# .DS\_Store Files

## Overview

**Evidence:** .DS\_Store Files\
**Description:** Collect information about .DS\_Store files.\
**Category:** DiskFilesystem\
**Platform:** macos\
**Short Name:** dsstr\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

.DS\_Store files store Finder metadata for directories. This data is essential for evidencing file presence and user interactions even after deletions.

## Data Collected

This collector gathers structured data about .ds\_store files.

### .DS\_Store Files Data

| Field              | Description       | Example                   |
| ------------------ | ----------------- | ------------------------- |
| `Path`             | Path              | Example value             |
| `ModificationTime` | Modification Time | 2023-10-15 14:30:25+03:00 |
| `AccessTime`       | Access Time       | 2023-10-15 14:30:25+03:00 |
| `CreationTime`     | Creation Time     | 2023-10-15 14:30:25+03:00 |
| `FileName`         | File Name         | Example value             |
| `StructureType`    | Structure Type    | Example value             |
| `DataType`         | Data Type         | Example value             |

## Collection Method

This collector discovers `.DS_Store` files under user directories, parses entries, and records them into `ds_store`.

## Forensic Value

This evidence is crucial for forensic investigations as it can indicate files that existed and how they were displayed in Finder.