Filesystem Event Log (.fseventsd)

iOS | Filesystem & Timeline | Device Extraction

Location

/.fseventsd/ (root volume)

Description

Binary log files recording filesystem events on the iOS APFS volume, similar to the macOS FSEvents mechanism. Records file and directory creation, modification, deletion, and rename operations with the full path and event flags. Events are written in compressed binary format within the hidden .fseventsd directory at the volume root.

Forensic Value

FSEvents on iOS provides a chronological record of all filesystem changes including file operations performed by applications, the operating system, and potentially by exploit payloads. This artifact can reveal the creation of files that were subsequently deleted, including malware droppers, exfiltrated data staging files, and temporary exploit artifacts. Because fsevents records persist independently of the files they describe, evidence of attacker filesystem activity survives file deletion. The event flags differentiate between creation, modification, and deletion operations, enabling precise reconstruction of what happened to specific files and directories.
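To make the record layout and the created-then-deleted reconstruction concrete, the following is an added example (not code from the original page, nor from iLEAPP or FSEventsParser). It assumes the DLS2 page layout and flag bit values used by the public FSEventsParser (a 12-byte page header of magic, four unknown bytes and a little-endian page length; records of a NUL-terminated path, an 8-byte event id, a 4-byte flag word and an 8-byte node id); verify those against your tooling before relying on them, and note that FSEvents often coalesces several operations on one path into a single record with OR'd flags.

```python
import gzip
import struct

# Flag bits as used by the public FSEventsParser (assumed here; verify against your tooling).
FLAGS = {0x00000001: "FolderEvent", 0x00008000: "FileEvent", 0x01000000: "Created",
         0x02000000: "Removed", 0x08000000: "Renamed", 0x10000000: "Modified"}

def decode_flags(value):
    return [name for bit, name in FLAGS.items() if value & bit]

def parse_fsevents(raw):
    """Yield (path, event_id, flag_names, node_id) from one gzip-compressed DLS2 log file."""
    buf = gzip.decompress(raw)
    pos = 0
    while pos < len(buf):
        magic = buf[pos:pos + 4]                      # b"2SLD" marks a DLS2 (APFS) page
        assert magic == b"2SLD", "expected a DLS2 page at offset %d" % pos
        page_end = pos + struct.unpack_from("<I", buf, pos + 8)[0]   # length includes 12-byte header
        pos += 12
        while pos < page_end:
            nul = buf.index(b"\x00", pos)             # NUL-terminated UTF-8 path
            path = buf[pos:nul].decode("utf-8", "replace")
            event_id, flag_word, node_id = struct.unpack_from("<QIQ", buf, nul + 1)  # id, flags, node id
            yield path, event_id, decode_flags(flag_word), node_id
            pos = nul + 21
        pos = page_end

def created_then_removed(records):
    """Paths with a Created event followed by (or coalesced with) a Removed event."""
    created, gone = set(), []
    for path, _eid, flags, _node in records:
        if "Created" in flags:
            created.add(path)
        if "Removed" in flags and path in created and path not in gone:
            gone.append(path)
    return gone

def _record(path, event_id, flag_word, node_id):
    return path.encode() + b"\x00" + struct.pack("<QIQ", event_id, flag_word, node_id)

def build_sample_log():
    """Constructed DLS2 page (not real device data): a temp file created, modified, then removed."""
    body = b"".join([
        _record("private/var/mobile/tmp/staged.zip", 1001, 0x01008000, 5001),    # Created|FileEvent
        _record("private/var/mobile/tmp/staged.zip", 1002, 0x10008000, 5001),    # Modified|FileEvent
        _record("private/var/mobile/Library/notes.db", 1003, 0x10008000, 5002),  # Modified|FileEvent
        _record("private/var/mobile/tmp/staged.zip", 1004, 0x02008000, 5001),    # Removed|FileEvent
    ])
    page = b"2SLD" + b"\x00" * 4 + struct.pack("<I", 12 + len(body)) + body
    return gzip.compress(page)
```

Running `created_then_removed(parse_fsevents(build_sample_log()))` on the constructed page returns the staged.zip path, even though no such file would remain on the volume.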

Tools Required

  • iLEAPP
  • FSEventsParser
  • Cellebrite UFED
  • Magnet AXIOM

Collection Commands

idevicebackup2

idevicebackup2 backup --full /forensics/ios_backup/

iLEAPP

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

FSEventsParser

python3 FSEParser.py -s /path/to/fseventsd/ -o /forensics/fsevents_output/

Collection Constraints

  • Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

  • T1005
  • T1398
  • T1645
  • T1404