Application Usage
Overview
Evidence: Application Usage
Description: Collect Application Usage
Category: System
Platform: macos
Short Name: appusg
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Application usage events from the KnowledgeC database (knowledgeC.db) record how long each application was in the foreground. This data is essential for reconstructing user activity, building triage timelines, and identifying suspicious usage patterns.
Data Collected
This collector gathers structured records of application usage: which application was active, when it was active, and for how long.
Collection Method
This collector reads the KnowledgeC database under each user profile, runs the application usage query against it, and records the results into app_usage.
Forensic Value
This evidence is crucial for forensic investigations because it shows which applications were active, when, and for how long, which supports timeline reconstruction and anomaly detection.
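The query and timestamp handling described under Collection Method, together with a simple anomaly check of the kind Forensic Value refers to, as an added Python example. This is not the collector's own code. It assumes the real ZOBJECT column names of knowledgeC.db (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE, ZSECONDSFROMGMT) and the '/app/usage' stream name; the function names, the quiet-hours thresholds, and the in-memory sample database with its rows are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# KnowledgeC is a Core Data store: ZSTARTDATE/ZENDDATE are seconds since
# 2001-01-01 00:00:00 UTC (Cocoa epoch), not Unix epoch. Treating them as Unix
# time would place every event 31 years too early.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Path of the database relative to each user's home directory (the collector
# reads one copy per user profile).
KNOWLEDGEC_RELPATH = "Library/Application Support/Knowledge/knowledgeC.db"

# Foreground app-usage events are the rows of ZOBJECT whose ZSTREAMNAME is
# '/app/usage'; ZVALUESTRING carries the app's bundle identifier.
APP_USAGE_SQL = """
SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE, ZSECONDSFROMGMT
FROM ZOBJECT
WHERE ZSTREAMNAME = '/app/usage'
ORDER BY ZSTARTDATE
"""


def cocoa_to_utc(seconds):
    return COCOA_EPOCH + timedelta(seconds=seconds)


def utc_to_cocoa(dt):
    return (dt - COCOA_EPOCH).total_seconds()


def open_readonly(db_path):
    # mode=ro stops sqlite from writing a journal/WAL next to the evidence file.
    return sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)


def query_app_usage(conn):
    """Run the app-usage query and return one dict per foreground period."""
    rows = []
    for bundle_id, start, end, tz_off in conn.execute(APP_USAGE_SQL):
        start_utc = cocoa_to_utc(start)
        # Assumption: a NULL ZENDDATE means the event was still open when the
        # database was copied, so no duration is computed for it.
        end_utc = cocoa_to_utc(end) if end is not None else None
        duration_s = (end_utc - start_utc).total_seconds() if end_utc else None
        rows.append({
            "bundle_id": bundle_id,
            "start_utc": start_utc,
            "end_utc": end_utc,
            "duration_s": duration_s,
            # ZSECONDSFROMGMT is the device's UTC offset when the event was
            # logged; it is what lets us reason about local working hours.
            "local_offset_s": tz_off or 0,
        })
    return rows


def flag_suspicious(rows, quiet_hours=range(0, 5), max_duration_s=12 * 3600):
    """Flag sessions that start in local quiet hours or run unusually long (hypothetical thresholds)."""
    flagged = []
    for r in rows:
        local_start = r["start_utc"] + timedelta(seconds=r["local_offset_s"])
        reasons = []
        if local_start.hour in quiet_hours:
            reasons.append("starts during quiet hours")
        if r["duration_s"] is not None and r["duration_s"] > max_duration_s:
            reasons.append("unusually long foreground session")
        if reasons:
            flagged.append((r["bundle_id"], local_start, reasons))
    return flagged


def build_sample_db():
    """Constructed in-memory stand-in for knowledgeC.db (only the columns the query needs)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ZOBJECT (
        Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, ZVALUESTRING TEXT,
        ZSTARTDATE REAL, ZENDDATE REAL, ZSECONDSFROMGMT INTEGER)""")
    t0 = datetime(2024, 3, 1, 14, 0, tzinfo=timezone.utc)   # 09:00 local at UTC-5
    samples = [  # (stream, bundle id, start, end, seconds from GMT) - constructed rows
        ("/app/usage", "com.apple.Safari", t0, t0 + timedelta(minutes=25), -18000),
        ("/app/usage", "com.apple.finder", t0 + timedelta(hours=1), None, -18000),
        ("/app/usage", "com.apple.Terminal", t0 + timedelta(hours=17),
         t0 + timedelta(hours=17, minutes=40), -18000),              # 02:00 local
        ("/app/inFocus", "com.apple.Safari", t0, t0 + timedelta(minutes=1), -18000),  # other stream
    ]
    conn.executemany(
        "INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE, ZSECONDSFROMGMT)"
        " VALUES (?, ?, ?, ?, ?)",
        [(s, b, utc_to_cocoa(st), utc_to_cocoa(en) if en else None, tz)
         for s, b, st, en, tz in samples],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    usage = query_app_usage(build_sample_db())
    for r in usage:
        print(r["bundle_id"], r["start_utc"].isoformat(), r["duration_s"])
    for bundle_id, local_start, reasons in flag_suspicious(usage):
        print("FLAG", bundle_id, local_start.isoformat(), "; ".join(reasons))
```

Against a real image, replace build_sample_db() with open_readonly() on each user's copy of KNOWLEDGEC_RELPATH; the read-only URI matters because a plain sqlite3.connect() can create a journal or WAL file beside the evidence. Note that the '/app/inFocus' row is deliberately excluded: it is a different stream and would double-count the Safari period if folded into usage.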