# Spotlight Metadata

## Overview

**Evidence:** Spotlight Metadata\
**Description:** Collects macOS Spotlight metadata from system and all user store databases\
**Category:** System\
**Platform:** macos\
**Short Name:** spotlight\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

macOS Spotlight maintains metadata indexes of files, applications, email, and other user content across the system. The store.db files hold one entry per indexed item, with metadata such as file paths, creation and modification times, content types, keywords, email addresses, geographic coordinates, and other `kMDItem*` attributes contributed by Spotlight importers and applications. The system-level store (`.Spotlight-V100` on the data volume) indexes the files on that volume, while each user's CoreSpotlight store holds items that applications indexed on that user's behalf. Because an index entry can outlive the file it describes, this data is valuable for reconstructing user activity, file access patterns, and document timelines.

## Data Collected

This collector records one row per indexed item found in each Spotlight store, tagged with the user whose store it came from.

### Spotlight Metadata Data

| Field         | Description                                                                                                 | Example                              |
| ------------- | ----------------------------------------------------------------------------------------------------------- | ------------------------------------ |
| `ID`          | Row identifier assigned by the collector                                                                    | 123                                  |
| `Username`    | User whose Spotlight store the entry was read from                                                          | alice                                |
| `Inode`       | Inode number of the indexed file on its volume                                                              | 123                                  |
| `Flags`       | Entry flags as stored in the index                                                                          | Example value                        |
| `ItemID`      | Spotlight's internal identifier for the indexed item                                                        | 123                                  |
| `ParentInode` | Inode of the directory containing the item                                                                  | 123                                  |
| `DateUpdated` | Time the index entry was last updated                                                                       | 2023-10-15 14:30:25+03:00            |
| `Filepath`    | Full path of the indexed item                                                                               | /Users/alice/Documents/report.docx   |
| `Metadata`    | The item's Spotlight attributes (`kMDItem*` keys such as content type, authors, keywords, coordinates)      | Example value                        |

## Collection Method

This collector discovers and parses every Spotlight store.db it can find: the system store on the data volume (`/System/Volumes/Data/.Spotlight-V100/Store-V2/*/store.db`) and the CoreSpotlight store in each user home directory (`Library/Metadata/CoreSpotlight/.../store.db`). The databases are processed concurrently; for each one the collector extracts the indexed items' paths, timestamps, and attributes and writes them to the `spotlight_metadata` table, tagging each row with the owning username and the source database path. Note that `.Spotlight-V100` is readable only by root, so the collector needs elevated privileges to reach the system store; a user store that cannot be read should be reported rather than silently skipped.
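The discovery and concurrent collection step described above, as an added example that is not the collector's own code. It enumerates the two store locations on a mounted data volume (`/` on a live system, or the mount point of an image), attributes each store to a username, and hashes each file in a thread pool so that a permission error on one store does not abort the others. Assumptions not stated on the page: the subdirectory layout under `Library/Metadata/CoreSpotlight/` is unknown, so a recursive glob is used; the system store is attributed to the label `system`; and `build_sample_volume` creates a constructed directory tree with dummy bytes so the example runs offline.

```python
"""Discover Spotlight store.db files on a macOS data volume and collect
them concurrently, attributing each to a username.

Added example; not the collector's own code. The CoreSpotlight layout
below Library/Metadata/CoreSpotlight/ is an assumption (recursive glob).
"""
import hashlib
import tempfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

SYSTEM_STORE_GLOB = "System/Volumes/Data/.Spotlight-V100/Store-V2/*/store.db"
USER_STORE_GLOB = "Library/Metadata/CoreSpotlight/**/store.db"  # assumed layout


def discover_stores(volume_root):
    """Return [(username, path)] for every store.db under the volume root.

    The system store is labelled "system" (a label chosen here, not a
    value documented for the collector); user stores take the home
    directory name.
    """
    root = Path(volume_root)
    found = [("system", p) for p in sorted(root.glob(SYSTEM_STORE_GLOB))]
    users_dir = root / "Users"
    if users_dir.is_dir():
        for home in sorted(users_dir.iterdir()):
            if home.is_dir():
                found.extend((home.name, p) for p in sorted(home.glob(USER_STORE_GLOB)))
    return found


def collect_store(username, path):
    """Hash and size one store.db and return a manifest row.

    `.Spotlight-V100` is root-only; an OSError (PermissionError included)
    is recorded in the row so the remaining stores are still collected.
    """
    row = {"username": username, "source": str(path),
           "size": None, "sha256": None, "error": None}
    try:
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        row["size"] = path.stat().st_size
        row["sha256"] = digest.hexdigest()
    except OSError as exc:
        row["error"] = str(exc)
    return row


def collect_all(volume_root, workers=4):
    """Collect every discovered store concurrently; manifest sorted by source."""
    stores = discover_stores(volume_root)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        rows = list(pool.map(lambda item: collect_store(*item), stores))
    return sorted(rows, key=lambda r: r["source"])


def build_sample_volume():
    """Create a constructed volume layout in a temp dir for offline runs.

    The files contain dummy bytes, not real Spotlight stores, and the
    directory names under CoreSpotlight are placeholders.
    """
    base = Path(tempfile.mkdtemp(prefix="spotlight-"))
    layout = {
        "System/Volumes/Data/.Spotlight-V100/Store-V2/store-a/store.db": b"system-store",
        "Users/alice/Library/Metadata/CoreSpotlight/idx/store.db": b"alice-store",
        "Users/bob/Library/Metadata/CoreSpotlight/idx/sub/store.db": b"bob-store!",
        "Users/Shared/notes.txt": b"not a store",  # must be ignored
    }
    for rel, data in layout.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


if __name__ == "__main__":
    for entry in collect_all(build_sample_volume()):
        print(entry)
```

On a real case, pass the mount point of the evidence volume instead of the sample tree and run as root; the manifest's `sha256` column is what you record alongside the collected files.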

## Forensic Value

This evidence provides a comprehensive file activity history, including entries for deleted files that remain in the index, document metadata (authors, keywords, GPS coordinates), email addresses, application usage, and user search patterns. It helps establish file presence, user knowledge, and temporal relationships between files and activities, and often reveals evidence that no longer exists in the filesystem. An index entry is not authoritative about current state: it shows the item existed with the recorded attributes as of `DateUpdated`, so corroborate it against the filesystem and other timeline sources before relying on it.
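The triage described above, as an added example that is not the collector's own code. It loads a constructed `spotlight_metadata` table with the documented columns into an in-memory SQLite database and answers three typical questions: which indexed paths no longer exist on the volume, which items carry GPS coordinates, and where downloaded files came from, plus a per-user timeline. Assumptions not stated on the page: the `Metadata` column is modelled as a JSON object of `kMDItem*` attributes, the rows are constructed sample data, and the existence check is injected as a callable (on a real case, `os.path.exists` against the mounted volume).

```python
"""Triage queries over a collected spotlight_metadata table.

Added example; not the collector's own code. The Metadata column is
assumed to hold a JSON object of kMDItem* attributes, and the rows
below are constructed for illustration.
"""
import json
import sqlite3

SCHEMA = """
CREATE TABLE spotlight_metadata (
    ID INTEGER PRIMARY KEY, Username TEXT, Inode INTEGER, Flags TEXT,
    ItemID INTEGER, ParentInode INTEGER, DateUpdated TEXT,
    Filepath TEXT, Metadata TEXT
)
"""

# Constructed sample rows; the coordinates and URL are illustrative only.
SAMPLE_ROWS = [
    (1, "alice", 1001, "0", 501, 900, "2023-10-15 14:30:25+03:00",
     "/Users/alice/Documents/report.docx",
     json.dumps({"kMDItemContentType": "org.openxmlformats.wordprocessingml.document",
                 "kMDItemAuthors": ["A. Example"]})),
    (2, "alice", 1002, "0", 502, 901, "2023-10-16 09:12:00+03:00",
     "/Users/alice/Pictures/IMG_0042.jpg",
     json.dumps({"kMDItemContentType": "public.jpeg",
                 "kMDItemLatitude": 41.0082, "kMDItemLongitude": 28.9784})),
    (3, "alice", 1003, "0", 503, 902, "2023-10-17 18:45:10+03:00",
     "/Users/alice/Downloads/invoice.pdf",
     json.dumps({"kMDItemContentType": "com.adobe.pdf",
                 "kMDItemWhereFroms": ["https://example.invalid/invoice.pdf"]})),
    (4, "system", 77, "0", 504, 70, "2023-10-14 08:00:00+03:00",
     "/Applications/Utilities/Terminal.app",
     json.dumps({"kMDItemContentType": "com.apple.application-bundle"})),
]


def load_sample():
    """Build the in-memory table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO spotlight_metadata VALUES (?,?,?,?,?,?,?,?,?)",
                     SAMPLE_ROWS)
    conn.commit()
    return conn


def indexed_but_missing(conn, exists):
    """Entries whose file is gone: the index outlived the file.

    `exists` maps a path to bool; use os.path.exists rooted at the
    mounted volume on a real case. Ordered by DateUpdated (ISO text with
    a fixed offset sorts chronologically as a string).
    """
    rows = conn.execute("SELECT Username, Filepath, DateUpdated FROM spotlight_metadata "
                        "ORDER BY DateUpdated").fetchall()
    return [(user, path, when) for user, path, when in rows if not exists(path)]


def geotagged_items(conn):
    """(path, latitude, longitude) for every item carrying GPS attributes."""
    out = []
    for path, meta in conn.execute("SELECT Filepath, Metadata FROM spotlight_metadata "
                                   "ORDER BY ID"):
        attrs = json.loads(meta)
        if "kMDItemLatitude" in attrs and "kMDItemLongitude" in attrs:
            out.append((path, attrs["kMDItemLatitude"], attrs["kMDItemLongitude"]))
    return out


def download_origins(conn):
    """(path, url) pairs from kMDItemWhereFroms, the download-origin attribute."""
    out = []
    for path, meta in conn.execute("SELECT Filepath, Metadata FROM spotlight_metadata "
                                   "ORDER BY ID"):
        for url in json.loads(meta).get("kMDItemWhereFroms", []):
            out.append((path, url))
    return out


def user_timeline(conn, username):
    """Chronological (DateUpdated, Filepath) for one user's store."""
    return conn.execute("SELECT DateUpdated, Filepath FROM spotlight_metadata "
                        "WHERE Username = ? ORDER BY DateUpdated", (username,)).fetchall()


if __name__ == "__main__":
    db = load_sample()
    still_present = {"/Users/alice/Documents/report.docx",
                     "/Applications/Utilities/Terminal.app"}
    print(indexed_but_missing(db, lambda p: p in still_present))
    print(geotagged_items(db))
    print(download_origins(db))
    print(user_timeline(db, "alice"))
```

The missing-file query is the one that most often surfaces evidence "that no longer exists in the filesystem"; pair each hit with its `DateUpdated` so the report states when the index last saw the file rather than implying it is present now.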
