Collect File System (FS) Events

Overview

Evidence: Collect File System (FS) Events
Description: Collect File System Events
Category: DiskFilesystem
Platform: macos
Short Name: fsevnts
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

FSEvents maintains a journal of file system changes. This data is essential for reconstructing file activity timelines and detecting suspicious modifications.

Data Collected

This collector gathers structured data about collect file system (fs) events.

Collection Method

This collector copies entries from /System/Volumes/Data/.fseventsd/ into the case content for offline analysis.

Forensic Value

This evidence is crucial for forensic investigations as it reveals file creations, deletions, and renames even when file metadata is missing.