macOS Tahoe 26 introduced a new Biome stream, App.MenuItem, that records the exact text of menu selections and timestamps — effectively logging the user's step-by-step interactions with the operating system interface.
App.MenuItem: what the artifact records
The new App.MenuItem stream is stored in the Biome system and captures specific menu selections made by users across macOS Tahoe 26.x. Unlike simple event timestamps, the stream records the literal menu-item text a user selected and the timestamp of that activity, creating a narrative of interface interactions — for example, differentiating a generic "Open" from a menu action that reads "Compress 'stolendata'." The file contains SEGB-encapsulated protobuf entries, the same SEGB format used by the wider Biome system.
Where the artifact lives and how to extract it
The artifact is located at the path ~/Library/Biome/streams/restricted/App.MenuItem/local. Because entries are stored in SEGB-encapsulated protobuf form, they require tooling that understands that format. The blog recommends using open-source tooling such as the ccl-segb project to extract raw text.
- Export the file(s) from ~/Library/Biome/streams/restricted/App.MenuItem/local.
- Run the ccl-segb Python script: python ccl_segb_cli.py <exportedfilename> > outputfilename.txt.
- Convert the resulting text output into CSV for easier filtering and analysis using a Python script.
A concrete timeline pulled from App.MenuItem
The stream can be read as a timeline of user choices. The sample sequence provided in the analysis shows how intent can be inferred from chained menu actions:
- 18:32:37 — Go > Go to Folder… in Finder.
- 18:36:59 — In TextEdit, File > Save… followed by typing "u42validation".
- 18:37:54 — Highlight a folder named "stolendata" and select Compress “stolendata”.
- 18:38:19 — Select Move to Trash.
- 18:38:41 — Interact with the Dock to select Empty Trash.
That sequence — create/save, compress, move to trash, empty trash — illustrates how App.MenuItem can turn otherwise disjointed file-system events into a coherent story of intent, such as data preparation and cleanup that may precede exfiltration.
Limitations and the need for correlation with other logs
App.MenuItem is powerful but not exhaustive. The stream relies on the visible menu-item text; a generic command like "Open" will not include the name of the file or folder acted upon. Because of that limitation, the stream is most valuable when correlated with file-system logs and other Biome streams to link menu actions to specific objects. The analysis also notes that the most common commercially available digital forensic tools did not parse this particular stream at the time of testing.
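The following Python sketch is an added example, not code from the original analysis or from ccl-segb. It scans a converted App.MenuItem timeline for the compress, move-to-trash, empty-trash chain shown above and returns the time window to pivot on in file-system logs. The two-column CSV layout, the function names and the 10-minute window are assumptions, and the date in the sample is a placeholder.

```python
import csv, io, re
from datetime import datetime, timedelta

# Constructed sample: menu text and times are from the article's timeline; the
# date is a placeholder and the two-column CSV layout is an assumption.
SAMPLE_CSV = """timestamp,menu_item
2000-01-01 18:32:37,Go to Folder…
2000-01-01 18:36:59,Save…
2000-01-01 18:37:54,Compress “stolendata”
2000-01-01 18:38:19,Move to Trash
2000-01-01 18:38:41,Empty Trash
"""

COMPRESS = re.compile(r"^Compress\s+[“\"'](?P<name>.+?)[”\"']$")
CLEANUP = ("Move to Trash", "Empty Trash")  # must follow in this order

def load_events(text):
    """Parse CSV text into time-sorted (datetime, menu_item) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    events = [(datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S"),
               r["menu_item"].strip()) for r in rows]
    return sorted(events)

def find_stage_and_cleanup(events, window=timedelta(minutes=10)):
    """Flag Compress "<name>" followed, in order and inside `window`, by
    Move to Trash and Empty Trash. Returns one dict per chain found."""
    findings = []
    for i, (start, item) in enumerate(events):
        m = COMPRESS.match(item)
        if not m:
            continue
        pending, hits = list(CLEANUP), []
        for ts, later in events[i + 1:]:
            if ts - start > window:
                break
            if pending and later == pending[0]:
                hits.append(ts)
                pending.pop(0)
        if not pending:
            findings.append({
                "compressed": m.group("name"),
                # The cleanup entries name no object, so this interval is what
                # to pivot on in file-system logs and other Biome streams.
                "pivot_window": (start, hits[-1]),
                "duration_s": int((hits[-1] - start).total_seconds()),
            })
    return findings

if __name__ == "__main__":
    for f in find_stage_and_cleanup(load_events(SAMPLE_CSV)):
        print(f)
```

A match only establishes ordering and timing; which object was trashed still has to come from file-system evidence inside the returned window.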
What this means for forensic examiners, tool vendors, and end users
- Forensic examiners: Verify whether App.MenuItem is present in Tahoe images and incorporate it into standard analysis workflows. The artifact provides human-context data that can clarify intent behind file-system actions.
- Commercial forensic tool vendors: The stream is stored in SEGB-encapsulated protobuf entries and was not parsed by the most common commercial tools in the testing described; vendors will need to add support for this stream or rely on community tools like ccl-segb to ingest the data.
- End users and privacy-conscious organizations: The Biome system, already tracking app usage and media consumption, now includes menu-selection data. That change means menu-level interactions are recorded in a retrievable form on devices running macOS Tahoe 26.x.
The appearance of App.MenuItem in macOS Tahoe 26.x adds a distinct layer of human context to forensic timelines: where system logs show what happened, this stream can show what the user chose to do. Examiners working Tahoe images are urged to check for the artifact, use SEGB-capable extraction tools such as ccl-segb, and correlate menu records with file-system evidence to reconstruct intent with greater precision.
https://unit42.paloaltonetworks.com/new-macos-artifact-discovered/




