Skip to content
AIR Knowledge Base

Software Update Information

Overview

Section titled “Overview”

Evidence: Software Update Information
Description: Collects software update information
Category: System
Platform: macos
Short Name: swinfo
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Section titled “Background”

Software update preferences record last successful updates and recommended updates. This data is essential for verifying patch status and detecting outdated or vulnerable systems.

Data Collected

Section titled “Data Collected”

This collector gathers structured data about software update information.

Collection Method

Section titled “Collection Method”

This collector copies and parses /Library/Preferences/com.apple.SoftwareUpdate.plist and records fields into software_update_information.

Forensic Value

Section titled “Forensic Value”

This evidence is crucial for forensic investigations as it reveals update timelines and failures, helping assess exposure windows and compliance.