Shining a light on Spotlight: Leveraging Apple's desktop search utility to recover deleted file metadata on macOS

Authors: Atwal, Tajvinder Singh; Scanlon, Mark and Le-Khac, Nhien-An

Publication Date: April 2019

Publication Name: Digital Investigation

Abstract:

Spotlight is a proprietary desktop search technology released by Apple in 2004 for its Macintosh operating system Mac OS X 10.4 (Tiger) and remains as a feature in current releases of macOS. Spotlight allows users to search for files or information by querying databases populated with filesystem attributes, metadata, and indexed textual content. Existing forensic research into Spotlight has provided an understanding of the metadata attributes stored within the metadata store database. Current approaches in the literature have also enabled the extraction of metadata records for extant files, but not for deleted files. The objective of this paper is to research the persistence of records for deleted files within Spotlight's metadata store, identify if deleted database pages are recoverable from unallocated space on the volume, and to present a strategy for the processing of discovered records. In this paper, the structure of the metadata store database is outlined, and experimentation reveals that records persist for a period of time within the database but once deleted, are no longer recoverable. The experimentation also demonstrates that deleted pages from the database (containing metadata records) are recoverable from unused space on the filesystem.

Download:

Download Paper as PDF

BibTeX Entry:

@article{atwal2019macOSSpotlightForensics,
author={Atwal, Tajvinder Singh and Scanlon, Mark and Le-Khac, Nhien-An},
title="{Shining a light on Spotlight: Leveraging Apple's desktop search utility to recover deleted file metadata on macOS}",
journal="{Digital Investigation}",
year="2019",
month="04",
publisher={Elsevier},
keywords = "Spotlight Forensics, Metadata Recovery, macOS Forensics, Mac OS X Forensics, Desktop Search",
abstract="Spotlight is a proprietary desktop search technology released by Apple in 2004 for its Macintosh operating system Mac OS X 10.4 (Tiger) and remains as a feature in current releases of macOS. Spotlight allows users to search for files or information by querying databases populated with filesystem attributes, metadata, and indexed textual content. Existing forensic research into Spotlight has provided an understanding of the metadata attributes stored within the metadata store database. Current approaches in the literature have also enabled the extraction of metadata records for extant files, but not for deleted files. The objective of this paper is to research the persistence of records for deleted files within Spotlight's metadata store, identify if deleted database pages are recoverable from unallocated space on the volume, and to present a strategy for the processing of discovered records. In this paper, the structure of the metadata store database is outlined, and experimentation reveals that records persist for a period of time within the database but once deleted, are no longer recoverable. The experimentation also demonstrates that deleted pages from the database (containing metadata records) are recoverable from unused space on the filesystem."
}