Fsevents

macOS Filesystem Events (FsEvents) track changes to files on a macOS system (similar to UsnJrnl on Windows). Parsing this data can sometimes show files that have been deleted. Resides at /System/Volumes/Data/.fseventsd/ or /.fseventsd on older systems. artemis will try to parse both locations by default.

Other Parsers:

• Velociraptor

References:

• Libyal

TOML Collection

system = "macos"

[output]
name = "fsevents_collection"
directory = "./tmp"
format = "json"
compress = false
endpoint_id = "abdc"
collection_id = 1
output = "local"

[[artifacts]]
artifact_name = "fseventsd"
[artifacts.fseventsd]
# Optional
# alt_file = ""

Collection Options

• alt_file Use an alternative FsEvent file. This configuration is optional. By default artemis will read the default locations for FsEvent files

Output Structure

An array of Fsevents entries

export interface Fsevents {
  /**Flags associated with FsEvent record */
  flags: string[];
  /**Full path to file associated with FsEvent record */
  path: string;
  /**Node ID associated with FsEvent record */
  node: number;
  /**Event ID associated with FsEvent record */
  event_id: number;
  /**Path to the FsEvent file */
  source: string;
  /**Created timestamp of the FsEvent source */
  source_created: string;
  /**Modified timestamp of the FsEvent source */
  source_modified: string;
  /**Changed timestamp of the FsEvent source */
  source_changed: string;
  /**Accessed timestamp of the FsEvent source */
  source_accessed: string;
}