Re-opened Apps

Overview

Evidence: Re-Opened Apps
Description: Collect Re-Opened Apps
Category: System
Platform: macos
Short Name: reapps
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The re-opened apps preference tracks the files and apps restored at login. This data is essential for understanding user session restoration and potential persistence via loginwindow.

Data Collected

This collector gathers structured data about re-opened apps.

Re-Opened Apps Data

| Field | Description | Example |
|---|---|---|
| Plist | Plist | Example value |
| FilePath | File Path | Example value |
| OriginalFilename | Original Filename | Example value |
| FileType | File Type | Example value |
| SHA1 | SHA1 | Example value |
| SizeInBytes | Size In Bytes | 123 |
| FileCreated | File Created | 2023-10-15 14:30:25+03:00 |
| FileLastAccessed | File Last Accessed | 2023-10-15 14:30:25+03:00 |
| FileLastChanged | File Last Changed | 2023-10-15 14:30:25+03:00 |
| FileLastModified | File Last Modified | 2023-10-15 14:30:25+03:00 |

Collection Method

This collector joins plist, hash, and file tables to enumerate ByHost loginwindow plists and referenced items, recording metadata into re_opened_apps.
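
The sketch below shows the same enumeration for manual triage. It is an added example, not the collector's own code: it walks a home directory's ByHost loginwindow plists, reads the items each one lists, and emits rows using the field names from the table above. Assumptions: the items live under the TALAppsToRelaunchAtLogin key with a Path entry per item, OriginalFilename is taken to be the base name, timestamps are printed in UTC, and the function names and the sample plist are constructed for illustration.

```python
import hashlib, plistlib, stat
from datetime import datetime, timezone
from pathlib import Path
BYHOST_GLOB = "Library/Preferences/ByHost/com.apple.loginwindow.*.plist"
FILE_COLS = ["FileType", "SHA1", "SizeInBytes", "FileCreated",
             "FileLastAccessed", "FileLastChanged", "FileLastModified"]

def _ts(epoch):  # epoch seconds -> "YYYY-MM-DD HH:MM:SS+00:00" (UTC); None stays None
    if epoch is not None:
        return datetime.fromtimestamp(epoch, timezone.utc).isoformat(sep=" ", timespec="seconds")

def describe(plist_path, item_path):
    """Build one row keyed by the field names in the table above."""
    p = Path(item_path)
    row = dict.fromkeys(FILE_COLS)
    row.update(Plist=str(plist_path), FilePath=str(item_path), OriginalFilename=p.name)
    try:
        st = p.lstat()  # lstat: describe a symlink itself rather than its target
        sha1 = hashlib.sha1(p.read_bytes()).hexdigest() if stat.S_ISREG(st.st_mode) else None
    except OSError:
        return row  # item missing or unreadable: keep the row, metadata stays None
    kind = "regular" if sha1 is not None else "directory" if stat.S_ISDIR(st.st_mode) else "other"
    row.update(FileType=kind, SHA1=sha1, SizeInBytes=st.st_size,
               FileCreated=_ts(getattr(st, "st_birthtime", None)),  # birth time: macOS/BSD
               FileLastAccessed=_ts(st.st_atime), FileLastChanged=_ts(st.st_ctime),
               FileLastModified=_ts(st.st_mtime))
    return row

def collect_reopened_apps(home):
    """Rows for each ByHost loginwindow plist and each item it lists for relaunch."""
    rows = []
    for plist_path in sorted(Path(home).glob(BYHOST_GLOB)):
        try:
            apps = plistlib.loads(plist_path.read_bytes()).get("TALAppsToRelaunchAtLogin", [])
            paths = [a["Path"] for a in apps if isinstance(a, dict) and a.get("Path")]
        except Exception:  # unreadable or malformed plist: skip it, keep collecting
            continue
        rows += [describe(plist_path, p) for p in (plist_path, *paths)]
    return rows

def build_sample_home(root):
    """Constructed sample: one plist naming an existing file and a missing bundle."""
    home = Path(root)
    (home / "Library/Preferences/ByHost").mkdir(parents=True)
    (home / "helper").write_bytes(b"constructed sample")
    apps = [{"BundleID": "com.example.helper", "Path": str(home / "helper")},
            {"BundleID": "com.example.gone", "Path": str(home / "Applications/Gone.app")}]
    plist = home / BYHOST_GLOB.replace("*", "00000000-0000-0000-0000-000000000000")
    plist.write_bytes(plistlib.dumps({"TALAppsToRelaunchAtLogin": apps}))
    return home
```

A row whose file columns are all empty marks a relaunch entry that points at an item no longer on disk, which is worth following up during review.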

Forensic Value

This evidence is crucial for forensic investigations as it highlights recently accessed items and auto‑restored apps that may indicate user behavior or malicious persistence.
