FSEvents
macOS File System Events journal providing detailed file activity records for timeline analysis and incident response.
- Status: available
- CLI plugin: filesystem.fsevents
- Categories: filesystem, system
Overview
FSEvents is a macOS subsystem that records file system activity at the volume level. These records are invaluable for timeline reconstruction, identifying file operations, and detecting suspicious activity patterns.
Analysis Tips
- Timeline correlation: FSEvents records provide high-resolution file activity timestamps
- Deletion detection: the ItemRemoved flag indicates file or folder deletion
- Malware indicators: look for rapid file-creation patterns in suspicious locations
- Data exfiltration: track bulk file operations in user directories
- Volume coverage: check both the system and data volumes on APFS systems
Event Flags
Key flags for forensic analysis:
| Flag | Description | Forensic Significance |
|------|-------------|-----------------------|
| ItemCreated | File/folder created | New content arrival |
| ItemRemoved | File/folder deleted | Data destruction |
| ItemModified | Content changed | File tampering |
| ItemRenamed | Path changed | Obfuscation attempts |
| ItemCloned | APFS clone created | Copy operations |
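The analysis tips and flags above can be turned into simple triage passes over already-parsed records. The following is an added example, not the plugin's own code: it assumes each record has been parsed into a dict holding the path, the set of flag names from the table, and the mtime of the .fseventsd log file it came from (used here as the record's time bound); the records and watched directories are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (illustrative only). FSEvents stores paths
# without the leading slash; log_mtime is the mtime of the gzip log file.
RECORDS = [
    {"path": "Users/alice/Library/LaunchAgents/com.example.helper.plist",
     "flags": {"ItemCreated", "ItemModified"}, "log_mtime": 1700000100},
    {"path": "private/tmp/.hidden/a.bin", "flags": {"ItemCreated"}, "log_mtime": 1700000100},
    {"path": "private/tmp/.hidden/b.bin", "flags": {"ItemCreated"}, "log_mtime": 1700000100},
    {"path": "private/tmp/.hidden/c.bin", "flags": {"ItemCreated"}, "log_mtime": 1700000100},
    {"path": "Users/alice/Documents/report.docx", "flags": {"ItemRemoved"}, "log_mtime": 1700000160},
    {"path": "Users/alice/Documents/budget.xlsx", "flags": {"ItemRemoved"}, "log_mtime": 1700000160},
    {"path": "Users/alice/Documents/notes.txt", "flags": {"ItemRemoved"}, "log_mtime": 1700000160},
    {"path": "Users/alice/Downloads/setup.dmg", "flags": {"ItemCreated"}, "log_mtime": 1700000200},
]

# Hypothetical watch list: temp space plus the launchd persistence folders.
WATCHED_DIRS = ("private/tmp/", "Library/LaunchAgents/", "Library/LaunchDaemons/")


def watched_dir(path):
    """Return the first watched directory fragment found in path, else None."""
    return next((frag for frag in WATCHED_DIRS if frag in path), None)


def creation_bursts(records, threshold=3):
    """Count ItemCreated events per (log file, watched dir); keep counts >= threshold."""
    counts = defaultdict(int)
    for r in records:
        frag = watched_dir(r["path"])
        if frag and "ItemCreated" in r["flags"]:
            counts[(r["log_mtime"], frag)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def bulk_removals(records, threshold=3):
    """Count ItemRemoved events per (log file, user home); keep counts >= threshold."""
    counts = defaultdict(int)
    for r in records:
        parts = r["path"].split("/")
        if "ItemRemoved" in r["flags"] and len(parts) > 2 and parts[0] == "Users":
            counts[(r["log_mtime"], "/".join(parts[:2]))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def persistence_writes(records):
    """Every ItemCreated under a launchd folder is worth a look, whatever the count."""
    return [r["path"] for r in records
            if "ItemCreated" in r["flags"] and "/Library/Launch" in "/" + r["path"]]
```

Both burst checks key on the log file's mtime because FSEvents records carry no per-event clock of their own; adjust the thresholds to the volume you are working.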
Store Locations
| Volume Type | Path | Notes |
|-------------|------|-------|
| System (pre-Catalina) | /.fseventsd/ | Single volume |
| System (Catalina+) | /.fseventsd/ | Read-only system volume |
| Data (Catalina+) | /System/Volumes/Data/.fseventsd/ | User data volume |
| External | /Volumes/{name}/.fseventsd/ | Per-volume stores |
Related Artifacts
- Shell History - Correlate commands with file operations
- Safari Browser - Track download file creation
References
Data sources
| Path | Contents |
|------|----------|
| /.fseventsd/ | Volume UUID for path resolution |
| /.fseventsd/ | Compressed event records |
| /System/Volumes/Data/.fseventsd/ | Data volume UUID (Catalina+) |