Shining a light on Spotlight: Leveraging Apple's desktop search utility to recover deleted file metadata on macOS
Tajvinder Singh Atwal, Mark Scanlon, Nhien-An Le-Khac

TL;DR
This paper investigates whether metadata records for deleted files in macOS Spotlight are recoverable. It finds that records persist temporarily in the metadata store database, and that deleted database pages can be recovered from unallocated space on the filesystem.
Contribution
It provides an analysis of Spotlight's metadata store structure and demonstrates methods to recover deleted file metadata from unallocated filesystem space.
Findings
Deleted metadata records are no longer recoverable once removed from the database.
Deleted database pages containing metadata are recoverable from unallocated filesystem space.
Metadata persists temporarily in the database before deletion.
Abstract
Spotlight is a proprietary desktop search technology released by Apple in 2004 for its Macintosh operating system Mac OS X 10.4 (Tiger) and remains as a feature in current releases of macOS. Spotlight allows users to search for files or information by querying databases populated with filesystem attributes, metadata, and indexed textual content. Existing forensic research into Spotlight has provided an understanding of the metadata attributes stored within the metadata store database. Current approaches in the literature have also enabled the extraction of metadata records for extant files, but not for deleted files. The objective of this paper is to research the persistence of records for deleted files within Spotlight's metadata store, identify if deleted database pages are recoverable from unallocated space on the volume, and to present a strategy for the processing of discovered…
