[New Tool] Spotlight Inspector v1.1.46 – Metadata OSX Released
Spotlight is the name of Apple OSX’s desktop search functionality. It indexes all the files on a volume, storing (among other things) metadata about filesystem objects (e.g. files, directories) in an effort to provide fast and extensive file searching capabilities.
The metadata stored includes familiar filesystem metadata, such as MAC times, as well as file-internal metadata like image dimensions and color model, and metadata that is unique to the Spotlight store (e.g., usage counts). Spotlight allows users to search for documents with the Author tag “Snowden,” for example.
These databases are created by OSX on each volume the machine can access, including flash drives. For each volume, they can be found at the path: /.Spotlight-V100/Store-V2/<SomeHash>/store.db
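The following added example, which is not part of Spotlight Inspector or the original post, locates every store.db under the path above for a list of mounted volume roots and records its size, modification time and SHA-256, so the stores can be inventoried and preserved before analysis. The function names and record fields are assumptions chosen for illustration.

```python
import hashlib
import sys
import time
from pathlib import Path

# Store location relative to a volume root, as given in the article.
STORE_PARENT = Path(".Spotlight-V100") / "Store-V2"

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large stores are never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_spotlight_stores(volume_roots):
    """Return one record per store.db found under the given volume roots."""
    records = []
    for root in volume_roots:
        parent = Path(root) / STORE_PARENT
        try:
            store_dirs = sorted(p for p in parent.iterdir() if p.is_dir())
        except (FileNotFoundError, NotADirectoryError):
            continue  # this volume has no Spotlight store
        except PermissionError as exc:
            records.append({"volume": str(root), "error": str(exc)})
            continue
        for store_dir in store_dirs:
            db = store_dir / "store.db"
            try:
                if not db.is_file():
                    continue
                st = db.stat()
                records.append({
                    "volume": str(root),
                    "store_id": store_dir.name,  # the <SomeHash> directory
                    "path": str(db),
                    "size": st.st_size,
                    "mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
                    "sha256": sha256_file(db),
                })
            except PermissionError as exc:
                records.append({"volume": str(root), "path": str(db), "error": str(exc)})
    return records

if __name__ == "__main__":
    for rec in find_spotlight_stores(sys.argv[1:] or ["/"]):
        print(rec)
```

Pass the mount points of the volumes to examine as arguments; with none given it checks `/`.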
Spotlight Inspector (SI) is a brand new tool developed for the analysis of OSX Spotlight metadata stores. It directly parses Spotlight metadata stores (bypassing the OS X API) and provides functionality to work with the internal data in a clean and useful way. The result is a wealth of information on recent filesystem activity useful for digital forensic investigations, incident response, and malware detection/analysis.
More Information: here
Thanks to Vico Marziale for sharing this tool with us.