Spotlight Metadata
Overview
Evidence: Spotlight Metadata
Description: Collects macOS Spotlight metadata from system and all user store databases
Category: System
Platform: macos
Short Name: spotlight
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
macOS Spotlight maintains comprehensive metadata indexes of files, applications, emails, and user activity across the system. The store.db files contain rich metadata including file paths, creation/modification times, content types, keywords, email addresses, geographic coordinates, and user interactions. System-level stores track global file activity, while user-level stores contain personalized metadata and search history. This data is essential for reconstructing user activity, file access patterns, and document timelines.
Data Collected
This collector gathers structured data about Spotlight metadata.
Spotlight Metadata Data
| Field | Description | Example |
|---|---|---|
| ID | ID | 123 |
| Username | Username | Example value |
| Inode | Inode | 123 |
| Flags | Flags | Example value |
| ItemID | Item ID | 123 |
| ParentInode | Parent Inode | 123 |
| DateUpdated | Date Updated | 2023-10-15 14:30:25+03:00 |
| Filepath | Filepath | Example value |
| Metadata | Metadata | Example value |
Collection Method
This collector discovers and parses all Spotlight store.db files from both system storage (/System/Volumes/Data/.Spotlight-V100/Store-V2/*/store.db) and all user home directories (Library/Metadata/CoreSpotlight/.../store.db). It processes each database concurrently, extracting file metadata, timestamps, and attributes, then records them into the spotlight_metadata table with username and source path context.
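As an added illustration of the collection method described above (this is not the collector's own code), the following Python sketch discovers store.db files at the system and user locations, derives the username from the Users/<name> path component, stats each store concurrently, and records one source-path context row per store into a spotlight_metadata table with the documented fields. It parses no store.db records; the recursive user-side glob and the SAMPLE-* directory names in the constructed sample tree are assumptions.

```python
import glob, json, os, sqlite3, tempfile
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timezone
# Store locations named on the page; the user-side pattern uses a recursive glob
# because the subdirectory layout under CoreSpotlight is not spelled out (assumption).
SYSTEM_GLOB = "System/Volumes/Data/.Spotlight-V100/Store-V2/*/store.db"
USER_GLOB = "Users/*/Library/Metadata/CoreSpotlight/**/store.db"

def discover_stores(root):
    """Sorted (username, path) pairs: "system" for system stores, else Users/<name>."""
    found = [("system", p) for p in glob.glob(os.path.join(root, SYSTEM_GLOB))]
    for p in glob.glob(os.path.join(root, USER_GLOB), recursive=True):
        found.append((os.path.relpath(p, root).split(os.sep)[1], p))
    return sorted(found)

def store_context(store):
    """Source-path context for one store from stat() alone (record format not parsed)."""
    username, path = store
    st, parent = os.stat(path), os.stat(os.path.dirname(path))
    updated = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
    return (username, st.st_ino, "store", None, parent.st_ino, updated, path,
            json.dumps({"size": st.st_size}))

def record_stores(conn, stores):
    """Create spotlight_metadata with the documented fields; one row per store."""
    conn.execute("""CREATE TABLE IF NOT EXISTS spotlight_metadata (
        ID INTEGER PRIMARY KEY, Username TEXT, Inode INTEGER, Flags TEXT, ItemID INTEGER,
        ParentInode INTEGER, DateUpdated TEXT, Filepath TEXT, Metadata TEXT)""")
    with ThreadPoolExecutor() as pool:          # stat the stores concurrently
        rows = list(pool.map(store_context, stores))
    conn.executemany("INSERT INTO spotlight_metadata (Username, Inode, Flags, ItemID,"
                     " ParentInode, DateUpdated, Filepath, Metadata) VALUES (?,?,?,?,?,?,?,?)",
                     rows)
    return len(rows)

def build_sample_tree():
    """Constructed sample volume; SAMPLE-* directory names are placeholders."""
    root = tempfile.mkdtemp()
    for rel in ("System/Volumes/Data/.Spotlight-V100/Store-V2/SAMPLE-UUID/store.db",
                "Users/alice/Library/Metadata/CoreSpotlight/SAMPLE-INDEX/store.db",
                "Users/bob/Library/Metadata/CoreSpotlight/SAMPLE-INDEX/store.db"):
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        open(os.path.join(root, rel), "wb").close()
    return root

def demo():
    conn = sqlite3.connect(":memory:")
    count = record_stores(conn, discover_stores(build_sample_tree()))
    users = [r[0] for r in conn.execute("SELECT Username FROM spotlight_metadata ORDER BY Username")]
    return {"rows": count, "users": users}
```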
Forensic Value
This evidence is crucial for forensic investigations as it provides comprehensive file activity history, including deleted files that remain in the index, document metadata (authors, keywords, GPS coordinates), email addresses, application usage, and user search patterns. It helps establish file presence, user knowledge, and temporal relationships between files and activities, often revealing evidence that no longer exists in the filesystem.