.DS_Store Files

Overview

Evidence: .DS_Store Files Description: Collect information about .DS_Store files. Category: DiskFilesystem Platform: macos Short Name: dsstr Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

.DS_Store files store Finder metadata for directories. This data is essential for evidencing file presence and user interactions even after deletions.

Data Collected

This collector gathers structured data about .ds_store files.

.DS_Store Files Data

Field

Description

Example

Path

Path

Example value

ModificationTime

Modification Time

2023-10-15 14:30:25+03:00

AccessTime

Access Time

2023-10-15 14:30:25+03:00

CreationTime

Creation Time

2023-10-15 14:30:25+03:00

FileName

File Name

Example value

StructureType

Structure Type

Example value

DataType

Data Type

Example value

Collection Method

This collector discovers .DS_Store files under user directories, parses entries, and records them into ds_store.

Forensic Value

This evidence is crucial for forensic investigations as it can indicate files that existed and how they were displayed in Finder.

PreviousDownloaded Files Information NextDump Arc Indexed DB

Last updated 2 days ago

Was this helpful?