The macOS Tahoe artifact that tracks every menu selection a user makes
Most forensic artifacts tell you what happened. Disk logs record a file deletion. Network captures record a connection. The System.db confirms an app ran. What they almost never tell you is why the user did what they did, or more precisely, that what happened was deliberate rather than accidental. The gap between “this file was deleted” and “the user selected Compress, then Move to Trash, then Empty Trash in an eleven-minute window” is the difference between circumstantial and compelling.

With macOS Tahoe 26, Unit 42 researchers at Palo Alto Networks have identified a new artifact that begins to close that gap. It is called App.MenuItem, and it is a previously undocumented Biome stream that logs the exact menu selections a user makes across the entire operating system.
In brief
- macOS Tahoe 26 introduced a new Biome stream, App.MenuItem, located at ~/Library/Biome/streams/restricted/App.MenuItem/local.
- The stream records the text of every menu item a user selects, along with a precise timestamp.
- Data is stored in SEGB-encapsulated protobuf format, which requires specific tooling to parse; the open-source ccl-segb is currently the practical option.
- Most commercially available DFIR tools do not yet parse this artifact automatically.
- When combined with file system logs, App.MenuItem provides a narrative layer of user intent that raw technical artifacts cannot supply on their own.
- The artifact was likely introduced by Apple to support user suggestions or adaptive interface behavior, but its forensic value is substantial.
What Apple Biome is and why it matters
The Apple Biome framework is not new. It has been quietly accumulating forensic significance across macOS and iOS releases, tracking application usage, media consumption, device activity, and behavioral patterns in a structured, timestamped format. If you have spent any time doing macOS forensics, you have almost certainly encountered Biome streams already, even if only in passing.
Each Biome stream represents a specific data category. The framework stores entries in SEGB (Segment-Based) file format, which wraps protobuf-encoded records with metadata and integrity structures. This is not the most examiner-friendly format in the world, but it is consistent and well-structured once you know how to approach it. The forensic community has been building tooling around it for a while, and the OSX forensics tool ecosystem has matured considerably over the past few years.
What Apple appears to have added in Tahoe 26 is a stream specifically dedicated to recording UI-level user interactions, specifically, the menu items a user selects. The likely intended purpose is adaptive UI, autofill suggestions, or behavioral learning. The forensic side effect is an extremely granular log of what the user chose to do, expressed in plain language, with timestamps.
Where to find App.MenuItem and how to parse it
The artifact lives at: ~/Library/Biome/streams/restricted/App.MenuItem/local
The restricted path designation is significant. It signals that this stream is not user-accessible under normal conditions and requires elevated acquisition privileges to export. On a live macOS system acquisition, this means you will need appropriate access before collection. On a disk image, the path is accessible through standard forensic workflows.
Because the file uses SEGB-encapsulated protobuf, most current commercial tools will not parse it automatically. Unit 42 confirmed that none of the major commercially available DFIR platforms they tested processed this specific stream at the time of publication. The practical solution is the open-source Python tool ccl-segb, developed by CCL Group, which handles the SEGB format and exposes the underlying protobuf records.
The parsing workflow is straightforward:
- Export the file from ~/Library/Biome/streams/restricted/App.MenuItem/local.
- Run the ccl-segb CLI against it: python ccl_segb_cli.py <exportedfilename> > outputfilename.txt
- Convert the text output to CSV for easier filtering and timeline correlation using a Python script.
The resulting output will contain timestamped menu item strings in plain text, human-readable action labels like “File > Save…”, “Compress ‘stolendata’”, or “Empty Trash”. Each entry carries a precise UTC timestamp.
Reconstructing user intent from the timeline
The investigative value of App.MenuItem becomes clearest when you look at what a sequence of entries actually communicates. Unit 42 shared a sample analysis timeline that illustrates this well:
- 18:32:37 User navigates via Go > Go to Folder… in Finder
- 18:36:59 In TextEdit, user selects File > Save…, types “u42validation”
- 18:37:54 User highlights a folder named “stolendata” and selects Compress “stolendata”
- 18:38:19 User selects Move to Trash
- 18:38:41 User interacts with the Dock to select Empty Trash
In eleven minutes, that sequence tells a story: navigate to a directory, create or edit a file, compress a folder for likely exfiltration, and then cover the tracks. The folder name appearing verbatim in the Compress entry is particularly useful. It provides direct evidence of the target of the action, not inferred from file system metadata.
This is the difference between a file system artifact telling you “a .zip file was created at 18:37:54 and a folder entry disappeared” and an artifact telling you “the user deliberately right-clicked a folder named ‘stolendata’ and selected Compress.” The semantic content is radically different, even when the underlying event is identical. Combined with the approaches discussed in forensic timeline creation, App.MenuItem can fill in the human layer that purely technical logs leave blank.
The artifact also captures Copy, Paste, and other UI interactions that leave minimal traces elsewhere. For investigations involving potential anti-forensic activity (where a user may have deliberately minimized their footprint), the menu item log may capture the very actions taken to clean up.
App.MenuItem is not omniscient, however. If a menu action does not include a specific filename in its label (a generic “Open” rather than “Open ‘evidence.pdf’”), you will see the action but not the target. This limitation is real, and the artifact works best as a corroborating source alongside file system events, unified logs, and other macOS behavioral artifacts, rather than as a standalone case-builder.
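The CSV conversion step from the parsing workflow and the timeline reading above, as an added Python example that is not Unit 42's or ccl-segb's code: it assumes ccl-segb's text output carries one record per line as an ISO-8601 UTC timestamp, a tab, and the menu label (an assumption; adjust the split to the real layout), pulls the quoted target out of labels like Compress “stolendata”, writes CSV for timeline correlation, and flags a Compress, Move to Trash, Empty Trash chain inside a time window while leaving a generic label such as a bare Open with no target.

```python
import csv, io, re
from datetime import datetime, timedelta, timezone

# Constructed sample of ccl-segb text output; the real CLI's line layout is an
# assumption here: one record per line, "<ISO-8601 UTC timestamp>\t<menu label>".
SAMPLE_OUTPUT = """\
2025-10-01T18:32:37Z\tGo > Go to Folder…
2025-10-01T18:36:59Z\tFile > Save…
2025-10-01T18:37:54Z\tCompress “stolendata”
2025-10-01T18:38:19Z\tMove to Trash
2025-10-01T18:38:41Z\tEmpty Trash
2025-10-01T19:02:10Z\tOpen
"""
QUOTED = re.compile("[“\"‘']([^”\"’']+)[”\"’']")  # target named inside the label

def parse_records(text):
    """Return (utc datetime, label, target) tuples sorted by time; target is None
    for generic labels such as a bare "Open" (the limitation noted above)."""
    records = []
    for line in filter(None, text.splitlines()):
        stamp, _, label = line.partition("\t")
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        m = QUOTED.search(label)
        records.append((when, label.strip(), m.group(1) if m else None))
    return sorted(records, key=lambda r: r[0])

def to_csv(records):
    # One row per menu selection, ready to merge with file system event timelines.
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["timestamp_utc", "menu_item", "target"])
    w.writerows([when.isoformat(), label, target or ""] for when, label, target in records)
    return buf.getvalue()

CLEANUP_CHAIN = ("Compress", "Move to Trash", "Empty Trash")

def find_cleanup_chains(records, window=timedelta(minutes=15)):
    """Flag Compress -> Move to Trash -> Empty Trash sequences inside `window`."""
    hits = []
    for i, (start, label, target) in enumerate(records):
        if not label.startswith(CLEANUP_CHAIN[0]):
            continue
        chain = [(start, label)]  # the Compress label carries the folder name
        for when, lab, _ in records[i + 1:]:
            if when - start > window:
                break
            if lab == CLEANUP_CHAIN[len(chain)]:
                chain.append((when, lab))
                if len(chain) == len(CLEANUP_CHAIN):
                    hits.append({"target": target, "start": start, "end": when, "steps": chain})
                    break
    return hits
```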
Implications for DFIR workflows on macOS
Every macOS release adds new artifacts, deprecates old paths, and occasionally restructures something you were quietly relying on. The transition from Sequoia to Tahoe is no exception. This mirrors a broader pattern: Apple keeps tightening privacy controls for users while simultaneously generating richer behavioral telemetry for its own purposes, telemetry that forensic investigators can, when acquisition conditions allow, turn into evidence.
The immediate practical implication is that examiners working with Tahoe 26 images should verify whether App.MenuItem is present and, if it is, incorporate it into their standard triage workflow. The parsing step is not complex once ccl-segb is set up, and the potential payoff (a timestamped record of deliberate user actions in plain language) justifies the extra step. It is also worth watching whether Volatility 3 and tools like mac_apt add support for this stream in the near term, as macOS memory and disk forensics tooling tends to respond fairly quickly to documented new artifact types.
For investigators who work across both macOS and Windows, the parallel with the recently discovered Windows 11 PCA artifact is worth noting: both represent OS-level logging that was likely designed for user experience optimization and has turned out to carry significant forensic value. The lesson in both cases is the same: keep checking what the OS is recording about itself.
FAQ
What is the App.MenuItem artifact in macOS Tahoe 26?
App.MenuItem is a new Biome stream introduced in macOS Tahoe 26 that logs the specific menu items a user selects across the operating system, along with timestamps. It is stored at ~/Library/Biome/streams/restricted/App.MenuItem/local.
How do I parse the App.MenuItem Biome stream?
The file uses SEGB-encapsulated protobuf format. You can extract it using the open-source ccl-segb tool with the command python ccl_segb_cli.py <exportedfilename> > outputfilename.txt, then convert the output to CSV for analysis.
What forensic value does App.MenuItem provide compared to standard file system logs?
Where file system logs record only that a file was deleted, App.MenuItem shows the deliberate sequence of actions (selecting “Move to Trash”, then “Empty Trash”), providing the human context and intent behind technical events.