Filesystem Event Log (.fseventsd)
Location
/.fseventsd/ (root volume)
Description
Binary log files recording filesystem events on the iOS APFS volume, similar to the macOS FSEvents mechanism. Records file and directory creation, modification, deletion, and rename operations with the full path and event flags. Events are written in compressed binary format within the hidden .fseventsd directory at the volume root.
Forensic Value
FSEvents on iOS provides a chronological record of all filesystem changes, including file operations performed by applications, the operating system, and potentially by exploit payloads. This artifact can reveal the creation of files that were subsequently deleted, including malware droppers, exfiltrated data staging files, and temporary exploit artifacts. Because FSEvents records persist independently of the files they describe, evidence of attacker filesystem activity survives file deletion. The event flags differentiate between creation, modification, and deletion operations, enabling precise reconstruction of what happened to specific files and directories.
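Added example (not part of the original entry, and not code from any named tool): a minimal Python parser that lists paths which were created and later removed, the case described above. It assumes the iOS files use the layout publicly documented for macOS FSEvents logs (gzip stream, `1SLD`/`2SLD` page headers, NUL-terminated path, 64-bit event ID, 32-bit flags, plus a 64-bit node ID in `2SLD`); the function names and the sample data are constructed for illustration.

```python
import gzip
import struct

# Flag bits as publicly documented for macOS FSEvents (assumed to match iOS).
ITEM_IS_FILE, CREATED, REMOVED, MODIFIED = 0x8000, 0x01000000, 0x02000000, 0x10000000

def parse_fsevents(raw):
    """Yield (path, event_id, flags) from one gzip-compressed log file."""
    data = gzip.decompress(raw)
    pos = 0
    while pos + 12 <= len(data):
        magic, _, page_len = struct.unpack_from("<4sII", data, pos)
        if magic not in (b"1SLD", b"2SLD") or page_len < 12:
            raise ValueError(f"unexpected page header at offset {pos}")
        end = min(pos + page_len, len(data))
        tail = 12 if magic == b"1SLD" else 20  # 2SLD appends an 8-byte node id
        rec = pos + 12
        while rec < end:
            nul = data.find(b"\x00", rec, end)
            if nul < 0 or nul + 1 + tail > end:
                break  # truncated record: skip the rest of this page
            event_id, flags = struct.unpack_from("<QI", data, nul + 1)
            yield data[rec:nul].decode("utf-8", "replace"), event_id, flags
            rec = nul + 1 + tail
        pos = end

def created_then_removed(events):
    """Paths with a create followed by (or coalesced with) a remove."""
    created, hits = set(), []
    for path, _, flags in sorted(events, key=lambda e: e[1]):
        if flags & CREATED:
            created.add(path)
        if flags & REMOVED and path in created and path not in hits:
            hits.append(path)
    return hits

def build_sample():
    """Constructed 2SLD page with three records (not real device data)."""
    recs = [("private/var/tmp/stage.bin", 101, ITEM_IS_FILE | CREATED),
            ("private/var/mobile/notes.db", 102, ITEM_IS_FILE | MODIFIED),
            ("private/var/tmp/stage.bin", 103, ITEM_IS_FILE | REMOVED)]
    body = b"".join(p.encode() + b"\x00" + struct.pack("<QIQ", i, f, 0)
                    for p, i, f in recs)
    return gzip.compress(b"2SLD" + struct.pack("<II", 0, 12 + len(body)) + body)

if __name__ == "__main__":
    events = list(parse_fsevents(build_sample()))
    print(created_then_removed(events))
```

Records carry no wall-clock timestamp in this layout, so ordering comes from the event ID; the log file's own metadata is needed to place events in time.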