Evidence: Downloaded Files Information
Description: Collect information about downloaded files
Category: System
Platform: macos
Short Name: dwnlds
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Downloaded files in user profiles provide visibility into initial access vectors and user activity. This data is essential for tracking suspicious downloads and verifying code signing and provenance.
Data Collected
This collector gathers structured data about downloaded files.
Collection Method
This collector enumerates users’ Downloads folders, extracts file metadata, hashes small files, and parses WhereFrom URLs and quarantine flags.
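The last two items, shown as an added example that is not the collector's own code: Python that decodes the raw values of the `com.apple.metadata:kMDItemWhereFroms` and `com.apple.quarantine` extended attributes into one provenance record. The function names are hypothetical, and the file name, URLs and attribute bytes are constructed sample data.

```python
import plistlib
from datetime import datetime, timezone

QTN_FLAG_USER_APPROVED = 0x0040  # set after the user approves first launch

def parse_quarantine(raw):
    """Parse a com.apple.quarantine value: 'flags;hex_epoch;agent;event_uuid'."""
    fields = raw.rstrip(b"\x00").decode("utf-8", "replace").split(";")
    fields += [""] * (4 - len(fields))      # trailing fields may be absent
    try:
        flags = int(fields[0], 16)
    except ValueError:
        return None                         # not a quarantine value at all
    try:
        when = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        when = None                         # keep the record, drop the bad time
    return {"flags": flags,
            "user_approved": bool(flags & QTN_FLAG_USER_APPROVED),
            "timestamp": when,
            "agent": fields[2] or None,
            "event_id": fields[3] or None}

def parse_where_froms(raw):
    """kMDItemWhereFroms is a plist array, typically [download URL, referrer]."""
    try:
        value = plistlib.loads(raw)
    except Exception:                       # attribute data is untrusted input
        return []
    if not isinstance(value, list):
        return []
    return [v for v in value if isinstance(v, str)]

def provenance(name, xattrs):
    """Build one record from a file's raw extended attributes (name -> bytes)."""
    urls = parse_where_froms(xattrs.get("com.apple.metadata:kMDItemWhereFroms", b""))
    qtn = xattrs.get("com.apple.quarantine")
    return {"file": name,
            "source_url": urls[0] if urls else None,
            "referrer": urls[1] if len(urls) > 1 else None,
            "quarantine": parse_quarantine(qtn) if qtn else None}

# Constructed sample attributes for a hypothetical file named invoice.dmg
SAMPLE = {
    "com.apple.metadata:kMDItemWhereFroms": plistlib.dumps(
        ["https://downloads.example.com/invoice.dmg", "https://mail.example.com/"],
        fmt=plistlib.FMT_BINARY),
    "com.apple.quarantine":
        b"0083;5991b778;Safari;00000000-0000-0000-0000-000000000000",
}
```

A file in Downloads whose record has `quarantine` set to `None` carried no quarantine attribute, so it did not arrive through a quarantine-aware application or the attribute was removed afterwards.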
Forensic Value
This evidence is crucial for forensic investigations as it links files to sources and timestamps, aiding detection of phishing payloads and drive‑by downloads.