Applications

Installed Applications

Overview

macOS tracks installed applications through multiple mechanisms: application bundles in standard directories, an installation history plist recording every installer-based install and update, and Launch Services registration. Together these artifacts provide a complete software inventory with installation dates, sources, and version information.

Forensic Significance

| Evidence Type | Forensic Value |
| --- | --- |
| Application inventory | Complete list of installed software |
| Installation dates | When each application was installed or updated |
| Installation sources | Whether software came from App Store, installer packages, or direct download |
| Version history | Update timeline showing software changes |
| Removed applications | Evidence of previously installed software (via install history) |

File Locations

| Artifact | Path | Format |
| --- | --- | --- |
| System applications | /Applications/ | App bundles |
| User applications | ~/Applications/ | App bundles |
| System utilities | /System/Applications/ | App bundles |
| Install history | /Library/Receipts/InstallHistory.plist | Plist (array) |
| Launch Services DB | ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist | Binary |
| App receipts | /var/db/receipts/ | Plist + BOM files |

Data Format

InstallHistory.plist

An array of dictionaries, one per installation event, sorted chronologically:

| Key | Type | Description |
| --- | --- | --- |
| displayName | String | Human-readable application name |
| displayVersion | String | Version string (e.g., "14.3") |
| date | Date | Installation timestamp |
| packageIdentifiers | Array | Package bundle identifiers |
| processName | String | Installer process (e.g., "installer", "softwareupdated", "storedownloadd") |

Application Bundle Info.plist

Each .app bundle contains Contents/Info.plist with:

| Key | Description |
| --- | --- |
| CFBundleIdentifier | Unique bundle ID (e.g., com.apple.Safari) |
| CFBundleShortVersionString | Marketing version |
| CFBundleVersion | Build version |
| CFBundleExecutable | Main executable name |
| LSMinimumSystemVersion | Minimum macOS version required |

Key Fields for Analysis

Parse Install History

# List all installations with dates (most recent first)
# plutil -convert json rejects the plist's <date> values, so read it with plistlib
python3 -c "
import plistlib
with open('/Library/Receipts/InstallHistory.plist', 'rb') as f:
    data = plistlib.load(f)
for item in reversed(data):
    print(f\"{item.get('date','?')}\t{item.get('processName','?')}\t{item.get('displayName','?')}\t{item.get('displayVersion','?')}\")
"

List Installed Applications

# List all apps with bundle IDs and versions
for app in /Applications/*.app; do
    id=$(defaults read "$app/Contents/Info" CFBundleIdentifier 2>/dev/null)
    ver=$(defaults read "$app/Contents/Info" CFBundleShortVersionString 2>/dev/null)
    echo "$id    $ver    $app"
done

Analysis Notes

  • Install source identification: The processName field in InstallHistory distinguishes between installer (PKG-based installs), softwareupdated (Apple software updates), storedownloadd (App Store downloads), and others.
  • Timestamp correlation: Installation dates can be correlated with FSEvents, quarantine events, and browser history to trace the full download-to-install chain.
  • Removed app evidence: InstallHistory.plist retains records even after an application has been uninstalled. This provides evidence of previously installed software.
  • Code signing verification: Use codesign -dv --verbose=4 on application bundles to verify code signing status, team ID, and whether the app has been modified.
  • Hidden applications: Check non-standard locations like ~/Library/, /usr/local/, and hidden directories for applications installed outside normal paths.
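
The install-source and removed-app notes above, worked through as an added example (not part of the original page or of any tool it lists): plistlib reads the plist, processName is decoded with the mapping from the notes, and events are grouped into a per-application version history. The sample events and function names are constructed for illustration, and comparing history names with bundle names is a heuristic.

```python
import plistlib
from collections import defaultdict
from datetime import datetime

# processName meanings as given in the analysis notes above.
SOURCES = {"installer": "PKG-based install",
           "softwareupdated": "Apple software update",
           "storedownloadd": "App Store download"}

def _ev(date, name, ver, pkg, proc):
    return {"date": date, "displayName": name, "displayVersion": ver,
            "packageIdentifiers": [pkg], "processName": proc}

# Constructed sample in the InstallHistory.plist layout (not real evidence).
SAMPLE = plistlib.dumps([
    _ev(datetime(2024, 1, 10, 9, 15), "ExampleTool", "1.0", "com.example.tool", "installer"),
    _ev(datetime(2024, 2, 1, 3, 0), "Sample Update", "14.3", "com.example.update", "softwareupdated"),
    _ev(datetime(2024, 3, 5, 18, 40), "ExampleTool", "1.1", "com.example.tool", "installer"),
    _ev(datetime(2024, 3, 20, 11, 5), "Notes Helper", "2.0", "com.example.notes", "storedownloadd"),
])

def load_events(plist_bytes):
    """Return install events oldest-first, with processName decoded to a source."""
    events = []
    for item in plistlib.loads(plist_bytes):
        proc = item.get("processName", "?")
        events.append({"date": item.get("date"),
                       "name": item.get("displayName", "?"),
                       "version": item.get("displayVersion", "?"),
                       "packages": item.get("packageIdentifiers", []),
                       "source": SOURCES.get(proc, f"other ({proc})")})
    return sorted(events, key=lambda e: e["date"] or datetime.min)

def version_history(events):
    """Group events by display name: {name: [(date, version, source), ...]}."""
    history = defaultdict(list)
    for e in events:
        history[e["name"]].append((e["date"], e["version"], e["source"]))
    return dict(history)

def not_on_disk(events, installed_names):
    """History names missing from the current bundle listing (heuristic:
    a display name does not always equal the .app bundle name)."""
    installed = {n.lower() for n in installed_names}
    return sorted({e["name"] for e in events if e["name"].lower() not in installed})

if __name__ == "__main__":
    events = load_events(SAMPLE)  # on a live system: read the plist file in "rb" mode
    for name, rows in version_history(events).items():
        for date, ver, src in rows:
            print(f"{date}\t{name}\t{ver}\t{src}")
    print("in history only:", not_on_disk(events, ["Notes Helper", "Sample Update"]))
```

Names returned by not_on_disk are leads to confirm against other artifacts, since the history also records updates and packages that never had an .app bundle.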

Version Differences

| macOS Version | Changes |
| --- | --- |
| 10.6+ | InstallHistory.plist format stable |
| 10.15 (Catalina) | Read-only system volume; system apps under /System/Applications/ |
| 11 (Big Sur) | Signed System Volume (SSV) |

Tool Support

| Tool | Support |
| --- | --- |
| macfor | Not yet implemented (planned) |
| plutil / defaults (macOS built-in) | Read plist files |
| system_profiler (macOS built-in) | SPApplicationsDataType for full app inventory |
| codesign (macOS built-in) | Verify application signatures |
