Downloaded Files Information
Overview
Evidence: Downloaded Files Information
Description: Collect information about downloaded files
Category: System
Platform: macos
Short Name: dwnlds
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Downloaded files in user profiles provide visibility into initial access vectors and user activity. This data is essential for tracking suspicious downloads and verifying code signing and provenance.
Data Collected
This collector gathers structured data about downloaded files.
Collection Method
This collector enumerates users’ Downloads folders, extracts file metadata, hashes small files, and parses WhereFrom URLs and quarantine flags.
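The parsing step described above, as an added example that is not the collector's own code: it decodes a `com.apple.quarantine` value and a `com.apple.metadata:kMDItemWhereFroms` property list and combines them with size and hash into one record. The sample attribute values, the 1 MiB hashing cut-off and the quarantine field layout (`flags;hex_epoch;agent;event_uuid`) are assumptions.

```python
import hashlib
import plistlib
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"
WHEREFROMS_XATTR = "com.apple.metadata:kMDItemWhereFroms"
MAX_HASH_BYTES = 1024 * 1024  # assumed "small file" cut-off; the page gives none

def _hex(value):  # int from hex text, None when empty or malformed
    try:
        return int(value, 16)
    except ValueError:
        return None

def parse_quarantine(raw):
    """Split 'flags;hex_epoch;agent;event_uuid' (assumed layout) into fields."""
    parts = raw.decode("utf-8", "replace").rstrip("\x00").split(";")
    parts += [""] * (4 - len(parts))  # some entries omit trailing fields
    flags, stamp, agent, event_id = parts[:4]
    try:
        when = datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc).isoformat()
    except (ValueError, OverflowError, OSError):
        when = None  # keep the record even when the timestamp is unusable
    return {"flags": _hex(flags), "timestamp": when,
            "agent": agent or None, "event_id": event_id or None}

def parse_where_froms(raw):
    """Decode the property-list array of source URLs stored on the file."""
    try:
        items = plistlib.loads(raw)
    except Exception:  # truncated or non-plist attribute value
        return []
    return [u for u in items if isinstance(u, str)] if isinstance(items, list) else []

def build_record(name, data, xattrs):
    """Combine size, hash (small files only) and provenance for one file."""
    q, w = xattrs.get(QUARANTINE_XATTR), xattrs.get(WHEREFROMS_XATTR)
    return {"name": name, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest() if len(data) <= MAX_HASH_BYTES else None,
            "quarantine": parse_quarantine(q) if q else None,
            "where_froms": parse_where_froms(w) if w else []}

# Constructed sample: attribute values as they would be read from a download.
URLS = ["https://dl.example.com/invoice.dmg", "https://mail.example.com/"]
SAMPLE_XATTRS = {
    QUARANTINE_XATTR: b"0083;65a1b2c3;Safari;11111111-2222-3333-4444-555555555555",
    WHEREFROMS_XATTR: plistlib.dumps(URLS, fmt=plistlib.FMT_BINARY),
}
SAMPLE_RECORD = build_record("invoice.dmg", b"constructed file body", SAMPLE_XATTRS)
```

On a live macOS system the two attribute values can be read with `xattr -px <name> <file>`; a file with neither attribute yields `quarantine: None` and an empty `where_froms` list.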
Forensic Value
This evidence is crucial for forensic investigations as it links files to sources and timestamps, aiding detection of phishing payloads and drive‑by downloads.