Trash Seeker Mac OS



Where Is The Trash on Mac? Find and Empty Your Trash!


The Trash folder in macOS is similar to the Recycle Bin on Windows computers. This folder holds the files you no longer need, including documents, photos, music, videos, and more. Can't find the Trash folder on Mac? Find out where the Trash is on Mac and how to conveniently empty and manage it in this post. There are also ways to free up storage on your Mac.

For Mac is a basic program that forces the trash can to completely empty, but has no additional features and is not a useful program. For Mac is available as a free application.

Note: The Empty Trash Securely option has been removed from OS X El Capitan and probably all future versions of OS X.

Empty Trash using Terminal. Open Terminal by going to Applications, Utilities and Terminal and type in the following command:

rm -rf ~/.Trash/*

Make sure you type it exactly as it appears above with no extra spaces or anything else. A stray space after ~/ would make rm -rf act on your entire home folder instead of the Trash.

This Mac trash recovery tool is 100% safe for you to recover files from Trash on Mac running macOS 10.12 or above. It can recover files in 200+ formats, restore files lost under different situations, no matter from internal hard drive or external media/sd card storage device. Why Cisdem is picked as the Best Mac Trash Recovery Software?

Trash X is a fully functional trashcan for Mac OS X. Extremely simple to use, it functions just like the classic Mac OS Trashcan. It also features numerous functions for the power user. Open the Trash on the Mac as usual by selecting it from the Dock. Locate and select the file or item you wish to delete individually in the Trash. Right-click on the individual file's icon or name and choose 'Delete Immediately'. Confirm that you want to immediately delete the chosen file or document from the Trash.

Article Guide

  • Part 1. Where is the Trash on Mac?
  • Part 2. How Do I Permanently Delete Trash on My Mac?
  • Part 3. How to Force Empty Trash Using Terminal?
  • Part 4. How to Delete Files on Mac that Won't Delete?
  • Part 5. Summary

Part 1. Where is the Trash on Mac?

Usually, when we no longer need some files in our system, we erase them to free some space and clear up the Mac purgeable space. The trash folder holds all the deleted contents, whether documents, photos, videos, music, or more.

While these deleted files are stored inside the trash folder, you still have the chance to restore them in case you need the contents. You can also empty the trash to free up more space on the system. Just because you deleted content doesn't mean it's totally gone.

The trash folder still takes up space on the computer, which may also affect performance later on. This is why it is recommended that you clear or empty the trash folder at any time. However, for those using macOS Sierra, all files stored in the trash folder for more than 30 days are automatically and permanently deleted.

Where is The Trash Folder on My Mac?

Previous Mac versions put the trash folder on the desktop but eventually, things have changed and upgraded. Since then, many people wondered, where is the trash on Mac? Finding the trash bin on your Mac is easy and can be done in many ways. The bin is located on the Mac dock where you can simply drag and drop the files no longer needed.


To Open Trash Folder


  • Click the trash icon in the Dock and a Finder window opens up with all the files it contains.

Part 2. How Do I Permanently Delete Trash on My Mac?

A secret keyboard shortcut and a few more tips on how to delete files on Mac are easy to learn and remember. Here are some:

  1. Use Command+Delete to move file/s to the trash folder
  2. Drag and drop the file to the trash bin
  3. Right click on the file and choose Move to Trash
  4. Use Option/Alt + Command + Delete to delete file/s immediately

To Empty Trash Folder

Cleaning the trash folder is also easy. Try these:

  1. Click on the Trash icon from the Dock and select Empty Trash. Confirm action.
  2. Use keyboard shortcut: Command+Shift+Delete. Click on Empty Trash button to confirm the request

To Restore Files from Trash

Retrieving file/s out of the trash folder can also be done quickly:

  • Simply drag out the file/s you need out of the folder

Part 3. How to Force Empty Trash Using Terminal?

After learning where the Trash is on Mac and how to delete files from it, you should learn how to force empty your Trash. On some occasions there might be issues with the Trash folder, and it won't allow you to perform actions such as emptying it. In times like these, the Terminal is the best option to lean on. Sometimes you will get an 'item still in use' error, or the folder is locked. Whatever scenario you are in, follow these steps to force empty the Trash via Terminal:

  1. Open Terminal on Mac. You may use the Spotlight search
  2. Type in the command: sudo rm -R without pressing Enter. Note that there is a space after the letter R; otherwise it will not work
  3. Press Control + Click on the Trash icon to open
  4. Highlight all the files inside the Trash folder
  5. Drag all the files into the terminal window and press Enter
  6. Provide the administrator password and hit enter
  7. Wait until the process is completed

It might take a while for the terminal to complete the action.


Part 4. How to Delete Files on Mac that Won't Delete?


If you are wondering how to effectively clear out the files that won't delete, we got you covered. You don't have to spend all day asking 'where is the trash on Mac'; rather, you can remove the clutter in just a few clicks.

Junk files are the least important files stored on your Mac. They accumulate and pile up, and later on cause poor performance, latency, and slowness. To avoid experiencing any of these, why not use the iMyMac PowerMyMac program? It is a powerful tool with complete and comprehensive options to boost and clean up Mac.

Among the cleaning tools offered by iMyMac PowerMyMac is the Master Scan, which removes the junk saved inside your system. It only takes a few steps to get rid of this clutter! Here is how to use iMyMac PowerMyMac to delete files on Mac:

  1. Download, install and launch iMyMac PowerMyMac
  2. Select the Master Scan module on the left side toolbar
  3. Click Scan to allow the program to search through your entire system. After a few moments, all the junk files will be displayed on your screen
  4. The files are sorted and listed per categories such as Application Cache, Photo Cache, System Cache, System Logs, and more
  5. Click Clean to delete all the selected junk

Similar steps apply to other modules including Clutter and Large and Old Files. You can now see that your junk files are gone, with 0KB left. Using iMyMac PowerMyMac gives you the freedom to enjoy more and do more important things than to explore and wander inside your device searching for manual ways of deleting the trash and junk files.

Part 5. Summary

Now you won't ask 'where is the trash on Mac' because we have shown you where to find the trash folder on your Mac. We also included necessary steps on how to delete a file, restore, and even force emptying the bin in case you get error messages.

Regularly maintaining your device helps it perform faster and work better. So, to keep your device at its maximum performance daily, use a program called iMyMac PowerMyMac; it offers powerful toolkits that are essential in keeping your Mac safe, secure, and well-performing.

Have you tried other options to keep your Mac in good condition? Share them with us in the comments below!


If you have ever plugged a USB drive into a Mac, done some things, then plugged it into a Windows system, you have no doubt seen (if you have viewing of hidden files enabled) various '.DS_Store' files (among others) strewn throughout the folders on the drive. Though essentially useless to a Windows system, they do in fact serve a particular purpose on an HFS+ file system.

While I won't re-invent the wheel on describing 'What is a .DS_Store File?' (here as well), I would like to highlight its possible use for DFIR in containing/referencing artifacts that may be useful to investigations – traces of deleted files, with filenames and sometimes paths!

In a nutshell, the .DS_Store file stores metadata used by Finder for folder-specific display options such as window placement, layout, custom icons, background, etc. They are created in the parent folder of any folder that is viewed using the 'Icons', 'List', or 'Gallery' views within Finder. Note that no .DS_Store file is created when viewing a folder in the 'Columns' view. For example, if you opened your ~/Music/iTunes/ folder in Finder in 'Gallery' view, a .DS_Store file would be created at ~/Music/.DS_Store.

Thus, these .DS_Store files are (theoretically) created in every folder that Finder accesses, including remote network shares and external devices. Are those annoying .DS_Store files you see in Windows on your FAT32-formatted thumb drive making more sense now?

A part of this metadata is the filename, which got me to thinking… I wonder whether or not any traces get left behind when a file is moved or deleted.

For this post/research, I focused solely on the deletion aspect of when a user deletes a file through Finder.

In testing on my systems (OS X 10.10.5 and macOS Sierra 10.12.2), when a file gets 'deleted' through Finder (not via 'rm' on the command line, that's a very different story), it first gets moved to the user's ~/.Trash/ folder. If at least one file already exists within the user's Trash, an entry for the yet-to-be-deleted file is added to the existing ~/.Trash/.DS_Store file denoting the full path on disk where the file resided before being moved to the Trash. This entry is part of how the 'Put Back' feature works. If no files currently exist in the Trash (due to the user previously emptying the trash), I assumed (more on this in a bit) a new .DS_Store file would be created ('new' meaning a clear/empty file) to again begin storing entries for 'Put Back'. Upon emptying the trash (via either the 'Empty Trash' or 'Secure Empty Trash' option in Finder for pre-Sierra systems), the files are deleted (according to the deletion method associated with each action) from the ~/.Trash/ folder and the ~/.Trash/.DS_Store file is also 'deleted' (stay tuned for why I put this in quotes). Here is a great little writeup on the HFS+ volume structure and what happens 'When Mac deletes it!'.

At this point, since all of the Trash source files are deleted upon emptying the Trash, we would assume that the .DS_Store file and all of its entries would be deleted as well. But, is this the case?

Answer: Not Quite!

In my testing, while the source data files within the ~/.Trash/ folder appear to be reliably deleted (short of carving the disk), various file and path entries within the ~/.Trash/.DS_Store file do not appear to be deleted! In fact, when you move another file to the trash, the ~/.Trash/.DS_Store file is re-created and historical entries* are re-populated into the file! Even if you 'Put Back' the file(s), the associated .DS_Store file and entries remain. WIN!


*Note: These appeared to only be files I've deleted since the last reboot of my machine. Rebooting the machine seems to finally remove all historical entries. Various hypotheses of why/how this happens and where these entries come from will be tested later in this post.

We now have the opportunity to identify references to historical file deletions (sometimes with full path)! This doesn't just apply to the Trash's .DS_Store files, either. This applies to any given directory's .DS_Store file that may contain (or have contained) references to files that existed within it.

Pretty AWESOME, right? How many of you are already putting together the 'find' command to identify all the .DS_Store files on your systems?

*Hint: # find / -name .DS_Store

But, we kinda started this whole story at the end, well after I had finished muddling my way through researching and experimenting to find out how to actually parse these .DS_Store files. So, let's rewind a bit…

Upon first look, .DS_Store files aren't exactly straightforward, and they apparently can't be opened with any native system tool or application. There is no native 'ds_store_viewer' utility that simply parses the file information from the command line. So, how would we even go about trying to figure out how to parse this thing?

Well, it turns out the .DS_Store format is documented here. Given its format is published, it's likely a parser already exists for it. But, sometimes I just like to see what I can find myself before I go an easy(er) route. So, how should we start exploring what's inside these files?

Your initial thought may be 'strings!' That's a solid idea to start, let's see what that yields…

[jp@jp-mba (:) ~]$ strings -a ~/.Trash/.DS_Store
Bud1
pptbNustr
gptbLustr
xptbLustr
xptbNustr
gptbNustr
..
DSDB
gptbNustr
gptbLustr
gptbNustr
gptbLustr
gptbNustr
fptbLustr

Well, that was less than useful. Oh, wait… maybe they're Unicode strings instead of ASCII. Let's see what the option is for Unix strings to search for Unicode strings instead of ASCII:

[jp@jp-mba (:) ~]$ man strings

At this point you may already know what I'm about to say – the BSD strings utility does NOT have the capability to search for Unicode strings. See my post 'Know Your Tools: Linux (GNU) vs. Mac (BSD) Command Line Utilities' for more about all of that and why.

Fail.

So, you can go a few different ways here:

  1. Stick with native utilities
  2. Install/use a third-party utility that can identify Unicode strings (particularly big-endian Unicode)
  3. Install/use a third-party utility that can directly read .DS_Store format files

Native Utilities

So, what else might exist that we can use to view strings?

When in doubt, Hex it out!

I typically use one of two native hex viewers – hexdump and xxd. They are both useful in different ways, but we'll start with hexdump.

Using hexdump, you can dump hex+ASCII by doing the following:

$ hexdump -C

[jp@jp-mba (:) ~]$ hexdump -C ~/.Trash/.DS_Store
00000000  00 00 00 01 42 75 64 31  00 00 38 00 00 00 08 00  |....Bud1..8.....|
00000010  00 00 38 00 00 00 10 0c  00 00 02 09 00 00 20 0c  |..8........... .|
00000020  00 00 30 0b 00 00 00 00  00 00 00 00 00 00 08 00  |..0.............|
00000030  00 00 08 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 03  00 00 00 01 00 00 00 4e  |...............N|
00000050  00 00 00 04 00 00 10 00  00 65 00 61 00 73 00 65  |.........e.a.s.e|
00000060  00 5f 00 44 00 00 00 00  00 00 00 00 00 00 00 00  |._.D............|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200  00 00 00 00 00 00 00 02  00 00 00 02 00 00 00 04  |................|
00000210  00 00 00 30 00 50 00 6c  00 65 00 61 00 73 00 65  |...0.P.l.e.a.s.e|
00000220  00 5f 00 44 00 6f 00 63  00 75 00 53 00 69 00 67  |._.D.o.c.u.S.i.g|
00000230  00 6e 00 5f 00 74 00 68  00 69 00 73 00 5f 00 64  |.n._.t.h.i.s._.d|


Here we see the notable 'Bud1' header followed by readable text. Score! But, how do we extract JUST the readable text in some effective way? You can mess around with hexdump to try to make sense of the output formats, or you could do like I did and get so overwhelmed at one point that you just use xxd to create this incredibly unpretty, certainly less than efficient, convoluted, but 'working' one-liner:

$ xxd -p | sed 's/00//g' | tr -d '\n' | sed 's/\([0-9A-F]\{2\}\)/0x\1 /g' | xxd -r -p | strings | sed 's/ptb[LN]ustr//g'

Voilà. Strings output from Unicode strings only using the built-in utilities. It is very ugly and it is certainly separating at points/lines where it should not, but hey… you get what you get. At least you can more legibly make out filenames and paths that could get you somewhere.

This is an ugly hack. I do not recommend it, but sometimes ugly is better than nothing. YMMV.

Note: I would be very interested if someone who is WAY more versed in hexdump output formatting would create a much simpler way of doing the above solely using the hexdump utility.
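An added example, not from the original post: rather than stripping NUL bytes, this Python code carves 'Put Back' records out of a Trash .DS_Store by locating the ptbL/ptbN + ustr markers visible in the strings output above, then reading the length-prefixed UTF-16BE name before each marker and the value after it. The record layout follows the published format description; the field labels, the sample bytes and the user 'alice' are constructed for illustration.

```python
import re
import struct

MAX_UNITS = 1024  # sanity cap on a name or path length, in UTF-16 code units
# Labels are this example's own; ptbL/ptbN are the record codes seen on the page.
FIELDS = {b"ptbL": "put_back_dir", b"ptbN": "put_back_name"}


def _read_ustr(buf, pos):
    """Decode a u32-length-prefixed UTF-16BE string at pos, or return None."""
    if pos + 4 > len(buf):
        return None
    (units,) = struct.unpack_from(">I", buf, pos)
    end = pos + 4 + 2 * units
    if not 0 < units <= MAX_UNITS or end > len(buf):
        return None
    try:
        return buf[pos + 4:end].decode("utf-16-be")
    except UnicodeDecodeError:
        return None


def _name_before(buf, end):
    """Find the length-prefixed record name that ends exactly at offset end."""
    for units in range(1, MAX_UNITS + 1):
        start = end - 2 * units - 4
        if start < 0:
            return None
        if struct.unpack_from(">I", buf, start)[0] == units:
            return _read_ustr(buf, start)
    return None


def carve_put_back(buf):
    """Return {trashed_name: {put_back_dir, put_back_name}} found anywhere in buf."""
    found = {}
    for m in re.finditer(rb"(ptb[LN])ustr", buf):
        name = _name_before(buf, m.start())
        value = _read_ustr(buf, m.end())
        if name is None or value is None:
            continue  # truncated or overwritten remnant: skip rather than guess
        found.setdefault(name, {})[FIELDS[m.group(1)]] = value
    return found


def _record(name, code, value):
    """Build one constructed record (sample data only)."""
    enc = lambda s: struct.pack(">I", len(s)) + s.encode("utf-16-be")
    return enc(name) + code + b"ustr" + enc(value)


# Constructed sample: header magic, two records for one file, then a remnant
# whose value is cut off mid-string.
SAMPLE = (
    b"\x00\x00\x00\x01Bud1" + b"\x00" * 24
    + _record("invoice 2.pdf", b"ptbL", "Users/alice/Documents/")
    + _record("invoice 2.pdf", b"ptbN", "invoice.pdf")
    + b"\x00" * 16
    + _record("notes.txt", b"ptbL", "Users/alice/Desktop/")[:-9]
)

if __name__ == "__main__":
    for name, fields in carve_put_back(SAMPLE).items():
        print(name, fields)
```

Because it scans raw bytes instead of walking the file's B-tree, the same function can be pointed at any byte buffer that may hold such records, and it drops entries whose length fields no longer fit the data.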

Third-Party Utilities

GNU Strings

Believe it or not, you can actually install various GNU utilities on your Mac via a handy little thing called Homebrew. It just takes a command line one-liner to install and opens your Mac to a world of new and useful utilities called 'formulas'. Note that Xcode is a pre-req for installing Homebrew.

For our purposes, we want to install strings, which is a part of the GNU coreutils package. With homebrew installed, all it takes is a 'brew install coreutils' and we're up and running. Do note that various GNU utilities will be prepended with 'g' due to naming conflicts. For example, the GNU strings utility must be called/run as 'gstrings' (yeah, I laugh a little each time I see that).

Once installed, we now have full GNU strings capabilities, namely for searching big-endian Unicode text, a la the following:

$ gstrings -a -eb

You don't necessarily need the '-a' option that tells strings 'I don't care whether or not you think it's a searchable file, do it anyway', but I add it out of habit of searching files that the system likes to gripe about.

Using FDB

https://digi.ninja/projects/fdb.php

  1. Enter CPAN shell
    1. $ perl -MCPAN -e shell
  2. Install DSStore
    1. $ cpan[1] > install Mac::Finder::DSStore
  3. Install Switch
    1. $ cpan[1] > install Switch
  4. Run FDB
    1. $ ./fdb.pl --type ds --filename /Users//.Trash/.DS_Store --base_url /Users//

Using ds_store Go Parser

https://github.com/gehaxelt/ds_store

  1. Download and Install Go
    1. Download OS X Package from here: https://golang.org/dl/
  2. Set Go Path in shell
    1. One-time (I set mine as the following but it's up to you)
      1. $ export GOPATH=~/Projects/Go
    2. Permanent
      1. Place above line in /etc/bashrc
      2. Reload shell 'source /etc/bashrc' or close and relaunch terminal
  3. Download ds_store go files
    1. $ go get github.com/gehaxelt/ds_store
  4. Change to the directory of the go project
    1. $ cd $GOPATH/src/github.com/gehaxelt/ds_store
  5. Make a directory for the new project/files (I opted to name mine 'dsdump', but feel free to alter yours) and cd to it
    1. $ mkdir -p bin/dsdump && cd "$_"
  6. (If not already done) Create a .go file (I named mine dsdump.go) and copy/paste the Example Code from https://github.com/gehaxelt/ds_store
    1. $ nano dsdump.go
    2. Copy/paste the Example Code into this file and save it
  7. Build the Go binary
    1. $ go build
  8. Run dsdump
    1. $ ./dsdump -i

**Note: One of the awesome things about Go is its ability to build static binaries (no additional files needed) for a variety of operating systems. For example, if you wanted to build a binary for a Windows x64 system, you would simply run 'GOOS=windows GOARCH=amd64 go build -o dsdump.exe'. Then, just copy that to whatever Windows x64 system and run it. Pretty sweet, huh?

(Shout out to Slavik at Demisto for quickly getting me up and running with Go before I spent any time looking at documentation.)

— Update 7/31/19 —

Using DSStoreParser

Nicole Ibrahim recently presented at the SANS DFIR Summit on .DS_Store files and pointed us all to a parser she built.

https://github.com/nicoleibrahim/DSStoreParser

Using it is as simple as downloading it and running it (with Python2.7).

  1. Download the source
    1. $ git clone https://github.com/nicoleibrahim/DSStoreParser.git
  2. Change into the directory
    1. $ cd DSStoreParser
  3. Install the requirements (unicodecsv), if needed
    1. $ pip2.7 install unicodecsv --user
  4. Run it by pointing it to the source folder containing the .DS_Store file(s) you'd like to parse, and provide the output folder for the results
    1. $ python2.7 DSStoreParser.py -s /path/to/source/ -o output_dir/

Comparing the .DS_Store Parsing Solutions

As you can see, there are a variety of useful tools, both native and third-party, that can assist in analyzing .DS_Store files. A hex viewer is an invaluable tool for so many reasons, namely for assisting in identifying unknown structures, artifacts, or items within a given file. Gstrings offers an easy way to search for the appropriate strings with an easily installable pseudo-native utility. Fdb allows the option to specify the 'base_url' to prepend its results with the appropriate path, based on the given .DS_Store file's location. The ds_store Go parser does the job as well and it can be compiled to be portable to any major OS, which can be very handy in a Mac Forensics go-kit of sorts. And, Nicole's DSStoreParser is a nice, clean Python-based solution that provides a variety of output reports to better assist in seeing/understanding the information contained within the files.


Wrapping It All Up

Regardless of why/how this ~/.Trash/.DS_Store file re-creation occurs (which we'll address in Part 2 of this post) and what option(s) you choose to parse/extract these items, you may now at least have an additional DFIR investigation method and artifact(s) to identify previously deleted files that are no longer resident on (allocated) disk.

Though we focused solely on .DS_Store files in this post, do note that it is not just .DS_Store files that can assist in identifying deleted files on a system. There are several other files/areas that should be searched for such investigations; however, I wanted to hone in on analysis of these files as it is possibly lesser known (at least in my research and experience).

At any rate, I hope this can be somehow useful in your investigations moving forward! As usual, YMMV, so I'm interested to hear feedback and stories of if/how this works in the field for everyone.

/JP




