macOS 26 (Tahoe): What Digital Forensic Examiners Should Expect

Apple officially announced macOS 26, codenamed “Tahoe,” at WWDC 2025. While Tahoe builds on the foundation laid by macOS 15 (Sonoma), it introduces several refined features that are relevant to forensic practitioners. These updates reflect Apple’s continued emphasis on privacy, on-device intelligence, and minimal data persistence, all of which affect how forensic investigators access and interpret evidence on modern macOS systems.

One of the more notable additions is Clipboard History. Introduced in macOS 26, this feature maintains a persistent list of recently copied items that are searchable using Spotlight. In previous versions of macOS, clipboard content was limited to the most recent item and was generally stored only in memory. Now, clipboard data can be recovered from disk, and may include copied text, snippets from documents, command-line output, or other sensitive material. This gives forensic examiners an additional artifact source that could reveal user intent, context, or sequence of actions. Although the forensic value of clipboard history may be situational, its availability as a persistent, indexed record adds a new layer of insight into user activity.

FaceTime also introduces changes that may affect communication analysis. While the app interface has been updated visually, more important are the structural changes to how recent calls and contact interactions are stored. The databases that track FaceTime activity have been reorganized, and investigators can expect to encounter changes in file locations or table structures. This may influence how call history is logged and how metadata such as call duration, timestamps, and contact associations are stored. Analysts working on cases involving FaceTime communication should validate whether existing parsing methods remain effective and be alert to new or renamed artifacts.
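One way to validate an existing parser against a reorganized database, shown as an added example that is not part of the original article: diff the schema the parser was written for against the schema found on a working copy. The table and column names below are constructed for illustration and are not Apple's actual FaceTime schema.

```python
import sqlite3

def read_schema(conn):
    """Return {table: {column: declared_type}} for every user table."""
    schema = {}
    names = conn.execute("SELECT name FROM sqlite_master WHERE type='table' "
                         "AND name NOT LIKE 'sqlite_%'").fetchall()
    for (table,) in names:
        quoted = table.replace('"', '""')
        cols = conn.execute(f'PRAGMA table_info("{quoted}")').fetchall()
        schema[table] = {c[1]: (c[2] or "").upper() for c in cols}
    return schema

def schema_drift(baseline, observed):
    """Diff the schema a parser was written for against the schema found."""
    drift = {"missing_tables": sorted(set(baseline) - set(observed)),
             "new_tables": sorted(set(observed) - set(baseline)),
             "missing_columns": {}, "new_columns": {}, "type_changes": {}}
    for table in sorted(set(baseline) & set(observed)):
        old, new = baseline[table], observed[table]
        gone = sorted(set(old) - set(new))
        added = sorted(set(new) - set(old))
        retyped = {c: (old[c], new[c]) for c in old if c in new and old[c] != new[c]}
        for key, value in (("missing_columns", gone), ("new_columns", added),
                           ("type_changes", retyped)):
            if value:
                drift[key][table] = value
    return drift

def parser_still_valid(drift):
    """New tables or columns are leads to review; other drift breaks old queries."""
    return not (drift["missing_tables"] or drift["missing_columns"] or drift["type_changes"])

def build(ddl):
    # Real evidence: open a hashed working copy read-only instead, e.g.
    # sqlite3.connect("file:/path/to/copy.db?mode=ro&immutable=1", uri=True)
    conn = sqlite3.connect(":memory:")
    conn.executescript(ddl)
    return conn

# Constructed schemas: hypothetical names standing in for "before" and "after".
BASELINE_DDL = """CREATE TABLE calls (id INTEGER PRIMARY KEY, address TEXT,
                  started REAL, duration REAL);"""
OBSERVED_DDL = """CREATE TABLE calls (id INTEGER PRIMARY KEY, started REAL,
                  duration INTEGER, call_type INTEGER);
                  CREATE TABLE participants (call_id INTEGER, handle TEXT);"""

def demo():
    drift = schema_drift(read_schema(build(BASELINE_DDL)), read_schema(build(OBSERVED_DDL)))
    return drift, parser_still_valid(drift)
```

A parser that passes this check can still misread data if a column's meaning or units changed without a schema change, so sample rows should also be compared against known test activity.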

Live Translation is a newly confirmed feature in macOS 26 that extends across Messages, FaceTime, and Phone calls. In Messages, text is translated as the user types and again when they receive a reply. In FaceTime and Phone calls, spoken language is translated in real time with the original voice still audible, and translated captions presented live on screen. Apple has stated that this functionality runs entirely on device using proprietary models, and that no data is transmitted to cloud services. While this improves privacy, it also limits the forensic visibility of these interactions. If a user’s message is composed in one language and translated before sending, the original input may not be stored anywhere. Similarly, audio-based translations during calls are processed in real time and are unlikely to be retained unless manually recorded. In many cases, only the final translated version may remain. This has important implications for investigators attempting to verify message content, intent, or language context.

Another area of interest is the Notes app, which has been enhanced with two features that could produce new types of artifacts. First, Notes now supports exporting and importing in Markdown format. This gives users the ability to transfer note content outside the native Notes framework, potentially creating new files or modifying the default storage behavior. Second, Notes can now accept audio recordings from the Phone app and automatically transcribe them. These transcripts are stored directly within the note, which may exist independently of the original audio file. If the recording is deleted or stored elsewhere, the transcription may persist. This creates a situation where part of a conversation may be preserved as text even if the original voice data is missing. Investigators should examine the Notes database and any associated indexing mechanisms to identify transcribed conversations, especially in cases involving phone-based communication or covert recording.

Taken together, these updates reflect Apple’s continued move toward intelligence-on-device and privacy by design. Rather than introducing broad new data sources, macOS 26 selectively expands what is available and redefines how that data is stored or accessed. Clipboard History and Notes transcription represent tangible new sources of evidence. FaceTime’s reorganized databases and Live Translation represent shifts in how communication data is logged, and in some cases, whether it is retained at all.

Forensic analysis of macOS 26 systems will require careful attention to what is now persisted, what is restructured, and what has been deliberately removed from view. Many of the most powerful new features are designed to avoid creating traditional artifacts, and this trend is expected to continue. Investigators will need to stay current with these changes and adapt their methods accordingly.

In macOS Tahoe, the line between user convenience and forensic visibility continues to narrow. Understanding what is captured, what is translated, and what is silently discarded will be essential to conducting reliable investigations on Apple’s latest platform.

If you are interested in learning more about these topics or want to strengthen your skills in analyzing Apple systems, SUMURI offers dedicated Mac Forensics Training as well as an industry-recognized Certified Forensic Mac Examiner (CFME) program. Our training covers the latest macOS features, forensic acquisition methods, analysis of native artifacts, and real-world case scenarios.

Whether you’re new to Mac investigations or looking to stay current with the latest developments in macOS 26, our courses provide the tools and knowledge needed to perform thorough and defensible examinations. Visit sumuri.com/mac-training to learn more and explore upcoming training opportunities.
