Shared File List

Overview

Evidence: Shared File List
Description: Collect Shared File List (SFL) items
Category: System
Platform: macos
Short Name: sfl
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Shared File List (SFL/SFL2) stores recent items and application-specific lists. This data is essential for reconstructing user activity and identifying recently accessed files and apps.

Data Collected

This collector gathers structured data about Shared File List entries.

Shared File List Data

| Field | Description | Example |
|---|---|---|
| User | User | Example value |
| SourceFile | Source File | Example value |
| SourceName | Source Name | Example value |
| ItemIndex | Item Index | 123 |
| Name | Name | Example value |
| URL | URL | Example value |

Collection Method

This collector copies user SFL/SFL2 files, decodes NSKeyedArchive contents, and records entries into shared_file_list.
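The decoding step described above can be sketched as follows. This is an added example, not the collector's own code: it resolves the UID references of an NSKeyedArchive and flattens the items into rows named after the fields in the table. The function names, the zero-based ItemIndex and the sample archive are assumptions made for illustration; the sample uses a simplified layout (a root dictionary with an `items` array whose entries carry `Name` and `URL`), and real files may hold the location in a bookmark blob that needs its own decoder.

```python
import plistlib
from plistlib import UID

def unarchive(blob):
    """Resolve an NSKeyedArchiver plist into plain Python objects."""
    plist = plistlib.loads(blob)
    if plist.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    objects = plist["$objects"]
    def resolve(value, depth=0):
        if depth > 64:  # stop on cyclic or hostile UID chains
            raise ValueError("archive nesting too deep")
        if isinstance(value, UID):
            value = objects[value.data]  # a UID is an index into $objects
        if value == "$null":
            return None
        if isinstance(value, dict):
            nxt = depth + 1
            if "NS.keys" in value:  # NSDictionary
                keys = [resolve(k, nxt) for k in value["NS.keys"]]
                return dict(zip(keys, (resolve(v, nxt) for v in value["NS.objects"])))
            if "NS.objects" in value:  # NSArray
                return [resolve(v, nxt) for v in value["NS.objects"]]
            if "NS.relative" in value:  # NSURL
                return resolve(value["NS.relative"], nxt)
            return {k: resolve(v, nxt) for k, v in value.items() if k != "$class"}
        return value
    return resolve(plist["$top"]["root"])

def sfl_rows(blob, user, source_file):
    """Flatten the archive's items into rows named after the table's fields."""
    root = unarchive(blob)
    items = root.get("items") if isinstance(root, dict) else None
    return [{"User": user, "SourceFile": source_file, "ItemIndex": i,
             "Name": item.get("Name"), "URL": item.get("URL")}
            for i, item in enumerate(items or []) if isinstance(item, dict)]

def sample_archive():
    """Constructed archive for illustration, not a real artifact."""
    objects = ["$null",
        {"$class": UID(9), "NS.keys": [UID(2)], "NS.objects": [UID(3)]}, "items",
        {"$class": UID(9), "NS.objects": [UID(4)]},
        {"$class": UID(9), "NS.keys": [UID(5), UID(6)], "NS.objects": [UID(7), UID(8)]},
        "Name", "URL", "report.docx",
        {"$class": UID(9), "NS.base": UID(0), "NS.relative": UID(10)},
        {"$classname": "NSObject", "$classes": ["NSObject"]},
        "file:///Users/alice/Documents/report.docx"]
    return plistlib.dumps({"$archiver": "NSKeyedArchiver", "$version": 100000,
        "$top": {"root": UID(1)}, "$objects": objects}, fmt=plistlib.FMT_BINARY)
```

Parsing a copy of the file rather than the original keeps the evidence untouched, which matches the copy-then-decode order the collector uses.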

Forensic Value

This evidence is crucial for forensic investigations as it reveals recent documents and locations, aiding timeline building and data exfiltration analysis.
