Quick Look Cache
Overview
Evidence: Quick Look Cache
Description: Collect Quick Look Cache
Category: System
Platform: macos
Short Name: qklc
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Quick Look cache stores thumbnails and metadata for recently viewed files. This data is essential for confirming file access and reconstructing user interactions with files.
Data Collected
This collector gathers structured data about the Quick Look cache.
Quick Look Cache Data
| Field | Description | Example |
|---|---|---|
| Path | Path | Example value |
| RowID | Row ID | 123 |
| FSID | FSID | Example value |
| VolumeID | Volume ID | 123 |
| INode | Inode | 123 |
| ModTime | Mod Time | 123 |
| Size | Size | 123 |
| Label | Label | Example value |
| LastHitDate | Last Hit Date | 123 |
| HitCount | Hit Count | Example value |
| IconMode | Icon Mode | 123 |
| CachePath | Cache Path | Example value |
Collection Method
This collector queries the quicklook_cache table via osquery and records cache metadata into quicklook_cache.
Forensic Value
This evidence is crucial for forensic investigations because it indicates which files a user previewed or viewed, even if those files have since been moved or deleted.
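A triage sketch for the parsed rows, added here as an example and not part of the collector: it compares each row's Path, INode and Size with a live system or mounted image to surface previewed files that have since been moved, deleted or replaced. The function names, the `root` parameter and the sample rows are assumptions; LastHitDate is used only for ordering, so its time format does not matter here.

```python
import os


def classify(row, root="/"):
    """Return 'missing', 'replaced', 'modified' or 'present' for one cache row."""
    # `root` (assumed parameter) lets the check run against a mounted image.
    target = os.path.join(root, row["Path"].lstrip("/"))
    try:
        st = os.stat(target)
    except (FileNotFoundError, NotADirectoryError):
        return "missing"    # previewed, but no longer at the recorded path
    if st.st_ino != int(row["INode"]):
        return "replaced"   # a different file now occupies the same path
    if st.st_size != int(row["Size"]):
        return "modified"   # same inode, size changed since it was cached
    return "present"


def triage(rows, root="/"):
    """Classify rows, most recently previewed first, dropping unchanged files."""
    ordered = sorted(rows, key=lambda r: int(r["LastHitDate"]), reverse=True)
    results = [(r["Path"], classify(r, root)) for r in ordered]
    return [(path, status) for path, status in results if status != "present"]


# Constructed sample rows (not real evidence), using the table's field names.
SAMPLE_ROWS = [
    {"Path": "/Users/example/Documents/plan.pdf", "INode": 123, "Size": 123,
     "LastHitDate": 200, "HitCount": "3"},
    {"Path": "/Users/example/Desktop/notes.txt", "INode": 456, "Size": 42,
     "LastHitDate": 100, "HitCount": "1"},
]

if __name__ == "__main__":
    for path, status in triage(SAMPLE_ROWS):
        print(f"{status:9} {path}")
```

Rows reported as missing or replaced are the ones where the cache is the remaining record of the original file, so they are the first candidates for recovering the thumbnail referenced by CachePath.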