Sarah Edwards has written a fresh Mac forensics script. The script could be used for parsing both new SFL-based MRU plist files found in OS X 10.11 and ‘older’ format plist files used in OS X 10.10 and older.
This script parses the following plist files:
- /Users/<username>/Library/Preferences/<bundle_id>.LSShardFileList.plist
- /Users/<username>/Library/Preferences/com.apple.finder.plist
- [10.10-] /Users/<username>/Library/Preferences/com.apple.recentitems.plist
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/<bundle_id>.sfl
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl
- [10.11+] /Users/<username>/Library/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl
More info about the script you can get at Sarah’s blog.
You can download the script from GitHub.