Launchd Files

Overview

Evidence: Launchd Files Description: Collect all launchd plist files from system directories Category: System Platform: macos Short Name: lnchdf Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

Background

Launchd plists define daemons and agents on macOS. This data is essential for auditing startup items, detecting persistence, and verifying service configurations.

Data Collected

This collector gathers structured data about launchd files.

Collection Method

This collector enumerates known LaunchAgents and LaunchDaemons directories, copies .plist files to content, and records file metadata into the launchd_files table.

Forensic Value

This evidence is crucial for forensic investigations as it exposes auto-run configurations and modifications that may indicate malicious persistence.