InstallHistory.plist

macOS, System Configuration, Disk Image

Location

/Library/Receipts/InstallHistory.plist

Common Names

InstallHistory.plist, software update history

Description

System-wide property list recording application installations, package receipts, XProtect or platform updates, and software-update events processed through Apple installers and package frameworks.

Forensic Value

InstallHistory.plist helps establish when software, security updates, and package-based payloads first landed on the Mac. It can highlight suspicious third-party packages introduced near the compromise window, confirm whether the system received Apple security updates before exploitation, and provide product identifiers that are not obvious from simple application-folder listings. Combined with quarantine and Gatekeeper artifacts, it helps reconstruct the lifecycle of user-approved and installer-based software introduction.
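The triage described above, as an added example that is not part of the original catalogue entry: it parses a collected copy of the plist, lists non-Apple package installs inside a suspected compromise window, and finds the last Apple-identified update before a given time. The key names (`date`, `displayName`, `packageIdentifiers`, `processName`) are the commonly seen layout and are an assumption here, and the sample data is constructed.

```python
import plistlib
from datetime import datetime

# Constructed sample; keys follow the commonly seen InstallHistory.plist
# layout (an array of dicts). Real files may omit or add keys.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict><key>date</key><date>2024-03-01T09:12:44Z</date>
 <key>displayName</key><string>XProtectPlistConfigData</string>
 <key>packageIdentifiers</key><array>
  <string>com.apple.pkg.XProtectPlistConfigData</string></array>
 <key>processName</key><string>softwareupdated</string></dict>
<dict><key>date</key><date>2024-03-04T22:40:10Z</date>
 <key>displayName</key><string>Example Helper</string>
 <key>packageIdentifiers</key><array>
  <string>com.example.helper.pkg</string></array>
 <key>processName</key><string>installer</string></dict>
<dict><key>displayName</key><string>Entry without date</string></dict>
</array></plist>"""

def load_events(raw):
    """Parse XML or binary plist bytes into events sorted by date (UTC, naive)."""
    events = []
    for e in plistlib.loads(raw):
        if not isinstance(e.get("date"), datetime):
            continue  # undated entries cannot be placed on a timeline
        events.append({"date": e["date"], "name": e.get("displayName", ""),
                       "ids": list(e.get("packageIdentifiers", [])),
                       "process": e.get("processName", "")})
    return sorted(events, key=lambda ev: ev["date"])

def is_apple(ev):
    # Identifier prefixes are set by the package author, so treat this
    # as a triage filter, not proof of origin.
    return bool(ev["ids"]) and all(i.startswith("com.apple.") for i in ev["ids"])

def third_party_in_window(events, start, end):
    """Non-Apple installs whose timestamp falls inside [start, end]."""
    return [ev for ev in events if start <= ev["date"] <= end and not is_apple(ev)]

def last_apple_update_before(events, when):
    """Most recent Apple-identified event strictly before `when`, or None."""
    prior = [ev for ev in events if ev["date"] < when and is_apple(ev)]
    return prior[-1] if prior else None

if __name__ == "__main__":
    evs = load_events(SAMPLE)
    for ev in third_party_in_window(evs, datetime(2024, 3, 4), datetime(2024, 3, 6)):
        print(ev["date"].isoformat(), ev["process"], ev["name"], ev["ids"])
```

To run it against evidence, pass the bytes of the collected copy (for example the file written to /forensics/InstallHistory.plist) to `load_events` in place of `SAMPLE`.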

Tools Required

plutil, defaults, cp, mac_apt

Collection Commands

plutil

plutil -p /Library/Receipts/InstallHistory.plist > /forensics/install_history.txt

cp

sudo cp /Library/Receipts/InstallHistory.plist /forensics/InstallHistory.plist

defaults

defaults read /Library/Receipts/InstallHistory > /forensics/install_history_defaults.txt

Collection Constraints

  • Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
  • This file records package and software-update events, not every application launch or drag-and-drop install. Some third-party apps and portable bundles do not create receipt history.

MITRE ATT&CK Techniques

T1204.002, T1036.005, T1546