Package Install History

Overview

Evidence: Package Install History Description: Collect Package Install History Category: System Platform: macos Short Name: pkghist Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

Package installation history tracks software installs by package IDs. This data is essential for change auditing, detecting unauthorized installs, and reconstructing software timelines.

Data Collected

This collector gathers structured data about package install history.

Package Install History Data

Field

Description

Example

PackageID

Package ID

Example value

Name

Name

Example value

Version

Version

Example value

Source

Source

Example value

ContentType

Content Type

Example value

Time

Time

2023-10-15 14:30:25+03:00

Collection Method

This collector queries the package_install_history table via osquery and records into package_install_histories.

Forensic Value

This evidence is crucial for forensic investigations as it reveals what was installed, when, and by whom, aiding attribution and scope analysis.

PreviousPCAP NextParallels Logs

Last updated 2 months ago

Was this helpful?

hashtagOverview

hashtagBackground

hashtagData Collected

hashtagPackage Install History Data

hashtagCollection Method

hashtagForensic Value

Overview

Background

Data Collected

Package Install History Data

Collection Method

Forensic Value