
DMG File Opened

Evidence: DMG File Opened
Description: Collects previously opened DMG files.
Category: DiskFilesystem
Platform: macos
Short Name: dmgf
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

DMG (disk image) files are commonly used on macOS for software distribution and data storage. When a DMG file is opened, macOS stores extended attributes (xattrs) including fsck information and recent checksums on the file. These attributes provide forensic evidence of DMG file access, helping investigators identify software installations, data transfers, or malicious payloads delivered via DMG files.

This collector gathers structured data about previously opened DMG files.

Field              Description         Example
ID                 ID                  123
Path               Path                Example value
Username           Username            Example value
Fsck               Fsck                Example value
RecentCksumDate    Recent Cksum Date   2023-10-15 14:30:25+03:00
RecentCksumType    Recent Cksum Type   Example value
RecentCksum        Recent Cksum        Example value

This collector scans the file system for DMG files and extracts extended attributes (com.apple.diskimages.fsck and com.apple.diskimages.recentcksum) to identify which DMG files were previously opened. It parses the recentcksum attribute to extract timestamps, checksum types, and checksum values, providing a timeline of DMG file access.

DMG file access history is valuable for identifying software installations, detecting unauthorized application deployments, tracking malware delivery mechanisms, and establishing file access timelines. The checksum information can be used to verify file integrity and correlate DMG files across multiple systems. This evidence is particularly useful for detecting supply chain attacks, insider threats, and unauthorized software installations.
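The following Python script is an added illustration of the two steps described above, parsing the com.apple.diskimages.recentcksum attribute into a timestamp, checksum type and checksum value, then building an access timeline and correlating the same image across hosts by checksum. It is not the collector's own code. Apple does not publish the attribute's layout, so the script assumes the form "i:<n> on <YYYY-MM-DD>@<HH:MM:SS> <algorithm> base64:<digest>" and tolerates a few variations; the expected digest lengths per algorithm, the sample records and the host names are constructed for the example.

```python
import base64
import hashlib
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# ASSUMED layout of the com.apple.diskimages.recentcksum value (not documented
# on the page):  "i:<n> on <YYYY-MM-DD>@<HH:MM:SS> <algorithm> base64:<digest>"
# The pattern is deliberately tolerant: the "i:<n>" and "on" prefixes, a UTC
# offset and the "base64:" prefix are optional, and the date/time separator
# may be '@', ' ' or 'T'.
_RECENT_CKSUM = re.compile(
    r"^(?:i:(?P<index>\d+)\s+)?(?:on\s+)?"
    r"(?P<date>\d{4}-\d{2}-\d{2})[@ T](?P<time>\d{2}:\d{2}:\d{2})"
    r"(?P<tz>Z|[+-]\d{2}:\d{2})?\s+"
    r"(?P<type>[A-Za-z0-9_-]+)\s+"
    r"(?:base64:)?(?P<digest>[A-Za-z0-9+/=]+)\s*$"
)

# Assumed digest sizes in bytes, used to flag a value whose length does not
# match the algorithm it claims (an edited attribute or an unknown type).
_DIGEST_LEN = {"md5": 16, "sha-1": 20, "sha1": 20,
               "sha-256": 32, "sha256": 32, "crc32": 4, "crc-32": 4}


def parse_recent_cksum(raw: str) -> Optional[Dict[str, object]]:
    """Split one recentcksum value into timestamp, type and hex digest.

    Returns None when the value does not match the assumed layout so the
    caller can count unparsed attributes instead of silently dropping them.
    """
    m = _RECENT_CKSUM.match(raw.strip())
    if m is None:
        return None
    tz = (m["tz"] or "").replace("Z", "+00:00")
    when = datetime.fromisoformat(f"{m['date']}T{m['time']}{tz}")
    try:
        digest = base64.b64decode(m["digest"], validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return None
    cksum_type = m["type"].lower()
    expected = _DIGEST_LEN.get(cksum_type)
    return {
        "date": when,
        "type": cksum_type,
        "cksum_hex": digest.hex(),
        "length_ok": expected is None or expected == len(digest),
    }


def _b64_sha256(data: bytes) -> str:
    """Helper to build valid sample digests for the constructed records below."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


# Constructed sample records in the shape a collector might emit: host, user,
# path and the raw xattr value. Two hosts hold the same image; one value is junk.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"host": "mac-01", "username": "alice", "path": "/Users/alice/Downloads/Tool.dmg",
     "recentcksum": f"i:1 on 2023-10-15@14:30:25 sha-256 base64:{_b64_sha256(b'image A')}"},
    {"host": "mac-02", "username": "bob", "path": "/Users/bob/Desktop/Tool.dmg",
     "recentcksum": f"i:1 on 2023-10-16@09:02:11 sha-256 base64:{_b64_sha256(b'image A')}"},
    {"host": "mac-01", "username": "alice", "path": "/Users/alice/Downloads/Other.dmg",
     "recentcksum": f"i:1 on 2023-10-12@08:00:00 sha-256 base64:{_b64_sha256(b'image B')}"},
    {"host": "mac-03", "username": "carol", "path": "/Users/carol/Downloads/Broken.dmg",
     "recentcksum": "not a recentcksum value"},
]


def build_timeline(records: List[Dict[str, str]]) -> Tuple[List[Dict[str, object]], List[Dict[str, str]]]:
    """Parse every record; return (rows sorted by access date, unparsed records).

    All sample timestamps are naive (no offset); mixing naive and aware values
    would make the sort raise TypeError, so normalise first on real data.
    """
    rows, unparsed = [], []
    for rec in records:
        parsed = parse_recent_cksum(rec["recentcksum"])
        if parsed is None:
            unparsed.append(rec)
            continue
        rows.append({**rec, **parsed})
    rows.sort(key=lambda r: r["date"])
    return rows, unparsed


def correlate_by_checksum(rows: List[Dict[str, object]]) -> Dict[str, List[Tuple[str, str]]]:
    """Group parsed rows by digest; keep only images seen more than once."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["cksum_hex"]].append((r["host"], r["path"]))
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    timeline, bad = build_timeline(SAMPLE_RECORDS)
    for r in timeline:
        print(r["date"].isoformat(), r["host"], r["username"], r["path"], r["type"], r["cksum_hex"][:16])
    print("unparsed:", [b["path"] for b in bad])
    print("shared images:", correlate_by_checksum(timeline))
```

On a live macOS host the raw value for one file can be read with `xattr -p com.apple.diskimages.recentcksum /path/to/file.dmg`; the `length_ok` flag is worth surfacing, because a digest whose size does not fit the stated algorithm points at a tampered or non-standard attribute rather than a genuine checksum.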