Overview
Quick Look is macOS's built-in file preview system. When a user previews a file (via spacebar in Finder, or the preview pane), macOS generates a thumbnail image and caches it. These cached thumbnails persist independently of the original file, meaning Quick Look can provide visual evidence of file contents even after the file has been deleted from the system.
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| File content previews | Visual evidence of file contents (images, documents, PDFs) |
| Deleted file evidence | Thumbnails survive file deletion |
| File access evidence | Thumbnail generation proves the file was viewed |
| External media previews | Thumbnails from files on disconnected external drives |
| Timestamp correlation | Cache modification times indicate when previews were generated |
File Locations
| Artifact | Path | Format |
|---|---|---|
| Thumbnail cache | ~/Library/Caches/com.apple.QuickLook.thumbnailcache/ | Directory |
| Cache index | .../thumbnailcache/index.sqlite | SQLite |
| Thumbnail data | .../thumbnailcache/thumbnails.data | Binary blob store |
| Exclusive cache (newer macOS) | ~/Library/Caches/com.apple.QuickLook.thumbnailcache/exclusive/ | Directory |
| Reset marker | ~/Library/Caches/com.apple.QuickLook.thumbnailcache/resetreason | Text |
Database Schema
index.sqlite
| Column | Type | Description |
|---|---|---|
| rowid | INTEGER | Primary key |
| file_id | INTEGER | File system node ID |
| size | INTEGER | Thumbnail data size |
| width | INTEGER | Thumbnail width in pixels |
| height | INTEGER | Thumbnail height in pixels |
| bitmapdata_location | INTEGER | Offset in thumbnails.data blob |
| bitmapdata_length | INTEGER | Length in thumbnails.data blob |
| last_hit_date | REAL | Last access timestamp |
| hit_count | INTEGER | Number of times previewed |
| fs_id | TEXT | Filesystem identifier |
| version | INTEGER | Thumbnail version |
Key Fields for Analysis
```sql
SELECT
    rowid,
    file_id,
    width || 'x' || height AS dimensions,
    hit_count,
    datetime(last_hit_date + 978307200, 'unixepoch') AS last_accessed,
    size AS data_size
FROM thumbnails
ORDER BY last_hit_date DESC;
```
The thumbnail image data is stored in the thumbnails.data blob file. Each thumbnail can be extracted using the offset and length from the index:
```python
import sqlite3

# Read each thumbnail's offset and length from the index
conn = sqlite3.connect('index.sqlite')
cursor = conn.execute(
    "SELECT rowid, bitmapdata_location, bitmapdata_length FROM thumbnails"
)

# Carve each thumbnail out of the blob store
with open('thumbnails.data', 'rb') as f:
    for row_id, offset, length in cursor:
        f.seek(offset)
        data = f.read(length)
        with open(f'thumb_{row_id}.png', 'wb') as out:
            out.write(data)

conn.close()
```
Timestamps
Quick Look timestamps use Core Data timestamps (seconds since 2001-01-01 00:00:00 UTC).
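The extraction and timestamp conversion described above, combined into an examiner-oriented inventory. This is an added example, not code from the original page or from any tool it lists. It assumes the `thumbnails` table and column names shown in the schema; the function names and the sample cache are constructed for illustration. It opens the index read-only, checks each offset/length pair against the size of `thumbnails.data` before reading, and records a SHA-256 per carved blob instead of assuming an image format.

```python
import hashlib
import sqlite3
import tempfile
from contextlib import closing
from datetime import datetime, timedelta, timezone
from pathlib import Path

CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def core_data_to_utc(seconds):
    """Core Data timestamp (seconds since 2001-01-01 00:00:00 UTC) -> ISO 8601 string."""
    return None if seconds is None else (CORE_DATA_EPOCH + timedelta(seconds=seconds)).isoformat()

def carve_thumbnails(index_path, data_path):
    """Read the index read-only (mode=ro) and hash each blob whose range fits the data file."""
    uri = Path(index_path).resolve().as_uri() + "?mode=ro"
    with closing(sqlite3.connect(uri, uri=True)) as conn:
        rows = conn.execute("SELECT rowid, file_id, hit_count, last_hit_date, bitmapdata_location,"
                            " bitmapdata_length FROM thumbnails ORDER BY rowid").fetchall()
    records = []
    with open(data_path, "rb") as blob:
        blob_size = blob.seek(0, 2)  # seeking to the end returns the file size
        for rowid, file_id, hits, last_hit, offset, length in rows:
            # Reject rows that point outside the data file (e.g. a truncated copy).
            ok = None not in (offset, length) and offset >= 0 and 0 < length <= blob_size - offset
            if ok:
                blob.seek(offset)
            digest = hashlib.sha256(blob.read(length)).hexdigest() if ok else None
            records.append({"rowid": rowid, "file_id": file_id, "hit_count": hits,
                            "last_hit_utc": core_data_to_utc(last_hit),
                            "status": "ok" if ok else "out_of_range", "sha256": digest})
    return records

def build_constructed_cache(directory):
    """Constructed sample (not a real cache): row 1 is valid, row 2 points past EOF."""
    index, data = Path(directory, "index.sqlite"), Path(directory, "thumbnails.data")
    data.write_bytes(b"\x00" * 16 + b"THUMBNAIL-ONE")
    with closing(sqlite3.connect(index)) as conn:
        conn.execute("CREATE TABLE thumbnails (file_id INTEGER, hit_count INTEGER, "
                     "last_hit_date REAL, bitmapdata_location INTEGER, bitmapdata_length INTEGER)")
        conn.executemany("INSERT INTO thumbnails VALUES (?, ?, ?, ?, ?)",
                         [(4242, 3, 0.0, 16, 13), (4243, 1, 86400.0, 4096, 64)])
        conn.commit()
    return index, data

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for record in carve_thumbnails(*build_constructed_cache(tmp)):
            print(record)
```

Run it against a working copy of the cache directory, never the original evidence; rows reported as `out_of_range` are worth noting in the case file because the index entry survives even though the blob cannot be read.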
Analysis Notes
- Deleted file recovery: The primary forensic value of Quick Look cache is that thumbnails persist after the original file is deleted. A thumbnail of a sensitive document proves the document existed and was previewed.
- Hit count analysis: The `hit_count` field shows how many times a file was previewed. High hit counts indicate files the user repeatedly accessed.
- External media: Quick Look generates thumbnails for files on external drives. These thumbnails persist in the cache even after the drive is disconnected, providing evidence of the drive's contents.
- File node correlation: The `file_id` field is a filesystem inode number. On HFS+/APFS volumes, this can be correlated with FSEvents or filesystem metadata to identify the original file.
- Cache size limitations: Quick Look periodically prunes the cache when it exceeds a size threshold. Older thumbnails may be purged.
- SIP protection: The cache location is in the user's Library directory and is not SIP-protected.
Version Differences
| macOS Version | Changes |
|---|---|
| 10.5+ | Quick Look thumbnail caching introduced |
| 10.14 (Mojave) | Enhanced thumbnail generation |
| 12 (Monterey) | Cache directory structure changes; exclusive subdirectory |
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| sqlite3 / Python | Manual cache extraction |
| QuickLookParser | Dedicated Quick Look forensic tool |
| AXIOM (Magnet) | Commercial Quick Look support |