the system? Where was this system on a given date? What devices were used on the system? How often was the system used? Is the system compromised? These questions may be answered by viewing the logs provided by Mac OS X. This presentation will cover the variety of logs, tools to read them, and analysis of additional file system files to provide a clear picture of events. User, network, or software activities can provide a timeline that can be used to uncover clandestine activity on the system, whether or not it was meant to be secret.

Published 12 March 2015