Introducing Spotlight Inspector (SI)
Spotlight is the name of Apple OS X’s desktop search functionality. It indexes all the files on a volume, storing metadata about each filesystem object (e.g. file, directory) in order to provide fast and extensive file searching.
The metadata stored includes familiar filesystem metadata, such as MAC times, as well as file-internal metadata like image dimensions and color model. Spotlight allows users to search for documents with the Author tag “Snowden,” for example.
These databases are created by OS X on each volume the machine can access, including flash drives, so a removable drive carries its own index of what was stored on it. On each volume the database can be found at the path /.Spotlight-V100/Store-V2/<SomeHash>/store.db; we have also provided some sample databases with the tool download.
504ensics is proud to introduce our newest forensic tool, Spotlight Inspector (SI). This is a brand new tool we’re developing for the analysis of OSX Spotlight databases. It parses Spotlight metadata databases and provides functionality to work with the internal data in a clean and useful way. On to some features!
With case management you can create and load case files. Using case files means that not only will evidence that you added to the case be persistent through program executions, so will search history.
Here we have the Evidence Management tab. This is where we add and remove Spotlight databases; each file added is automatically timestamped and an MD5 hash is generated for logging.
Parsing these files can sometimes take a little time, so parsing is done in a way that keeps the UI responsive: you can set up several files to parse and begin working with the results of one while the rest continue to process. Additionally, after the first time a file is parsed, the results are cached so that no re-processing is necessary, and the evidence list colors the item so you know what you’ve looked at.
Then we have our report buttons. There are currently three types of reports you can choose from.
- Analyze will provide a basic report view of the Spotlight data, allowing you to browse the filesystem objects in a hierarchical fashion, search your current view and export results to a report for use externally.
- Timeline is a much narrower view of the data and is exceptionally useful to export as a Sleuth Kit mactime body file.
- Diff actually provides two functions based on whether Advanced Diff is enabled or not. If it is not enabled, it performs a basic diff of the two selected files. If it is enabled, SI instead populates the advanced diff field list with all the fields that exist in the selected files. This intermediary step allows the user to specify precisely which fields to base comparisons on. After selecting fields, ‘GO!’ will finish performing the diff operation.
That brings us to the report tabs. All reports have the same basic feel and functionality. On the left we have a hierarchical tree view of the volume which links to the table view on the right. Selecting an item in the tree view populates the table view with the data of objects found in that directory, and does so recursively as well if that option is enabled. Above the tree view is a collection of useful operations for the report: the recursive option we mentioned earlier, as well as search and export functionality.
Export report will dump the entirety of the report to a tab-separated value file in most cases. This file can then be opened directly by a spreadsheet application such as Microsoft Excel for more extensive functionality. As mentioned, for Timeline reports the export is instead a TSK body file, which makes it easy to hand timeline reports to external tools such as mactime.
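To make the Timeline export concrete, here is an added example (not Spotlight Inspector’s own code) that writes Spotlight-style metadata records as a Sleuth Kit 3.x body file, the format mactime reads. The records are constructed by hand using real Spotlight attribute names; nothing here parses store.db, and which Spotlight attribute feeds which body-file time column (and the mode string, which is not a Spotlight attribute) is an assumption made for this example.

```python
"""Write Spotlight-style metadata records as a Sleuth Kit 3.x mactime body file.

Added example, not Spotlight Inspector's code. Records are constructed dicts
using real Spotlight attribute names (kMDItemFSSize, kMDItemLastUsedDate, ...);
the attribute -> body-file column mapping below is an assumption.
"""
from datetime import datetime, timezone

# Sleuth Kit 3.x body file columns:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Assumed Spotlight attribute -> time column mapping (epoch seconds, 0 = unknown).
TIME_COLUMNS = (
    ("kMDItemLastUsedDate", "atime"),
    ("kMDItemContentModificationDate", "mtime"),
    ("kMDItemFSContentChangeDate", "ctime"),
    ("kMDItemContentCreationDate", "crtime"),
)


def to_epoch(value):
    """'YYYY-MM-DD HH:MM:SS' UTC string -> epoch seconds; missing -> 0 (mactime convention)."""
    if not value:
        return 0
    dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def record_to_body_line(oid, rec):
    """Render one record (keyed by its Spotlight Object ID) as a body-file line."""
    # '|' is the column separator, so it must not survive inside the name.
    name = rec["path"].replace("|", "_")
    times = [str(to_epoch(rec.get(attr))) for attr, _ in TIME_COLUMNS]
    columns = [
        "0",                                   # MD5: none stored; mactime accepts 0
        name,
        str(oid),                              # inode column carries the Spotlight OID
        rec.get("mode", ""),                   # assumed key, e.g. r/rrw-r--r--
        str(rec.get("kMDItemFSOwnerUserID", 0)),
        str(rec.get("kMDItemFSOwnerGroupID", 0)),
        str(rec.get("kMDItemFSSize", 0)),
    ] + times
    return "|".join(columns)


def export_body_file(records):
    """records: {oid: record}. Returns body-file text, one line per object, sorted by OID."""
    return "\n".join(record_to_body_line(oid, rec) for oid, rec in sorted(records.items())) + "\n"


# Constructed sample: two objects as they might look once parsed out of a store.db.
SAMPLE = {
    1042: {
        "path": "/Users/alice/Documents/report.pdf",
        "kMDItemFSSize": 48213,
        "kMDItemFSOwnerUserID": 501,
        "kMDItemFSOwnerGroupID": 20,
        "mode": "r/rrw-r--r--",
        "kMDItemContentCreationDate": "2013-06-01 00:00:00",
        "kMDItemContentModificationDate": "2013-06-04 12:00:00",
        "kMDItemFSContentChangeDate": "2013-06-04 12:00:00",
        "kMDItemLastUsedDate": "2013-06-05 12:00:00",
    },
    1043: {
        "path": "/Users/alice/Documents/notes|draft.txt",  # separator in a name is neutralised
        "kMDItemFSSize": 120,
        "kMDItemFSOwnerUserID": 501,
        "kMDItemFSOwnerGroupID": 20,
        "mode": "r/rrw-r--r--",
        "kMDItemContentCreationDate": "2013-06-01 00:00:00",
        # never opened: no kMDItemLastUsedDate, so atime is written as 0
    },
}

if __name__ == "__main__":
    print(export_body_file(SAMPLE), end="")
```

Feed the output to `mactime -b spotlight.body` to get the usual sorted timeline; objects with no recorded access time show an atime of 0 rather than a fabricated value, which is the behaviour you want when the index simply never saw the file opened.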
As we’re showing a nice view of a diff report here, let’s explain how diffing works for Spotlight databases. Diffing is useful for two related files, such as historic copies of a volume’s database taken before and after files were deleted, added or modified. In Spotlight, every file has a unique Object ID (OID) to identify it and many different fields which contain metadata about the file. In a basic diff operation we look at the files in two databases. For each file, we compare it to the file that shares the same OID in the other database. If every single field is the same, we denote it as equal. If any field at all is different, we call it not-equal. The remaining case is that no file with that OID exists in the other database, in which case it’s exclusive. In our results we add the additional column diffstatus which records that outcome. Advanced diffing follows the same process, except that we can specify precisely which fields to compare when looking at the two files with the same OID, so that, for example, a rename or a changed access time does not drown out the content changes you care about. This is a great way to reveal files that were deleted, created or modified between two related Spotlight databases.
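The basic and advanced diff described above, as an added example in Python (not Spotlight Inspector’s own code). Both stores are constructed dicts of {OID: {attribute: value}} using real Spotlight attribute names; the status labels follow the post (equal, not-equal, exclusive), with the exclusive side added so a deleted file can be told from a created one, and the advanced diff takes the chosen field list as a parameter instead of a UI selection.

```python
"""Basic and advanced diff of two Spotlight metadata stores, keyed by Object ID.

Added example, not Spotlight Inspector's code. OLD and NEW are constructed
stores; 'exclusive-a' / 'exclusive-b' refine the post's 'exclusive' status.
"""


def all_fields(store_a, store_b):
    """Advanced-diff intermediary step: every field seen in either store."""
    fields = set()
    for store in (store_a, store_b):
        for rec in store.values():
            fields.update(rec)
    return sorted(fields)


def diff_stores(store_a, store_b, fields=None):
    """Compare records that share an OID.

    fields=None compares every field (basic diff); a list of field names
    compares only those (advanced diff). Returns {oid: diffstatus}.
    """
    result = {}
    for oid in set(store_a) | set(store_b):
        in_a, in_b = oid in store_a, oid in store_b
        if in_a and not in_b:
            result[oid] = "exclusive-a"    # only in the older store: deleted since
        elif in_b and not in_a:
            result[oid] = "exclusive-b"    # only in the newer store: created since
        else:
            ra, rb = store_a[oid], store_b[oid]
            keys = (set(ra) | set(rb)) if fields is None else set(fields)
            # A field present on one side only counts as different, like a changed value.
            same = all(ra.get(k) == rb.get(k) for k in keys)
            result[oid] = "equal" if same else "not-equal"
    return result


def changed(status):
    """OIDs worth a second look: anything whose diffstatus is not 'equal'."""
    return sorted(oid for oid, s in status.items() if s != "equal")


# Fields that reflect content rather than naming or access: the advanced-diff selection.
CONTENT_FIELDS = ["kMDItemContentModificationDate", "kMDItemFSSize"]

# Constructed "before" snapshot of a volume's store.
OLD = {
    1001: {"kMDItemFSName": "report.pdf", "kMDItemFSSize": 48213,
           "kMDItemContentModificationDate": "2013-06-04 12:00:00"},
    1002: {"kMDItemFSName": "draft.txt", "kMDItemFSSize": 120,
           "kMDItemContentModificationDate": "2013-06-01 09:00:00"},
    1003: {"kMDItemFSName": "secrets.xlsx", "kMDItemFSSize": 9000,
           "kMDItemContentModificationDate": "2013-05-30 08:00:00"},
    1005: {"kMDItemFSName": "old_name.doc", "kMDItemFSSize": 2048,
           "kMDItemContentModificationDate": "2013-05-20 10:00:00"},
}

# Constructed "after" snapshot: draft.txt edited, secrets.xlsx gone,
# photo.png added, old_name.doc renamed but its content untouched.
NEW = {
    1001: dict(OLD[1001]),
    1002: {"kMDItemFSName": "draft.txt", "kMDItemFSSize": 340,
           "kMDItemContentModificationDate": "2013-06-06 15:30:00"},
    1004: {"kMDItemFSName": "photo.png", "kMDItemFSSize": 51200,
           "kMDItemContentModificationDate": "2013-06-06 16:00:00"},
    1005: {"kMDItemFSName": "new_name.doc", "kMDItemFSSize": 2048,
           "kMDItemContentModificationDate": "2013-05-20 10:00:00"},
}

if __name__ == "__main__":
    for oid, s in sorted(diff_stores(OLD, NEW).items()):
        print(oid, s)
    print("advanced:", sorted(diff_stores(OLD, NEW, CONTENT_FIELDS).items()))
```

With the basic diff, the rename of OID 1005 shows up as not-equal alongside the genuine edit to 1002; narrowing the comparison to CONTENT_FIELDS marks 1005 equal again, which is exactly the noise reduction the advanced diff’s field selection is for.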
And finally, search. On the left of the search window we have the search history, so that you can easily reuse searches you’ve previously made. On the right side is where you specify the search terms, one per line. Search works from the current hierarchy selection of the report, so you can easily drill down and search just the location you want, recursively or not. If no search title is specified, the current timestamp is used as the title for you. One of the coolest things about searching, which we hinted at earlier, is that when you’re working out of an active case your search history gets saved too. It’s a fantastic way to pick up where you left off on a case.
And that’s some of the current features of Spotlight Inspector. It’s currently brand new and in active development here at 504ensics so the features and improvements are coming in quick. Give us a shout and let us know what you think!
Downloading Spotlight Inspector
A Brief Overview of Computer Forensics:
Computer forensics is the science of determining what actions have been performed on a computer under investigation. This can include when files were created or modified, what web sites a user has visited, recovering deleted files and much, much more. In addition to practicing forensics for our clients, we are also active researchers in the field.