Forensic Analysis of the OS X Spotlight Search Index

January 13, 2013

Although not yet nearly as widespread as the Windows platform, Mac OS X-based machines are quickly gaining market share and are now commonly seen in real-world investigations. While some research exists for analysis on this platform, almost none covers deep parsing of the Spotlight index. That index is built by the Mac OS X Spotlight desktop search system to support search on live systems; it holds a wealth of useful information drawn from files on the system, including English words and metadata across many different file types. Just some of the metadata indexed includes:

  • File name, size, and MAC times
  • EXIF data for image formats
  • Internal metadata for Office and PDF documents
  • Origin URL for Safari downloads

These items are indexed across files on local disks, inserted removable disks, and even accessible file shares on the local network. This is clearly of tremendous forensic interest, yet almost no research exists on the Spotlight index format, what else might be stored within it, or how to recover historical (deleted) versions of the index (especially given the difficulty of deleted-file recovery in HFS+).
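The metadata listed above can be read from a live OS X system with Apple's mdls command-line tool, which prints the Spotlight attributes of a file (with -plist, as an XML property list). The following is an added example, not code from 504ENSICS Labs or from this post: it parses a constructed mdls-style plist, reduces it to the fields an examiner cares about (name, size, MAC-style timestamps, origin URL, document metadata), and turns a set of such records into a sorted timeline plus a list of downloaded files. The attribute names (kMDItemFSName, kMDItemWhereFroms, and so on) are Apple's documented Spotlight keys; the sample values are invented.

```python
import plistlib
from datetime import datetime

# Constructed sample: an XML plist shaped like the output of
# `mdls -plist - <file>` on OS X. Attribute names are Apple's documented
# Spotlight metadata keys; every value below is invented for this example.
SAMPLE_MDLS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>kMDItemFSName</key><string>invoice.pdf</string>
    <key>kMDItemFSSize</key><integer>48213</integer>
    <key>kMDItemFSCreationDate</key><date>2013-01-10T14:02:11Z</date>
    <key>kMDItemFSContentChangeDate</key><date>2013-01-11T09:15:40Z</date>
    <key>kMDItemLastUsedDate</key><date>2013-01-12T18:30:05Z</date>
    <key>kMDItemWhereFroms</key>
    <array><string>http://example.invalid/downloads/invoice.pdf</string></array>
    <key>kMDItemAuthors</key><array><string>J. Doe</string></array>
    <key>kMDItemTitle</key><string>Invoice 4471</string>
</dict>
</plist>
"""

# Spotlight attribute -> (summary field, value kind). "date" fields feed the timeline.
ATTRIBUTE_MAP = {
    "kMDItemFSName": ("name", "str"),
    "kMDItemFSSize": ("size", "int"),
    "kMDItemFSCreationDate": ("created", "date"),
    "kMDItemFSContentChangeDate": ("modified", "date"),
    "kMDItemLastUsedDate": ("last_used", "date"),
    "kMDItemWhereFroms": ("origin_urls", "list"),   # Safari download origin
    "kMDItemAuthors": ("authors", "list"),          # Office/PDF internal metadata
    "kMDItemTitle": ("title", "str"),
}


def parse_mdls_plist(data: bytes) -> dict:
    """Parse an mdls XML plist into a plain dict of Spotlight attributes."""
    md = plistlib.loads(data)
    if not isinstance(md, dict):
        raise ValueError("expected a plist dictionary at top level")
    return md


def summarize(md: dict) -> dict:
    """Reduce a raw attribute dict to the fields of forensic interest.

    Absent attributes stay None (or an empty list), so a file with no
    kMDItemWhereFroms is distinguishable from a download whose origin URL
    was indexed.
    """
    out = {"name": None, "size": None, "created": None, "modified": None,
           "last_used": None, "origin_urls": [], "authors": [], "title": None}
    for attr, (field, kind) in ATTRIBUTE_MAP.items():
        if attr not in md:
            continue
        value = md[attr]
        if kind == "list":
            out[field] = [str(v) for v in value]
        elif kind == "date" and isinstance(value, datetime):
            out[field] = value  # plistlib yields naive datetimes in UTC
        elif kind == "int":
            out[field] = int(value)
        else:
            out[field] = str(value)
    return out


def timeline(summaries) -> list:
    """Build a chronologically sorted (timestamp, event, file name) list."""
    events = []
    for s in summaries:
        for field in ("created", "modified", "last_used"):
            if s[field] is not None:
                events.append((s[field], field, s["name"]))
    return sorted(events)


def downloaded_files(summaries) -> list:
    """Return (file name, origin URL) pairs for items with a recorded origin."""
    return [(s["name"], url) for s in summaries for url in s["origin_urls"]]


if __name__ == "__main__":
    summary = summarize(parse_mdls_plist(SAMPLE_MDLS_PLIST))
    for ts, event, name in timeline([summary]):
        print(f"{ts.isoformat()}  {event:<9} {name}")
    for name, url in downloaded_files([summary]):
        print(f"origin of {name}: {url}")
```

On a live system the same functions can be fed the output of `mdls -plist - <path>` for each file of interest; the point of the example is that the indexed metadata already carries a download provenance and usage timeline without touching the files themselves, which is exactly what makes the on-disk index, and its historical copies, worth parsing offline.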

504ENSICS Labs is currently researching the on-disk format of the Spotlight index in order to fully explore its contents for artifacts of forensic interest, and is leveraging this research to develop technologies that will provide powerful tools for forensic investigators as well as for incident responders and malware analysis practitioners.