A simple macOS File System Events Disk Log Stream (FsEventsd) parser (and library) written in Rust!
FsEvent records on macOS keeps track of file changes on a system. This simple library lets you parse these records.
The example binary can parse these records to a csv and json file.
The example binary can be run on a live system or you can provide a directory containing FsEvent files.
- Download
fsevents_parser
binary (or compile and build example yourself)
a. You can compile the example binary by runningcargo build --release --example fseventsd_parser
- If running on a live system, run
sudo ./fsevents_parser
a. You need root access to read FsEvent records on a live system - If FsEvents have been acquired via another tool, run
./fsevents_parser <path to directory containing FsEvent files>
fsevents_parser
will output a CSV file and a json.
Parsing FsEvents is mainly useful for forensic investigations. You can parse FsEvents to determine if a file previously existed on disk.
Ex: Check if malware existed on a system or if a user downloaded a malicious file from the Internet or opened a phishing document.
FsEvent records on macOS keeps track of of file changes on a system. In addition, FsEvents records can be created on additional drives that are formatted with APFS (or HFS+).
A FsEvent files can exist in two locations depending on the macOS version:
/.fsevents
macOS versions below BigSur/System/Volumes/Data/.fseventsd/
macOS BigSur and higher
You need root
permissions in order to read the files.
FsEvent files are compressed with Gzip and are stored in a binary format that must be parsed.
Data that can be extracted from FsEvent data includes:
- Path for file record
- File change event (Event Flags). Such as Created, Removed, Changed, etc.
- Event ID
- Node ID
FsEvents can be disabled for a volume by creating a file named no_log
in the root directory.
https://github.com/libyal/dtformats/blob/main/documentation/MacOS%20File%20System%20Events%20Disk%20Log%20Stream%20format.asciidoc
https://www.crowdstrike.com/blog/using-os-x-fsevents-discover-deleted-malicious-artifact/
https://eclecticlight.co/2017/09/12/watching-macos-file-systems-fsevents-and-volume-journals/