
Building File System Timelines with FSEvents

Learn how macOS FSEvents journals can reveal file activity that other artifacts miss, and how to leverage them in your investigations.

Toby Vervaart, Founder & Lead Developer

FSEvents is one of the most underutilised artifacts in macOS forensics. While investigators focus on browser history and unified logs, FSEvents quietly records nearly every change made to the file system.

What Are FSEvents?

FSEvents is a macOS subsystem that monitors file system changes. Originally designed to support Spotlight indexing and Time Machine, it maintains a persistent journal of file operations. The fseventsd daemon writes this journal as gzip-compressed store files in a hidden .fseventsd directory at the root of each volume, which is where a collector reads it from.

What Gets Recorded

  • File creation and deletion
  • Modifications to file content
  • Renames and moves
  • Permission and ownership changes
  • Extended attribute modifications

What Doesn't Get Recorded

  • File reads (access only, no modification)
  • Specific content changes (only that a change occurred)
  • Process information (which application made the change)
  • Timestamps (a record carries a path, an event ID and flags but no time; the modification time of the store file that holds it is the closest available bound)
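The following Python is an added example, not code from the page or from macfor, that parses the store format described above: each gzip-compressed store holds pages beginning with a `1SLD` or `2SLD` magic, four unused bytes and a little-endian page length, followed by records made of a NUL-terminated path, a 64-bit event ID, 32-bit flags and, in `2SLD` pages, a 64-bit node ID. The sample store is constructed in memory; its paths and IDs are invented. Page versions other than these two are rejected rather than guessed at.

```python
import gzip
import struct
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Flag bits as laid out in 1SLD/2SLD store records (shared by both versions).
FLAGS = {
    0x00000001: "FolderEvent",
    0x00000002: "Mount",
    0x00000004: "Unmount",
    0x00000020: "EndOfTransaction",
    0x00000800: "LastHardLinkRemoved",
    0x00001000: "HardLink",
    0x00004000: "SymbolicLink",
    0x00008000: "FileEvent",
    0x00010000: "PermissionChange",
    0x00020000: "ExtendedAttrModified",
    0x00040000: "ExtendedAttrRemoved",
    0x00100000: "DocumentRevisioning",
    0x00400000: "ItemCloned",
    0x01000000: "Created",
    0x02000000: "Removed",
    0x04000000: "InodeMetaMod",
    0x08000000: "Renamed",
    0x10000000: "Modified",
    0x20000000: "Exchange",
    0x40000000: "FinderInfoMod",
    0x80000000: "FolderCreated",
}

PAGE_HEADER = struct.Struct("<4s4sI")   # magic, unused, page length (header included)
RECORD_V1 = struct.Struct("<QI")        # event ID, flags (follows the NUL-terminated path)
NODE_ID = struct.Struct("<Q")           # appended to each record in 2SLD pages


@dataclass
class FSEvent:
    event_id: int
    path: str
    flags: int
    node_id: Optional[int]  # only present in version 2 pages

    def flag_names(self) -> List[str]:
        return [name for bit, name in FLAGS.items() if self.flags & bit]


def parse_store(data: bytes) -> List[FSEvent]:
    """Parse one decompressed store: a sequence of pages, each holding records."""
    events: List[FSEvent] = []
    off = 0
    while off < len(data):
        magic, _unused, page_len = PAGE_HEADER.unpack_from(data, off)
        if magic not in (b"1SLD", b"2SLD"):
            # Unknown page version: stop rather than misread the fields.
            raise ValueError(f"unsupported page magic {magic!r} at offset {off}")
        version = 1 if magic == b"1SLD" else 2
        page_end = off + page_len
        pos = off + PAGE_HEADER.size
        while pos < page_end:
            nul = data.index(b"\x00", pos, page_end)
            # Paths are stored relative to the volume root; a leading "/" is added here.
            path = "/" + data[pos:nul].decode("utf-8", errors="replace")
            pos = nul + 1
            event_id, flags = RECORD_V1.unpack_from(data, pos)
            pos += RECORD_V1.size
            node_id = None
            if version == 2:
                node_id = NODE_ID.unpack_from(data, pos)[0]
                pos += NODE_ID.size
            events.append(FSEvent(event_id, path, flags, node_id))
        off = page_end
    # Event IDs are the only ordering FSEvents provides; records carry no timestamp.
    events.sort(key=lambda e: e.event_id)
    return events


def load_store(blob: bytes) -> List[FSEvent]:
    """Decompress a gzip store file (as found under /.fseventsd/) and parse it."""
    return parse_store(gzip.decompress(blob))


def build_store(records: Sequence[Tuple[str, int, int, int]], version: int = 2) -> bytes:
    """Assemble a single-page gzip store from (path, event_id, flags, node_id) tuples.
    Constructed test data for this example, not a real evidence file."""
    body = bytearray()
    for path, event_id, flags, node_id in records:
        body += path.encode("utf-8") + b"\x00" + RECORD_V1.pack(event_id, flags)
        if version == 2:
            body += NODE_ID.pack(node_id)
    magic = b"1SLD" if version == 1 else b"2SLD"
    page = PAGE_HEADER.pack(magic, b"\x00" * 4, PAGE_HEADER.size + len(body)) + bytes(body)
    return gzip.compress(page)


FILE, CREATED, REMOVED, RENAMED, MODIFIED = 0x8000, 0x01000000, 0x02000000, 0x08000000, 0x10000000

# Constructed sample: a download that is renamed, and a /tmp archive that is created then removed.
SAMPLE_STORE = build_store([
    ("Users/alice/Downloads/report.zip", 0x1000, FILE | CREATED | MODIFIED, 0x3A0E1),
    ("private/tmp/stage.tar.gz", 0x1002, FILE | CREATED | MODIFIED, 0x3A0F7),
    ("Users/alice/Downloads/report.zip", 0x1001, FILE | RENAMED, 0x3A0E1),
    ("private/tmp/stage.tar.gz", 0x1003, FILE | REMOVED, 0x3A0F7),
])

if __name__ == "__main__":
    for ev in load_store(SAMPLE_STORE):
        print(f"{ev.event_id:#x} {ev.path} {'|'.join(ev.flag_names())}")
```

Against a real store, replace `SAMPLE_STORE` with the bytes of a file read from `/.fseventsd/` on the imaged volume. Note that the parser sorts by event ID because that is the only order the format carries; anything resembling a time has to come from the store file's own metadata.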

Forensic Value

FSEvents can answer questions that other artifacts cannot:

Deleted File Evidence

When a file is deleted, FSEvents records a Removed event for its path. Even if the file itself is unrecoverable, that record shows a file with that name existed on the volume and where its removal falls in the sequence of other events.

Timeline Gaps

Browser history only shows web activity. FSEvents shows the downloaded file appearing on disk, being moved or renamed, and being deleted, even after the browser history is cleared. Execution itself is a read rather than a change, so it leaves no FSEvents record; that step has to come from other artifacts.

Malware Activity

Malware often creates, modifies, and deletes files during execution. FSEvents captures this activity even if the malware cleans up after itself, although a file created and removed within a short window may be recorded as a single record carrying both flags.

Reading FSEvents with macfor

macfor Pro includes comprehensive FSEvents support:

macfor collect --plugin filesystem.fsevents --output evidence.zip

The output includes:

  • Raw gzip-compressed store files (for preservation)
  • Parsed JSONL records (for analysis)
  • Store summaries with statistics

Practical Example

Consider an investigation where you suspect data exfiltration:

  1. FSEvents shows: Multiple archive files created in /tmp/
  2. Timeline correlation: The store file holding these events was last written after hours (records carry no timestamp, so the store file's modification time is the bound you can work with)
  3. Follow-up: Browser history shows uploads to a file sharing service in the same window

Without FSEvents, you might miss the staging activity entirely.
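As an added example serving both the deleted-file point above and this staging scenario (not code from the page or from macfor), the following Python takes records in the shape a store parser emits, builds a per-path timeline ordered by event ID, flags archives that were created and later removed in a staging directory, and bounds the activity with the store file's modification time. The staging directories, archive extensions, business-hours window, records and timestamps are all assumptions constructed for the example; tune the first three for the environment under investigation.

```python
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Heuristics assumed for this example: where staging usually happens and what counts
# as an archive. Adjust both to the environment being investigated.
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/private/var/folders/", "/var/folders/", "/Users/Shared/")
ARCHIVE_EXT = (".zip", ".tar", ".tar.gz", ".tgz", ".7z", ".rar", ".dmg")


def is_staged_archive(path: str) -> bool:
    return path.startswith(STAGING_DIRS) and path.lower().endswith(ARCHIVE_EXT)


def per_path_timeline(records: List[dict]) -> Dict[str, List[dict]]:
    """Group parsed records by path, ordered by event ID (the only order FSEvents gives)."""
    by_path: Dict[str, List[dict]] = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["event_id"]):
        by_path[rec["path"]].append(rec)
    return by_path


def outside_business_hours(ts: datetime, start: int = 8, end: int = 18) -> bool:
    """Weekend, or outside the [start, end) hour window, in the timestamp's own zone."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def find_staged_archives(records: List[dict], store_mtime: datetime,
                         previous_store_mtime: Optional[datetime] = None) -> List[dict]:
    """Archives created and later removed in a staging directory.

    FSEvents records carry no timestamp. The store file's mtime is an upper bound for
    every event in it; the previous store's mtime is a practical lower bound.
    """
    findings = []
    for path, history in per_path_timeline(records).items():
        if not is_staged_archive(path):
            continue
        created_idx = next((i for i, r in enumerate(history) if "Created" in r["flags"]), None)
        removed_idx = next((i for i, r in reversed(list(enumerate(history)))
                            if "Removed" in r["flags"]), None)
        if created_idx is None or removed_idx is None or removed_idx < created_idx:
            continue
        findings.append({
            "path": path,
            "first_event_id": history[0]["event_id"],
            "last_event_id": history[-1]["event_id"],
            # Created and Removed in one record: the file lived briefly and the events coalesced.
            "coalesced": len(history) == 1,
            "not_before": previous_store_mtime.isoformat() if previous_store_mtime else None,
            "not_after": store_mtime.isoformat(),
            "after_hours": outside_business_hours(store_mtime),
        })
    return findings


# Constructed parsed records in the shape a store parser emits (event ID, path, flag
# names). Not real evidence; paths and IDs are invented for this example.
RECORDS = [
    {"event_id": 0x2000, "path": "/Users/alice/Documents/q3-plan.docx", "flags": ["FileEvent", "Modified"]},
    {"event_id": 0x2001, "path": "/private/tmp/export-2.zip", "flags": ["FileEvent", "Created", "Modified"]},
    {"event_id": 0x2002, "path": "/private/tmp/notes.txt", "flags": ["FileEvent", "Created", "Removed"]},
    {"event_id": 0x2003, "path": "/Users/alice/Downloads/photos.zip", "flags": ["FileEvent", "Created"]},
    {"event_id": 0x2004, "path": "/private/tmp/export-2.zip", "flags": ["FileEvent", "Removed"]},
    {"event_id": 0x2005, "path": "/private/var/folders/xy/T/bundle.7z",
     "flags": ["FileEvent", "Created", "Modified", "Removed"]},
]
# Constructed store mtimes: previous store closed Friday 17:40, this one written Saturday 02:15.
PREVIOUS_STORE_MTIME = datetime(2024, 3, 15, 17, 40, tzinfo=timezone.utc)
STORE_MTIME = datetime(2024, 3, 16, 2, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in find_staged_archives(RECORDS, STORE_MTIME, PREVIOUS_STORE_MTIME):
        print(finding)
```

The `not_before`/`not_after` pair is the honest way to state when a staged archive existed: the record itself cannot be placed more precisely than the window between two store files. The `coalesced` flag marks records where creation and removal were merged into one, which is exactly the short-lived-file case a cleanup routine produces.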

Limitations

FSEvents has some important limitations to keep in mind:

  • Event coalescence: Multiple rapid operations on the same path may be merged into one record carrying several flags (for example Created, Modified and Removed together for a short-lived file)
  • No content: You see that a file changed, not what changed
  • Rotation: Old store files are eventually purged, and the journal for a volume can be discarded after an unclean unmount
  • Scope: Only covers local volumes, not network shares

Conclusion

FSEvents is a powerful artifact that deserves more attention in macOS investigations. Combined with other evidence sources, it can reveal activity patterns that would otherwise go undetected.

The macfor Pro FSEvents collector is available now. See the FSEvents artifact documentation for more details.