Evidence: Application Usage
Description: Collect Application Usage
Category: System
Platform: macos
Short Name: appusg
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Application usage events from KnowledgeC track how long each app was in the foreground. This data is essential for reconstructing user activity, building triage timelines, and identifying suspicious usage patterns.
Data Collected
This collector gathers structured data about application usage.
Collection Method
This collector reads KnowledgeC databases under user profiles and runs the application usage query, recording results into app_usage.
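The following is an added example, not the collector's own code, that illustrates the collection step above: querying the /app/usage stream of a KnowledgeC database and turning Core Data timestamps into per-session durations and per-app totals. It assumes the per-user path ~/Library/Application Support/Knowledge/knowledgeC.db and only the ZOBJECT columns ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE and ZENDDATE; the in-memory database it builds is a constructed stand-in with that column subset, not a real KnowledgeC file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Core Data timestamps count seconds since 2001-01-01 00:00:00 UTC.
COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Assumed per-user location of the KnowledgeC database (not stated on this page).
KNOWLEDGEC_PATH = "~/Library/Application Support/Knowledge/knowledgeC.db"

# Application-usage query over ZOBJECT; only these four columns are assumed.
APP_USAGE_QUERY = """
SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE
FROM ZOBJECT
WHERE ZSTREAMNAME = '/app/usage'
ORDER BY ZSTARTDATE
"""


def coredata_to_utc(seconds):
    """Convert a Core Data timestamp to an aware UTC datetime."""
    return COREDATA_EPOCH + timedelta(seconds=seconds)


def utc_to_coredata(dt):
    """Inverse of coredata_to_utc; used only to build the constructed sample."""
    return (dt - COREDATA_EPOCH).total_seconds()


def query_app_usage(conn):
    """Return one dict per /app/usage event with start, end and duration.

    Rows missing a start or end are skipped (the session never closed or the
    record is incomplete). Rows whose end precedes the start are kept but
    flagged so a reviewer sees them instead of silently losing them.
    """
    events = []
    for bundle_id, start_cd, end_cd in conn.execute(APP_USAGE_QUERY):
        if start_cd is None or end_cd is None:
            continue
        start = coredata_to_utc(start_cd)
        end = coredata_to_utc(end_cd)
        duration = (end - start).total_seconds()
        events.append({
            "bundle_id": bundle_id,
            "start_utc": start.isoformat(),
            "end_utc": end.isoformat(),
            "duration_s": duration,
            "suspicious_interval": duration < 0,
        })
    return events


def summarize_by_app(events):
    """Total foreground seconds per bundle id, excluding flagged rows."""
    totals = {}
    for ev in events:
        if ev["suspicious_interval"]:
            continue
        totals[ev["bundle_id"]] = totals.get(ev["bundle_id"], 0.0) + ev["duration_s"]
    return totals


def open_user_db(path=KNOWLEDGEC_PATH):
    """Open a real KnowledgeC database read-only so the evidence is not modified."""
    uri = Path(path).expanduser().resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def build_sample_db():
    """Constructed in-memory stand-in for knowledgeC.db (subset of ZOBJECT only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, "
        "ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL)"
    )

    def t(hour, minute):
        return utc_to_coredata(datetime(2024, 3, 1, hour, minute, tzinfo=timezone.utc))

    rows = [
        ("/app/usage", "com.apple.Safari", t(9, 0), t(9, 30)),
        ("/app/usage", "com.apple.Terminal", t(9, 30), t(9, 35)),
        ("/app/usage", "com.apple.Safari", t(10, 0), t(10, 10)),
        ("/app/usage", "com.apple.Notes", t(11, 0), None),        # open-ended: skipped
        ("/app/inFocus", "com.apple.Safari", t(9, 0), t(9, 30)),   # other stream: filtered out
    ]
    conn.executemany(
        "INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) "
        "VALUES (?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    sample = build_sample_db()
    for event in query_app_usage(sample):
        print(event)
    print(summarize_by_app(query_app_usage(sample)))
```

When running this against a real profile, copy knowledgeC.db together with its -wal and -shm companions; the most recent events live in the write-ahead log and are missing if only the main file is taken, and opening the copy read-only keeps the evidence unchanged.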
Forensic Value
This evidence is crucial for forensic investigations as it shows which apps were active, when, and for how long, aiding timeline reconstruction and anomaly detection.