Posted by Administrator

MAC OSX .DS_Store Artifact

  • 10.4 Tiger extended .DS_Store use to include "Spotlight" comments
  • Similar to Desktop.ini and Shellbags in Windows
  • Shows folders accessed within Finder
  • Stores "Window view settings", "Icon position", "Sorting preferences", "Window sizes and positions", and other metadata
  • Files are created in the enclosing (parent) folder when viewed in "Icon", "List", or "Gallery" view, but NOT in "Column" view
  • Applies to Local, External and Network locations

Caveats

Full paths are not included

  • "Trash put back locations" are a noted exception (put back location path included)

Timestamps are not included

  • Parsing tools can derive some time-related information from the "File system timestamps" of the .DS_Store files themselves

Data is volatile

  • When a file is deleted/removed, its associated records are removed
  • When a file is renamed, its associated records are renamed

Takeaways

  • Determine original name and path for files and folders in Trash
  • Show user interaction of files and folders via Finder
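The first takeaway, as an added example that is not code from the original post or from DSStoreParser: a byte-level carve that pulls Trash put back records out of a .DS_Store file. It is a pattern scan, not a full parse of the file's internal tree. The record codes `ptbL` (put back location) and `ptbN` (put back name) and the record layout are assumptions taken from public descriptions of the format, not from this page, and the sample bytes are constructed.

```python
# Assumed record layout (not from the page): name, 4-byte code, 4-byte type, value
import struct

def _ustr(buf, off):
    """Read a 'ustr' value: 4-byte big-endian char count, then UTF-16BE text."""
    (n,) = struct.unpack_from(">I", buf, off)
    if n > 4096 or off + 4 + 2 * n > len(buf):
        raise ValueError("implausible ustr length")
    return buf[off + 4:off + 4 + 2 * n].decode("utf-16-be")

def _name_before(buf, code_off):
    """Recover the record's filename, which sits just before the 4-byte code."""
    for n in range(1, 256):
        start = code_off - 2 * n
        if start - 4 < 0:
            break
        if struct.unpack_from(">I", buf, start - 4)[0] == n:
            try:
                return buf[start:code_off].decode("utf-16-be")
            except UnicodeDecodeError:
                continue
    return None

def carve_put_back(buf):
    """Return {name_in_trash: {'ptbL': folder, 'ptbN': original_name}}."""
    found = {}
    for code in (b"ptbL", b"ptbN"):
        pos = buf.find(code + b"ustr")
        while pos != -1:
            try:
                value = _ustr(buf, pos + 8)
                name = _name_before(buf, pos)
                if name is not None:
                    found.setdefault(name, {})[code.decode()] = value
            except (ValueError, UnicodeDecodeError, struct.error):
                pass  # false-positive match on the pattern, keep scanning
            pos = buf.find(code + b"ustr", pos + 1)
    return found

def _rec(name, code, text):  # one constructed record for the sample below
    enc = [struct.pack(">I", len(s)) + s.encode("utf-16-be") for s in (name, text)]
    return enc[0] + code + b"ustr" + enc[1]

# Constructed sample: two records describing one item in a Trash folder
SAMPLE = (b"\x00" * 8 + _rec("notes 2.txt", b"ptbL", "Users/alice/Documents/")
          + _rec("notes 2.txt", b"ptbN", "notes.txt"))

if __name__ == "__main__":
    print(carve_put_back(SAMPLE))
```

On a real image, pass the bytes of the Trash folder's .DS_Store to `carve_put_back` and record that file's own file system timestamps alongside the result, since the records carry none.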

Resources

YouTube Video:

What's In .DS Store for You? - macOS Forensics

DSStoreParser:

https://github.com/nicoleibrahim/DSStoreParser

Mac Dumpster Diving – Identifying Deleted File References in the Trash (.DS_Store) Files – Part 1:

https://ponderthebits.com/2017/01/mac-dumpster-diving-identifying-deleted-file-references-in-the-trash-ds_store-files-part-1/

Mac Dumpster Diving – Identifying Deleted File References in the Trash (.DS_Store) Files – Part 2:

https://ponderthebits.com/2017/02/mac-dumpster-diving-identifying-deleted-file-references-in-the-trash-ds_store-files-part-2/