Package Install History
Overview
Evidence: Package Install History
Description: Collect Package Install History
Category: System
Platform: macos
Short Name: pkghist
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Package installation history records software installs by package ID. This data is essential for change auditing, detecting unauthorized installs, and reconstructing software timelines.
Data Collected
This collector gathers structured data about package install history.
Package Install History Data
Field         Description     Example
PackageID     Package ID      Example value
Name          Name            Example value
Version       Version         Example value
Source        Source          Example value
ContentType   Content Type    Example value
Time          Time            2023-10-15 14:30:25+03:00
Collection Method
This collector queries the package_install_history table via osquery and records the results into package_install_histories.
Forensic Value
This evidence is crucial for forensic investigations as it reveals what was installed, when, and by whom, aiding attribution and scope analysis.
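The following is an added example, not part of the original page or the collector's own code. It turns rows in the shape that `osqueryi --json` prints for the package_install_history table into a time-ordered timeline and flags installs from unexpected sources and version changes. The sample rows and the approved-source list are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample rows (all values invented), shaped like the output of:
#   osqueryi --json "SELECT * FROM package_install_history;"
# osquery's JSON output carries every column as a string.
SAMPLE_JSON = """[
 {"package_id": "com.example.pkg.Editor", "time": "1697455825",
  "name": "Editor", "version": "2.2", "source": "softwareupdated", "content_type": ""},
 {"package_id": "com.example.pkg.Helper", "time": "1697400000",
  "name": "Helper", "version": "1.0", "source": "installer", "content_type": ""},
 {"package_id": "com.example.pkg.Editor", "time": "1697369425",
  "name": "Editor", "version": "2.1", "source": "Installer", "content_type": ""}
]"""

# Assumption: the install sources this fleet expects; tune per environment.
APPROVED_SOURCES = frozenset({"Installer", "softwareupdated"})

def build_timeline(raw_json, approved=APPROVED_SOURCES):
    """Return install events oldest-first, each annotated with audit flags."""
    rows = sorted(json.loads(raw_json), key=lambda r: int(r["time"]))
    last_version = {}  # package_id -> most recent version seen so far
    timeline = []
    for row in rows:
        pkg, version = row["package_id"], row["version"]
        flags = []
        if row["source"] not in approved:
            flags.append("unapproved-source")
        previous = last_version.get(pkg)
        if previous is None:
            flags.append("first-install")
        elif previous != version:
            flags.append(f"version-change:{previous}->{version}")
        else:
            flags.append("reinstall")
        last_version[pkg] = version
        # Normalise the epoch value to UTC so hosts in different zones line up.
        when = datetime.fromtimestamp(int(row["time"]), tz=timezone.utc)
        timeline.append({"time": when.isoformat(sep=" "), "package_id": pkg,
                         "version": version, "source": row["source"],
                         "flags": flags})
    return timeline

if __name__ == "__main__":
    for event in build_timeline(SAMPLE_JSON):
        print(event["time"], event["package_id"], event["version"],
              event["source"], ",".join(event["flags"]))
```

Versions are compared only for equality, so a downgrade is reported as a version change like any other.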

