SSH Files

Overview

Evidence: SSH Files
Description: Collect all files from SSH directories including configurations, keys, and other SSH-related files
Category: System
Platform: macos
Short Name: sshf
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

SSH configuration and key material define how remote access is performed on Unix-like systems. System directories (e.g., /etc/ssh, /usr/local/etc/ssh) and per-user ~/.ssh hold configs, keys, and trust relationships (known_hosts). These artifacts are critical for understanding access, hardening state, and potential lateral movement paths.

Data Collected

This collector gathers the SSH files themselves, together with structured metadata about each file.

Collection Method

This collector walks system SSH directories and each user's ~/.ssh directory, copying regular files into the case content and recording metadata such as ownership, file mode, and timestamps.

Forensic Value

SSH files reveal authorized keys, host trust, cipher/policy settings, and possible backdoors. They help identify unauthorized access, weak configurations, persistence via keys, and relationships to other systems for lateral movement.
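The walk-and-record collection described under Collection Method, followed by the kind of review a responder would then run over the result (writable authorized_keys, exposed private keys, disabled host key checking), as an added illustration in Python. This is not the product's own code: the home roots /Users and /home are an assumption, and the sample ~/.ssh tree is constructed in a temp directory so it runs offline.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

def ssh_dirs():
    """System SSH directories plus each user's ~/.ssh (home roots are an assumption)."""
    homes = [h / ".ssh" for root in ("/Users", "/home") for h in Path(root).glob("*")]
    system = [Path("/etc/ssh"), Path("/usr/local/etc/ssh")]
    return [d for d in system + homes if d.is_dir()]

def collect(dirs):
    """Record ownership, mode, size and timestamps of every regular file under dirs."""
    records = []
    for d in dirs:
        for path in sorted(Path(d).rglob("*")):
            st = path.lstat()
            if stat.S_ISREG(st.st_mode):  # skip directories, symlinks, sockets
                records.append({"path": str(path), "uid": st.st_uid, "gid": st.st_gid,
                                "mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
                                "mtime": st.st_mtime, "ctime": st.st_ctime})
    return records

def triage(records):
    """Review checks a responder might run over the collected files (not the product's logic)."""
    findings = []
    for r in records:
        p, mode = Path(r["path"]), r["mode"]
        if p.name == "authorized_keys" and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((p.name, "authorized_keys writable by group/others"))
        if p.name.startswith("id_") and p.suffix != ".pub" and mode & 0o077:
            findings.append((p.name, "private key readable by group/others"))
        if p.name == "config" and re.search(r"(?im)^\s*StrictHostKeyChecking\s+no\b", p.read_text()):
            findings.append((p.name, "host key checking disabled"))
    return findings

def build_sample_tree():
    """Constructed sample ~/.ssh (not from any real host) in a temp dir so the example runs offline."""
    ssh = Path(tempfile.mkdtemp()) / "Users" / "alice" / ".ssh"
    ssh.mkdir(parents=True)
    (ssh / "authorized_keys").write_text("ssh-ed25519 AAAAplaceholder alice@example.test\n")
    os.chmod(ssh / "authorized_keys", 0o666)  # world-writable: must be flagged
    (ssh / "id_ed25519").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n")
    os.chmod(ssh / "id_ed25519", 0o644)       # readable by others: must be flagged
    (ssh / "config").write_text("Host *\n    StrictHostKeyChecking no\n")
    os.chmod(ssh / "config", 0o600)
    return ssh

if __name__ == "__main__":
    for name, issue in triage(collect([build_sample_tree()])):
        print(name, "->", issue)
```

Run against ssh_dirs() instead of the sample tree to walk a live host; reading root-owned host keys under /etc/ssh needs elevated privileges.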
