SSH Files
Overview
Evidence: SSH Files
Description: Collect all files from SSH directories including configurations, keys, and other SSH-related files
Category: System
Platform: macos
Short Name: sshf
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
SSH configuration and key material define how remote access is performed on Unix-like systems. System directories (e.g., /etc/ssh, /usr/local/etc/ssh) and per-user ~/.ssh hold configs, keys, and trust relationships (known_hosts). These artifacts are critical for understanding access, hardening state, and potential lateral movement paths.
Data Collected
This collector gathers structured data about SSH files.
Collection Method
This collector walks system SSH directories and each user’s ~/.ssh directory, copying regular files into the case content and recording metadata such as ownership, file mode, and timestamps.
Forensic Value
SSH files reveal authorized keys, host trust, cipher/policy settings, and possible backdoors. They help identify unauthorized access, weak configurations, persistence via keys, and relationships to other systems for lateral movement.
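As an added example (not the collector's own code) of the walk described under Collection Method and the weak-configuration review described under Forensic Value: the Python below records ownership, mode and timestamps for every regular file under the SSH roots the page names, then flags private keys and authorized_keys files whose modes allow group or other access. The function names and the sample ~/.ssh tree are constructed for this illustration.

```python
import os
import pwd
import stat
import tempfile
from pathlib import Path

def ssh_roots():
    """System SSH directories named on the page plus each local account's ~/.ssh."""
    system = [Path("/etc/ssh"), Path("/usr/local/etc/ssh")]
    return system + [Path(p.pw_dir) / ".ssh" for p in pwd.getpwall()]

def collect_ssh_files(roots):
    """Walk each root and return one metadata record per regular file (hypothetical helper)."""
    records = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for path in sorted(root.rglob("*")):
            st = path.lstat()  # lstat so symlinks pointing outside the tree are not followed
            if not stat.S_ISREG(st.st_mode):
                continue  # only regular files are collected, as the page describes
            records.append({"path": str(path), "name": path.name, "uid": st.st_uid,
                            "gid": st.st_gid, "mode": stat.S_IMODE(st.st_mode),
                            "mtime": st.st_mtime, "size": st.st_size})
    return records

def weak_permission_findings(records):
    """Flag private keys readable by group/other and authorized_keys writable by them."""
    findings = []
    for r in records:
        name, mode = r["name"], r["mode"]
        is_private = (name.startswith("id_") and not name.endswith(".pub")) or name.endswith("_key")
        if is_private and mode & 0o077:
            findings.append((r["path"], f"private key mode {mode:04o} allows group/other access"))
        if name == "authorized_keys" and mode & 0o022:
            findings.append((r["path"], f"authorized_keys mode {mode:04o} is group/other writable"))
    return findings

def build_sample_tree():
    """Constructed ~/.ssh tree so the example runs offline; not real evidence."""
    base = Path(tempfile.mkdtemp()) / ".ssh"
    base.mkdir(mode=0o700)
    (base / "id_ed25519").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\n[constructed]\n")
    os.chmod(base / "id_ed25519", 0o644)  # deliberately weak: group/other readable
    (base / "id_ed25519.pub").write_text("ssh-ed25519 AAAA[constructed] user@host\n")
    (base / "authorized_keys").write_text("ssh-ed25519 AAAA[constructed] backup@host\n")
    os.chmod(base / "authorized_keys", 0o600)
    (base / "known_hosts").write_text("github.com ssh-ed25519 AAAA[constructed]\n")
    return base
```

On a live host, pass `ssh_roots()` to `collect_ssh_files` instead of the sample tree; the records carry the same ownership, mode and timestamp fields the collector preserves.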