Quick Look Cache

Overview

Evidence: Quick Look Cache Description: Collect Quick Look Cache Category: System Platform: macos Short Name: qklc Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

Quick Look cache stores thumbnails and metadata for recently viewed files. This data is essential for confirming file access and reconstructing user interactions with files.

Data Collected

This collector gathers structured data about quick look cache.

Quick Look Cache Data

Field

Description

Example

Path

Path

Example value

RowID

Row ID

123

FSID

FSID

Example value

VolumeID

Volume ID

123

INode

I Node

123

ModTime

Mod Time

123

Size

Size

123

Label

Label

Example value

LastHitDate

Last Hit Date

123

HitCount

Hit Count

Example value

IconMode

Icon Mode

123

CachePath

Cache Path

Example value

Collection Method

This collector queries the quicklook_cache table via osquery and records cache metadata into quicklook_cache.

Forensic Value

This evidence is crucial for forensic investigations as it indicates files previewed or viewed by a user, even if moved or deleted.

PreviousQuarantine Events NextRe-opened Apps

Last updated 4 days ago

Was this helpful?