File Last Used

Overview

Evidence: File Last Used Description: Collects files with last access times via Finder or open command. Category: DiskFilesystem Platform: macos Short Name: fls Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

macOS tracks last usage metadata for files through extended attributes (e.g., com.apple.lastuseddate#PS) updated by Finder and certain application interactions. These timestamps help understand user interaction with files beyond standard atime semantics.

Data Collected

This collector gathers structured data about file last used.

File Last Used Data

Field

Description

Example

ID

123

Username

Username

Example value

Path

Path

Example value

Time

Time

2023-10-15 14:30:25+03:00

Collection Method

This collector enumerates user directories and extracts the com.apple.lastuseddate#PS extended attribute for files, decoding it into timestamps and mapping them to the owning user.

Forensic Value

Last used timestamps help reconstruct user activity on documents, reveal recently interacted files, and support timeline building even when traditional access times are unreliable due to filesystem settings.

PreviousFailed Sudo NextFile System Enumeration

Last updated 2 months ago

Was this helpful?

hashtagOverview

hashtagBackground

hashtagData Collected

hashtagFile Last Used Data

hashtagCollection Method

hashtagForensic Value