Time Machine Backup Metadata

macosFilesystem & TimelineDisk Image

Location

/Volumes/.timemachine/ and backup store on external/network volume (Backups.backupdb/)

Description

Time Machine backup metadata and backup store containing incremental snapshots of the entire filesystem taken at hourly, daily, and weekly intervals. The backup store uses hard links for unchanged files and contains full copies of modified files, preserving historical versions of every file on the system.

Forensic Value

Time Machine backups provide historical file versions that predate the compromise, enabling comparison of pre-attack and post-attack states. Malware persistence mechanisms, modified system files, and attacker-created accounts can be identified by diffing backup snapshots across the intrusion timeline. Even if the attacker wiped the primary disk, Time Machine backups on external or network storage may remain intact. The backup metadata includes precise timestamps for each snapshot, establishing when changes first appeared.

Tools Required

tmutilmac_aptAutopsydifffind

Acquisition Methods

External Boot dd Image (Intel Mac)

macos — physical

Target Disk Mode (Intel Mac)

macos — physical

Share Disk (Apple Silicon)

macos — physical

SUMURI Recon ITR Logical Acquisition

macos — logical

Cellebrite Digital Collector (macOS)

macos — logical