# SSH Files

## Overview

**Evidence:** SSH Files\
**Description:** Collect all files from SSH directories including configurations, keys, and other SSH-related files\
**Category:** System\
**Platform:** macos\
**Short Name:** sshf\
**Is Parsed:** No\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

SSH configuration and key material define how remote access is performed on Unix-like systems. System directories (e.g., /etc/ssh, /usr/local/etc/ssh) and per-user ~/.ssh hold configs, keys, and trust relationships (known_hosts). These artifacts are critical for understanding access, hardening state, and potential lateral movement paths.

## Data Collected

This collector copies the SSH-related files it finds (server and client configuration, host and user keys, authorized_keys, known_hosts, and any other files in those directories) together with per-file metadata. File contents are not parsed by the collector; the copied files are delivered as-is for review.

## Collection Method

This collector walks system SSH directories and each user's ~/.ssh directory, copying regular files into the case content and recording metadata such as ownership, file mode, and timestamps.
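The walk described above, as an added example in Python; it is not the product's collector and makes its own choices: files are described with lstat() so a planted symlink is recorded but never followed, each copy mirrors the source path under the case directory, every regular file is hashed, and unreadable files are logged rather than aborting the run. The root list, the case directory layout and the sample ~/.ssh tree built by demo() are constructed for illustration.

```python
"""Walk SSH directories, copy regular files, and record per-file metadata.

Added example illustrating the collection step described on this page; it is
not the product's collector. Roots and destination are parameters, and demo()
builds a constructed ~/.ssh tree so the script runs against a scratch directory.
"""
import hashlib
import json
import os
import pwd
import shutil
import stat
import tempfile
from pathlib import Path

# System locations named on this page.
SYSTEM_SSH_DIRS = ["/etc/ssh", "/usr/local/etc/ssh"]


def user_ssh_dirs():
    """~/.ssh for every account in the local passwd database (existing ones only)."""
    return [Path(e.pw_dir) / ".ssh" for e in pwd.getpwall()
            if (Path(e.pw_dir) / ".ssh").is_dir()]


def file_record(path):
    """Metadata from lstat(): a symlink is described, never followed, so a
    planted link such as ~/.ssh/id_rsa -> /etc/shadow cannot pull in its target."""
    st = path.lstat()
    kind = ("symlink" if stat.S_ISLNK(st.st_mode)
            else "regular" if stat.S_ISREG(st.st_mode) else "other")
    rec = {
        "path": str(path), "type": kind,
        "uid": st.st_uid, "gid": st.st_gid,
        "mode": oct(stat.S_IMODE(st.st_mode)), "size": st.st_size,
        "atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime,
    }
    if kind == "symlink":
        rec["link_target"] = os.readlink(path)
    return rec


def collect(roots, dest):
    """Copy regular files under each root into dest/files (mirroring the source
    path) and return the manifest; an unreadable file is recorded, not fatal."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for dirpath, dirs, files in os.walk(root, followlinks=False):
            # os.walk does not descend into symlinked directories; still record them.
            for name in dirs:
                if (Path(dirpath) / name).is_symlink():
                    manifest.append(file_record(Path(dirpath) / name))
            for name in files:
                src = Path(dirpath) / name
                rec = file_record(src)
                if rec["type"] == "regular":
                    target = dest / "files" / src.relative_to(src.anchor)
                    try:
                        data = src.read_bytes()
                        target.parent.mkdir(parents=True, exist_ok=True)
                        target.write_bytes(data)
                        shutil.copystat(src, target)  # keep mode and timestamps on the copy
                        rec["sha256"] = hashlib.sha256(data).hexdigest()
                        rec["copy"] = str(target)
                    except OSError as exc:
                        rec["error"] = str(exc)
                manifest.append(rec)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo():
    """Build a constructed ~/.ssh tree in a temp dir and collect it."""
    base = Path(tempfile.mkdtemp(prefix="sshf-"))
    ssh = base / "home" / "alice" / ".ssh"
    ssh.mkdir(parents=True)
    ssh.chmod(0o700)
    (ssh / "authorized_keys").write_text(
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample alice@laptop\n")  # placeholder blob
    key = ssh / "id_ed25519"
    key.write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed, not a real key\n")
    key.chmod(0o600)
    os.symlink("/etc/shadow", ssh / "id_rsa")  # planted link; must not be copied
    return collect([ssh], base / "case")


if __name__ == "__main__":
    case = Path(tempfile.mkdtemp(prefix="sshf-case-"))
    for rec in collect(SYSTEM_SSH_DIRS + user_ssh_dirs(), case):
        print(rec["type"], rec["mode"], rec["path"])
```

Run as root to reach other users' directories and /etc/ssh host keys; copystat keeps the original mode and timestamps on the copy, but the manifest is the authoritative record because the copy's ctime is the collection time.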

## Forensic Value

SSH files reveal which keys are authorized to log in (authorized_keys), which remote hosts the system has trusted (known_hosts), the configured ciphers and authentication policy, and possible backdoors such as unexpected authorized keys or altered configuration. They help identify unauthorized access, weak configurations, persistence via planted keys, and relationships to other systems that indicate lateral movement paths.
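A triage pass over the collected files, as an added example that is not part of the product (which copies the files without parsing them): it parses authorized_keys entries including the quoted options field, flags forced commands and keys with no identifying comment, and reports weak sshd_config authentication settings and directives that relocate trusted keys, tracking Match blocks so a scoped setting is not mistaken for a global one. The sample entries and configuration are constructed, with placeholder key blobs.

```python
"""Triage of collected authorized_keys and sshd_config text. Added example of the
analyst review, not the product's parser; all samples below are constructed."""
import re

# One authorized_keys option: name, or name="value" where \" is allowed inside.
OPTION = r'[^\s",=]+(?:="(?:[^"\\]|\\.)*")?'
OPTIONS_FIELD = re.compile(rf"({OPTION}(?:,{OPTION})*)\s+(.*)")
# sshd_config values that weaken authentication, and directives that change
# where sshd looks for trusted keys (a common place to hide persistence).
WEAK_SSHD = {"permitrootlogin": {"yes"}, "passwordauthentication": {"yes"},
             "permitemptypasswords": {"yes"}, "pubkeyauthentication": {"no"}}
KEY_SOURCE_DIRECTIVES = {"authorizedkeysfile", "authorizedkeyscommand", "trustedusercakeys"}


def split_options(line):
    """Return ({option: value}, rest). A comma or space inside command="..."
    must not end the field, which is why this is not a plain split."""
    if line.startswith(("ssh-", "ecdsa-", "sk-")):
        return {}, line                        # entry has no options field
    m = OPTIONS_FIELD.match(line)
    if not m:
        return {}, line
    opts = {}
    for o in re.findall(OPTION, m.group(1)):
        name, _, value = o.partition("=")
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')   # OpenSSH only unescapes \"
        opts[name.lower()] = value
    return opts, m.group(2)


def parse_authorized_keys(text):
    """One dict per entry: line, options, type, key, comment (or error)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
            entries.append({"line": lineno, "error": "malformed entry"})
            continue
        entries.append({"line": lineno, "options": options, "type": parts[0],
                        "key": parts[1], "comment": parts[2] if len(parts) > 2 else ""})
    return entries


def triage_authorized_keys(text):
    """(line, message) findings an analyst would chase first."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append((e["line"], e["error"]))
            continue
        if "command" in e["options"]:
            findings.append((e["line"], "forced command: " + e["options"]["command"]))
        if not e["comment"]:
            findings.append((e["line"], "no comment: key owner unknown"))
    return findings


def triage_sshd_config(text):
    """(line, scope, message); scope tracks Match blocks, since a weak value
    under `Match Address ...` applies only to those clients, not globally."""
    findings, scope = [], "global"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            scope = "Match " + val
            continue
        if key in WEAK_SSHD and val.lower() in WEAK_SSHD[key]:
            findings.append((lineno, scope, f"weak setting: {parts[0]} {val}"))
        if key in KEY_SOURCE_DIRECTIVES:
            findings.append((lineno, scope, f"key source directive: {parts[0]} {val}"))
    return findings


# Constructed samples: placeholder key blobs, not real keys or a real host.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample1 alice@laptop
command="/usr/local/bin/backup.sh",no-pty,from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EExample2 backup@nas
command="sh -c \\"/tmp/.cache/run\\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample3
"""
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/keys/%u
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

if __name__ == "__main__":
    for finding in triage_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print("authorized_keys", finding)
    for finding in triage_sshd_config(SAMPLE_SSHD_CONFIG):
        print("sshd_config", finding)
```

A forced command is not itself malicious (the backup key above is a normal pattern), so the finding is a prompt to read the command and its source restriction, not a verdict; a key with no comment and an executable under a hidden path is the kind of entry that deserves a look at the file's timestamps in the collector's manifest.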
