# Shared File List

## Overview

**Evidence:** Shared File List\
**Description:** Collect Shared File List (SFL) items\
**Category:** System\
**Platform:** macos\
**Short Name:** sfl\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Shared File List (SFL/SFL2) stores recent items and application-specific lists. This data is essential for reconstructing user activity and identifying recently accessed files and apps.

## Data Collected

This collector gathers structured data about Shared File List items.

### Shared File List Data

| Field        | Description | Example       |
| ------------ | ----------- | ------------- |
| `User`       | User        | Example value |
| `SourceFile` | Source File | Example value |
| `SourceName` | Source Name | Example value |
| `ItemIndex`  | Item Index  | 123           |
| `Name`       | Name        | Example value |
| `URL`        | URL         | Example value |

## Collection Method

This collector copies each user's SFL/SFL2 files, decodes their NSKeyedArchiver contents, and records the entries into `shared_file_list`.
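The decoding step described above, as an added Python example (not the collector's own code): it resolves the UID references of an NSKeyedArchiver binary plist and flattens the items into rows using field names from the Data Collected table. The function names, the sample archive, and its `items`/`Name`/`URL` key layout are assumptions made for illustration; real SFL2 items may store the location as bookmark data, which this example does not decode.

```python
import plistlib
from plistlib import UID

def unarchive(data):
    """Resolve an NSKeyedArchiver binary plist into plain Python objects."""
    plist = plistlib.loads(data)
    if plist.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    objects = plist["$objects"]
    def resolve(value, seen=()):
        if isinstance(value, UID):                 # reference into $objects
            if value.data in seen:                 # break reference cycles
                return None
            seen += (value.data,)
            value = objects[value.data]
        if isinstance(value, str):
            return None if value == "$null" else value
        if isinstance(value, dict):
            if "NS.keys" in value:                 # NSDictionary
                return dict(zip((resolve(k, seen) for k in value["NS.keys"]),
                                (resolve(v, seen) for v in value["NS.objects"])))
            if "NS.objects" in value:              # NSArray / NSSet
                return [resolve(v, seen) for v in value["NS.objects"]]
            if "NS.relative" in value:             # NSURL
                return resolve(value["NS.relative"], seen)
        return value
    return resolve(plist["$top"]["root"])

def sfl_rows(data, user, source_file):
    """Flatten decoded items into rows (subset of the documented fields)."""
    items = unarchive(data).get("items", [])
    return [{"User": user, "SourceFile": source_file, "ItemIndex": i,
             "Name": item.get("Name"), "URL": item.get("URL")}
            for i, item in enumerate(items)]

def build_sample():
    """Constructed archive (not real evidence); key layout is an assumption."""
    objs = ["$null",
            {"NS.keys": [UID(2)], "NS.objects": [UID(3)], "$class": UID(9)},
            "items",
            {"NS.objects": [UID(4)], "$class": UID(10)},
            {"NS.keys": [UID(5), UID(6)], "NS.objects": [UID(7), UID(8)], "$class": UID(9)},
            "Name", "URL", "report.docx",
            {"NS.base": UID(0), "NS.relative": UID(11), "$class": UID(12)},
            {"$classname": "NSDictionary", "$classes": ["NSDictionary", "NSObject"]},
            {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]},
            "file:///Users/alice/Documents/report.docx",
            {"$classname": "NSURL", "$classes": ["NSURL", "NSObject"]}]
    return plistlib.dumps({"$version": 100000, "$archiver": "NSKeyedArchiver",
                           "$top": {"root": UID(1)}, "$objects": objs},
                          fmt=plistlib.FMT_BINARY)
```

Calling `sfl_rows(build_sample(), "alice", "sample.sfl2")` returns one row for the constructed item; a plist without the `$archiver` marker is rejected with `ValueError` instead of being parsed as if it were an archive.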

## Forensic Value

This evidence is crucial for forensic investigations as it reveals recent documents and locations, aiding timeline building and data exfiltration analysis.
