Forensic investigators working macOS cases have a new artifact to add to their playbooks. Researchers at Palo Alto Networks Unit 42 have identified a previously undocumented Biome stream in macOS Tahoe 26 called App.MenuItem, which logs the specific menu selections a user makes across the operating system, complete with timestamps.

What the Artifact Captures

Apple’s Biome system has served as a rich forensic data source for years, tracking app usage, media consumption, and similar activity signals. With Tahoe 26, Apple appears to have added a new stream, likely intended to support feature suggestions or adaptive interface behavior. The forensic byproduct is a detailed record of user intent.

The stream is located at ~/Library/Biome/streams/restricted/App.MenuItem/local. Entries are stored as SEGB-encapsulated protobuf records, a format that requires specialized tooling to parse. Each entry captures the exact text of the selected menu item and the time it was chosen.

Parsing the Data

Most commercially available digital forensic platforms do not yet parse this stream. Unit 42 recommends the open-source ccl-segb tool for extraction. The workflow is straightforward:

  • Export files from ~/Library/Biome/streams/restricted/App.MenuItem/local.
  • Run python ccl_segb_cli.py <exportedfilename> > outputfilename.txt to produce raw text output.
  • Convert the text output to CSV format using a Python script for easier filtering and analysis.

Reconstructing Intent, Step by Step

The practical value of App.MenuItem is its ability to surface the human decision layer behind file system events. Where traditional logs might show only that a file was deleted, this stream can show that a user deliberately selected “Move to Trash” and then “Empty Trash,” in that order.

Unit 42 demonstrated this with a sample timeline that illustrates a recognizable data exfiltration pattern:

  • 18:32:37 – User navigates via Go to Folder in Finder.
  • 18:36:59 – User saves a TextEdit document, entering the filename “u42validation”.
  • 18:37:54 – User compresses a folder named “stolendata” via the Compress menu option.
  • 18:38:19 – User selects Move to Trash.
  • 18:38:41 – User empties the trash via the Dock.

Critically, the menu item text often includes the target file or folder name directly, as seen with “Compress ‘stolendata’,” giving examiners context that raw file system logs cannot provide on their own.
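The following script is an added example, not Unit 42's tooling or code from the ccl-segb project. It picks up at the last step of the parsing workflow above (records already converted to CSV) and performs the correlation this section describes: each menu item is split into an action and the quoted target it names, and the events are scanned for a Compress -> Move to Trash -> Empty Trash chain inside a time window, so the examiner gets the target name and the three timestamps to line up against file system logs. The CSV column names, the dates and the exact menu strings in the embedded sample are constructed assumptions; the page does not describe ccl_segb_cli's raw output format, so the sample only mirrors the timing of the Unit 42 timeline.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample in the shape an examiner might have after converting the
# ccl_segb_cli text dump to CSV. Column names, dates and menu strings are
# assumptions, not the tool's real output; the event order and times mirror
# the Unit 42 sample timeline, plus one benign Compress that is not followed
# by an Empty Trash within the window.
SAMPLE_CSV = """timestamp,menu_item
2025-10-01T18:32:37,Go to Folder…
2025-10-01T18:36:59,Save
2025-10-01T18:37:54,Compress ‘stolendata’
2025-10-01T18:38:19,Move to Trash
2025-10-01T18:38:41,Empty Trash
2025-10-01T19:05:02,Compress ‘quarterly-report’
2025-10-01T19:40:13,Move to Trash
"""

# Menu item text often embeds the target name in curly or straight quotes,
# e.g. Compress ‘stolendata’. Capture whatever sits inside the first quoted span.
_TARGET_RE = re.compile(r"[‘'\"“]([^’'\"”]+)[’'\"”]")


def load_events(csv_text):
    """Parse CSV rows into (datetime, menu_item) tuples sorted by time."""
    rows = csv.DictReader(io.StringIO(csv_text))
    events = [(datetime.fromisoformat(r["timestamp"]), r["menu_item"].strip())
              for r in rows]
    return sorted(events, key=lambda e: e[0])


def split_action(menu_item):
    """Return (action, target); target is the quoted name or None if absent."""
    m = _TARGET_RE.search(menu_item)
    if not m:
        return menu_item, None
    return menu_item[: m.start()].strip(), m.group(1)


def find_destruction_sequences(events, window_seconds=600):
    """Flag Compress -> Move to Trash -> Empty Trash chains within a window.

    Returns one dict per chain with the compressed target name and the three
    timestamps, ready to be correlated with file system or other Biome logs.
    Generic items such as "Move to Trash" carry no target, so the name comes
    from the Compress entry that opened the chain.
    """
    window = timedelta(seconds=window_seconds)
    hits = []
    for i, (t0, item) in enumerate(events):
        action, target = split_action(item)
        if action != "Compress":
            continue
        trashed_at = emptied_at = None
        for t1, later in events[i + 1:]:
            if t1 - t0 > window:
                break  # events are sorted, so nothing later can qualify
            if later == "Move to Trash" and trashed_at is None:
                trashed_at = t1
            elif later == "Empty Trash" and trashed_at is not None:
                emptied_at = t1
                break
        if trashed_at and emptied_at:
            hits.append({"target": target, "compressed_at": t0,
                         "trashed_at": trashed_at, "emptied_at": emptied_at})
    return hits


if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    for ts, item in evs:
        print(ts.strftime("%H:%M:%S"), split_action(item))
    for hit in find_destruction_sequences(evs):
        print("possible staged deletion:", hit)
```

The window is deliberately a parameter: a Compress followed by an Empty Trash an hour later is a weaker signal than one twenty seconds later, and the right threshold depends on the case. The quoted-target regex accepts both curly and straight quotes because the exact quoting in the stream may vary by app and locale.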

Limitations to Keep in Mind

The artifact is not a complete picture on its own. Generic menu options such as “Open” do not always identify the specific target acted upon. The stream is most valuable when correlated with file system logs and other Biome data, filling in the intent that technical logs omit rather than replacing them.

Recommendations for Examiners

Unit 42 recommends that forensic professionals working with macOS Tahoe 26 disk images verify whether the App.MenuItem stream is present and incorporate it into standard analysis workflows. Given that major commercial tools do not yet support parsing this artifact, familiarity with ccl-segb and the underlying SEGB format will be important for any examiner handling Tahoe-era cases.