OS X Mavericks Metadata

Apple recently released the newest version of its desktop operating system, Mac OS X Mavericks.  As a free update for all supported Apple desktops and laptops, a wide adoption rate was expected, and in fact it was estimated that within the first 24 hours 5.5% of all Mac laptops and desktops were already running the new operating system.  It is therefore necessary for a forensic examiner to understand how changes to the file metadata system can be used as a source of new evidence during an investigation.  In this article, I would like to cover two significant changes to the metadata generated by OS X Mavericks that, if properly preserved, can be a useful source of evidence.

Files saved from email attachments

There is a convenient feature in OS X Mavericks that allows you to open a document that has been saved from an email, make a change to that document (applying a signature to a PDF, for example), and “Reply” to the original email from within the Preview app’s share function.

The OS X Mavericks Reply Function

In order to accomplish this, the operating system must maintain a link between the document resident in the file system and the email from which the document originated.  In the case of OS X, the information describing this relationship is stored in the metadata of the saved attachment.  Upon examination of a file’s metadata, a forensic investigator can quickly gather useful information about the origin of the file before it was saved to the file system.  For example, if the file was saved from an email message, the additional metadata in OS X Mavericks allows an examiner to identify the mail application used, the email message ID, the sender of the email message and the email subject line.

The following metadata fields are new to OS X Mavericks:

  • kMDItemOriginApplicationIdentifier
    • The application that the item originated in.
    • Example: “com.apple.mail” for the Apple Mail App
  • kMDItemOriginMessageID
    • The ID number of the message in the Apple Mail App
    • Example: “203245”
  • kMDItemOriginSenderDisplayName
    • The sender display name from the email
    • Example: “John Doe”
  • kMDItemOriginSenderHandle
    • The sender handle from the email, often the same as the display name
    • Example: “John Doe”
  • kMDItemOriginSubject
    • The subject line from the original email
    • Example: “RE: Secret Document, DO NOT SAVE”

In the previous version of Mac OS X, Mountain Lion, some of this information was available, but it was all encapsulated in one metadata field called kMDItemWhereFroms.  The new structure allows forensic tools to identify the origin of files more easily and to connect a file saved to a computer more definitively back to a particular email and sender, adding context to an otherwise “loose” file.

Files tagged with the new tagging system

Mavericks Tag Feature

In addition to the new metadata described above, OS X Mavericks also includes a new feature that allows users to organize files in the OS through a tagging system.  Right-clicking on a file and selecting a “Tag” allows a user to organize files into categories.

By default these are color-based categories, but they can be modified to represent words.  Unlike the color labels in previous versions of Mac OS X, these tags are searchable and their text can be customized.  A single file can also have more than one tag associated with it.  This tag information is stored in the file metadata under the field kMDItemUserTags.  This new user-generated metadata can be an important source of context when examining a file, because it indicates how a user chose to categorize a document.  Similarly, documents can be searched and grouped by their tags in order to discover potentially related items.
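The kMDItemWhereFroms and kMDItemUserTags values discussed above are persisted on disk as extended attributes (com.apple.metadata:kMDItemWhereFroms and com.apple.metadata:_kMDItemUserTags) holding a binary property list; tags are strings of the form "Name\nColorIndex". The script below is an added example, not part of the original article, that decodes both from constructed sample bytes, so an examiner can recover them from a forensic image without relying on the Spotlight index. The xattr(1) and mdls(1) wrappers for live systems, and the Finder color index mapping, are assumptions of this example.

```python
import plistlib
import subprocess

# Finder colour index used in the "Name\nIndex" tag strings (assumed mapping).
TAG_COLOURS = {0: "none", 1: "gray", 2: "green", 3: "purple",
               4: "blue", 5: "yellow", 6: "red", 7: "orange"}


def decode_metadata_xattr(raw: bytes):
    """Decode the binary plist stored in a com.apple.metadata:* xattr."""
    return plistlib.loads(raw, fmt=plistlib.FMT_BINARY)


def parse_user_tags(raw: bytes):
    """Return [(tag_name, colour_label)] from _kMDItemUserTags xattr bytes.

    Each entry is "Name\\nIndex"; a bare "Name" (no index) is treated as uncoloured.
    """
    tags = []
    for entry in decode_metadata_xattr(raw):
        name, _, idx = entry.partition("\n")
        colour = TAG_COLOURS.get(int(idx), "unknown") if idx else "none"
        tags.append((name, colour))
    return tags


def read_xattr(path: str, name: str) -> bytes:
    """Read one xattr on a live macOS system via `xattr -px` (hex output).

    Assumption: xattr(1) with -p (print) and -x (hex) as on OS X Mavericks.
    """
    out = subprocess.check_output(["xattr", "-px", name, path], text=True)
    return bytes.fromhex(out.replace(" ", "").replace("\n", ""))


def read_spotlight_attribute(path: str, name: str) -> str:
    """Query one Spotlight attribute (e.g. kMDItemOriginSubject) via mdls(1).

    Assumption: `mdls -name <attr> -raw <file>` prints just the value.
    """
    return subprocess.check_output(["mdls", "-name", name, "-raw", path], text=True)


# Constructed sample xattr payloads (what a mail-saved, tagged file might carry).
SAMPLE_USER_TAGS = plistlib.dumps(["Red\n6", "Evidence\n0", "Review"],
                                  fmt=plistlib.FMT_BINARY)
SAMPLE_WHEREFROMS = plistlib.dumps(["https://example.invalid/report.pdf"],
                                   fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print("tags:", parse_user_tags(SAMPLE_USER_TAGS))
    print("where froms:", decode_metadata_xattr(SAMPLE_WHEREFROMS))
```

On a live Mavericks system, `parse_user_tags(read_xattr(path, "com.apple.metadata:_kMDItemUserTags"))` performs the same decoding against a real file.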

The new metadata generated in Mac OS X Mavericks can be a critical tool in a forensic examiner’s belt, facilitating a better understanding of the context surrounding the creation and classification of a document.

Daniel Barak is the Director of Technology and Digital Forensics at Vdiscovery, a litigation support and electronic discovery service provider in New York City.
