File Last Used
Overview
Section titled “Overview”Evidence: File Last Used
Description: Collects files with last access times via Finder or open command.
Category: DiskFilesystem
Platform: macos
Short Name: fls
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Section titled “Background”macOS tracks last usage metadata for files through extended attributes (e.g., com.apple.lastuseddate#PS) updated by Finder and certain application interactions. These timestamps help understand user interaction with files beyond standard atime semantics.
Data Collected
Section titled “Data Collected”This collector gathers structured data about file last used.
File Last Used Data
Section titled “File Last Used Data”| Field | Description | Example |
|---|---|---|
ID | ID | 123 |
Username | Username | Example value |
Path | Path | Example value |
Time | Time | 2023-10-15 14:30:25+03:00 |
Collection Method
Section titled “Collection Method”This collector enumerates user directories and extracts the com.apple.lastuseddate#PS extended attribute for files, decoding it into timestamps and mapping them to the owning user.
Forensic Value
Section titled “Forensic Value”Last used timestamps help reconstruct user activity on documents, reveal recently interacted files, and support timeline building even when traditional access times are unreliable due to filesystem settings.