Mac OS X Spotlight


Spotlight is Apple’s Mac OS X content indexing and search feature. Like any other desktop search technology, it is aimed at helping the user find files and folders on the computer. Spotlight indexes all the files and folders on a volume, storing metadata about filesystem objects to provide rapid, volume-wide searching. The stored file or folder information includes standard filesystem metadata, MAC times (Modified, Accessed, Created) and at least part of the file-internal metadata, which varies with the type of file: for example, EXIF information for photos or Word-specific metadata for MS Word files. These databases are created by OS X and above on each volume the machine can access, including flash drives. The most recent versions of Spotlight also store information at the user level.

Much of the information held in Spotlight can also be obtained by examining the full disk image, yet Spotlight still provides useful data for a forensic investigation, because some of the information in its database is not available elsewhere. For example, the last opened date(s) or the number of times a folder, file or app was opened or used are not recorded anywhere else on the Mac OS X file system.

Location and Characteristics of Spotlight Databases

A Spotlight database can be enabled for each volume in a Mac system that OS X can write to. The database and its associated files are located in a folder named “.Spotlight-V100”. Within this folder there are at least one plist configuration file and two databases. Spotlight databases are compressed. Although there is no official documentation for the Spotlight database format, forensic tools such as Cellebrite Inspector and Magnet Axiom parse the content of these databases.
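The following script is an added example and is not code from the original article or from any of the tools it names. It walks a set of mount roots, finds every “.Spotlight-V100” folder, and records each file inside it (role by extension, size, modification time and SHA-256) so the index store can be documented and preserved before any parser is run against it. The root paths and the file names used in the test are constructed; nothing about the internal database layout is assumed.

```python
"""Inventory Spotlight index folders (.Spotlight-V100) under given mount roots.

Added example, not from the original article. It walks each root, finds
every ".Spotlight-V100" directory, and records each file inside it with its
size, modification time and SHA-256, so the collection is documented before
any tool parses the undocumented, compressed databases.
"""
import hashlib
import json
import os
import sys
from datetime import datetime, timezone

SPOTLIGHT_DIR = ".Spotlight-V100"


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large index stores need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def classify(name):
    """Rough role of a file inside the index folder, judged by extension only."""
    lower = name.lower()
    if lower.endswith(".plist"):
        return "config"
    if lower.endswith(".db"):
        return "database"
    return "other"


def find_spotlight_dirs(roots):
    """Yield every .Spotlight-V100 directory found below the given roots."""
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):
            if SPOTLIGHT_DIR in dirnames:
                yield os.path.join(dirpath, SPOTLIGHT_DIR)
                dirnames.remove(SPOTLIGHT_DIR)  # inventoried separately below


def inventory(spotlight_dir):
    """Return one record per file (hidden files included) inside an index folder."""
    records = []
    for dirpath, _, filenames in os.walk(spotlight_dir):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            stat = os.stat(path)
            records.append({
                "path": os.path.relpath(path, spotlight_dir),
                "role": classify(name),
                "size": stat.st_size,
                "mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_of(path),
            })
    return records


def triage(roots):
    """Map each Spotlight folder found under the roots to its file inventory."""
    return {folder: inventory(folder) for folder in find_spotlight_dirs(roots)}


if __name__ == "__main__":
    # Default root is where macOS mounts external volumes; pass others as arguments.
    print(json.dumps(triage(sys.argv[1:] or ["/Volumes"]), indent=2))
```

Run it against a read-only mount of the evidence volume so the inventory itself does not alter access times on the index files; the JSON output is suitable for attaching to the collection notes.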

Spotlight Forensics

Spotlight artifacts are a valuable source for forensic examiners. For example, Spotlight metadata may record how files were placed on the computer, including, for downloaded files, the browser used and the full source URL. In addition, since Spotlight also indexes file content, it may be possible to recover earlier text file content even when the file has since been modified or deleted. Yet another example is the metadata field “kMDItemUseCount”, which records the number of times a certain app was used. Also, a Spotlight database is automatically generated when a volume is connected to a Mac computer, so it can serve as evidence that an external disk was used to copy files. In short, OS X’s Spotlight feature offers the examiner a vital repository to assist in gathering digital evidence.
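On a live Mac the per-file Spotlight attributes discussed above can be read with the built-in `mdls` command. The parser below is an added example, not code from the article, and turns `mdls` text output (one `key = value` line per attribute, arrays spanning several lines in parentheses) into a dictionary, then pulls out the use count, last-used date and download source. `kMDItemUseCount` is the field the article names; `kMDItemLastUsedDate` and `kMDItemWhereFroms` are Apple's attribute names for the last-opened date and the download source URLs, which the article describes but does not name. The sample output is constructed, with invented values and example.test URLs.

```python
"""Parse `mdls` output into a dict and summarise the Spotlight attributes
most useful to an examiner: use count, last-used date and download source.

Added example, not from the original article. SAMPLE_MDLS_OUTPUT is a
constructed sample of the mdls text format; the values are invented.
"""
import re
import sys
from datetime import datetime

SAMPLE_MDLS_OUTPUT = """\
kMDItemContentType             = "com.apple.disk-image-udif"
kMDItemFSName                  = "installer.dmg"
kMDItemFSSize                  = 1048576
kMDItemUseCount                = 3
kMDItemLastUsedDate            = 2021-03-04 12:34:56 +0000
kMDItemWhereFroms              = (
    "https://downloads.example.test/installer.dmg",
    "https://www.example.test/"
)
kMDItemAuthors                 = (null)
"""

LINE_RE = re.compile(r"^(\S+)\s*=\s*(.*)$")


def _scalar(raw):
    """Convert one mdls value token: (null), quoted string, integer or bare text."""
    raw = raw.strip()
    if raw == "(null)":
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw  # dates and other unquoted values stay as text


def parse_mdls(text):
    """Return {attribute: value} for mdls output, joining multi-line arrays."""
    result = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        match = LINE_RE.match(lines[i])
        i += 1
        if not match:
            continue
        key, raw = match.group(1), match.group(2).strip()
        if raw == "(":  # array continues on following lines until ")"
            items = []
            while i < len(lines) and lines[i].strip() != ")":
                items.append(_scalar(lines[i].strip().rstrip(",")))
                i += 1
            i += 1  # skip the closing ")"
            result[key] = items
        elif raw == "()":
            result[key] = []
        else:
            result[key] = _scalar(raw)
    return result


def parse_mdls_date(value):
    """mdls prints dates as 'YYYY-MM-DD HH:MM:SS +ZZZZ'; None passes through."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %z") if value else None


def usage_summary(meta):
    """Reduce a parsed record to the artifacts an examiner looks at first."""
    return {
        "name": meta.get("kMDItemFSName"),
        "use_count": meta.get("kMDItemUseCount"),
        "last_used": parse_mdls_date(meta.get("kMDItemLastUsedDate")),
        "where_froms": meta.get("kMDItemWhereFroms") or [],
    }


if __name__ == "__main__":
    # Pipe real output in with:  mdls /path/to/file | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MDLS_OUTPUT
    print(usage_summary(parse_mdls(text)))
```

The parser is deliberately tolerant: a missing attribute appears as `(null)` in `mdls` output and becomes `None`, so the summary still builds for files that were never downloaded or never opened.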