Spotlight Inspector

[Aerosol]

Spotlight is name of Apple OSX’s desktop search functionality. It indexes all the files on a volume storing metadata about filesystem object (e.g. file, directory) in an effort to provide fast and extensive file searching capabilities.

The metadata stored includes familiar filesystem metadata, as in MAC times as well as file-internal metadata like image dimensions and color model. Spotlight allows users to search for documents with the Author tag “Snowden,” for example.

These databases are created by OSX on each volume the machine can access, including flash drives. They can be found at the path: /.Spotlight-V100/Store-V2/<SomeHash>/store.db for each volume; we have also provided access to some sample databases with the tool download.

504ensics is proud to introduce our newest forensic tool, Spotlight Inspector (SI). This is a brand new tool we’re developing for the analysis of OSX Spotlight databases. It parses Spotlight metadata databases and provides functionality to work with the internal data in a clean and useful way. On to some features!

Download: Spotlight Inspector Digital Forensics Tool Announced | 504ENSICS Labs