Document Revisions
Overview
Section titled “Overview”Evidence: Document Revisions
Description: Collect Document Revisions
Category: System
Platform: macos
Short Name: drvs
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Section titled “Background”macOS DocumentRevisions-V100 stores prior versions of documents for autosave. This data is essential for recovering prior content and tracking edits over time.
Data Collected
Section titled “Data Collected”This collector gathers structured data about document revisions.
Document Revisions Data
Section titled “Document Revisions Data”| Field | Description | Example |
|---|---|---|
FileINode | File I Node | 123 |
StorageID | Storage ID | 123 |
FilePath | File Path | Example value |
ExistsOnDisk | Exists On Disk | true |
FileLastSeen | File Last Seen | 2023-10-15 14:30:25+03:00 |
GenerationAdded | Generation Added | 2023-10-15 14:30:25+03:00 |
GenerationPath | Generation Path | Example value |
Source | Source | Example value |
Collection Method
Section titled “Collection Method”This collector copies the DocumentRevisions database and queries for files and generations, recording into document_revisions.
Forensic Value
Section titled “Forensic Value”This evidence is crucial for forensic investigations as it can reveal previous versions of altered or deleted documents.