DMG File Opened
Overview
Evidence: DMG File Opened
Description: Collects previously opened DMG files.
Category: DiskFilesystem
Platform: macos
Short Name: dmgf
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
DMG (disk image) files are commonly used on macOS for software distribution and data storage. When a DMG file is opened, macOS stores extended attributes (xattrs) including fsck information and recent checksums on the file. These attributes provide forensic evidence of DMG file access, helping investigators identify software installations, data transfers, or malicious payloads delivered via DMG files.
Data Collected
This collector gathers structured data about previously opened DMG files.
DMG File Opened Data

| Field | Display name | Example value |
| --- | --- | --- |
| ID | ID | 123 |
| Path | Path | Example value |
| Username | Username | Example value |
| Fsck | Fsck | Example value |
| RecentCksumDate | Recent Cksum Date | 2023-10-15 14:30:25+03:00 |
| RecentCksumType | Recent Cksum Type | Example value |
| RecentCksum | Recent Cksum | Example value |
Collection Method
This collector scans the file system for DMG files and extracts extended attributes (com.apple.diskimages.fsck and com.apple.diskimages.recentcksum) to identify which DMG files were previously opened. It parses the recentcksum attribute to extract timestamps, checksum types, and checksum values, providing a timeline of DMG file access.
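As an added illustration, not the collector's own code, the following Python reads the two attributes with the macOS `xattr` tool and parses the recentcksum value into the date, type and checksum fields listed above. The value layout `i:1 on YYYY-MM-DD @ HH:MM:SS: CRC32:$HEX` is an assumption (the page does not document it), as is treating the fsck attribute as an opaque status value that is recorded but not interpreted.

```python
"""Extract DMG-open evidence from com.apple.diskimages.* extended attributes."""
import re
import subprocess
from datetime import datetime, tzinfo
from typing import Optional

# ASSUMED layout of com.apple.diskimages.recentcksum (not documented on the page):
#   "i:1 on 2023-10-15 @ 14:30:25: CRC32:$9F3A1C2B"
_RECENT_CKSUM_RE = re.compile(
    r"^i:(?P<index>\d+) on (?P<date>\d{4}-\d{2}-\d{2}) @ (?P<time>\d{2}:\d{2}:\d{2}): "
    r"(?P<ctype>[A-Za-z0-9-]+):\$(?P<cksum>[0-9A-Fa-f]+)$"
)


def parse_recent_cksum(value: str, tz: Optional[tzinfo] = None) -> Optional[dict]:
    """Return {'date', 'type', 'cksum'} from a recentcksum string, or None if unrecognised.

    The attribute carries no zone marker, so the caller may supply the host's tz
    to produce the zone-aware timestamp shown in the field table (e.g. +03:00).
    """
    m = _RECENT_CKSUM_RE.match(value.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    if tz is not None:
        when = when.replace(tzinfo=tz)
    return {"date": when, "type": m["ctype"].upper(), "cksum": m["cksum"].upper()}


def read_xattr(path: str, name: str) -> Optional[str]:
    """Read one xattr via `xattr -p` (macOS); None if the tool or attribute is absent."""
    try:
        out = subprocess.run(["xattr", "-p", name, path],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    text = out.stdout.strip()
    return text if out.returncode == 0 and text else None


def dmg_open_evidence(path: str) -> Optional[dict]:
    """Build one evidence record for a DMG; None when neither attribute is present."""
    recent = read_xattr(path, "com.apple.diskimages.recentcksum")
    fsck = read_xattr(path, "com.apple.diskimages.fsck")  # kept raw, not interpreted
    if recent is None and fsck is None:
        return None  # no trace of the image ever having been opened
    record = {"path": path, "fsck": fsck, "recent_cksum_raw": recent}
    parsed = parse_recent_cksum(recent) if recent else None
    record.update(parsed or {"date": None, "type": None, "cksum": None})
    return record
```

Run it on a macOS host as `python3 dmg_evidence.py /path/to/*.dmg` after adding a small loop over `sys.argv`; on other platforms `read_xattr` simply returns None.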
Forensic Value
DMG file access history is valuable for identifying software installations, detecting unauthorized application deployments, tracking malware delivery mechanisms, and establishing file access timelines. The checksum information can be used to verify file integrity and correlate DMG files across multiple systems. This evidence is particularly useful for detecting supply chain attacks, insider threats, and unauthorized software installations.