RECENTITEMS
The RECENTITEMS plugin parses data from several dozen files (per user) from the following locations.
| Description | Path |
|---|---|
| Recent Applications from each user's applications (ElCapitan +) | /Users/{USER}/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/* |
| NSNavRecentPlaces and SGTRecentFileSearches | /Users/{USER}/Library/Preferences/.GlobalPreferences.plist |
| FXDesktopVolumePositions and FXRecentFolders | /Users/{USER}/Library/Preferences/com.apple.finder.plist |
| systemitems.volumeslist and favoriteservers | /Users/{USER}/Library/Preferences/com.apple.sidebarlists.plist |
This plugin supports standalone mode.
$ python mac-apt.py -x -o ~/Case_Output E01 ~/Acquisition.E01 RECENTITEMS
| Field Name | Notes |
|---|---|
| Type | Type of Recent Item; UNKNOWN, DOCUMENT, APPLICATION, PLACE, VOLUME |
| Name | Name of Recent Item |
| URL | URL/File location (varies per type) APPLICTION : Location of Application files and contents PLACE : Location of folder/place DOCUMENT : Location of document UNKNOWN : Location of other file/app Volume : Name of volume for application or service |
| Info | Other information associated with the Recent Item |
| User | User associated with the Recent Item |
| Source | Source file from which the information for Recent Item was retrieved |