# AirDrop

## Overview
AirDrop is Apple's peer-to-peer file transfer protocol using Bluetooth Low Energy for discovery and Wi-Fi Direct for data transfer. AirDrop events are recorded in the Unified Logs and configuration is stored in sharing preferences. While AirDrop does not maintain a persistent transfer database, log entries and received file metadata provide forensic evidence of file transfers between Apple devices.
## Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| Transfer events | Evidence of files sent or received via AirDrop |
| Device discovery | Nearby Apple devices detected via AirDrop |
| Sender/receiver identity | Apple ID or contact information of transfer participants |
| Transfer timestamps | When files were transferred |
| Received files | Downloaded files in the Downloads folder with quarantine metadata |
| AirDrop configuration | Visibility settings (off, contacts only, everyone) |
## File Locations
| Artifact | Path | Format |
|---|---|---|
| Sharing preferences | ~/Library/Preferences/com.apple.sharingd.plist | Plist |
| Unified Logs | /var/db/diagnostics/ (subsystem: com.apple.Sharing) | tracev3 |
| Received files | ~/Downloads/ | Various (with quarantine xattr) |
## Key Data Sources

### Unified Logs

```bash
# AirDrop discovery and transfer events
log show --predicate 'subsystem == "com.apple.Sharing"' --info --last 7d
# AirDrop-specific messages
log show --predicate 'eventMessage contains "AirDrop"' --info --last 7d
```
### Sharing Preferences

```bash
defaults read com.apple.sharingd
```

Key values:

| Key | Description |
|---|---|
| DiscoverableMode | AirDrop visibility (Off, Contacts Only, Everyone) |
| SharingComputer | Whether this Mac is configured for sharing |
### Received File Quarantine

Files received via AirDrop have the com.apple.quarantine extended attribute set, with the agent name identifying AirDrop:

```bash
xattr -p com.apple.quarantine ~/Downloads/received-file.pdf
# Output includes "AirDrop" as the agent
```
## Analysis Notes
- No persistent database: Unlike Messages or Mail, AirDrop does not maintain a persistent transfer log. Unified Logs are the primary evidence source, and they have limited retention.
- Received file evidence: Files received via AirDrop land in ~/Downloads/ with quarantine metadata indicating AirDrop as the source. The com.apple.metadata:kMDItemWhereFroms xattr may contain the sender's information.
- Discovery without transfer: Unified Logs may show device discovery events even when no transfer occurred, indicating proximity to other Apple devices.
- Configuration as intent: An AirDrop visibility setting of "Everyone" (vs. "Contacts Only") may indicate the user was intentionally making themselves discoverable to unknown devices.
- Collect logs early: Unified Log entries for AirDrop have the same retention limitations as other log categories. Prioritise early collection.
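The two extended attributes described above (the quarantine string and the kMDItemWhereFroms binary plist) can be decoded offline once they have been exported with xattr. The following is an added example, not part of this page or of macfor: the sample values are constructed, the flags;epoch-hex;agent;uuid layout of com.apple.quarantine is general macOS knowledge rather than something this page states, and the "AirDrop" agent name follows the page's description.

```python
"""Decode the xattrs that identify an AirDrop-received file (added example).

Constructed sample values stand in for `xattr -p` / `xattr -px` output. The
com.apple.quarantine field layout (flags;epoch_hex;agent;uuid) is general
macOS knowledge; the "AirDrop" agent name follows the page's description.
"""
import plistlib
from datetime import datetime, timezone

# Constructed stand-in for `xattr -p com.apple.quarantine <file>`:
# flags 0x0083, timestamp 0x5f5e1000 (1600000000 = 2020-09-13T12:26:40Z),
# agent "AirDrop", and a made-up QuarantineEvents UUID.
SAMPLE_QUARANTINE = "0083;5f5e1000;AirDrop;1E2F3A4B-5C6D-7E8F-9A0B-1C2D3E4F5A6B"

# Constructed stand-in for `xattr -px com.apple.metadata:kMDItemWhereFroms <file>`,
# built here as a binary plist so the example runs without a Mac.
SAMPLE_WHEREFROMS_HEX = plistlib.dumps(
    ["Alice's iPhone"], fmt=plistlib.FMT_BINARY).hex(" ")


def parse_quarantine(value: str) -> dict:
    """Split a com.apple.quarantine value into its four ';'-separated fields.

    flags: hex bitfield; epoch: hex seconds since the Unix epoch (UTC);
    agent: the app or service that wrote the file; uuid: QuarantineEvents key.
    """
    flags, epoch_hex, agent, *rest = value.strip().split(";")
    return {
        "flags": int(flags, 16),
        "timestamp": datetime.fromtimestamp(int(epoch_hex, 16), tz=timezone.utc),
        "agent": agent,
        "uuid": rest[0] if rest else "",
        "is_airdrop": agent.lower() == "airdrop",
    }


def parse_wherefroms(hex_dump: str) -> list:
    """Decode kMDItemWhereFroms (a binary plist array of strings) from the
    hex bytes `xattr -px` prints; whitespace and line breaks are ignored."""
    raw = bytes.fromhex(hex_dump.replace("\n", " "))
    value = plistlib.loads(raw)
    return list(value) if isinstance(value, list) else [str(value)]


if __name__ == "__main__":
    q = parse_quarantine(SAMPLE_QUARANTINE)
    print(f"agent={q['agent']} airdrop={q['is_airdrop']} "
          f"received={q['timestamp'].isoformat()}")
    print("where from:", parse_wherefroms(SAMPLE_WHEREFROMS_HEX))
```

On a live system, feed the function the raw string printed by xattr -p; the decoded UTC timestamp is the quarantine event time, which is the best available marker for when the file was received.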
## Tool Support
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| log (macOS built-in) | Query Unified Logs for AirDrop events |
| xattr (macOS built-in) | Check quarantine attributes on received files |