Package Install History
Overview
Evidence: Package Install History
Description: Collect Package Install History
Category: System
Platform: macos
Short Name: pkghist
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Package installation history tracks software installs by package ID. This data is essential for change auditing, detecting unauthorized installs, and reconstructing software timelines.
Data Collected
This collector gathers structured data about package install history.
Package Install History Data
| Field | Description | Example |
|---|---|---|
| PackageID | Package ID | Example value |
| Name | Name | Example value |
| Version | Version | Example value |
| Source | Source | Example value |
| ContentType | Content Type | Example value |
| Time | Time | 2023-10-15 14:30:25+03:00 |
Collection Method
This collector queries the package_install_history table via osquery and records the results into package_install_histories.
Forensic Value
This evidence is crucial for forensic investigations as it reveals what was installed, when, and by whom, aiding attribution and scope analysis.
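The timeline reconstruction and unauthorized-install check described above, as an added example that is not the collector's own code. It assumes rows exported with `osqueryi --json` using osquery's column names (`package_id`, `time`, `name`, `version`, `source`, `content_type`); the sample rows, the allowlist and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample rows shaped like `osqueryi --json` output for
# SELECT * FROM package_install_history; osquery returns every value as a string.
SAMPLE_ROWS = json.loads("""[
  {"package_id": "com.example.helper.tool", "time": "1697459425", "name": "helper",
   "version": "1.0", "source": "installer", "content_type": ""},
  {"package_id": "com.apple.pkg.CLTools_Executables", "time": "1697369425",
   "name": "Command Line Tools for Xcode", "version": "15.0",
   "source": "softwareupdated", "content_type": "config-data"},
  {"package_id": "com.example.vpnclient", "time": "1697455825", "name": "Example VPN",
   "version": "2.1", "source": "Installer", "content_type": ""},
  {"package_id": "com.example.legacy", "time": "", "name": "Legacy Agent",
   "version": "0.9", "source": "Installer", "content_type": ""}
]""")

# Hypothetical allowlist of package ID prefixes the organisation has approved.
APPROVED_PREFIXES = ("com.apple.", "com.example.vpnclient")

def install_time(row):
    """Return the install time as an aware UTC datetime, or None if unusable."""
    try:
        return datetime.fromtimestamp(int(row["time"]), tz=timezone.utc)
    except (KeyError, TypeError, ValueError, OverflowError, OSError):
        return None

def build_timeline(rows):
    """Oldest-first (iso_time, package_id, version, source); rows without a time are skipped."""
    timed = [(install_time(r), r) for r in rows]
    timed = [(t, r) for t, r in timed if t is not None]
    timed.sort(key=lambda pair: pair[0])
    return [(t.isoformat(), r["package_id"], r["version"], r["source"]) for t, r in timed]

def unapproved_in_window(rows, start, end):
    """Package IDs installed in [start, end) that match no approved prefix."""
    hits = []
    for r in rows:
        t = install_time(r)
        if t is not None and start <= t < end and not r["package_id"].startswith(APPROVED_PREFIXES):
            hits.append(r["package_id"])
    return sorted(hits)

if __name__ == "__main__":
    for entry in build_timeline(SAMPLE_ROWS):
        print(*entry, sep="  ")
    window = (datetime(2023, 10, 16, tzinfo=timezone.utc), datetime(2023, 10, 17, tzinfo=timezone.utc))
    print("unapproved:", unapproved_in_window(SAMPLE_ROWS, *window))
```

Times are normalized to UTC, so the first sample row corresponds to the page's example value 2023-10-15 14:30:25+03:00.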