MAC OSX .DS_Store Artifact
- 10.4 Tiger extended .DS_Stroe use to include "Spotlight" comments
- Similar to Desktop.ini and Shellbags in Windows
- Shows folders accessed within Finder
- Stores "Window view settings", "Icon position", "Sorting preferences", "Window sizes and positions", and other metadata
- Files are created in the enclosing (parent) folder when viewed in "Icon", "List", or "Gallery" view, but NOT in "Column" view
- Applies to Local, External and Network locations
Caveats
Full paths are not included
- "Trash put back locations" are a noted exception (put back location path included)
Timestamp are not included
- Parsing tools can drive some time-related information based upon "File system timestamps" for the .DS_Store files themselves
Data is volatile
- When a file is deleted/removed, its associated records are removed
- When a file is renamed, its associated records are renamed
Takeaways
- Determine original name and path for files and folders in Trash
- Show user interaction of files and folders via Finder
Resources
YouTube Video:
What's In .DS Store for You? - macOS Forensics
DSStoreParser:
https://github.com/nicoleibrahim/DSStoreParser
Mac Dumpster Diving – Identifying Deleted File References in the Trash (.DS_Store) Files – Part 1:
Mac Dumpster Diving – Identifying Deleted File References in the Trash (.DS_Store) Files – Part 2: