Re-Opened Apps
Overview
Evidence: Re-Opened Apps
Description: Collect Re-Opened Apps
Category: System
Platform: macos
Short Name: reapps
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The re-opened apps preference tracks the files and apps that are restored at login. This data is essential for understanding user session restoration and potential persistence via loginwindow.
Data Collected
This collector gathers structured data about re-opened apps.
Re-Opened Apps Data
| Field | Description | Example |
|---|---|---|
| Plist | Plist | Example value |
| FilePath | File Path | Example value |
| OriginalFilename | Original Filename | Example value |
| FileType | File Type | Example value |
| SHA1 | SHA1 | Example value |
| SizeInBytes | Size In Bytes | 123 |
| FileCreated | File Created | 2023-10-15 14:30:25+03:00 |
| FileLastAccessed | File Last Accessed | 2023-10-15 14:30:25+03:00 |
| FileLastChanged | File Last Changed | 2023-10-15 14:30:25+03:00 |
| FileLastModified | File Last Modified | 2023-10-15 14:30:25+03:00 |
Collection Method
This collector joins plist, hash, and file tables to enumerate ByHost loginwindow plists and referenced items, recording metadata into re_opened_apps.
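The same enumeration can be reproduced offline against a copied ByHost directory. The following is an added example, not the collector's own code: it assumes the relaunch list sits under the `TALAppsToRelaunchAtLogin` key with `Path` and `BundleID` entries (general macOS knowledge, not stated on this page), and the function names, the extra `BundleID` column and the sample data are constructed for illustration.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

# Assumption: loginwindow keeps its relaunch list under this key, in
# ~/Library/Preferences/ByHost/com.apple.loginwindow.<UUID>.plist
RELAUNCH_KEY = "TALAppsToRelaunchAtLogin"


def collect_reopened(byhost_dir):
    """Return one row per item referenced by a ByHost loginwindow plist."""
    rows = []
    for plist in sorted(Path(byhost_dir).glob("com.apple.loginwindow.*.plist")):
        try:
            with plist.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception:
            continue  # unreadable or malformed plist: skip it, keep collecting
        if not isinstance(data, dict):
            continue
        for entry in data.get(RELAUNCH_KEY, []):
            raw = entry.get("Path") if isinstance(entry, dict) else None
            if not raw:
                continue
            item = Path(raw)
            row = {"Plist": str(plist), "FilePath": raw,
                   "BundleID": entry.get("BundleID"),
                   "SHA1": None, "SizeInBytes": None}
            # App bundles are directories; only regular files can be hashed.
            if item.is_file():
                blob = item.read_bytes()
                row["SHA1"] = hashlib.sha1(blob).hexdigest()
                row["SizeInBytes"] = len(blob)
            rows.append(row)
    return rows


def demo():
    """Build a constructed ByHost directory and run the collector on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tool = root / "helper.bin"
        tool.write_bytes(b"constructed sample\n")
        entries = [{"BundleID": "com.example.helper", "Path": str(tool)},
                   {"BundleID": "com.example.gone", "Path": str(root / "missing.app")}]
        name = "com.apple.loginwindow.00000000-0000-0000-0000-000000000000.plist"
        with (root / name).open("wb") as fh:
            plistlib.dump({RELAUNCH_KEY: entries}, fh)
        return collect_reopened(root)
```

A row whose `SHA1` is empty points at an item that is a bundle directory or no longer exists on disk; both cases are worth noting during triage.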
Forensic Value
This evidence is crucial for forensic investigations as it highlights recently accessed items and auto‑restored apps that may indicate user behavior or malicious persistence.