FSEvents (Filesystem Events)
Location
/.fseventsd/ (per-volume hidden directory)
Description
macOS filesystem event logging mechanism that records every file and directory creation, modification, deletion, and rename operation on each APFS or HFS+ volume. Events are written in compressed binary log files within the hidden /.fseventsd/ directory and include the full path, event flags, and a monotonically increasing event ID.
Forensic Value
FSEvents provides a high-fidelity chronological record of all filesystem activity, often spanning weeks or months depending on volume activity. It records file operations that leave no other trace, including files created and subsequently deleted by attackers. The event flags distinguish between creations, deletions, renames, and permission changes, enabling precise timeline reconstruction. FSEvents persists even after files are deleted and is one of the most valuable macOS forensic artifacts for establishing attacker file-level activity.
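As an added illustration (not code from this page or from any of the tools listed below), a minimal Python reader for one /.fseventsd/ log. It is built on the publicly documented DLS1/DLS2 page layout and flag bit values, which are assumptions here because the page does not spell them out; it parses a constructed gzip log and reports files that were created and later removed, the "no other trace" case described above.

```python
import gzip
import struct

# Flag bits as used by public FSEvents parsers (an assumption here; the page names no values).
FLAGS = {0x1: "FolderEvent", 0x8000: "FileEvent", 0x10000: "PermissionChange",
         0x01000000: "Created", 0x02000000: "Removed", 0x04000000: "InodeMetaMod",
         0x08000000: "Renamed", 0x10000000: "Modified", 0x80000000: "FolderCreated"}

def decode_flags(value):
    return [name for bit, name in FLAGS.items() if value & bit]

def build_page(records):
    """Constructed DLS2 page: magic, 4 reserved bytes, u32 page length (header included),
    then records of <path>\\0 <u64 event id> <u32 flags> <u64 node id>, all little-endian."""
    body = b"".join(path.encode() + b"\x00" + struct.pack("<QIQ", eid, flags, node)
                    for path, eid, flags, node in records)
    return b"2SLD" + bytes(4) + struct.pack("<I", 12 + len(body)) + body

def parse_fsevents(gz_bytes):
    """Return [(event_id, path, [flag names])] from one gzip-compressed log file."""
    data, pos, events = gzip.decompress(gz_bytes), 0, []
    while pos + 12 <= len(data):
        magic = data[pos:pos + 4]
        if magic not in (b"1SLD", b"2SLD"):
            raise ValueError("unknown page magic %r at offset %d" % (magic, pos))
        end, p = pos + struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        while p < end:
            nul = data.index(b"\x00", p)
            eid, flags = struct.unpack_from("<QI", data, nul + 1)
            events.append((eid, data[p:nul].decode("utf-8", "replace"), decode_flags(flags)))
            p = nul + 13 + (8 if magic == b"2SLD" else 0)   # DLS2 appends a u64 node id
        pos = end
    return sorted(events)   # event IDs increase monotonically, so this is chronological order

def created_then_removed(events):
    """Paths with a Created event followed by a Removed event: files that may leave no other trace."""
    seen, hits = set(), []
    for _, path, names in events:
        if "Created" in names:
            seen.add(path)
        elif "Removed" in names and path in seen:
            hits.append(path)
    return hits

# Constructed sample log: a file written then deleted, plus an unrelated modification.
SAMPLE_LOG = gzip.compress(build_page([
    ("Users/alice/Downloads/.stage.bin", 1001, 0x01008000, 77),
    ("Users/alice/Documents/report.pdf", 1002, 0x10008000, 78),
    ("Users/alice/Downloads/.stage.bin", 1003, 0x02008000, 77),
]))
```

Run `parse_fsevents(SAMPLE_LOG)` to list the three events in order and `created_then_removed(...)` to isolate the short-lived file; on a real volume, feed it the gunzipped contents of each file under /.fseventsd/ instead of the constructed sample.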
Tools Required
mac_apt, cp, FSEventsParser, log2timeline (plaso)
Collection Commands
mac_apt:
    python mac_apt.py -i /path/to/image -o /forensics/output FSEVENTS
cp (raw copy of the per-volume directory):
    sudo cp -r /.fseventsd/ /forensics/fsevents_backup/
FSEventsParser:
    python FSEParser_V4.0.py -s /.fseventsd/ -o /forensics/fsevents_parsed.csv
log2timeline (the plaso parser for this artifact is named fseventsd; recent plaso releases take the output file via --storage-file):
    log2timeline.py --parsers fseventsd --storage-file /forensics/timeline.plaso /path/to/image
Collection Constraints
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.