Shedding Light on the macOS Spotlight Desktop Search Service - SANS DFIR Summit 2019

The macOS Spotlight desktop search system maintains an index of metadata for files and folders on a system. While some of the data it contains duplicates filesystem and EXIF metadata and their extended attributes, the store also holds a gold mine of metadata that is unique to it, including use counts and dates for files and folders that can go back years.

However, exactly what the store contains and how to access the data remains largely unexplored by the forensics community. In the last year or so, forensics tools have surfaced that can parse the Spotlight metadata store, but there are still many unanswered questions about what artifacts can be found, where, and how. In addition to reviewing the basics, this session addresses a number of specific topics, such as recovering deleted metadata stores, what can be done with the iOS version of the Spotlight store, and what data can be found on removable drives that have hopped from machine to machine. These new techniques will better arm investigators to get to actionable data quickly.
