Application Usage

Overview

Evidence: Application Usage Description: Collect Application Usage Category: System Platform: macos Short Name: appusg Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

Application usage events from KnowledgeC track app foreground activity durations. This data is essential for reconstructing user activity, triage timelines, and identifying suspicious usage patterns.

Data Collected

This collector gathers structured data about application usage.

Collection Method

This collector reads KnowledgeC databases under user profiles and runs the application usage query, recording results into app_usage.

Forensic Value

This evidence is crucial for forensic investigations as it shows which apps were active, when, and for how long, aiding timeline reconstruction and anomaly detection.