Login Items
Overview
Section titled “Overview”Evidence: Login Items
Description: Collect Login Items
Category: System
Platform: macos
Short Name: litms
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Section titled “Background”Login Items configure applications to start automatically upon user login. This data is essential for detecting persistence and unwanted auto-start programs.
Data Collected
Section titled “Data Collected”This collector gathers structured data about login items.
Login Items Data
Section titled “Login Items Data”| Field | Description | Example |
|---|---|---|
Item | Item | Example value |
Path | Path | Example value |
Active | Active | true |
Collection Method
Section titled “Collection Method”This collector uses AppleScript via osascript to enumerate login items and their paths, recording them into login_items.
Forensic Value
Section titled “Forensic Value”This evidence is crucial for forensic investigations as it reveals user-level persistence and startup behavior.