Installed Applications

Evidence: Installed Applications
Description: Collect info on installed apps
Category: System
Platform: macos
Short Name: apps
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

This collector gathers installed applications information from macOS, including bundle identifiers, versions, signatures, and entitlements. This data is essential for understanding software inventory, detecting unauthorized installs, and investigating persistence.

For each installed application the collector returns the following structured fields:

| Field | Description | Example |
| --- | --- | --- |
| DisplayName | Display Name | Example value |
| AppName | App Name | Example value |
| Path | Path | Example value |
| Environment | Environment | Example value |
| Element | Element | Example value |
| BundleExecutable | Bundle Executable | Example value |
| BundleIdentifier | Bundle Identifier | Example value |
| BundleName | Bundle Name | Example value |
| BundleVersion | Bundle Version | Example value |
| LastChangeTime | Last Change Time | 2023-10-15 14:30:25+03:00 |
| AccessTime | Access Time | 2023-10-15 14:30:25+03:00 |
| ModificationTime | Modification Time | 2023-10-15 14:30:25+03:00 |
| LastOpenedTime | Last Opened Time | 2023-10-15 14:30:25+03:00 |
| Hash | Hash | Example value |
| SizeInBytes | Size In Bytes | 123 |
| DisableLibraryValidation | Disable Library Validation | true |
| DyldEnvVariables | Dyld Env Variables | true |
| SignatureInfo | Signature Info | Example value |
| DynamicLibraries | Dynamic Libraries | [] |

This collector queries the apps table via osquery and augments results with file metadata and signature details.
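The following is an added example, not the collector's own code, that shows the pipeline the page describes end to end: rows in the shape osquery's `apps` table returns are mapped onto the field names from the table above, file metadata is added from the bundle's main executable, and a few defender-side triage rules are run over the result. The osquery column names used (`name`, `path`, `bundle_identifier`, `environment`, `last_opened_time`, ...) are those of the real `apps` table; the column-to-field mapping, the sample rows, the signature and entitlement details, and the triage heuristics are my own constructions and are not the product's logic.

```python
"""Normalise osquery `apps` rows into the collector's field layout and triage them.

Added example, not the collector's code. Assumptions (not on the page):
- the osquery column names below are those of osquery's `apps` table;
- the mapping from those columns to the page's field names is my own;
- SAMPLE_SIGNATURES stands in for codesign/entitlement inspection;
- the triage rules are illustrative heuristics, not the product's logic.
"""
import hashlib
import json
import os
from datetime import datetime, timezone

# Constructed sample of what `osqueryi --json "SELECT ... FROM apps"` returns.
SAMPLE_OSQUERY_JSON = json.dumps([
    {"name": "Safari.app", "path": "/Applications/Safari.app",
     "display_name": "Safari", "bundle_executable": "Safari",
     "bundle_identifier": "com.apple.Safari", "bundle_name": "Safari",
     "bundle_version": "17.0", "environment": "", "element": "",
     "last_opened_time": "1697369425"},
    {"name": "Updater.app", "path": "/Users/alice/Downloads/Updater.app",
     "display_name": "Updater", "bundle_executable": "Updater",
     "bundle_identifier": "com.example.updater", "bundle_name": "Updater",
     "bundle_version": "1.0",
     "environment": "DYLD_INSERT_LIBRARIES=/tmp/x.dylib", "element": "",
     "last_opened_time": "1697369425"},
])

# Constructed signature/entitlement details keyed by bundle path (the real
# collector derives these from code-signing inspection).
SAMPLE_SIGNATURES = {
    "/Applications/Safari.app": {
        "SignatureInfo": "Apple System Software",
        "DisableLibraryValidation": False, "DyldEnvVariables": False},
    "/Users/alice/Downloads/Updater.app": {
        "SignatureInfo": "unsigned",
        "DisableLibraryValidation": True, "DyldEnvVariables": True},
}

STANDARD_APP_DIRS = ("/Applications/", "/System/Applications/",
                     "/System/Library/CoreServices/")


def _epoch_to_iso(value):
    """osquery reports epoch seconds as strings; 0 or '' means unknown."""
    try:
        seconds = int(value)
    except (TypeError, ValueError):
        return None
    if seconds <= 0:
        return None
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def normalize_app_rows(osquery_json, signatures):
    """Map osquery `apps` columns onto the collector's field names."""
    records = []
    for row in json.loads(osquery_json):
        sig = signatures.get(row["path"], {})
        records.append({
            "DisplayName": row.get("display_name") or row["name"],
            "AppName": row["name"],
            "Path": row["path"],
            "Environment": row.get("environment", ""),
            "Element": row.get("element", ""),
            "BundleExecutable": row.get("bundle_executable", ""),
            "BundleIdentifier": row.get("bundle_identifier", ""),
            "BundleName": row.get("bundle_name", ""),
            "BundleVersion": row.get("bundle_version", ""),
            "LastOpenedTime": _epoch_to_iso(row.get("last_opened_time")),
            "SignatureInfo": sig.get("SignatureInfo", "unknown"),
            "DisableLibraryValidation": sig.get("DisableLibraryValidation", False),
            "DyldEnvVariables": sig.get("DyldEnvVariables", False),
        })
    return records


def augment_with_file_metadata(record, stat_fn=os.stat):
    """Fill SizeInBytes, timestamps and Hash from the bundle's main executable.

    A missing or unreadable file (uninstalled app, or a non-macOS host) leaves
    the fields as None rather than aborting the whole record.
    """
    exe = os.path.join(record["Path"], "Contents", "MacOS", record["BundleExecutable"])
    fields = {"SizeInBytes": None, "ModificationTime": None,
              "AccessTime": None, "LastChangeTime": None, "Hash": None}
    try:
        st = stat_fn(exe)
        fields.update(SizeInBytes=st.st_size,
                      ModificationTime=_epoch_to_iso(int(st.st_mtime)),
                      AccessTime=_epoch_to_iso(int(st.st_atime)),
                      LastChangeTime=_epoch_to_iso(int(st.st_ctime)))
        with open(exe, "rb") as fh:
            fields["Hash"] = hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        pass
    record.update(fields)
    return record


def triage(record):
    """Return the reasons an analyst should review this app first (heuristics)."""
    findings = []
    if record["SignatureInfo"] in ("unsigned", "unknown"):
        findings.append("no valid code signature")
    if record["DisableLibraryValidation"]:
        findings.append("library validation disabled: unsigned dylibs can be loaded")
    if record["DyldEnvVariables"]:
        findings.append("dyld environment variables allowed by entitlement")
    if "DYLD_" in record["Environment"].upper():
        findings.append("bundle sets DYLD_* variables in its environment")
    if not record["Path"].startswith(STANDARD_APP_DIRS):
        findings.append("installed outside the standard application directories")
    return findings


def collect(osquery_json=SAMPLE_OSQUERY_JSON, signatures=SAMPLE_SIGNATURES,
            stat_fn=os.stat):
    """Run the full pipeline; returns ({path: findings}, records)."""
    records = [augment_with_file_metadata(r, stat_fn)
               for r in normalize_app_rows(osquery_json, signatures)]
    return {r["Path"]: triage(r) for r in records}, records


if __name__ == "__main__":
    findings_by_path, _ = collect()
    for path, reasons in findings_by_path.items():
        print(path, "->", reasons or ["nothing notable"])
```

The file-metadata step is injected with `stat_fn` so the same logic can be exercised against recorded stat results off-box; on a live macOS host the defaults read the real executable and produce the SHA-256 in the Hash field.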

This evidence is central to forensic investigations: it shows what software is installed, when it was last opened, and how it is signed and entitled, which helps analysts identify malicious or untrusted applications.