Downloaded Files Information
Overview
Evidence: Downloaded Files Information
Description: Collect information about downloaded files
Category: System
Platform: macos
Short Name: dwnlds
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Downloaded files in user profiles provide visibility into initial access vectors and user activity. This data is essential for tracking suspicious downloads and verifying code signing and provenance.
Data Collected
This collector gathers structured data about downloaded files.
Collection Method
This collector enumerates users’ Downloads folders, extracts file metadata, hashes small files, and parses WhereFrom URLs and quarantine flags.
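The parsing step described above, as an added example that is not the collector's own code: it decodes the `com.apple.metadata:kMDItemWhereFroms` binary plist and the `com.apple.quarantine` string for one file and builds a single record. The function names, the 10 MiB hashing cut-off and the sample attribute values are assumptions constructed for illustration.

```python
import hashlib
import plistlib
from datetime import datetime, timezone

# macOS extended-attribute names that carry download provenance.
XATTR_WHERE_FROMS = "com.apple.metadata:kMDItemWhereFroms"
XATTR_QUARANTINE = "com.apple.quarantine"
MAX_HASH_BYTES = 10 * 1024 * 1024  # assumed cut-off for "small" files

def parse_where_froms(raw: bytes) -> list[str]:
    """Decode the binary plist (an array of URL strings) in kMDItemWhereFroms."""
    try:
        value = plistlib.loads(raw)
    except Exception:  # missing, truncated or tampered attribute
        return []
    return [v for v in value if isinstance(v, str)] if isinstance(value, list) else []

def parse_quarantine(raw: bytes) -> dict:
    """Split 'flags;hex-epoch;agent;event-uuid' into typed fields."""
    parts = raw.decode("utf-8", "replace").strip("\x00").split(";")
    parts += [""] * (4 - len(parts))  # some entries omit trailing fields
    flags, stamp, agent, event_id = parts[:4]
    try:
        when = datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc).isoformat()
    except (ValueError, OverflowError, OSError):
        when = None  # keep the row, flag the timestamp as unparseable
    return {"flags": flags, "timestamp": when, "agent": agent, "event_id": event_id}

def build_record(name: str, data: bytes, xattrs: dict) -> dict:
    """Combine file metadata, optional hash and provenance into one row."""
    record = {"name": name, "size": len(data), "sha256": None,
              "where_from": parse_where_froms(xattrs.get(XATTR_WHERE_FROMS, b"")),
              "quarantine": None}
    if len(data) <= MAX_HASH_BYTES:
        record["sha256"] = hashlib.sha256(data).hexdigest()
    if XATTR_QUARANTINE in xattrs:
        record["quarantine"] = parse_quarantine(xattrs[XATTR_QUARANTINE])
    return record

# Constructed sample: attribute values as they would be read from a file in ~/Downloads.
SAMPLE_XATTRS = {
    XATTR_WHERE_FROMS: plistlib.dumps(
        ["https://downloads.example.com/tool.dmg", "https://example.com/get"],
        fmt=plistlib.FMT_BINARY),
    XATTR_QUARANTINE: b"0083;5e0be100;Safari;11111111-2222-3333-4444-555555555555",
}
SAMPLE = build_record("tool.dmg", b"constructed file body", SAMPLE_XATTRS)
```

A file in Downloads with no quarantine attribute yields `"quarantine": None`, which is worth surfacing in review because it means the file did not arrive through a quarantine-aware application or the attribute was removed afterwards.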
Forensic Value
This evidence is crucial for forensic investigations as it links files to sources and timestamps, aiding detection of phishing payloads and drive‑by downloads.