TinkerTool System 9 Help

The Pane Operational Safety

Storage Space

With the latest versions of macOS, users are regularly confused as to how much storage space on a given volume is actually free and allocated. This confusion has several causes:

Applications may use different definitions of memory units when referring to storage space without correctly labeling it. 1 kilo byte may represent 1,024 bytes or 1,000 bytes, depending on definition. Apple has changed the guidelines for presenting storage space multiple times in the last years. Detailed information on this topic can be found in chapter Basic Operations, section Display of Memory Sizes.
Applications may show storage space from a user’s point-of-view (Finder) or from a technical point-of-view (Disk Utility). For example, the Finder considers storage space allocated for local Time Machine snapshots to be free. This should signal to the user that the storage space used for that purpose could be freed automatically by the operating system when it is needed for something else. Some applications explicitly differentiate between “free” and “available” space, where “available” is defined to be “free plus purgeable”. For further information, please see the chapter The pane Time Machine.
Modern file systems can use special management technologies for the administration of storage where capacity may be counted several times although it exists only once in reality.

Apple’s APFS is one of these modern file systems. Among others, it supports the following technologies used today, which can lead to confusion regarding storage space specifications:

APFS no longer needs partitioning. Within an APFS zone on a disk drive, multiple volumes can be created without the need to divide them into partitions. (A zone administered by APFS is however a partition itself, the APFS container, in order to separate it from the areas not maintained by APFS.) Volumes in the same container can share their storage space, i.e. free blocks don’t need to be permanently assigned to a single volume, but are potentially available to each of the volumes. Consider an APFS container with 250 GB, containing 4 volumes: We have 4 volumes of 250 GB, so apparently 1,000 GB of space, although 250 GB are available in reality only. To capacity is overbooked, which would only become an issue when each of the volumes actually tries to allocate its registered maximum storage.
APFS supports a snapshot feature. If desired, a file system can “remember” its state at any given time across the entire volume. At the touch of a button, this condition can be restored within seconds. Any number of these “frozen” states can be created as long as there is still free capacity to store the old and current version of all data. Technically, the snapshot feature works by no longer discarding deleted or overwritten data blocks, but keeping their former contents. Note that the storage space used for this does not become visible at the file level. The volume will need more storage space than the sum of all currently stored files, however. Modern backup systems typically use snapshots.

So if a volume is using APFS, the question for free space may not be easy to answer.

With modern operating systems, free storage space can have multiple definitions

TinkerTool System can show the different views on storage space supported by macOS for each volume:

Select the sub-item Storage Space of the pane Operational Safety.
Choose the desired volume with the pop-up button Volume.

The system volume is internally split into a read-only system part, a read/write part for data, and a running sealed volume snapshot. However, this is usually hidden by macOS, and all three volumes share the same storage space, so they are presented as single volume in the pop-up button.

The different definitions of used and free storage space will be presented in a table also listing total physical capacity. When APFS is in use, a corresponding warning will be shown below the table. When comparing the results with other applications, please remember to set the correct unit for measuring memory in TinkerTool System as intended. See Basic Operations, section Display of Memory Sizes.

Actual storage space: the physical space allocated on the volume for use.
Space granted to applications: the space available to applications without any restrictions. For safety reasons, a certain reserve is taken into account for the operating system itself.
Space after purge operation: the storage which will become available when the operating system is forced to delete “unimportant” data automatically to regain more actual space. This difference between the true free space and the potentially free space is called purgeable storage by Apple. The actual meaning of this can vary depending on the system version. For example, this could be media files of rental movies already played, which could be downloaded again from the cloud at any time, or it could be local APFS snapshots created by Time Machine.

What Apple actually means by a purge operation to reclaim storage space is not exactly defined.

However, you can press the button Show services that reclaim purgeable space to show the list of all system services that have currently registered with macOS to free storage space when necessary.

Application Integrity

On the pane Applications you may have used the feature Security Check already, which is designed to examine different aspects of an application under security considerations.

The pane Operational Safety allows you to run a specific part of this check, namely the one based on protecting executable code by digital seals (codesigning), for a large number of applications at the same time, e.g. for the entire system volume. This makes it possible to quickly assess the overall security situation of a computer.

The check considers the following items:

Is each application digitally sealed and does each seal meet the security requirements of the currently running operating system?
Has any application been changed after it was sealed?
Is each seal trustworthy?

The bulk check is limited to applications for the graphical user interface. As part of such a test run, you cannot check code for the command line, or other sealed components, like disk images, for example.

All applications of the system can be checked if necessary

Select the sub-item Application Integrity of the pane Operational Safety.
Drag the folder with the applications you like to check from the Finder into the field Top folder to check. You can also click the button […] to navigate to the folder, or click on the white area to enter the UNIX path of the folder.
Click the button Check.

It is possible to choose not only a folder, but an entire volume for the check. The bulk check is automatically limited to one volume even if it contains links to other volumes.

The check can take a long time, depending on how many applications are contained, and how large they are. Particularly large applications, like Xcode or complex computer games, for example, can greatly lengthen the test. During the test run, the button Stop on the wait panel can be clicked to cancel the check.

For technical reasons, test runs that have been started already may not be interrupted immediately when clicking the Stop button. TinkerTool System may continue running some of the test jobs in the background (which still can put load on your Mac) but will then discard the results. To cancel all running checks immediately, you must quit the application after clicking the Stop button.

After all test procedures have been completed, the final results will be shown in a table. It lists all applications with their names and marks the aforementioned aspects of the check in the last three columns, using icons:

Sealed: the application is digitally sealed using Apple’s codesigning technology.
Intact: the seal is not broken, i.e. all components of the application are still unchanged, and nothing has been added or removed. The requirements of the running operating system in respect to the seal are met.
Trusted: the seal was signed by a party currently trusted by Apple.

The following icons are used:

green dot: the test was passed
red cross: the test was not passed
empty field: the test could not be performed

After selecting a line in the results table, details about the application and its check will be shown. The button with the magnifying glass can be used to reveal the respective application in the Finder. If there was a failure, the line Detected issue indicates the reason why the test was not passed.

You can also click the button Close and run full security check on selected application in order to open the program on the pane Applications, letting it perform a complete security test.

By clicking the button Text Report you can create a copy of the result table in text form. This report can either be printed or you can export it in Rich Text Format to a text file.

Programs created automatically by the operating system and not by a software developer are not classified as trustworthy in general. This includes, among other things, workflows that were created with Automator, programs for displaying printer queues, but also their associated template applications that macOS uses on demand to create the specific programs. This behavior is normal and not a cause for concern.

Check the system log for suspicious user activity

To ensure the security of a Mac that is open to the public, it can be helpful to automatically scan the system log for entries related to user authentication or the authorization of privileged operations. If there is an accumulation of an unusually large number of failures (e.g. entering incorrect passwords), it can be assumed that intrusion attempts have taken place. Publicly accessible can hereby mean that the keyboard and screen (called console in classical data processing) are not in a monitored location, e.g. in a school workroom. However, it can also mean that protected services that require a user to log in can be accessed from the local network or from the Internet.

TinkerTool System can evaluate the existing system log regarding the following operations:

successful and failed logins at the macOS login screen,
successful and failed logins on the lock screen, i.e. after exiting the screen saver or after waking from sleep mode,
all unsuccessful attempts to authorize a privileged operation, both locally and when accessed through a network service.

This list does not claim to be complete. It is not possible to predict how long entries will remain in the system log. This depends on the respective operating system version, individual settings, use of maintenance functions and available disk space. FileVault logins occur outside of macOS and are therefore typically not included in the log.

The system log can be evaluated to detect possible intrusion attempts

To start the evaluation, select the desired item under Search for and then click the Check button. The search may take some time depending on available log size. The results will be shown on a separate sheet window.

When evaluating the console and lock screen data, successful logins are highlighted in green, failed ones in red.
When evaluating the authorization of privileged operations, all listed entries refer to failures.

The overviews are computed based on original excerpts from the system log. Therefore, they usually contain quotes which depend on the respective macOS version.