# Trash

## Overview
When files are deleted via Finder on macOS, they are moved to the Trash directory rather than being immediately removed from the filesystem. The Trash retains deleted files until the user explicitly empties it (or the system automatically prunes old items on macOS 13+). Trash forensics involves recovering deleted files, determining their original locations, and establishing deletion timelines.
## Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| Deleted file contents | Files still recoverable from Trash |
| Original file paths | Where files were before deletion (via xattr and .DS_Store) |
| Deletion timestamps | When files were moved to Trash |
| Partial emptying | Evidence of selective Trash emptying |
| External volume Trash | Deleted files from external drives |
## File Locations
| Artifact | Path | Description |
|---|---|---|
| User Trash | ~/.Trash/ | Main Trash directory |
| Trash DS_Store | ~/.Trash/.DS_Store | Contains put-back paths |
| External volume Trash | /Volumes/<name>/.Trashes/<UID>/ | Per-volume Trash for external drives |
| Trash metadata | Extended attribute com.apple.trash.origpath on each file | Original path |
## Key Data Sources

### Original Path Recovery

Each file in the Trash has an extended attribute recording its original path:

```sh
# Get original path of a trashed file
xattr -p com.apple.trash.origpath ~/.Trash/document.pdf
# Output: /Users/name/Desktop/document.pdf
```
### .DS_Store Put-Back Records

The .DS_Store file in ~/.Trash/ contains ptbL (put-back location) and ptbN (put-back name) records:

```python
from ds_store import DSStore  # pip install ds_store

# Walk every record in the Trash's .DS_Store and print the put-back entries
with DSStore.open('/Users/name/.Trash/.DS_Store', 'r') as d:
    for entry in d:
        if entry.code in ('ptbL', 'ptbN'):
            print(f"{entry.filename}: {entry.code} = {entry.value}")
```
### Deletion Timeline

```sh
# List Trash contents with modification times (approximates deletion time)
ls -la ~/.Trash/
# For more precise timing, check the file's filesystem metadata
stat ~/.Trash/*
```
## Analysis Notes

- Dual recovery methods: Both the `com.apple.trash.origpath` xattr and the `.DS_Store` `ptbL` records provide original path information. Cross-reference both for completeness.
- Selective emptying: If specific files are missing from Trash but their `.DS_Store` entries remain, the user may have selectively deleted individual items (right-click > Delete Immediately).
- Secure Empty Trash: macOS no longer offers a "Secure Empty Trash" option (removed in 10.11), but users may use third-party tools to securely delete files. An empty Trash with recent `.DS_Store` entries suggests recent emptying.
- External volume Trash: When files are deleted from an external drive, they go to `/Volumes/<name>/.Trashes/<UID>/` rather than `~/.Trash/`. These directories persist on the external media.
- Automatic cleanup: macOS 13+ can automatically remove items from Trash after 30 days if enabled in Finder preferences (`com.apple.finder FXRemoveOldTrashItems`).
- FSEvents correlation: FSEvents records `ItemRenamed` events when files are moved to Trash, providing precise timestamps and confirming the deletion.
## Tool Support
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| xattr (macOS built-in) | Read original path xattr |
| ds_store (Python) | Parse .DS_Store put-back records |
| Finder (macOS built-in) | "Put Back" uses the same metadata |