Login Items

Overview

Evidence: Login Items Description: Collect Login Items Category: System Platform: macos Short Name: litms Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

Login Items configure applications to start automatically upon user login. This data is essential for detecting persistence and unwanted auto-start programs.

Data Collected

This collector gathers structured data about login items.

Field

Description

Example

Item

Item

Example value

Path

Path

Example value

Active

Active

true

Collection Method

This collector uses AppleScript via osascript to enumerate login items and their paths, recording them into login_items.

Forensic Value

This evidence is crucial for forensic investigations as it reveals user-level persistence and startup behavior.

PreviousLogin Hooks Nextlogind

Last updated 11 days ago

Was this helpful?

Overview

Background

Data Collected

Login Items Data

Collection Method

Forensic Value