Launchd Files

Overview

Evidence: Launchd Files Description: Collect all launchd plist files from system directories Category: System Platform: macOS Short Name: lnchdf Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): No

Background

This collector gathers launchd files information from the macOS system. This data is essential for understanding system activity, detecting security incidents, and investigating system-related events.## Data Collected

This collector gathers structured data about launchd files.

Launchd Files Data

Field
Description
Example

ID

Primary key (auto-increment)

1

FilePath

Full file path

/System/Library/LaunchAgents/com.apple.Safari.plist

FileName

File name

com.apple.Safari.plist

FileSize

File size in bytes

1024

FileMode

File permissions

644

IsDir

Whether it's a directory

false

DirectoryType

Directory type (System/Library/User)

System

AccessTime

File access time

2023-10-15 14:30:25

ModificationTime

File modification time

2023-10-15 14:30:25

CreationTime

File creation time

2023-10-15 14:30:25

Collection Method

This collector parses the necessary data from the launchd_files table.

Usage

This evidence is crucial for forensic investigations as it provides launchd files information. It helps investigators understand system activity, detect security incidents, and investigate system-related events. The data can reveal system changes, unauthorized activities, and potential security vulnerabilities. Analysts can use this information to identify system compromises, trace malicious activities, and assess system security posture.

Notes

This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.

Last updated

Was this helpful?