Evidence: .Trash
Description: Collect detailed information about files in .Trash directory
Category: DiskFilesystem
Platform: macos
Short Name: trsh
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
User trash folders contain recently deleted items per account. This data is essential for recovering deleted evidence, tracing user actions, and identifying data staging.
Data Collected
This collector gathers structured data about .trash.
Collection Method
This collector enumerates each user's ~/.Trash directory and records file metadata into the trash table.
Forensic Value
This evidence is crucial for forensic investigations as it surfaces deleted items that may indicate anti‑forensic behavior or sensitive data handling.
