Dock Items

Overview

Evidence: Dock Items
Description: Collect Dock Items
Category: System
Platform: macos
Short Name: dckitms
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Dock preferences record persistent apps, folders, and recent items displayed in the macOS Dock. This data is essential for understanding user activity and potential persistence via Dock items.

Data Collected

This collector gathers structured data about dock items.

Dock Items Data

Field	Description	Example
`GUID`	GUID	123
`User`	User	Example value
`FileLabel`	File Label	Example value
`ParentModified`	Parent Modified	2023-10-15 14:30:25+03:00
`FileModified`	File Modified	2023-10-15 14:30:25+03:00
`RecentlyUsed`	Recently Used	true
`FileType`	File Type	123
`FileTypeName`	File Type Name	Example value
`FilePath`	File Path	Example value
`Source`	Source	Example value

Collection Method

This collector reads users’ com.apple.dock.plist files, decodes entries, and records items into the dock_items table.

Forensic Value

This evidence is crucial for forensic investigations as it reveals recently used and pinned applications, supporting timeline and behavior analysis.