.DS_Store Files
Overview
.DS_Store (Desktop Services Store) files are binary files created by Finder in every directory it has displayed. They store per-folder Finder view settings including icon positions, view mode, sort order, and background images. For forensic investigators, .DS_Store files provide evidence that a directory was accessed via Finder, and the file entries within them reveal filenames that were present in the directory at the time of access -- even if those files have since been deleted.
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| Directory access evidence | Proves Finder opened a specific directory |
| Historical filenames | Filenames recorded in .DS_Store persist after file deletion |
| External volume access | .DS_Store files on USB drives prove the Mac accessed the volume |
| Timestamps | .DS_Store modification times indicate last Finder access |
| File positions | Icon arrangement (rarely forensically relevant) |
File Locations
.DS_Store files exist in virtually every directory that Finder has displayed:
| Location | Description |
|---|---|
| `~/.DS_Store` | User home directory |
| `/Volumes/<name>/.DS_Store` | External volume root |
| Any directory opened in Finder | Created automatically |
| `~/.Trash/.DS_Store` | Trash directory (contains original paths) |
Data Format
.DS_Store files use a proprietary binary format based on a B-tree structure (Apple's Buddy Allocator format). Each record contains:
| Field | Description |
|---|---|
| Filename | Name of a file/folder that was in this directory |
| Record type | Four-character code identifying the metadata type |
| Value | The associated data value |
Common Record Types
| Code | Description |
|---|---|
| `Iloc` | Icon location (x, y coordinates) |
| `bwsp` | Browser window settings |
| `lsvp` | List view settings |
| `lsvP` | List view settings (alternative) |
| `icvp` | Icon view properties |
| `vstl` | View style (icnv, Nlsv, clmv, Flwv) |
| `vSrn` | View sort order |
| `BKGD` | Background type (solid colour, picture) |
| `pict` | Background picture path |
| `dilc` | Desktop icon location |
| `ptbL` | Trash put-back location (original path before deletion) |
| `ptbN` | Trash put-back name |
Key Fields for Analysis
Parsing .DS_Store Files
```python
# Using the ds_store Python library
# pip install ds_store
from ds_store import DSStore

# Open read-only and dump every record: filename, record type code, value
with DSStore.open('.DS_Store', 'r') as d:
    for entry in d:
        print(f"{entry.filename}\t{entry.code}\t{entry.value}")
```
Trash Put-Back Paths
The .DS_Store file in ~/.Trash/ contains ptbL and ptbN records that reveal the original path of trashed files:
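```python
from ds_store import DSStore

# ds_store returns record codes as bytes on Python 3; normalise before comparing
with DSStore.open('/Users/username/.Trash/.DS_Store', 'r') as d:
    for entry in d:
        code = entry.code.decode('ascii') if isinstance(entry.code, bytes) else entry.code
        if code in ('ptbL', 'ptbN'):
            print(f"{entry.filename}: {code} = {entry.value}")
```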
Analysis Notes
- Deleted file evidence: The most valuable forensic use of `.DS_Store` files is recovering filenames that were present in a directory but have since been deleted. The filename entries persist in the `.DS_Store` until the file is regenerated.
- External media: `.DS_Store` files on external drives (USB, SD cards) prove the drive was accessed from a Mac. The file's creation/modification timestamp provides timing evidence.
- Cross-platform indicator: The presence of `.DS_Store` files on a non-Mac filesystem (e.g., a Windows NTFS drive or network share) indicates a Mac user accessed the location.
- Trash original paths: The `ptbL` record type in `~/.Trash/.DS_Store` reveals where each trashed file originally lived, even if the Trash has been partially emptied.
- Recursion: Collecting `.DS_Store` files recursively across an entire volume provides a map of every directory Finder has ever displayed.
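
As an added example (not part of the original page or of any tool listed here), the script below combines the deleted-file and recursion notes above: it walks a mounted volume, parses each .DS_Store with the ds_store library, and lists recorded names that are no longer in the directory. The function names, the `parse` hook and the script name are assumptions made for this example.

```python
import os
import sys
import unicodedata
from datetime import datetime, timezone

def nfc(name):
    # Compare names in one Unicode form; HFS+ stores decomposed names
    return unicodedata.normalize('NFC', name)

def recorded_names(ds_path):
    """Filenames recorded in one .DS_Store (requires: pip install ds_store)."""
    from ds_store import DSStore  # lazy import: only this function needs it
    with DSStore.open(ds_path, 'r') as d:
        return {entry.filename for entry in d}

def missing_entries(directory, names):
    """Recorded names with no matching entry in `directory` today."""
    present = {nfc(n) for n in os.listdir(directory)}
    # '.' is the record for the folder itself, not a child item
    return sorted(n for n in names if n != '.' and nfc(n) not in present)

def sweep(root, parse=recorded_names):
    """Yield (directory, .DS_Store mtime in UTC, missing names) under root."""
    for dirpath, _dirs, files in os.walk(root):
        if '.DS_Store' not in files:
            continue
        ds_path = os.path.join(dirpath, '.DS_Store')
        mtime = datetime.fromtimestamp(os.path.getmtime(ds_path), tz=timezone.utc)
        try:
            names = parse(ds_path)
        except Exception as exc:  # corrupt or truncated store: note it, keep walking
            yield dirpath, mtime, [f'<unparsed: {exc}>']
            continue
        yield dirpath, mtime, missing_entries(dirpath, names)

if __name__ == '__main__':
    # Usage (hypothetical script name): python ds_sweep.py /path/to/mounted/image
    for directory, mtime, missing in sweep(sys.argv[1]):
        for name in missing:
            print(f'{mtime.isoformat()}\t{directory}\t{name}')
```

A name reported as missing may have been deleted, moved or renamed, so treat each hit as a lead to corroborate against other artifacts.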
Tool Support
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| ds_store (Python) | Open-source .DS_Store parser |
| DSStoreParser | Standalone .DS_Store analysis tool |
| AXIOM (Magnet) | Commercial .DS_Store support |