This module parses macOS Biome SEGB (Sequential Event Grid Block) files to extract system telemetry and application metrics.
This report is for informational and investigative purposes only. The data presented should be independently verified before being relied upon for any legal, regulatory, or evidentiary purpose.
- Protobuf decoding: Apple does not publish Biome protobuf schemas. Decoding attempts are best-effort and may yield incomplete or incorrectly interpreted data.
- Bundle ID extraction: Bundle identifiers (e.g.,
com.apple.*) are extracted using pattern matching heuristics. Some records may have missing or incorrectly parsed bundle IDs. - Binary data interpretation: Non-protobuf binary data is presented as hex dumps with attempted text extraction. Interpretation requires domain knowledge of specific Biome stream types.
- Timestamp formats: Biome timestamps use Mac Absolute Time (seconds since 2001-01-01). Conversion accuracy depends on timezone assumptions.
- Stream coverage: Not all Biome stream types are fully understood. Some streams may contain data that cannot be meaningfully parsed.
Biome is Apple's system telemetry framework introduced in macOS 12 (Monterey). It records
application usage, system events, and device metrics in binary SEGB format files stored under ~/Library/Biome/.
Forensically relevant data includes:
- Application launch/termination events
- Device wake/sleep cycles
- Location context changes
- Intents and Siri interactions
- Media playback events
Each SEGB file contains a stream of timestamped records. The parser extracts:
- Timestamps: Two timestamp fields per record (typically event start/end or creation/modification)
- Bundle ID: Application identifier when present (e.g.,
com.apple.Safari) - Stream type: v1 or v2 format indicator
- State flags: Record state metadata
- Protobuf content: Decoded protobuf fields when parsing succeeds
- Raw data: Hex dump and extracted text for manual analysis
Records containing only null bytes are flagged as empty and can be filtered during analysis.
| Artifact | Path Pattern | macOS Versions |
|---|---|---|
| Biome Streams | ~/Library/Biome/streams/**/*.segb |
12.0+ (Monterey) |
| Biome Streams | ~/Library/Biome/streams/**/*store |
12.0+ |
Common stream locations include:
public/- General system telemetryrestricted/- Privacy-sensitive metrics (requires elevated access)
- Protobuf schema mapping: Without Apple's schemas, field names and types are inferred
- Biome database files: SQLite databases in Biome directories are not parsed by this module
- Restricted streams: Some streams require root access and may not be available from standard extractions
biome_records.csv- All extracted records with the following columns:source_file- Path to source SEGB filebundle_id- Extracted application bundle identifierstream_type- v1 or v2 formatoffset- Byte offset in source filemetadata_offset- Metadata section offsetstate- Record state flagstimestamp1,timestamp2- Extracted timestamps (ISO 8601)data_size- Raw data length in bytesdata_text- Decoded text contentdata_hex- Hexadecimal data dumpprotobuf_json- Decoded protobuf as JSON (when successful)protobuf_strings- Extracted string fields from protobuf
This module requires the ccl_segb library for SEGB file parsing.
Exemplar only - This module runs during live system scans to capture current Biome state. It is not used for carved/recovered file processing.