Document Revisions

Overview

Evidence: Document Revisions
Description: Collect Document Revisions
Category: System
Platform: macos
Short Name: drvs
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

macOS DocumentRevisions-V100 stores prior versions of documents for autosave. This data is essential for recovering prior content and tracking edits over time.

Data Collected

This collector gathers structured data about document revisions.

Document Revisions Data

| Field | Description | Example |
| --- | --- | --- |
| FileINode | File inode | 123 |
| StorageID | Storage ID | 123 |
| FilePath | File Path | Example value |
| ExistsOnDisk | Exists On Disk | true |
| FileLastSeen | File Last Seen | 2023-10-15 14:30:25+03:00 |
| GenerationAdded | Generation Added | 2023-10-15 14:30:25+03:00 |
| GenerationPath | Generation Path | Example value |
| Source | Source | Example value |

Collection Method

This collector copies the DocumentRevisions database, queries it for files and generations, and records the results in document_revisions.
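
The query step described above, as an added example that is not the collector's own code: it joins files to their generations on the storage ID and maps each row to the fields listed under Document Revisions Data. The table and column names and the Unix-epoch timestamp format are assumptions not stated on this page, and the sample database is constructed.

```python
import os
import sqlite3
from datetime import datetime, timezone

# Assumed schema: table and column names are not given on this page.
QUERY = """
SELECT f.file_inode, f.file_storage_id, f.file_path, f.file_last_seen,
       g.generation_add_time, g.generation_path
FROM files AS f
JOIN generations AS g ON g.generation_storage_id = f.file_storage_id
ORDER BY f.file_storage_id, g.generation_add_time
"""

def to_utc(epoch):
    """Convert Unix epoch seconds (assumed storage format) to a UTC string."""
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(sep=" ")

def list_revisions(conn, source, exists=os.path.exists):
    """Return one record per stored generation, keyed by this page's field names."""
    rows = []
    for inode, sid, path, seen, added, gen_path in conn.execute(QUERY):
        rows.append({
            "FileINode": inode, "StorageID": sid, "FilePath": path,
            # A missing original with surviving generations is the case of interest.
            "ExistsOnDisk": bool(path) and exists(path),
            "FileLastSeen": to_utc(seen), "GenerationAdded": to_utc(added),
            "GenerationPath": gen_path, "Source": source,
        })
    return rows

def build_sample_db():
    """Constructed stand-in for a copied database; every value is made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE files (file_inode INTEGER, file_storage_id INTEGER,
                            file_path TEXT, file_last_seen INTEGER);
        CREATE TABLE generations (generation_storage_id INTEGER,
                                  generation_add_time INTEGER, generation_path TEXT);
        INSERT INTO files VALUES (123, 7, '/Users/sample/Documents/report.txt', 1697369425);
        INSERT INTO generations VALUES (7, 1697365825, 'PerUID/501/7/sample/A.txt');
        INSERT INTO generations VALUES (7, 1697369425, 'PerUID/501/7/sample/B.txt');
    """)
    return conn

if __name__ == "__main__":
    for record in list_revisions(build_sample_db(), "sample.sqlite"):
        print(record)
```

Run it against a copy of the database rather than the live file, and pass an `exists` callable that resolves paths inside the mounted image when working offline.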

Forensic Value

This evidence is crucial for forensic investigations as it can reveal previous versions of altered or deleted documents.
