Most Recently Used (MRU)
Overview
Evidence: Most Recently Used (MRU)
Description: Collect Most Recently Used (MRU) items
Category: System
Platform: macos
Short Name: mru
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
MRU data in Finder and app containers captures recently accessed folders, copies/moves, and secure bookmarks. This data is essential for reconstructing user file access and movement.
Data Collected
This collector gathers structured data about Most Recently Used (MRU) items.
Most Recently Used (MRU) Data
| Field | Description | Example |
|---|---|---|
| User | User | Example value |
| SourceFile | Source File | Example value |
| SourceName | Source Name | Example value |
| SourceKey | Source Key | Example value |
| Name | Name | Example value |
| URL | URL | Example value |
Collection Method
This collector parses Finder and sidebar plists and secure bookmarks, extracting recent items into most_recently_used.
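An added example, not the collector's own code: a minimal Python parser that reads three Finder preference keys and emits rows using the field names from the table above. The key names (`RecentMoveAndCopyDestinations`, `GoToFieldHistory`, `FXRecentFolders`), the `SourceName` value and the sample plist are assumptions for illustration; the page does not list which keys the collector reads.

```python
import plistlib
from pathlib import PurePosixPath
from urllib.parse import unquote, urlparse
from xml.parsers.expat import ExpatError

# Finder preference keys read here (a subset chosen for this example).
STRING_KEYS = ("RecentMoveAndCopyDestinations", "GoToFieldHistory")
BOOKMARK_KEY = "FXRecentFolders"

def user_from_path(source_file):
    """Account name from /Users/<name>/...; empty for any other location."""
    parts = PurePosixPath(source_file).parts
    return parts[2] if len(parts) > 2 and parts[1] == "Users" else ""

def as_list(value):
    """Plist values are untrusted input: treat anything but a list as empty."""
    return value if isinstance(value, list) else []

def parse_finder_mru(plist_bytes, source_file):
    """Return one row per recent item, keyed by the field names in the table above."""
    try:
        prefs = plistlib.loads(plist_bytes)
    except (ValueError, ExpatError):
        return []  # corrupt or truncated plist: no rows instead of a crash
    if not isinstance(prefs, dict):
        return []
    base = {"User": user_from_path(source_file), "SourceFile": source_file, "SourceName": "Finder"}
    rows = []
    for key in STRING_KEYS:
        for value in as_list(prefs.get(key)):
            if not isinstance(value, str):
                continue
            # Entries are file:// URLs or plain paths; URL keeps the stored string.
            path = unquote(urlparse(value).path) if value.startswith("file://") else value
            rows.append({**base, "SourceKey": key, "URL": value,
                         "Name": PurePosixPath(path).name})
    for item in as_list(prefs.get(BOOKMARK_KEY)):
        if isinstance(item, dict) and isinstance(item.get("name"), str):
            # The target sits in the "file-bookmark" blob, which is not decoded here.
            rows.append({**base, "SourceKey": BOOKMARK_KEY, "URL": "", "Name": item["name"]})
    return rows

# Constructed sample standing in for a user's com.apple.finder.plist.
SAMPLE_PATH = "/Users/alice/Library/Preferences/com.apple.finder.plist"
SAMPLE = plistlib.dumps({
    "RecentMoveAndCopyDestinations": ["file:///Volumes/USB%20DISK/export/"],
    "GoToFieldHistory": ["/private/tmp/staging"],
    "FXRecentFolders": [{"name": "Payroll", "file-bookmark": b"book\x00\x00\x00\x00"}],
}, fmt=plistlib.FMT_BINARY)
```

Calling `parse_finder_mru(SAMPLE, SAMPLE_PATH)` yields three rows; the `FXRecentFolders` row has an empty `URL` because resolving its target requires decoding the bookmark blob.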
Forensic Value
This evidence is crucial for forensic investigations as it shows recent file interactions and locations, supporting timeline and exfiltration analysis.