Fsevents

macOS Filesystem Events (FsEvents) record changes to files and directories on a macOS volume, roughly the macOS counterpart of the NTFS UsnJrnl on Windows. Each record holds the path that changed, an event ID and a set of flags describing the change (created, modified, renamed, removed and so on), so parsing this data can reveal files that have since been deleted. The records carry no timestamps: event IDs only give ordering, and the timestamps of the log files themselves bound the window an event falls in. The logs reside at /System/Volumes/Data/.fseventsd/ on current systems or /.fseventsd on older ones; artemis tries both locations by default. The directory is readable only by root, so run the collection with root privileges.

Other Parsers:

References:

TOML Collection

system = "macos"

[output]
name = "fsevents_collection"
directory = "./tmp"
format = "json"
compress = false
endpoint_id = "abdc"
collection_id = 1
output = "local"

[[artifacts]]
artifact_name = "fseventsd"

Collection Options

  • N/A

Output Structure

An array of Fsevents entries

export interface Fsevents {
  /** Flags associated with FsEvent record */
  flags: string[];
  /** Full path to file associated with FsEvent record */
  path: string;
  /** Node ID associated with FsEvent record */
  node: number;
  /** Event ID associated with FsEvent record */
  event_id: number;
}
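As an added illustration (not artemis code), the following Python parser reads the on-disk fseventsd format described at the top of this page and emits records in the same shape as the Fsevents interface above. It assumes the widely documented page layout: each log file is gzip-compressed and holds pages that begin with the magic 1SLD or 2SLD, a 12-byte header whose last field is the page length, then records consisting of a NUL-terminated path (relative to the volume root), an 8-byte event ID, 4-byte flags and, in 2SLD pages only, an 8-byte node ID. The flag-bit names follow the convention used by the open-source FSEventsParser project and are an assumption; artemis's own flag strings may differ. The sample log is constructed inline.

```python
import gzip
import struct
from dataclasses import dataclass

# Assumed flag-bit layout (FSEventsParser convention); artemis's names may differ.
FLAG_BITS = {
    0x00000001: "FolderEvent", 0x00000002: "Mount", 0x00000004: "Unmount",
    0x00000020: "EndOfTransaction", 0x00000800: "LastHardLink",
    0x00001000: "HardLink", 0x00004000: "SymbolicLink", 0x00008000: "FileEvent",
    0x00010000: "PermissionChange", 0x00020000: "ExtendedAttrModified",
    0x00040000: "ExtendedAttrRemoved", 0x00100000: "DocumentRevisioning",
    0x00400000: "ItemCloned", 0x01000000: "Created", 0x02000000: "Removed",
    0x04000000: "InodeMetaMod", 0x08000000: "Renamed", 0x10000000: "Modified",
    0x20000000: "Exchange", 0x40000000: "FinderInfoMod", 0x80000000: "FolderCreated",
}


@dataclass
class FsEvent:  # mirrors the Fsevents interface: flags, path, node, event_id
    flags: list
    path: str
    node: int
    event_id: int


def decode_flags(raw):
    return [name for bit, name in FLAG_BITS.items() if raw & bit]


def parse_pages(data):
    """Parse decompressed fseventsd data: a sequence of 1SLD/2SLD pages."""
    events, off = [], 0
    while off + 12 <= len(data):
        magic = data[off:off + 4]
        if magic not in (b"1SLD", b"2SLD"):
            raise ValueError(f"bad page magic {magic!r} at offset {off}")
        page_len = struct.unpack_from("<I", data, off + 8)[0]   # bytes 4..8 unknown
        if page_len < 12 or off + page_len > len(data):
            raise ValueError("page length out of bounds")
        v2, pos, end = magic == b"2SLD", off + 12, off + page_len
        while pos < end:
            nul = data.index(b"\x00", pos, end)   # ValueError if path is unterminated
            path = data[pos:nul].decode("utf-8", errors="replace")
            pos = nul + 1
            if pos + 12 + (8 if v2 else 0) > end:
                raise ValueError("truncated record")
            event_id, raw_flags = struct.unpack_from("<QI", data, pos)
            pos += 12
            node = 0
            if v2:                                 # node ID only exists in 2SLD pages
                node = struct.unpack_from("<Q", data, pos)[0]
                pos += 8
            events.append(FsEvent(decode_flags(raw_flags), path, node, event_id))
        off = end
    return events


def parse_fseventsd_file(blob):
    """fseventsd log files are gzip-compressed; decompress, then parse pages."""
    return parse_pages(gzip.decompress(blob))


def removed_paths(events):
    """Paths carrying a Removed flag: candidates for files no longer on disk."""
    return sorted({e.path for e in events if "Removed" in e.flags})


def build_page(records, v2=True):
    """Build one page from (path, event_id, flags, node) tuples. Constructed test data."""
    body = b""
    for path, event_id, flags, node in records:
        body += path.encode() + b"\x00" + struct.pack("<QI", event_id, flags)
        if v2:
            body += struct.pack("<Q", node)
    magic = b"2SLD" if v2 else b"1SLD"
    return magic + b"\x00" * 4 + struct.pack("<I", 12 + len(body)) + body


# Constructed sample: a file is created, modified, then removed; a folder is created.
SAMPLE_RECORDS = [
    ("Users/alice/Documents/report.docx", 0x1000, 0x01000000 | 0x00008000, 1234567),
    ("Users/alice/Documents/report.docx", 0x1001, 0x10000000 | 0x00008000, 1234567),
    ("Users/alice/Documents/report.docx", 0x1002, 0x02000000 | 0x00008000, 1234567),
    ("Users/alice/Downloads", 0x1003, 0x00000001 | 0x80000000, 89),
]
SAMPLE_LOG = gzip.compress(build_page(SAMPLE_RECORDS))

if __name__ == "__main__":
    evts = parse_fseventsd_file(SAMPLE_LOG)
    for e in evts:
        print(f"{e.event_id:#x} {e.path} node={e.node} {','.join(e.flags)}")
    print("removed:", removed_paths(evts))
```

The same record shape comes out of artemis as JSON, so a post-collection triage of the artemis output only needs the `removed_paths` step: filter entries whose flags contain the removal flag and compare the paths against what is still on disk.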