Have you ever plugged in a USB drive from a Mac into a Windows system and seen this:

mac_cooties

 

 

Well, congratulations!  You have Mac “Cooties”.  I hope your shots are up-to-date!

What are these files any way?  On an OS X system the Spotlight feature indexes a lot of metadata, and I mean a lot.  This works all fine and well on an HFS volume but if you copy a file onto a FAT volume, most commonly seen in USB drives, it does not work so well.  OS X does not want to simply throw out all this precious metadata so it creates the “.Spotlight-v100” and “.fseventsd” files in order to preserve it.  These file remain in a deep cryogenic freeze until  you take the Mac Cooties USB and plug it into a different Mac.  The new OS X system will recognize these files and use them to build the metadata back up in Spotlight.

Mac Cooties is also a great indicator that a system has been plugged into a Mac.  Remember this during any triage process of loose media.

If you want to know more about the “.Trashes” files check out one of my previous posts: The Tale of Two Trashes.

If you are looking for more technical details check out the wikipedia entry for Apple Double Files.  A word of advice though, this type of detail is fine among the tech crowd.  However, I have found that when I need to explain the existence of these files to a non-technical person the Mac Cooties story seems to go over better.  Just my thoughts anyway.

Article by Mike Leclair, creator of the Surviving Digital Forensic Series and part of the SUMURI RECON Team.