Spotlight Metadata
Overview
Evidence: Spotlight Metadata
Description: Collects macOS Spotlight metadata from system and all user store databases
Category: System
Platform: macos
Short Name: spotlight
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
macOS Spotlight maintains comprehensive metadata indexes of files, applications, emails, and user activity across the system. The store.db files contain rich metadata including file paths, creation/modification times, content types, keywords, email addresses, geographic coordinates, and user interactions. System-level stores track global file activity while user-level stores contain personalized metadata and search history. This data is essential for reconstructing user activity, file access patterns, and document timelines.
Data Collected
This collector gathers structured data about Spotlight metadata.
Spotlight Metadata Data
Field         Description     Example
ID            ID              123
Username      Username        Example value
Inode         Inode           123
Flags         Flags           Example value
ItemID        Item ID         123
ParentInode   Parent Inode    123
DateUpdated   Date Updated    2023-10-15 14:30:25+03:00
Filepath      Filepath        Example value
Metadata      Metadata        Example value
Collection Method
This collector discovers and parses all Spotlight store.db files from both system storage (/System/Volumes/Data/.Spotlight-V100/Store-V2/*/store.db) and all user home directories (Library/Metadata/CoreSpotlight/.../store.db). It processes each database concurrently, extracting file metadata, timestamps, and attributes, then records them into the spotlight_metadata table with username and source path context.
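The discovery step described above, as an added example that is not the collector's own code: it walks a live root or a mounted image, finds the store.db files at the two locations named on this page, and records username, source path, size and SHA-256 for each before any parsing. The /Users home location, the function names and the hashing step are assumptions of this example; the store.db format itself is not parsed here.

```python
import hashlib
import sys
from pathlib import Path

# Patterns from the page, written relative to the evidence root.
SYSTEM_GLOB = "System/Volumes/Data/.Spotlight-V100/Store-V2/*/store.db"
# The page elides the directories between CoreSpotlight and store.db,
# so this searches recursively instead of guessing them.
USER_SUBDIR = Path("Library/Metadata/CoreSpotlight")
USERS_DIR = "Users"  # assumption: home directories live under /Users


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large stores are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_spotlight_stores(root):
    """Return one record per store.db under root ("/" or a mounted image)."""
    root = Path(root)
    found = [(None, p) for p in root.glob(SYSTEM_GLOB)]  # None = system store
    users = root / USERS_DIR
    if users.is_dir():
        for home in users.iterdir():
            base = home / USER_SUBDIR
            if base.is_dir():
                found += [(home.name, p) for p in base.rglob("store.db")]
    records = []
    for username, path in found:
        if path.is_symlink() or not path.is_file():
            continue  # ignore links and directories that happen to match
        rec = {"username": username,
               "source_path": "/" + path.relative_to(root).as_posix()}
        try:
            rec["size"] = path.stat().st_size
            rec["sha256"] = sha256_of(path)
        except OSError as exc:  # unreadable store: record it, keep going
            rec["error"] = type(exc).__name__
        records.append(rec)
    return sorted(records, key=lambda r: r["source_path"])


if __name__ == "__main__":
    for rec in find_spotlight_stores(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(rec)
```

Recording the hash at discovery time lets a later parse result be tied back to the exact file that was read, which matters because Spotlight keeps updating its stores on a running system.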
Forensic Value
This evidence is crucial for forensic investigations as it provides comprehensive file activity history, including deleted files that remain in the index, document metadata (authors, keywords, GPS coordinates), email addresses, application usage, and user search patterns. It helps establish file presence, user knowledge, and temporal relationships between files and activities, often revealing evidence that no longer exists in the filesystem.

