.Trash

Overview

Evidence: .Trash Description: Collect detailed information about files in .Trash directory Category: DiskFilesystem Platform: macos Short Name: trsh Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

User trash folders contain recently deleted items per account. This data is essential for recovering deleted evidence, tracing user actions, and identifying data staging.

Data Collected

This collector gathers structured data about .trash.

Collection Method

This collector enumerates each user's ~/.Trash directory and records file metadata into the trash table.

Forensic Value

This evidence is crucial for forensic investigations as it surfaces deleted items that may indicate anti‑forensic behavior or sensitive data handling.