Most Recently Used

Overview

| Property | Value |
| --- | --- |
| Evidence | Most Recently Used (MRU) |
| Description | Collect Most Recently Used (MRU) items |
| Category | System |
| Platform | macos |
| Short Name | mru |
| Is Parsed | Yes |
| Sent to Investigation Hub | Yes |
| Collect File(s) | No |

Background

MRU data in Finder and app containers captures recently accessed folders, copies/moves, and secure bookmarks. This data is essential for reconstructing user file access and movement.

Data Collected

This collector gathers structured data about Most Recently Used (MRU) items.

Most Recently Used (MRU) Data

| Field | Description | Example |
| --- | --- | --- |
| User | User | Example value |
| SourceFile | Source File | Example value |
| SourceName | Source Name | Example value |
| SourceKey | Source Key | Example value |
| Name | Name | Example value |
| URL | URL | Example value |

Collection Method

This collector parses Finder and sidebar plists and secure bookmarks, extracting recent items into most_recently_used.
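The sketch below is an added example, not the collector's own code: it parses a constructed Finder preferences plist and emits one row per recent item using the six field names listed above. It assumes the Finder keys `FXRecentFolders` and `GoToFieldHistory` as sources and `Finder` as the `SourceName` value; the function names are hypothetical, and secure bookmark blobs are left undecoded.

```python
import plistlib
from pathlib import PurePosixPath
from urllib.parse import quote

# Finder preference keys holding recent-item lists (assumed sources for this sketch).
FINDER_KEYS = ("FXRecentFolders", "GoToFieldHistory")

def user_from_path(source_file):
    """Derive the account name from /Users/<name>/...; empty if not under /Users."""
    parts = PurePosixPath(source_file).parts
    return parts[2] if len(parts) > 2 and parts[1] == "Users" else ""

def parse_finder_mru(raw, source_file):
    """Return one row per recent item, keyed by the field names in the table above."""
    try:
        prefs = plistlib.loads(raw)
    except Exception:  # truncated or corrupt plist: yield nothing rather than crash
        return []
    if not isinstance(prefs, dict):
        return []
    rows = []
    for key in FINDER_KEYS:
        items = prefs.get(key)
        if not isinstance(items, list):
            continue
        for item in items:
            if isinstance(item, str):      # GoToFieldHistory: path strings as typed
                name = PurePosixPath(item).name
                url = "file://" + quote(item) if item.startswith("/") else item
            elif isinstance(item, dict):   # FXRecentFolders: name plus bookmark blob
                name, url = item.get("name", ""), ""  # bookmark is not decoded here
            else:
                continue
            rows.append({"User": user_from_path(source_file), "SourceFile": source_file,
                         "SourceName": "Finder",  # assumed label, not the product's
                         "SourceKey": key, "Name": name, "URL": url})
    return rows

# Constructed sample input (not real evidence).
SAMPLE_PATH = "/Users/alice/Library/Preferences/com.apple.finder.plist"
SAMPLE_PLIST = plistlib.dumps({
    "FXRecentFolders": [{"name": "Payroll", "file-bookmark": b"book\x00\x00"}],
    "GoToFieldHistory": ["/Volumes/USB DISK/export", "~/Library/Mail"],
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for row in parse_finder_mru(SAMPLE_PLIST, SAMPLE_PATH):
        print(row)
```

Rows with an empty `URL` mark entries whose location is only recoverable by decoding the bookmark data.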

Forensic Value

This evidence is crucial for forensic investigations as it shows recent file interactions and locations, supporting timeline and exfiltration analysis.
