
Investigating Desktop Service Store Files

16/06/2023 Friday

To save the user’s configuration and customizations for every folder that the Mac’s “Finder” accesses, the macOS operating system creates a Desktop Service Store (.DS_Store) file. The OS uses these files to restore the Finder window’s appearance from the last time the user browsed that particular folder.

Digital Forensics Value of Desktop Service Store Files


Although this type of file is created by macOS and Windows has nothing to do with it, it is common to see it on Windows machines. This is because these files appear in any directory that has been connected to macOS at some point in time. The extracted information is important from a forensic perspective because it can tell the investigator a lot about the user’s activity, such as the last accessed date/time, the accessed file size, the accessed file name, and many other Finder window properties.
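To show where the file names and per-item properties described above live inside a .DS_Store file, here is an added example (not ArtiFast's parser and not code from the original post). It follows the publicly documented, reverse-engineered layout (Bud1 header, block allocator, DSDB B-tree); the function names and the two-record sample file are constructed for illustration.

```python
import struct
SIZES = {b"long": 4, b"shor": 4, b"type": 4, b"bool": 1, b"comp": 8, b"dutc": 8,
         b"blob": None, b"ustr": None}      # None = length-prefixed payload
u32 = lambda buf, p: struct.unpack_from(">I", buf, p)[0]

def parse_ds_store(buf):
    """Return [(name, property code, type code, raw value)] from .DS_Store bytes."""
    if buf[:8] != b"\x00\x00\x00\x01Bud1":
        raise ValueError("not a .DS_Store file")
    p = 4 + u32(buf, 8)                 # allocator block; offsets skip the 4-byte prefix
    n = u32(buf, p)
    addrs = struct.unpack_from(">%dI" % n, buf, p + 8)
    p += 8 + 1024 * -(-n // 256)        # address table is padded to 256 entries
    n_toc, p, toc = u32(buf, p), p + 4, {}
    for _ in range(n_toc):              # TOC entry: length byte, name, block id
        toc[bytes(buf[p + 1:p + 1 + buf[p]])] = u32(buf, p + 1 + buf[p])
        p += 5 + buf[p]
    start = lambda i: 4 + (addrs[i] & ~0x1F)   # low 5 address bits = log2(size)
    out, seen = [], set()
    def walk(i):                        # in-order traversal of the record B-tree
        if i in seen:                   # shared or cyclic nodes: malformed file
            raise ValueError("node %d referenced twice" % i)
        seen.add(i)
        rightmost, count, p = u32(buf, start(i)), u32(buf, start(i) + 4), start(i) + 8
        for _ in range(count):
            if rightmost:               # internal node: child id precedes each record
                walk(u32(buf, p))
                p += 4
            n = u32(buf, p)             # name length in UTF-16 code units
            name, p = buf[p + 4:p + 4 + 2 * n].decode("utf-16-be"), p + 4 + 2 * n
            code, typ, p = buf[p:p + 4], buf[p + 4:p + 8], p + 8
            size = SIZES[typ]           # KeyError on an unknown type code
            if size is None:
                size, p = u32(buf, p) * (2 if typ == b"ustr" else 1), p + 4
            out.append((name, code.decode("latin-1"), typ.decode("latin-1"), buf[p:p + size]))
            p += size
        if rightmost:
            walk(rightmost)
    walk(u32(buf, start(toc[b"DSDB"])))
    return out

def sample():                           # constructed two-record file, not real evidence
    rec = lambda n, c, t, d: struct.pack(">I", len(n)) + n.encode("utf-16-be") + c + t + d
    leaf = struct.pack(">II", 0, 2) + rec("Invoices", b"lg1S", b"comp", struct.pack(">Q", 52428800)) \
        + rec("report.docx", b"cmmt", b"ustr", struct.pack(">I", 5) + "draft".encode("utf-16-be"))
    head = b"\x00\x00\x00\x01Bud1" + struct.pack(">3I16x5I12x", 2048, 2048, 2048, 2, 0, 2, 1, 4096)
    root = struct.pack(">II3I", 3, 0, 2048 | 11, 32 | 5, 64 | 7).ljust(1032, b"\0") \
        + struct.pack(">I", 1) + b"\x04DSDB" + struct.pack(">I", 1)
    return head + leaf.ljust(1984, b"\0") + root.ljust(2048, b"\0")
```

Pass the function the bytes of a file read from a mounted evidence image; each returned tuple names a file or folder that Finder displayed in that directory, which can remain listed after the item itself has been deleted.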


Location of Desktop Service Store Files Artifacts


Desktop Service Store artifacts can be found in any file with the following name:
.DS_Store


Analyzing Desktop Service Store Files with ArtiFast

This section discusses how to use ArtiFast to extract the Desktop Service Store Files artifact from macOS/Windows machines and what kind of digital forensics insights we can gain from it.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select the Desktop Service Store Files artifact:






Once the ArtiFast parser plugins finish processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Desktop Service Store Files artifact in ArtiFast.


Desktop Services Store Files



For more information or suggestions please contact: kalthoum.karkazan@forensafe.com