Filesystem Artifacts

macOS maintains extensive filesystem metadata through FSEvents (file system event logging), Spotlight (content indexing), and APFS (Apple File System) metadata. Additional artifacts include .DS_Store files (Finder directory metadata), the Quick Look thumbnail cache (file preview images), per-file extended attributes (download provenance, quarantine flags), and the Trash directory (deleted file recovery). These artifacts reveal file creation, modification, deletion, and access patterns -- often surviving user attempts to cover tracks.

Categories

• FSEvents — File system change journal
• Spotlight — Content indexing and search metadata
• APFS Metadata — Apple File System metadata and snapshots
• .DS_Store Files — Finder directory metadata and deleted file evidence
• Quick Look Cache — File preview thumbnails (persist after deletion)
• Extended Attributes — Quarantine flags, download URLs, Finder comments
• Trash — Deleted file recovery and original path reconstruction