OS X Mavericks Metadata

Apple recently released the newest version of their desktop operating system, Mac OS X Mavericks.  As a free update to all supported Apple desktops and laptops, a wide adoption rate was expected, and in fact it was estimated that within the first 24 hours, 5.5% of all Mac laptops and desktops were already running the new operating system.  It becomes necessary for a forensic examiner to understand how changes to the file metadata system can be used as a source of new evidence during an investigation.  In this article, I would like to cover two significant changes to the metadata generated by OS X Mavericks that, if properly preserved, can be a useful source of evidence.

Files saved from email attachments

There is a convenient feature in OS X Mavericks which allows you to open a document that has been saved from an email, make a change to that document (applying a signature to a PDF, for example), and “Reply” to the original email from within Preview’s Share menu.

[Figure: The OS X Mavericks Reply Function]

In order to accomplish this, the operating system must maintain a link between the document resident in the file system and the email from which the document originated.  In the case of OS X, the information describing this relationship is stored in the metadata of the saved attachment.  Upon examination of a file’s metadata, a forensic investigator can quickly gather useful information about the origin of the file before it was saved to the file system.  For example, if the file was saved from an email message, the additional metadata in OS X Mavericks allows an examiner to identify the mail application used, the email message ID, the sender of the email message and the email subject line.

The following metadata fields are new to OS X Mavericks:

  • kMDItemOriginApplicationIdentifier
    • The bundle identifier of the application the item originated in.
    • Example: “com.apple.mail” for the Apple Mail app
  • kMDItemOriginMessageID
    • Mail’s internal identifier for the message (the number shown here, not the RFC 5322 Message-ID header)
    • Example: “203245”
  • kMDItemOriginSenderDisplayName
    • The sender display name from the email
    • Example: “John Doe”
  • kMDItemOriginSenderHandle
    • The sender handle from the email, normally the sender’s address; in this example it matched the display name
    • Example: “John Doe”
  • kMDItemOriginSubject
    • The subject line from the original email
    • Example: “RE: Secret Document, DO NOT SAVE”

In the previous version of Mac OS X, Mountain Lion, some of this information was available, but it was all encapsulated in one metadata field called kMDItemWhereFroms.  The new structure allows forensic tools to identify the origin of files more easily and to connect a file saved to a computer more definitively back to a particular email and sender, adding context to an otherwise “loose” file.

Files tagged with the new tagging system

[Figure: Mavericks Tag Feature]

In addition to the new metadata described above, OS X Mavericks also includes a new feature that allows users to organize files through a tagging system.  Right-clicking on a file and selecting a “Tag” allows a user to organize files into categories.

By default these are color-based categories but can be modified to represent words.  Unlike the color labels in previous versions of Mac OS X, these tags are searchable and their text can be customized.  A single file can also have more than one tag associated with it.  This tag information is stored in the file metadata under the field kMDItemUserTags.  This new user generated metadata can be an important source of context when examining a file because it can indicate how a user chose to categorize a document.  Similarly, documents can be searched and grouped by their tags in order to discover potentially related items.
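Both kinds of metadata above are stored on disk as extended attributes named com.apple.metadata:&lt;key&gt;, each holding a small binary property list. The following script, added here as an illustration and not part of the original article, decodes those attributes for the origin fields and for the user tags. The attribute names for the kMDItemOrigin* fields are assumed to follow the pattern used by kMDItemWhereFroms; the tag attribute is com.apple.metadata:_kMDItemUserTags (with a leading underscore), whose value is an array of strings of the form “Name\n<colour index>”. The sample attribute values are constructed inline with plistlib so the example runs offline; the sender address in them is invented.

```python
"""Decode the Spotlight metadata attributes discussed above from their on-disk form.

Mail and Finder attach kMDItem* values to a file as extended attributes named
com.apple.metadata:<key>, each holding a binary property list.  This example
(not from the original article) decodes such attributes.  The sample blobs at the
bottom are constructed with plistlib so that the script runs offline.
"""
import plistlib
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

XATTR_PREFIX = "com.apple.metadata:"

# Origin fields introduced with Mavericks.  Attribute names are assumed to follow
# the com.apple.metadata:<key> pattern that kMDItemWhereFroms uses.
ORIGIN_KEYS = (
    "kMDItemOriginApplicationIdentifier",
    "kMDItemOriginMessageID",
    "kMDItemOriginSenderDisplayName",
    "kMDItemOriginSenderHandle",
    "kMDItemOriginSubject",
)
TAGS_KEY = "_kMDItemUserTags"  # note the leading underscore in the attribute name

# Finder's built-in colour indices as they appear after the newline in a tag string.
FINDER_COLORS = {0: "none", 1: "gray", 2: "green", 3: "purple",
                 4: "blue", 5: "yellow", 6: "red", 7: "orange"}


def decode_plist_attr(blob: bytes):
    """Decode one com.apple.metadata value (a binary plist) to a Python object."""
    return plistlib.loads(blob)


def parse_user_tag(tag: str) -> Tuple[str, Optional[str]]:
    """Split a stored tag into (label, colour).

    Finder stores a coloured tag as 'Red\\n6'; a custom text tag with no colour is
    stored as just its label, so the colour comes back as None.
    """
    label, sep, idx = tag.partition("\n")
    if not sep:
        return label, None
    return label, FINDER_COLORS.get(int(idx), f"unknown({idx})")


def extract_origin(xattrs: Dict[str, bytes]) -> Dict[str, str]:
    """Collect whichever Mavericks origin fields are present on a file."""
    found = {}
    for key in ORIGIN_KEYS:
        blob = xattrs.get(XATTR_PREFIX + key)
        if blob is not None:
            found[key] = decode_plist_attr(blob)
    return found


def extract_tags(xattrs: Dict[str, bytes]) -> List[Tuple[str, Optional[str]]]:
    """Return the file's user tags as (label, colour) pairs, empty if untagged."""
    blob = xattrs.get(XATTR_PREFIX + TAGS_KEY)
    if blob is None:
        return []
    return [parse_user_tag(t) for t in decode_plist_attr(blob)]


def read_xattrs_macos(path: str) -> Dict[str, bytes]:
    """Live collection on macOS via xattr(1): bare 'xattr FILE' lists attribute
    names, 'xattr -px NAME FILE' dumps one value as hex.  Not run offline."""
    if shutil.which("xattr") is None:
        raise RuntimeError("xattr(1) is not available on this system")
    names = subprocess.run(["xattr", path], capture_output=True,
                           text=True, check=True).stdout.split()
    collected = {}
    for name in names:
        hexdump = subprocess.run(["xattr", "-px", name, path], capture_output=True,
                                 text=True, check=True).stdout
        collected[name] = bytes.fromhex("".join(hexdump.split()))
    return collected


def _binary_plist(obj) -> bytes:
    """Serialise a value the way the OS stores it (binary plist)."""
    return plistlib.dumps(obj, fmt=plistlib.FMT_BINARY)


# Constructed sample: a PDF saved from Mail and then tagged in Finder.  The values
# mirror the article's examples; the sender address is invented for illustration.
SAMPLE_XATTRS = {
    XATTR_PREFIX + "kMDItemOriginApplicationIdentifier": _binary_plist("com.apple.mail"),
    XATTR_PREFIX + "kMDItemOriginMessageID": _binary_plist("203245"),
    XATTR_PREFIX + "kMDItemOriginSenderDisplayName": _binary_plist("John Doe"),
    XATTR_PREFIX + "kMDItemOriginSenderHandle": _binary_plist("john.doe@example.com"),
    XATTR_PREFIX + "kMDItemOriginSubject": _binary_plist("RE: Secret Document, DO NOT SAVE"),
    XATTR_PREFIX + TAGS_KEY: _binary_plist(["Red\n6", "Evidence"]),
}

if __name__ == "__main__":
    for key, value in extract_origin(SAMPLE_XATTRS).items():
        print(f"{key}: {value}")
    for label, colour in extract_tags(SAMPLE_XATTRS):
        print(f"tag: {label} ({colour or 'no colour'})")
```

On a live Mavericks system the same values are visible with `mdls -name kMDItemOriginMessageID FILE` or `xattr -l FILE`; decoding the raw attribute as shown here matters when working from an image or a copy where the Spotlight index is unavailable, and it shows that the tag colour is part of the stored string rather than a separate field.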

The new metadata generated in Mac OS X Mavericks can be a critical tool in a forensic examiner’s belt, facilitating a better understanding of the context surrounding the creation and classification of a document.  Because these values live in the file’s extended attributes rather than in its content, they survive only if the evidence is acquired in a way that preserves extended attributes, such as a volume image or a copy made with a tool that carries them across; copying the file onto a volume or into an archive format that discards extended attributes silently strips this context.

 Daniel Barak is the Director of Technology and Digital Forensics at Vdiscovery, a litigation support and electronic discovery service provider in New York City.
