Filesystem
Spotlight Metadata
Overview
Spotlight is the macOS system-wide search and indexing service. It maintains comprehensive metadata databases that index the contents and attributes of every file on each volume, along with per-user search history and configuration preferences.
From a forensic perspective, Spotlight provides three distinct categories of evidence:
- Search shortcuts -- A record of what the user searched for and which items they launched from Spotlight, including timestamps.
- Configuration and preferences -- Which search categories are enabled or disabled, and which paths are excluded from indexing (exclusions can reveal deliberate attempts to hide activity).
- Volume metadata stores -- Proprietary binary databases containing indexed file metadata (kMDItem attributes), which can reveal information about files even after they have been deleted.
The Spotlight metadata store uses a proprietary binary format (not SQLite). macfor collects the parseable plist-based artifacts (shortcuts, preferences, volume configuration) and optionally collects raw store files for offline analysis with specialised tools.
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| Search shortcuts | Proves user searched for specific terms and launched specific applications/files |
| Search timestamps | Establishes when a user last searched for and accessed a particular item |
| Exclusion lists | May indicate deliberate hiding of directories from indexing |
| Disabled categories | Shows which result types the user chose to suppress |
| Volume store mapping | Maps store UUIDs to volume paths for cross-referencing with other artifacts |
| Raw metadata store | Contains kMDItem attributes for files that may no longer exist |
File Locations
Per-User Artifacts
| Artifact | Path | Format |
|---|---|---|
| Spotlight preferences | ~/Library/Preferences/com.apple.Spotlight.plist | Binary plist |
| Search shortcuts | ~/Library/Application Support/com.apple.spotlight.Shortcuts | Binary plist |
| Search shortcuts (v3) | ~/Library/Application Support/com.apple.spotlight.Shortcuts.v3 | Binary plist |
| User CoreSpotlight store | ~/Library/Metadata/CoreSpotlight/index.spotlightV3/ | Proprietary binary |
System-Wide Artifacts
| Artifact | Path | Format |
|---|---|---|
| System preferences | /Library/Preferences/com.apple.Spotlight.plist | Binary plist |
| Volume configuration | /.Spotlight-V100/VolumeConfiguration.plist | Binary plist |
| Volume metadata store | /.Spotlight-V100/Store-V2/{UUID}/ | Proprietary binary |
APFS Data Volume (macOS 10.15+)
On Catalina and later, the volume stores are located on the Data volume:
| Artifact | Path |
|---|---|
| Volume configuration | /System/Volumes/Data/.Spotlight-V100/VolumeConfiguration.plist |
| Volume metadata store | /System/Volumes/Data/.Spotlight-V100/Store-V2/{UUID}/ |
Raw Store Files
The volume metadata store directory contains these key files:
| File | Purpose | Typical Size |
|---|---|---|
| store.db | Primary metadata store | 500 MB - 5 GB |
| .store.db | Secondary/shadow store | 100 MB - 2 GB |
| dbStr-1.map.header | String table header | Small |
| dbStr-1.map.offsets | String table offsets | Small - Medium |
| dbStr-1.map.data | String table data | 10 MB - 200 MB |
These files use a proprietary binary format (not SQLite). They require specialised parsers such as spotlight_parser or mac_apt for analysis.
Database Schema / File Format
Spotlight Shortcuts (com.apple.Spotlight.plist)
The shortcuts are stored in a binary plist under the UserShortcuts key:
```
UserShortcuts = {
    "<search_query>" = {
        DISPLAY_NAME = "<item name>";
        LAST_USED = <CFAbsoluteTime>; // Seconds since 2001-01-01 00:00:00 UTC
        URL = "<file or application URL>";
    };
};
```
The orderedItems key contains the user's search category preferences:
```
orderedItems = (
    {
        enabled = 1;
        name = "APPLICATIONS";
    },
    {
        enabled = 1;
        name = "DOCUMENTS";
    },
    {
        enabled = 0;
        name = "FOLDERS";
    },
    ...
);
```
Shortcuts.v3 Format
The .v3 variant (macOS 14 Sonoma and later) uses a similar dictionary structure with search queries as keys mapping to shortcut metadata. The format is functionally equivalent to the original.
VolumeConfiguration.plist
```
Stores = {
    "<UUID>" = {
        PartialPath = "<relative path>";
    };
};
Exclusions = (
    "<path1>",
    "<path2>",
    ...
);
```
The Stores dictionary maps store UUIDs to their corresponding volume paths. The Exclusions array lists paths explicitly excluded from Spotlight indexing.
Key Fields for Analysis
Shortcut Records
| Field | Description | Forensic Value |
|---|---|---|
| Search query (dictionary key) | The text the user typed into Spotlight | Reveals user intent and search behaviour |
| DISPLAY_NAME | The name of the item launched from the search result | Confirms which specific item the user selected |
| LAST_USED | CFAbsoluteTime timestamp of last use | Establishes timeline of search activity |
| URL | File URL of the launched item | Identifies the exact file or application accessed |
Preference Categories
| Category Name | Description |
|---|---|
| APPLICATIONS | Applications (.app bundles) |
| MENU_EXPRESSION | Calculator expressions and unit conversions |
| CONTACT | Contacts from AddressBook |
| MENU_DEFINITION | Dictionary definitions |
| DOCUMENTS | Documents of all types |
| EVENT_TODO | Calendar events and reminders |
| DIRECTORIES / FOLDERS | Folder names |
| FONTS | Installed fonts |
| IMAGES | Image files |
| MESSAGES | Mail and Messages content |
| MOVIES | Video files |
| MUSIC | Audio files |
| MENU_OTHER | Other results |
| PDF | PDF documents |
| PRESENTATIONS | Keynote, PowerPoint |
| SPREADSHEETS | Numbers, Excel |
| MENU_SPOTLIGHT_SUGGESTIONS | Siri/web suggestions |
| SYSTEM_PREFS | System Settings panes |
| TIPS | Tips |
| BOOKMARKS | Safari bookmarks and history |
Disabled categories are forensically interesting -- a user who disables DOCUMENTS from Spotlight results may be attempting to reduce discoverability.
Volume Configuration
| Field | Forensic Value |
|---|---|
| Store UUID-to-path mapping | Links metadata stores to specific volumes |
| Exclusion paths | May reveal directories the user or administrator deliberately hid from indexing |
Timestamps
Spotlight shortcuts use CFAbsoluteTime (Core Data) timestamps: seconds since 2001-01-01 00:00:00 UTC.
To convert to Unix epoch:
```
unix_timestamp = cf_absolute_time + 978307200
```
Where 978307200 is the number of seconds between 1970-01-01 and 2001-01-01.
A value of 0 typically indicates the timestamp is not set.
Analysis Notes
Search Activity Reconstruction
Spotlight shortcuts provide a direct record of user search behaviour. Each shortcut entry records:
- What the user typed (the dictionary key)
- What they selected from the results (DISPLAY_NAME and URL)
- When they last performed that search-to-launch action (LAST_USED)
This can establish that a user was aware of and deliberately accessed specific files or applications at specific times.
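The following is an added example, not part of macfor or of this page's original text, showing how the shortcut records and category preferences described above can be pulled out of a com.apple.Spotlight.plist and the LAST_USED values converted from CFAbsoluteTime. The sample plist is constructed inline (the queries, names, URLs and timestamps are invented), so it runs offline; point `parse_spotlight_prefs` at the bytes of a real per-user plist to use it on a collected copy.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Seconds between the Unix epoch (1970-01-01) and the CFAbsoluteTime epoch (2001-01-01).
CF_EPOCH_OFFSET = 978307200
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cf_absolute_to_unix(value):
    """Convert a CFAbsoluteTime value to a Unix timestamp; 0/None means 'not set'."""
    if not value:
        return None
    return value + CF_EPOCH_OFFSET


def cf_absolute_to_datetime(value):
    """Convert a CFAbsoluteTime value to an aware UTC datetime; 0/None means 'not set'."""
    if not value:
        return None
    return CF_EPOCH + timedelta(seconds=float(value))


def parse_spotlight_prefs(data):
    """Parse the bytes of a com.apple.Spotlight.plist (binary or XML plist).

    Returns {"shortcuts": [...], "disabled_categories": [...]}; shortcuts are
    ordered newest first, with entries whose LAST_USED is unset (0) at the end.
    """
    plist = plistlib.loads(data)

    shortcuts = []
    for query, rec in plist.get("UserShortcuts", {}).items():
        last_used = rec.get("LAST_USED", 0)
        shortcuts.append({
            "query": query,                            # what the user typed
            "display_name": rec.get("DISPLAY_NAME"),   # what they launched
            "url": rec.get("URL"),                     # where it lived
            "last_used": cf_absolute_to_datetime(last_used),
            "last_used_unix": cf_absolute_to_unix(last_used),
        })
    shortcuts.sort(key=lambda s: s["last_used_unix"] if s["last_used_unix"] is not None else -1,
                   reverse=True)

    # orderedItems entries with enabled == 0 are the categories the user suppressed.
    disabled = [item["name"] for item in plist.get("orderedItems", [])
                if not item.get("enabled", 1)]
    return {"shortcuts": shortcuts, "disabled_categories": disabled}


def build_sample_plist():
    """Constructed sample (not from a real system) in the layout documented above."""
    prefs = {
        "UserShortcuts": {
            "budget": {"DISPLAY_NAME": "budget_2024.xlsx",
                       "LAST_USED": 700000000.0,
                       "URL": "file:///Users/alice/Documents/budget_2024.xlsx"},
            "term": {"DISPLAY_NAME": "Terminal.app",
                     "LAST_USED": 700100000.5,
                     "URL": "file:///System/Applications/Utilities/Terminal.app"},
            "notes": {"DISPLAY_NAME": "Notes.app",
                      "LAST_USED": 0,   # never recorded
                      "URL": "file:///System/Applications/Notes.app"},
        },
        "orderedItems": [
            {"enabled": 1, "name": "APPLICATIONS"},
            {"enabled": 1, "name": "DOCUMENTS"},
            {"enabled": 0, "name": "FOLDERS"},
            {"enabled": 0, "name": "MENU_SPOTLIGHT_SUGGESTIONS"},
        ],
    }
    return plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY)


SAMPLE_PLIST = build_sample_plist()

if __name__ == "__main__":
    result = parse_spotlight_prefs(SAMPLE_PLIST)
    for s in result["shortcuts"]:
        when = s["last_used"].isoformat() if s["last_used"] else "not set"
        print(f'{when:25}  "{s["query"]}" -> {s["display_name"]}  ({s["url"]})')
    print("disabled categories:", ", ".join(result["disabled_categories"]) or "none")
```

The timeline is sorted on the converted Unix value rather than on the raw CFAbsoluteTime so that unset entries (0) fall to the bottom instead of being reported as 2001-01-01; on a real image, compare the newest LAST_USED against the file's own modification time to spot shortcuts that were edited after the fact.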
Exclusion Analysis
The Exclusions list in VolumeConfiguration.plist and the disabled categories in user preferences can reveal attempts to prevent Spotlight from indexing certain content. Common legitimate exclusions include /tmp, /private/var/vm, and Time Machine backup volumes. Unusual exclusions (such as user document directories or application data folders) warrant further investigation.
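As an added example (not macfor code and not part of the original page), the snippet below parses a VolumeConfiguration.plist, recovers the store UUID-to-path mapping, and sorts each exclusion into "expected", "unusual" or "review" using the distinction drawn above. The baseline of legitimate exclusions and the Time Machine marker are assumptions chosen for the example and should be tuned per case; the sample plist, its placeholder UUID and its paths are constructed.

```python
import plistlib

# Exclusions the page describes as commonly legitimate. This set is an assumption made
# for the example (/private/tmp added because /tmp is a symlink to it on macOS).
BASELINE_EXCLUSIONS = {"/tmp", "/private/tmp", "/private/var/vm"}
# Path component that marks a Time Machine backup tree (assumption: Backups.backupdb).
BASELINE_MARKERS = ("Backups.backupdb",)


def normalise(path):
    """Strip trailing slashes so '/tmp/' and '/tmp' compare equal."""
    return path.rstrip("/") or "/"


def parse_volume_configuration(data):
    """Parse VolumeConfiguration.plist bytes into {"stores": {...}, "exclusions": [...]}."""
    plist = plistlib.loads(data)
    stores = {uuid: rec.get("PartialPath") for uuid, rec in plist.get("Stores", {}).items()}
    exclusions = [normalise(p) for p in plist.get("Exclusions", [])]
    return {"stores": stores, "exclusions": exclusions}


def classify_exclusion(path):
    """Return 'expected', 'unusual' or 'review' for one exclusion path."""
    path = normalise(path)
    if path in BASELINE_EXCLUSIONS or any(m in path.split("/") for m in BASELINE_MARKERS):
        return "expected"
    if path.startswith("/Users/"):
        # User document and application-data folders are the cases flagged above.
        return "unusual"
    return "review"


def report_exclusions(data):
    """Pair every exclusion path in the plist with its classification."""
    cfg = parse_volume_configuration(data)
    return [(p, classify_exclusion(p)) for p in cfg["exclusions"]]


def build_sample_volume_config():
    """Constructed sample (placeholder UUID, invented paths), not from a real volume."""
    cfg = {
        "Stores": {
            "00000000-0000-0000-0000-000000000001": {"PartialPath": "/"},
        },
        "Exclusions": [
            "/tmp",
            "/private/var/vm",
            "/Volumes/Backup/Backups.backupdb/",
            "/Users/alice/Documents/Private",
            "/Users/alice/Library/Application Support/ExampleApp",
            "/opt/data",
        ],
    }
    return plistlib.dumps(cfg, fmt=plistlib.FMT_BINARY)


SAMPLE_VOLUME_CONFIG = build_sample_volume_config()

if __name__ == "__main__":
    cfg = parse_volume_configuration(SAMPLE_VOLUME_CONFIG)
    for uuid, partial in cfg["stores"].items():
        print(f"store {uuid} -> {partial}")
    for path, verdict in report_exclusions(SAMPLE_VOLUME_CONFIG):
        print(f"{verdict:9} {path}")
```

Paths that are neither baseline nor under /Users/ come back as "review" rather than being silently accepted; cross-check the store UUIDs against the Store-V2/{UUID}/ directories actually present so that a configured store with no on-disk directory (or the reverse) is noticed.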
Raw Store Analysis
The raw store.db files contain indexed kMDItem metadata properties for every file the Spotlight indexer has processed. This includes:
- File names and paths
- Content types and UTIs
- Creation and modification dates
- File sizes
- Author metadata
- Email addresses and phone numbers (from document content)
Since the metadata store is not immediately purged when files are deleted, it can contain references to files that no longer exist on the filesystem.
Raw store analysis requires external tools (see Tool Support below) as the binary format uses a combination of zlib, LZ4, and LZFSE compression for page data.
Permission Requirements
- User-level shortcuts and preferences are readable by the file owner.
- Volume-level stores at /.Spotlight-V100/ require root access or Full Disk Access (FDA) entitlement.
- The .Spotlight-V100 directory is hidden from Finder by default.
Version Differences
| macOS Version | Differences |
|---|---|
| 10.13 (High Sierra) | Introduction of per-user CoreSpotlight stores at ~/Library/Metadata/CoreSpotlight/index.spotlightV3/ |
| 10.15 (Catalina) | APFS volume split moves stores to /System/Volumes/Data/.Spotlight-V100/ |
| 11 (Big Sur) | Signed system volume (SSV). Stores exclusively on Data volume. No format changes. |
| 12 (Monterey) | No observed changes to Spotlight artifacts. |
| 13 (Ventura) | Spotlight UI redesign. No binary format changes. |
| 14 (Sonoma) | Shortcuts may use .v3 variant format. |
| 15 (Sequoia) | Apple Intelligence integration. Index structure remains compatible. |
The Store-V2 binary format has remained structurally stable across all supported macOS versions.
Tool Support
| Tool | Support |
|---|---|
| macfor | Parses shortcuts, preferences, and volume configuration plists; optional raw store collection |
| spotlight_parser (Yogesh Khatri) | Reference parser for the proprietary store.db binary format |
| mac_apt SPOTLIGHT plugin | Spotlight artifact extraction including store.db parsing |
| mdls (macOS built-in) | Displays Spotlight metadata attributes for individual files |
| mdfind (macOS built-in) | Performs Spotlight queries from the command line |
| plutil (macOS built-in) | Converts and inspects binary plist files |