Shared File List
Overview
Evidence: Shared File List
Description: Collect Shared File List (SFL) items
Category: System
Platform: macos
Short Name: sfl
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Shared File List (SFL/SFL2) stores recent items and application-specific lists. This data is essential for reconstructing user activity and identifying recently accessed files and apps.
Data Collected
This collector gathers structured data about Shared File List entries.
Shared File List Data
| Field | Description | Example |
|---|---|---|
| User | User | Example value |
| SourceFile | Source File | Example value |
| SourceName | Source Name | Example value |
| ItemIndex | Item Index | 123 |
| Name | Name | Example value |
| URL | URL | Example value |
Collection Method
This collector copies user SFL/SFL2 files, decodes NSKeyedArchive contents, and records entries into shared_file_list.
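The NSKeyedArchive decoding step, as an added example that is not the collector's own code: a minimal Python decoder that resolves the archive's UID references and flattens the items into rows. It assumes an SFL2-style layout (a root dictionary whose `items` array holds dictionaries with `Name` and `Bookmark` keys); the function names and the sample archive are constructed for illustration, and resolving the bookmark blob to a URL is not shown.

```python
import plistlib
from plistlib import UID

def unarchive(data: bytes):
    """Resolve an NSKeyedArchiver plist into plain Python objects."""
    plist = plistlib.loads(data)
    if plist.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    objects = plist["$objects"]

    def resolve(value):
        if isinstance(value, UID):                 # reference into $objects
            target = objects[value.data]
            return None if target == "$null" else resolve(target)
        if isinstance(value, dict) and "$class" in value:
            if "NS.keys" in value:                 # NSDictionary
                return {resolve(k): resolve(v)
                        for k, v in zip(value["NS.keys"], value["NS.objects"])}
            if "NS.objects" in value:              # NSArray / NSSet
                return [resolve(v) for v in value["NS.objects"]]
            return {k: resolve(v) for k, v in value.items() if k != "$class"}
        return value

    return resolve(plist["$top"]["root"])

def sfl_rows(data: bytes, user: str, source_file: str) -> list:
    """Flatten decoded items into rows modelled on the field table above."""
    items = unarchive(data).get("items") or []     # assumed SFL2 key name
    return [{"User": user, "SourceFile": source_file, "ItemIndex": i,
             "Name": item.get("Name"), "BookmarkBytes": len(item.get("Bookmark") or b"")}
            for i, item in enumerate(items)]

def build_sample() -> bytes:
    """Constructed archive (not real evidence): one item, SFL2-style layout."""
    objects = [
        "$null",
        {"$class": UID(7), "NS.keys": [UID(2)], "NS.objects": [UID(3)]},   # root
        "items",
        {"$class": UID(8), "NS.objects": [UID(4)]},                        # items array
        {"$class": UID(7), "NS.keys": [UID(5), UID(9)], "NS.objects": [UID(6), UID(10)]},
        "Name", "report.docx",
        {"$classname": "NSDictionary", "$classes": ["NSDictionary", "NSObject"]},
        {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]},
        "Bookmark", b"constructed-bookmark-bytes",
    ]
    archive = {"$archiver": "NSKeyedArchiver", "$version": 100000,
               "$top": {"root": UID(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)
```

Run it against a copy of the evidence file, never the original, and treat a `ValueError` as a sign the file is not a keyed archive rather than as an empty list.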
Forensic Value
This evidence is crucial for forensic investigations as it reveals recent documents and locations, aiding timeline building and data exfiltration analysis.