Spotlight Metadata Index

macosFilesystem & TimelineDisk Image

Location

/.Spotlight-V100/ (per-volume) and ~/Library/Metadata/CoreSpotlight/

Description

macOS Spotlight search index containing rich metadata for every indexed file on the volume including file name, content type, creation and modification dates, author, file size, and for supported file types, extracted text content. The index is stored in a proprietary database format within the hidden .Spotlight-V100 directory at the root of each volume.

Forensic Value

Spotlight metadata preserves file attribute information even after the original files are deleted, providing evidence of files that previously existed on the system. The index contains kMDItemContentCreationDate, kMDItemContentModificationDate, and kMDItemFSName fields that can reconstruct what files were present and when. For documents, the extracted text content cached in the index can reveal the contents of deleted files. This is particularly valuable in data exfiltration cases where sensitive files were staged and then removed.

Tools Required

mac_aptmdlsmdfindspotlight_parserAutopsy

Acquisition Methods

External Boot dd Image (Intel Mac)

macos — physical

Target Disk Mode (Intel Mac)

macos — physical

Share Disk (Apple Silicon)

macos — physical

SUMURI Recon ITR Logical Acquisition

macos — logical

Cellebrite Digital Collector (macOS)

macos — logical