Installed Applications

Overview

Evidence: Installed Applications
Description: Collect info on installed apps
Category: System
Platform: macos
Short Name: apps
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

This collector gathers installed applications information from macOS, including bundle identifiers, versions, signatures, and entitlements. This data is essential for understanding software inventory, detecting unauthorized installs, and investigating persistence.

Data Collected

This collector gathers structured data about installed applications.

Installed Applications Data

Field | Description | Example
----- | ----------- | -------
DisplayName | Display Name | Example value
AppName | App Name | Example value
Path | Path | Example value
Environment | Environment | Example value
Element | Element | Example value
BundleExecutable | Bundle Executable | Example value
BundleIdentifier | Bundle Identifier | Example value
BundleName | Bundle Name | Example value
BundleVersion | Bundle Version | Example value
LastChangeTime | Last Change Time | 2023-10-15 14:30:25+03:00
AccessTime | Access Time | 2023-10-15 14:30:25+03:00
ModificationTime | Modification Time | 2023-10-15 14:30:25+03:00
LastOpenedTime | Last Opened Time | 2023-10-15 14:30:25+03:00
Hash | Hash | Example value
SizeInBytes | Size In Bytes | 123
DisableLibraryValidation | Disable Library Validation | true
DyldEnvVariables | Dyld Env Variables | true
SignatureInfo | Signature Info | Example value
DynamicLibraries | Dynamic Libraries | []

Collection Method

This collector queries the apps table via osquery and augments results with file metadata and signature details.
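The following Python example is added here to illustrate how osquery apps rows and per-app signature details could be joined into the fields listed above; it is not the collector's own code. It embeds constructed sample osquery output and a constructed entitlements plist, and assumes that DisableLibraryValidation and DyldEnvVariables reflect the Hardened Runtime entitlements com.apple.security.cs.disable-library-validation and com.apple.security.cs.allow-dyld-environment-variables.

```python
import json
import plistlib
# Hardened Runtime entitlements that opt an app out of dylib injection protections;
# mapping them onto the collector's DisableLibraryValidation / DyldEnvVariables
# fields is an assumption of this example, not something the page documents.
DISABLE_LIBVAL = "com.apple.security.cs.disable-library-validation"
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"

# Constructed sample rows, in the shape `osqueryi --json "SELECT ... FROM apps"` emits.
OSQUERY_APPS_JSON = json.dumps([
    {"display_name": "Safe App", "name": "SafeApp.app", "path": "/Applications/SafeApp.app",
     "bundle_executable": "SafeApp", "bundle_identifier": "com.example.safe", "bundle_version": "1.0"},
    {"display_name": "Weak App", "name": "WeakApp.app", "path": "/Applications/WeakApp.app",
     "bundle_executable": "WeakApp", "bundle_identifier": "com.example.weak", "bundle_version": "2.3"},
])

# Constructed sample: the XML entitlements plist codesign extracts from the weak app.
ENTITLEMENTS_BY_PATH = {
    "/Applications/WeakApp.app": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
</dict></plist>""",
}

def parse_entitlements(plist_bytes):
    """Return the entitlement dict from an XML plist, or {} when the app has none."""
    return plistlib.loads(plist_bytes) if plist_bytes and plist_bytes.strip() else {}

def build_record(app, entitlements):
    """Map one osquery apps row plus its entitlements onto the collector's field names."""
    return {
        "DisplayName": app.get("display_name", ""),
        "AppName": app["name"],
        "Path": app["path"],
        "BundleExecutable": app.get("bundle_executable", ""),
        "BundleIdentifier": app.get("bundle_identifier", ""),
        "BundleVersion": app.get("bundle_version", ""),
        "DisableLibraryValidation": bool(entitlements.get(DISABLE_LIBVAL, False)),
        "DyldEnvVariables": bool(entitlements.get(ALLOW_DYLD_ENV, False)),
    }

def collect(osquery_json, entitlements_by_path):
    """Join osquery rows with per-app entitlements into collector-style records."""
    return [build_record(a, parse_entitlements(entitlements_by_path.get(a["path"], b"")))
            for a in json.loads(osquery_json)]

def weakened_apps(records):
    """Records whose entitlements disable library validation or allow DYLD env variables."""
    return [r for r in records if r["DisableLibraryValidation"] or r["DyldEnvVariables"]]
```

Apps returned by weakened_apps are the ones an investigator would review first, since both entitlements relax the protections that normally stop unsigned or foreign dylibs from loading into the process.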

Forensic Value

This evidence is crucial for forensic investigations as it highlights installed software, execution history, and code signing state, aiding detection of malicious or untrusted apps.
