FSEvents (Filesystem Events)
Location
/.fseventsd/ (per-volume hidden directory)
Description
macOS filesystem event logging mechanism that records every file and directory creation, modification, deletion, and rename operation on each APFS or HFS+ volume. Events are written in compressed binary log files within the hidden /.fseventsd/ directory and include the full path, event flags, and a monotonically increasing event ID.
Forensic Value
FSEvents provides a high-fidelity chronological record of all filesystem activity, often spanning weeks or months depending on volume activity. It records file operations that leave no other trace, including files created and subsequently deleted by attackers. The event flags distinguish between creations, deletions, renames, and permission changes, enabling precise timeline reconstruction. FSEvents persists even after files are deleted and is one of the most valuable macOS forensic artifacts for establishing attacker file-level activity.
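Added example, not part of the original entry: one way to surface files that were created and later deleted, working from records already extracted from /.fseventsd/ by a parser. The record shape (event_id, path, flags), the flag labels and the sample data are assumptions constructed for this illustration, not the schema of any particular tool.

```python
from collections import namedtuple

# Constructed sample records, shaped like the output of an FSEvents parser.
# Field names and flag labels are this example's own (hypothetical).
Event = namedtuple("Event", "event_id path flags")

SAMPLE = [  # deliberately out of order, as when log files are read unsorted
    Event(1007, "/Users/alice/Documents/report.docx", {"Modified"}),
    Event(1003, "/private/tmp/stage.bin", {"Created", "Modified"}),
    Event(1001, "/Users/alice/Documents/report.docx", {"Created"}),
    Event(1012, "/private/tmp/stage.bin", {"Removed"}),
    Event(1015, "/private/tmp/.x", {"Created", "Removed"}),  # both flags, one record
    Event(1020, "/Users/alice/old.txt", {"Removed"}),         # created before the log window
    Event(1031, "/Users/alice/notes.txt", {"Created"}),
    Event(1034, "/Users/alice/notes.txt", {"Removed"}),
    Event(1040, "/Users/alice/notes.txt", {"Created"}),       # recreated, still present
]

def transient_files(events):
    """Return {path: (first_create_id, last_remove_id)} for paths that were
    created inside the log window and are absent at its end."""
    state = {}
    # The monotonically increasing event ID supplies the ordering.
    for ev in sorted(events, key=lambda e: e.event_id):
        created_id, removed_id = state.get(ev.path, (None, None))
        if "Created" in ev.flags:
            if created_id is None:
                created_id = ev.event_id
            removed_id = None  # the path exists again
        # Assumption: when one record carries both flags, treat it as
        # create-then-remove; the order inside a record is not recorded here.
        if "Removed" in ev.flags:
            removed_id = ev.event_id
        state[ev.path] = (created_id, removed_id)
    return {p: ids for p, ids in state.items() if None not in ids}

if __name__ == "__main__":
    for path, (first, last) in transient_files(SAMPLE).items():
        print(f"{path}: created at event {first}, removed at event {last}")
```

Paths whose creation predates the retained logs, such as old.txt in the sample, are left out because only their removal is visible.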