Skip to content
AIR Knowledge Base

Launchd Files

Overview

Section titled “Overview”

Evidence: Launchd Files
Description: Collect all launchd plist files from system directories
Category: System
Platform: macos
Short Name: lnchdf
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

Section titled “Background”

Launchd plists define daemons and agents on macOS. This data is essential for auditing startup items, detecting persistence, and verifying service configurations.

Data Collected

Section titled “Data Collected”

This collector gathers structured data about launchd files.

Collection Method

Section titled “Collection Method”

This collector enumerates known LaunchAgents and LaunchDaemons directories, copies .plist files to content, and records file metadata into the launchd_files table.

Forensic Value

Section titled “Forensic Value”

This evidence is crucial for forensic investigations as it exposes auto-run configurations and modifications that may indicate malicious persistence.