New macOS Tahoe 26 Forensic Artifact 'App.MenuItem' Reveals User Intent in Digital Investigations
Unit 42 researchers have discovered a new macOS forensic artifact in Tahoe 26 that logs every menu selection a user makes, providing unprecedented insight into digital intent for incident responders.

Unit 42 researchers have uncovered a powerful new forensic artifact in macOS Tahoe 26 that captures every menu selection a user makes across the operating system. Dubbed 'App.MenuItem,' this Biome stream provides investigators with a granular, timestamped record of user actions—from compressing files to emptying the trash—offering critical context that traditional file system logs often miss. The discovery, detailed in a June 12, 2026 blog post, promises to transform how forensic examiners reconstruct user intent during incident response.
The artifact resides at ~/Library/Biome/streams/restricted/App.MenuItem/local and is stored in SEGB-encapsulated protobuf format, requiring specialized tooling to parse. Apple likely introduced this stream to facilitate user suggestions or learning behavior, but for forensic analysts, it represents a gold mine of behavioral data. The stream captures the exact text of menu items selected along with precise timestamps, enabling examiners to reconstruct a narrative of user interaction with the interface.
To extract data from the artifact, examiners can use open-source tools like ccl-segb, as standard commercial forensic tools may not yet parse this specific stream. The process involves exporting the file from the local directory, running the ccl-segb Python script, and converting the output to CSV for analysis. This accessibility ensures that even smaller forensic teams can leverage the artifact without expensive proprietary software.
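As an added illustration (not code from the Unit 42 post or from ccl-segb), the following Python shows the stage after the SEGB container has been unpacked: decoding a record's protobuf payload with no published .proto schema, the way an examiner must with a new Biome stream. It walks the wire format, collects UTF-8 strings and 64-bit doubles, and interprets a double as a Cocoa timestamp (seconds since 2001-01-01 UTC) only when it falls in a plausible range. The sample record, its field numbers and the bundle identifier in it are constructed assumptions; the real App.MenuItem field layout is not reproduced here, and a SEGB reader such as ccl-segb is what would supply the per-record payload this decoder consumes.

```python
import struct
from datetime import datetime, timezone

# Cocoa (Apple absolute) time counts seconds from 2001-01-01T00:00:00Z.
COCOA_EPOCH_UNIX = 978307200


def read_varint(buf, pos):
    """Decode one protobuf base-128 varint at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_wire(buf):
    """Schema-less walk of a protobuf message: returns [(field_number, wire_type, raw_value)]."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wtype = key >> 3, key & 0x7
        if wtype == 0:                                  # varint (int, bool, enum)
            value, pos = read_varint(buf, pos)
        elif wtype == 1:                                # 64-bit fixed (double, fixed64)
            value, pos = buf[pos:pos + 8], pos + 8
        elif wtype == 2:                                # length-delimited (string, bytes, sub-message)
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        elif wtype == 5:                                # 32-bit fixed (float, fixed32)
            value, pos = buf[pos:pos + 4], pos + 4
        else:
            raise ValueError(f"unsupported wire type {wtype} at offset {pos}")
        if pos > len(buf):                              # declared length runs past the record
            raise ValueError(f"field {field} is truncated")
        fields.append((field, wtype, value))
    return fields


def is_well_formed(buf):
    """True if the payload decodes without running past its end."""
    try:
        decode_wire(buf)
        return True
    except ValueError:
        return False


def cocoa_to_iso(seconds):
    return datetime.fromtimestamp(seconds + COCOA_EPOCH_UNIX, tz=timezone.utc).isoformat()


def interpret_record(buf):
    """Pull out what an examiner wants without a schema: UTF-8 strings and Cocoa timestamps."""
    out = {"strings": [], "timestamps": [], "other": []}
    for field, wtype, value in decode_wire(buf):
        if wtype == 2:
            try:
                out["strings"].append((field, value.decode("utf-8")))
            except UnicodeDecodeError:              # raw bytes or a nested message
                out["other"].append((field, value))
        elif wtype == 1:
            seconds = struct.unpack("<d", value)[0]
            # Plausibility gate: a Cocoa timestamp between 2001 and roughly 2100.
            if 0 < seconds < 3.2e9:
                out["timestamps"].append((field, cocoa_to_iso(seconds)))
            else:
                out["other"].append((field, value))
        else:
            out["other"].append((field, value))
    return out


# --- constructed sample record (field numbers and contents are assumptions) ---
def _varint(n):
    out = bytearray()
    while True:
        low, n = n & 0x7F, n >> 7
        out.append(low | 0x80 if n else low)
        if not n:
            return bytes(out)


def _string_field(field, text):
    data = text.encode("utf-8")
    return _varint((field << 3) | 2) + _varint(len(data)) + data


def _double_field(field, value):
    return _varint((field << 3) | 1) + struct.pack("<d", value)


SAMPLE_RECORD = (
    _string_field(1, "com.apple.finder")          # assumed: source bundle identifier
    + _string_field(2, "Compress “Report”")       # assumed: menu item title as shown in Finder
    + _double_field(3, 772000000.0)               # assumed: Cocoa timestamp of the selection
)
```

The plausibility gate on doubles matters in practice: a record may carry other 64-bit fields (durations, counters, coordinates), and blindly converting every double to a date produces convincing but false timestamps. Anything that fails the gate is kept under "other" so it is not silently lost.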
The true value of App.MenuItem lies in its ability to reveal user intent. A file system event might show only that a file was deleted; this artifact can show the deliberate sequence of selecting 'Move to Trash' followed by 'Empty Trash.' In a sample analysis, Unit 42 observed a pattern of data creation, compression (likely staging for exfiltration), and subsequent cleanup, a sequence consistent with malicious activity, though not proof of it on its own. The artifact also captures interactions with specific UI elements, such as Copy and Paste, allowing a step-by-step reconstruction of the user's workflow.
However, the artifact has limitations. It relies on the menu item text itself; if a menu option does not explicitly contain the file or folder name (e.g., a generic 'Open' command vs. 'Compress Report'), the specific target of the action may not be visible in this stream alone. Nevertheless, when correlated with file system logs, App.MenuItem provides the 'human' context that technical logs often miss, bridging the gap between system events and user behavior.
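The correlation step described above, as an added example that is not part of the Unit 42 post: a CSV of menu selections (the shape produced after converting ccl-segb output, as described earlier) is lined up against a CSV of file-system events so that each generic menu title gains the path it acted on, and the Compress / Move to Trash / Empty Trash sequence is searched for as an ordered chain bounded by a time window. Both CSVs, their column names, the paths and the timestamps are constructed; the prefix match on 'Compress' reflects that Finder appends the item name to that title while 'Move to Trash' and 'Empty Trash' carry none.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: menu selections in the CSV shape assumed here for converted
# ccl-segb output. Column names, times and titles are assumptions for illustration.
MENU_EVENTS_CSV = """timestamp,menu_item
2025-06-19T04:26:40Z,Compress “Report”
2025-06-19T04:30:02Z,Copy
2025-06-19T04:31:15Z,Move to Trash
2025-06-19T04:31:20Z,Empty Trash
"""

# Constructed sample: file-system events from a separate timeline source.
# Event names and paths are assumptions chosen to line up with the menu events above.
FS_EVENTS_CSV = """timestamp,event,path
2025-06-19T04:26:41Z,created,/Users/alice/Documents/Report.zip
2025-06-19T04:31:16Z,renamed,/Users/alice/.Trash/Report.zip
2025-06-19T04:31:21Z,removed,/Users/alice/.Trash/Report.zip
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def correlate(menu_rows, fs_rows, window_seconds=5):
    """Attach to each menu selection the file-system events that follow it within the window.
    The menu text says what the user chose; the file-system event says which path it touched."""
    window = timedelta(seconds=window_seconds)
    fs = sorted(((parse_ts(r["timestamp"]), r) for r in fs_rows), key=lambda e: e[0])
    result = []
    for row in menu_rows:
        start = parse_ts(row["timestamp"])
        hits = [f'{r["event"]} {r["path"]}' for ts, r in fs if start <= ts <= start + window]
        result.append({"timestamp": row["timestamp"],
                       "menu_item": row["menu_item"],
                       "fs_events": hits})
    return result


# Stages of the staging-and-cleanup sequence, matched as title prefixes.
CLEANUP_PATTERN = ("Compress", "Move to Trash", "Empty Trash")


def find_sequences(menu_rows, pattern=CLEANUP_PATTERN, window_seconds=600):
    """Find ordered chains matching `pattern`; each stage must occur after the previous one
    and within the window of it. Returns a list of chains as [(iso_time, menu_item), ...]."""
    window = timedelta(seconds=window_seconds)
    events = sorted(((parse_ts(r["timestamp"]), r["menu_item"]) for r in menu_rows),
                    key=lambda e: e[0])
    chains = []
    for start, (ts0, item0) in enumerate(events):
        if not item0.startswith(pattern[0]):
            continue
        chain = [(ts0, item0)]
        cursor = start + 1
        for stage in pattern[1:]:
            nxt = next((k for k in range(cursor, len(events))
                        if events[k][1].startswith(stage)
                        and events[k][0] - chain[-1][0] <= window), None)
            if nxt is None:
                break                       # stage missing or outside the window
            chain.append(events[nxt])
            cursor = nxt + 1
        if len(chain) == len(pattern):
            chains.append([(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), item) for ts, item in chain])
    return chains
```

The window sizes are the analyst's choice, not a property of the artifact: a few seconds is enough to tie a menu selection to the file-system change it caused, while the sequence window should be wide enough to cover a user working at human speed but narrow enough that unrelated trash emptying days later does not complete a chain.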
For incident responders, this discovery is a game-changer. Whether investigating data exfiltration, insider threats, or malware execution, the ability to reconstruct a user's workflow with such precision can mean the difference between understanding what happened and understanding why. The artifact is particularly valuable in cases where attackers use legitimate tools or native macOS features, as it captures the user's deliberate choices rather than just system-level events.
As macOS continues to evolve, forensic methodologies must adapt. Unit 42 encourages all examiners working with Tahoe images to check whether this artifact is present and to incorporate it into their standard analysis workflows. The App.MenuItem stream represents a significant step forward in digital forensics, offering a narrative view of user behavior that was previously unavailable. For the cybersecurity community, this discovery underscores the importance of keeping pace with operating system changes to uncover new sources of evidence.