Your Mac keeps a lot of data which is extracted from the documents which you access. Metadata for Spotlight searches are compiled into hidden index files, saved versions of many documents are tucked away in a versions database, and the thumbnails and previews of documents are also kept in a cache database.
Most of these potentially sensitive extracts, caches, and indexes are kept in hidden folders on each volume. If your startup disk isn’t encrypted, but you work on sensitive documents stored on an encrypted disk, those folders are, by and large, stored on that encrypted disk, with the same protection as the original documents.
It has been known for some years that QuickLook, author of those lovely thumbnails and previews which enrich Finder’s views, is different. It keeps its cache in a special User Temporary Directory, placed in the /var/folders/ path. It is partially concealed there in a warren of folders with odd names, but once you know where to look, it isn’t at all hard to find. It’s not encrypted, protected by root permissions, or otherwise secured.
This problem with the QuickLook cache has been known about for some years. It has recently been re-examined by several forensic specialists, who have found it rich pickings for analysis, and by security experts Wojciech Regula and Patrick Wardle, who have published full details in two articles, on Wojciech’s blog and Patrick’s blog.
It is now abundantly clear that it is not difficult for a forensic examiner, intelligence operative, or the author of spyware to recover from your QuickLook cache information such as:
- thumbnails and previews of any documents handled by QuickLook over the previous weeks,
- names and details of documents handled by QuickLook on removable media which have been attached during the previous weeks.
Apple needs to fix this serious vulnerability, and seems likely to do so in macOS 10.14 Mojave, but it is far from clear whether it will address it in High Sierra or earlier releases.
Until such time as Apple does address this robustly, many systems are at risk. There are two workarounds which have been found, although neither is perfect.
One is to turn caching by QuickLook off completely, using an undocumented command
qlmanage -r disablecache
This has the disadvantage that all QuickLook thumbnails and previews then have to be generated from scratch every time.
You may prefer instead to periodically empty QuickLook’s cache, using the command
qlmanage -r cache
This has the disadvantage that it removes all entries in the cache, and that affects the previewing of non-sensitive documents too.
I am not aware of any app which gives direct access to these commands and supporting information to help you deal with this problem. So here is a little tool, Aquiline Check, in its first beta release, which runs on El Capitan, Sierra, High Sierra, and Mojave (with a good Dark Mode): aquiline10b2 (updated to 1.0b2)
It is also available from Downloads above.
Disabling and enabling the QuickLook cache is a simple matter of using its single checkbox. To empty the cache, just click on the Clear cache button. Measurements of cache size and its change give reliable indicators as to whether the cache has been cleared, and whether caching has been properly disabled. You don’t need to go near the command line, but if you do, Aquiline also tells you the full path to the QuickLook cache.
Aquiline Check is an essential tool for everyone using a Mac, and will save you from having to mess around in Terminal.
Please let me know how you get on with it.