Spotlight, FSEvents, and KnowledgeC are three of the most valuable forensic data sources on macOS. They track file metadata, file system changes, user behavior patterns, and historical activity across the system. These artifacts often survive file deletion, system modifications, and even some anti-forensic attempts—making them essential for reconstructing timelines, understanding user behavior, and detecting suspicious activity.
This chapter explains how each artifact works, where it is stored, and how it can be used during macOS forensic investigations.
Spotlight Metadata
Spotlight is macOS’s system-wide search engine. It indexes nearly every file on the system and stores rich metadata, even for files that have been deleted or moved.
What Spotlight Records
Spotlight’s metadata includes:
- File names
- File locations and paths
- Timestamps (creation, modification, last opened, last used) and a use count
- Keywords and content summaries (text extracted from document types the importer understands)
- Thumbnail data
- File type (UTI) and MIME information
- Application associations, including the download source URL recorded for files saved by browsers
- Indexing history
The store can retain entries for files that have since been deleted, which makes it a useful source for recovering the name, path and timestamps of a file that no longer exists on disk.
Spotlight Storage Location
Spotlight keeps a per-volume index in a hidden directory at the root of each indexed volume:
/Volumes/<VolumeName>/.Spotlight-V100/
On a system volume running Catalina or later, where the writable data volume is mounted separately, the index for that data volume is at:
/System/Volumes/Data/.Spotlight-V100/
Inside that directory the index lives under Store-V2/<UUID>/. Key files include:
- store.db (the main index)
- .store.db (a second copy of the store kept alongside it)
These files are not SQLite databases: store.db is Apple’s proprietary, partly compressed index format and will not open in sqlite3 or a SQLite browser. Use a format-aware parser (for example the Spotlight plugin in mac_apt) to extract the metadata records for indexed files.
Forensic Value of Spotlight
Spotlight assists with:
- Recovering names, paths and timestamps of deleted files
- Tracking file movement across directories
- Identifying recently accessed documents (last-used dates and use counts)
- Discovering hidden or renamed files
- Identifying where downloaded files came from
- Building a timeline of file interactions
The index itself does not record the user’s search queries; those live separately in the user’s Spotlight shortcut history, not in store.db. Because Spotlight indexes content and not just file system metadata, an entry may survive after the original file is gone, but it disappears once the index is rebuilt (for example after mdutil -E resets it), so capture the store early.
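On a live Mac, or on an indexed volume mounted on an analysis Mac, the same metadata is exposed per file by mdls. The following is an added example, not code from the original page: it parses the XML plist that mdls -plist - writes, keeps the attributes an examiner usually pulls first, and derives timeline observations from them (download origin from kMDItemWhereFroms, a last-used date later than the last content change). The sample plist is constructed, not a real capture, and the live_metadata wrapper only works where mdls exists, i.e. on macOS.

```python
import plistlib
import subprocess

# Attributes an examiner usually pulls first (names are Spotlight's own).
KEYS = ("kMDItemFSName", "kMDItemContentType", "kMDItemFSCreationDate",
        "kMDItemFSContentChangeDate", "kMDItemLastUsedDate", "kMDItemUseCount",
        "kMDItemWhereFroms", "kMDItemDownloadedDate")


def parse_mdls_plist(data: bytes) -> dict:
    """Parse the XML plist written by `mdls -plist - <file>` and keep KEYS.
    plistlib returns <date> values as naive datetimes in UTC."""
    attrs = plistlib.loads(data)
    return {k: attrs[k] for k in KEYS if k in attrs}


def triage(attrs: dict) -> list:
    """Observations worth carrying into a timeline, derived from the attributes."""
    notes = []
    froms = attrs.get("kMDItemWhereFroms") or []
    if froms:
        # kMDItemWhereFroms[0] is the download URL; [1], when present, the referrer
        notes.append(f"downloaded from {froms[0]}")
    used = attrs.get("kMDItemLastUsedDate")
    changed = attrs.get("kMDItemFSContentChangeDate")
    if used and changed and used > changed:
        notes.append(f"opened after last content change ({used.isoformat()}Z)")
    if used is None and not attrs.get("kMDItemUseCount"):
        notes.append("never opened according to Spotlight")
    return notes


def live_metadata(path: str) -> dict:
    """Query the live Spotlight index on a macOS host (mdls is macOS-only)."""
    out = subprocess.run(["mdls", "-plist", "-", path], check=True,
                         capture_output=True).stdout
    return parse_mdls_plist(out)


# Constructed sample of mdls -plist output (not a real capture).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>kMDItemFSName</key><string>invoice.pdf</string>
<key>kMDItemContentType</key><string>com.adobe.pdf</string>
<key>kMDItemFSCreationDate</key><date>2024-03-04T08:55:10Z</date>
<key>kMDItemFSContentChangeDate</key><date>2024-03-04T08:55:10Z</date>
<key>kMDItemLastUsedDate</key><date>2024-03-04T09:11:42Z</date>
<key>kMDItemUseCount</key><integer>2</integer>
<key>kMDItemWhereFroms</key><array><string>https://example.invalid/dl/invoice.pdf</string></array>
<key>kMDItemDownloadedDate</key><array><date>2024-03-04T08:55:09Z</date></array>
</dict></plist>"""
```

Running triage(parse_mdls_plist(SAMPLE_PLIST)) yields the download source and an "opened after last content change" note; on a real host call live_metadata("/path/to/file") instead. These attributes come from the live index, so they reflect the volume as it is now; deleted-file records require parsing store.db with a dedicated tool.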
FSEvents (File System Events)
FSEvents is the macOS file system event notification service. The kernel reports changes to the fseventsd daemon, which delivers them to subscribers such as Spotlight, Time Machine and Finder, and writes them to compressed on-disk logs so that subscribers can catch up on changes they missed, for example across a reboot.
What FSEvents Records
FSEvents logs:
- File creation
- File deletion
- File modification (content, inode metadata, extended attributes, permissions)
- Directory creation and changes
- Mount/unmount events
- Renaming operations
- File moves (recorded as renames)
- Activity generated by system updates
- External drive activity
Each record carries the full path of the affected file or directory (relative to the volume root) together with a set of event flags, so filenames are logged. What is not logged is a per-event timestamp: records carry only a monotonically increasing event ID, so their time must be bracketed from the log file’s own creation and modification times and from neighbouring events whose dates are known from other artifacts.
FSEvents Storage Location
FSEvents logs are kept in a hidden directory at the root of each volume; on the system’s data volume that is:
/System/Volumes/Data/.fseventsd/
The directory also holds an fseventsd-uuid file that identifies the volume’s log set. The log files are named with 16-digit hexadecimal event IDs, for example:
- 0000000000000001
- 0000000000000002
- etc.
Each file is a gzip-compressed binary log whose pages begin with a version marker (DLS1, DLS2 or DLS3, stored on disk as 1SLD, 2SLD or 3SLD). They can be parsed with forensic tools such as FSEventsParser or mac_apt.
Forensic Value of FSEvents
FSEvents is essential for:
- Tracking file activity over time
- Identifying suspicious folder behavior
- Detecting mass file deletion or movement
- Tracing ransomware activity (bursts of create-then-remove or rename events across a directory tree)
- Tracking external drive access (mount and unmount records under Volumes/)
- Determining if folders were tampered with
- Correlating file activity with other, timestamped artifacts
Because each record names the exact path, FSEvents can show what a user or process touched even when the file itself is gone; what it cannot do on its own is say precisely when, so the log file timestamps and other artifacts must supply the time bounds.
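The log layout and the forensic uses above, as an added example that is not code from the original page: a parser for the DLS1/DLS2/DLS3 page format (4-byte magic, 4 unused bytes, uint32 LE page length, then records of NUL-terminated path, uint64 LE event ID and uint32 LE flags, with an extra uint64 LE node ID per record in DLS3 pages), plus two detections run over a constructed log: directories with a burst of Removed events and mount/unmount records. The page layout and the flag bit values follow the mapping commonly published by open-source FSEvents parsers and are assumptions here; verify them against the parser you use in casework. The sample log is built in build_sample_log and is not a real capture.

```python
import gzip
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Flag bits as published by open-source FSEvents parsers (assumed; verify
# against your casework parser before relying on a specific bit).
FLAGS = {
    0x00000001: "FolderEvent",
    0x00000002: "Mount",
    0x00000004: "Unmount",
    0x00008000: "FileEvent",
    0x01000000: "Created",
    0x02000000: "Removed",
    0x08000000: "Renamed",
    0x10000000: "Modified",
    0x80000000: "FolderCreated",
}
REMOVED, MOUNT, UNMOUNT = 0x02000000, 0x00000002, 0x00000004

@dataclass
class FSEvent:
    event_id: int
    path: str               # relative to the volume root, no leading slash
    flags: int
    node_id: Optional[int]  # present only in DLS3 ("3SLD") pages

    def flag_names(self) -> list:
        return [name for bit, name in FLAGS.items() if self.flags & bit]

def parse_fsevents_pages(raw: bytes) -> list:
    """Parse every page of a decompressed .fseventsd log into FSEvent records.

    No field holds a per-event timestamp: date the events from the log file's
    own mtime/ctime (an upper bound) and from their event-ID order.
    """
    events, pos = [], 0
    while pos + 12 <= len(raw):
        magic = raw[pos:pos + 4]
        if magic not in (b"1SLD", b"2SLD", b"3SLD"):
            raise ValueError(f"unexpected page magic {magic!r} at offset {pos}")
        page_end = pos + struct.unpack_from("<I", raw, pos + 8)[0]
        cursor = pos + 12
        while cursor < page_end:
            nul = raw.index(b"\x00", cursor)
            path = raw[cursor:nul].decode("utf-8", "replace")
            event_id, flags = struct.unpack_from("<QI", raw, nul + 1)
            cursor = nul + 1 + 12
            node_id = None
            if magic == b"3SLD":
                node_id = struct.unpack_from("<Q", raw, cursor)[0]
                cursor += 8
            events.append(FSEvent(event_id, path, flags, node_id))
        pos = page_end
    return events

def read_fsevents_log(path: str) -> list:
    """Read one gzip-compressed log such as .fseventsd/000000000d3b2c8f."""
    with gzip.open(path, "rb") as fh:
        return parse_fsevents_pages(fh.read())

def removals_by_directory(events, min_count: int = 10) -> dict:
    """Directories with at least min_count Removed records: a mass-deletion
    or ransomware signal (originals removed after encrypted copies appear)."""
    counts = Counter(e.path.rsplit("/", 1)[0] for e in events if e.flags & REMOVED)
    return {d: n for d, n in counts.items() if n >= min_count}

def mount_events(events) -> list:
    """(path, 'Mount'|'Unmount') pairs: external volume attach/detach."""
    return [(e.path, name) for e in events
            for bit, name in ((MOUNT, "Mount"), (UNMOUNT, "Unmount")) if e.flags & bit]

def build_page(records, magic: bytes = b"2SLD") -> bytes:
    """Serialise (path, event_id, flags[, node_id]) tuples into one page."""
    body = b""
    for path, eid, flags, *node in records:
        body += path.encode() + b"\x00" + struct.pack("<QI", eid, flags)
        if magic == b"3SLD":
            body += struct.pack("<Q", node[0])
    return magic + b"\x00" * 4 + struct.pack("<I", 12 + len(body)) + body

def build_sample_log() -> bytes:
    """Constructed DLS2 log (not a real capture): a USB mount, then a burst in
    which 12 documents gain a .locked copy and the originals are removed."""
    recs = [("Volumes/USB", 0x1000, MOUNT | 0x00000001)]
    eid = 0x1001
    for i in range(12):
        doc = f"Users/alice/Documents/report{i}.docx"
        recs.append((doc + ".locked", eid, 0x01000000 | 0x00008000))
        recs.append((doc, eid + 1, REMOVED | 0x00008000))
        eid += 2
    recs.append(("Volumes/USB", eid, UNMOUNT | 0x00000001))
    return gzip.compress(build_page(recs))
```

With evs = parse_fsevents_pages(gzip.decompress(build_sample_log())), removals_by_directory(evs) reports Users/alice/Documents with 12 removals and mount_events(evs) shows the USB volume attaching and detaching; against a real image, call read_fsevents_log on each file in .fseventsd and record that file’s mtime as the upper bound for every event it contains.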
KnowledgeC Database (User Behavior History)
KnowledgeC is one of the most powerful forensic artifacts on macOS.
It forms part of Apple’s “Knowledge” framework used for analytics, Siri suggestions, and usage pattern tracking.
What KnowledgeC Records
KnowledgeC tracks nearly everything a user interacts with, including:
Application Usage
- App foreground/background (focus) time
- App launches
- App termination
- Duration of use
- Usage frequency
Device Interaction
- Screen unlocks
- Screen time
- Touch ID events (Macs have no Face ID)
Web & Search Behavior
- Safari domain visits
- Search suggestions
- Siri interactions
Location & Motion Data
- Only on Macs with paired devices
Power and System Events
- Sleep/wake events
- Charging patterns
KnowledgeC Database Location
There are two copies of the database. The per-user copy is at:
/Users/<username>/Library/Application Support/Knowledge/knowledgeC.db
and the system-wide copy is at:
/private/var/db/CoreDuet/Knowledge/knowledgeC.db
Both are SQLite databases; collect the -wal and -shm companion files with the main file, since recent rows may exist only in the write-ahead log. The tables an examiner uses most are:
- ZOBJECT (one row per event; the stream name, such as /app/inFocus, is in its ZSTREAMNAME column)
- ZSTRUCTUREDMETADATA (additional attributes linked from ZOBJECT)
- ZSOURCE (the bundle or device that produced the event)
Each ZOBJECT row contains:
- Timestamps (ZSTARTDATE, ZENDDATE and ZCREATIONDATE, stored as Mac absolute time: seconds since 2001-01-01 00:00:00 UTC, so add 978307200 to obtain a Unix epoch value)
- Context (the stream name)
- App/package identifier (ZVALUESTRING for the app streams)
- Activity type
- Duration (end minus start)
- Category
Forensic Value of KnowledgeC
KnowledgeC provides:
- Accurate app usage timelines
- Detailed user behavior reconstruction
- Evidence of what the user was doing and when
- Cross-app activity correlation
- Context for suspicious or malicious actions
Every row carries a start and an end time, which makes the database ideal for timeline generation.
Example findings:
- When Safari or Chrome was in the foreground
- Whether the user interacted with Mail.app
- When Zoom, Slack, or messaging apps were active
- Whether the user was using a specific app during exfiltration
- Last-used timestamps for critical applications
KnowledgeC is often easier to reason about than the unified log: each focus interval is one row with a start and an end, rather than a series of log lines that must be paired up. Two caveats apply. The database keeps roughly the last four weeks of events and prunes older ones, and on recent macOS releases much of this data has moved to the Biome stores (/private/var/db/biome and ~/Library/Biome), so knowledgeC.db may be sparse and Biome should be collected alongside it.
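The timestamp conversion and the app-focus queries described above, as an added example that is not code from the original page. It converts Mac absolute time, summarises which streams a database holds (a first triage step), lists /app/inFocus intervals, and answers the question "what was in the foreground at this instant?" so that a time taken from Spotlight or FSEvents can be placed in user context. The stream names /app/inFocus and /app/usage are real KnowledgeC streams; the in-memory database built by build_sample_db is a constructed stand-in that contains only the ZOBJECT columns the queries use, not a copy of the real schema, and its rows are made up. Point the query functions at sqlite3.connect("knowledgeC.db") for a real file, ideally a copy made together with its -wal file.

```python
import sqlite3
from datetime import datetime, timezone

MAC_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 UTC


def mac_abs_to_utc(seconds: float) -> datetime:
    """KnowledgeC dates are Mac absolute time: seconds since 2001-01-01 UTC."""
    return datetime.fromtimestamp(seconds + MAC_EPOCH_OFFSET, tz=timezone.utc)


def iso_to_mac_abs(iso: str) -> float:
    """Inverse conversion, so filters can be applied in SQL on the raw values."""
    return datetime.fromisoformat(iso).timestamp() - MAC_EPOCH_OFFSET


def stream_summary(conn) -> list:
    """Triage step: which streams are present and how many rows each holds."""
    return conn.execute(
        "SELECT ZSTREAMNAME, COUNT(*) FROM ZOBJECT "
        "GROUP BY ZSTREAMNAME ORDER BY COUNT(*) DESC, ZSTREAMNAME").fetchall()


def app_focus_timeline(conn, start_iso=None, end_iso=None) -> list:
    """/app/inFocus rows as (start_utc, end_utc, seconds, bundle_id), optionally
    limited to intervals that overlap [start_iso, end_iso]."""
    sql = ("SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE FROM ZOBJECT "
           "WHERE ZSTREAMNAME = '/app/inFocus'")
    params = []
    if start_iso:
        sql += " AND ZENDDATE >= ?"
        params.append(iso_to_mac_abs(start_iso))
    if end_iso:
        sql += " AND ZSTARTDATE <= ?"
        params.append(iso_to_mac_abs(end_iso))
    sql += " ORDER BY ZSTARTDATE"
    return [(mac_abs_to_utc(s), mac_abs_to_utc(e), round(e - s, 3), bundle)
            for bundle, s, e in conn.execute(sql, params)]


def apps_in_focus_at(conn, when_iso: str) -> list:
    """Bundle IDs whose focus interval covers one instant, e.g. the moment at
    which FSEvents or Spotlight places a file deletion."""
    t = iso_to_mac_abs(when_iso)
    rows = conn.execute(
        "SELECT DISTINCT ZVALUESTRING FROM ZOBJECT WHERE ZSTREAMNAME = '/app/inFocus' "
        "AND ZSTARTDATE <= ? AND ZENDDATE >= ?", (t, t))
    return sorted(r[0] for r in rows)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for knowledgeC.db: only the ZOBJECT
    columns used above, with made-up rows for one morning of activity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, "
                 "ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL, ZCREATIONDATE REAL)")
    t0 = iso_to_mac_abs("2024-03-04T09:00:00+00:00")
    rows = [("/app/inFocus", "com.apple.Safari", t0, t0 + 600),
            ("/app/inFocus", "com.apple.Preview", t0 + 600, t0 + 900),
            ("/app/inFocus", "com.apple.finder", t0 + 900, t0 + 960),
            ("/app/inFocus", "com.apple.Safari", t0 + 960, t0 + 1800),
            ("/app/usage", "com.apple.Safari", t0, t0 + 1800)]
    conn.executemany("INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, "
                     "ZENDDATE, ZCREATIONDATE) VALUES (?, ?, ?, ?, ?)",
                     [(s, v, a, b, b) for s, v, a, b in rows])
    return conn
```

The date filters are applied in SQL on the raw Mac absolute values rather than after conversion, so they work unchanged on a multi-gigabyte database, and apps_in_focus_at takes the ISO 8601 string form in which the other artifacts’ timestamps are usually recorded in a timeline.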
Combining Spotlight, FSEvents, and KnowledgeC in Forensics
Combining these three artifacts provides extremely powerful insights.
Example:
- Spotlight still holds metadata for a deleted PDF: its name, path, download source and last-used date.
- FSEvents contains a record for that same path with the Removed flag, in a log file whose timestamps bracket the deletion.
- KnowledgeC shows Preview or Safari in the foreground during that window.
This creates a strong, cross-verified timeline in which each artifact supplies what the others lack: Spotlight the file’s identity, FSEvents the action, and KnowledgeC the precise time and the user’s context.
Tools for Analyzing These Artifacts
Common forensic tools:
- BlackLight
- Magnet AXIOM
- Cellebrite Inspector
- Autopsy (partial support)
- FSEventsParser (fsevents_parser) for .fseventsd logs
- mac_apt (plugins for Spotlight, FSEvents and KnowledgeC)
- SQLite browsers for KnowledgeC
KnowledgeC can be queried directly with sqlite3 or any SQLite browser. The Spotlight store cannot: store.db is not a SQLite file, so it needs a format-aware parser such as the Spotlight plugin in mac_apt.
Intel Dump
Spotlight, FSEvents, and KnowledgeC form a powerful trio of forensic artifacts in macOS investigations:
- Spotlight stores extensive metadata, including traces of deleted files, in a proprietary index that needs a dedicated parser.
- FSEvents logs file system activity by full path with event flags, but without per-event timestamps.
- KnowledgeC records detailed user behavior, app usage, and system interaction history with precise start and end times, for roughly the last four weeks.
Together, they help reconstruct comprehensive timelines, identify user actions, detect malicious activity, and uncover hidden or deleted evidence with considerable accuracy. Understanding these artifacts, and the gaps each one leaves for the others to fill, is essential for any macOS forensic examination.