# Shining a light on Spotlight: Leveraging Apple's desktop search utility   to recover deleted file metadata on macOS

**Authors:** Tajvinder Singh Atwal, Mark Scanlon, Nhien-An Le-Khac

arXiv: 1903.07053 · 2019-03-19

## TL;DR

This paper investigates whether metadata records for deleted files in macOS Spotlight are recoverable, finding that while records persist temporarily in the database, deleted pages can be recovered from filesystem unallocated space.

## Contribution

It provides an analysis of Spotlight's metadata store structure and demonstrates methods to recover deleted file metadata from unallocated filesystem space.

## Key findings

- Deleted metadata records are no longer recoverable once removed from the database.
- Deleted database pages containing metadata are recoverable from unallocated filesystem space.
- Metadata persists temporarily in the database before deletion.

## Abstract

Spotlight is a proprietary desktop search technology released by Apple in 2004 for its Macintosh operating system Mac OS X 10.4 (Tiger) and remains as a feature in current releases of macOS. Spotlight allows users to search for files or information by querying databases populated with filesystem attributes, metadata, and indexed textual content. Existing forensic research into Spotlight has provided an understanding of the metadata attributes stored within the metadata store database. Current approaches in the literature have also enabled the extraction of metadata records for extant files, but not for deleted files. The objective of this paper is to research the persistence of records for deleted files within Spotlight's metadata store, identify if deleted database pages are recoverable from unallocated space on the volume, and to present a strategy for the processing of discovered records. In this paper, the structure of the metadata store database is outlined, and experimentation reveals that records persist for a period of time within the database but once deleted, are no longer recoverable. The experimentation also demonstrates that deleted pages from the database (containing metadata records) are recoverable from unused space on the filesystem.

---
Source: https://tomesphere.com/paper/1903.07053