.DS_Store Files
Overview
Section titled “Overview”Evidence: .DS_Store Files
Description: Collect information about .DS_Store files.
Category: DiskFilesystem
Platform: macos
Short Name: dsstr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Section titled “Background”.DS_Store files store Finder metadata for directories. This data is essential for evidencing file presence and user interactions even after deletions.
Data Collected
Section titled “Data Collected”This collector gathers structured data about .ds_store files.
.DS_Store Files Data
Section titled “.DS_Store Files Data”| Field | Description | Example |
|---|---|---|
Path | Path | Example value |
ModificationTime | Modification Time | 2023-10-15 14:30:25+03:00 |
AccessTime | Access Time | 2023-10-15 14:30:25+03:00 |
CreationTime | Creation Time | 2023-10-15 14:30:25+03:00 |
FileName | File Name | Example value |
StructureType | Structure Type | Example value |
DataType | Data Type | Example value |
Collection Method
Section titled “Collection Method”This collector discovers .DS_Store files under user directories, parses entries, and records them into ds_store.
Forensic Value
Section titled “Forensic Value”This evidence is crucial for forensic investigations as it can indicate files that existed and how they were displayed in Finder.