File System Enumeration
Overview
Evidence: File System Enumeration
Description: Dump file and folder information as CSV
Group: DiskFilesystem
Sub Group: Disk & File System
Platform: macos
Short Name: fsenum
Is Parsed: Yes
Sent to Investigation Hub: No
Collect Raw File(s): No
Collect as CSV File: Yes
Background
File system enumeration records the stat(2) metadata of every file and directory it walks: ownership, permission bits, inode and link counts, sizes, and the three Unix timestamps. It does not collect file contents (Collect Raw File(s): No), so it gives a compact baseline of file system state that can be diffed against a known-good host or an earlier collection to spot unauthorized additions, deletions, and modifications. This collector targets macOS, but the fields are the standard POSIX stat fields and read the same way on any Unix-like system.
Data Collected
This collector produces one row per enumerated file system entry, with the columns described below.
File System Enumeration Data
| Field | Description | Example |
|---|---|---|
| GroupId | Numeric group ID (st_gid) of the entry's owning group | 123 |
| UserId | Numeric user ID (st_uid) of the entry's owner | 123 |
| Mode | File type and permission bits (st_mode), including setuid/setgid/sticky bits | 123 |
| Dev | ID of the device (file system) containing the entry (st_dev) | 123 |
| Nlink | Hard link count (st_nlink); a regular file with more than one link shares its inode with another path | 123 |
| Size | Size in bytes (st_size) | 123 |
| Ino | Inode number (st_ino); unique per file within one device | 123 |
| Path | Full path of the entry | Example value |
| LastChangeTime | Inode change time (ctime): last change to metadata or content, updated by the kernel and not settable from userland | 2023-10-15 14:30:25+03:00 |
| AccessTime | Last access time (atime); may lag or never update depending on mount options | 2023-10-15 14:30:25+03:00 |
| ModificationTime | Last content modification time (mtime); can be set arbitrarily with utimes() or touch | 2023-10-15 14:30:25+03:00 |
Collection Method
This collector walks the file system, calls stat on each entry it finds, and writes the resulting metadata as one row per entry to the file_system_enumeration table, which is exported as a CSV file. Entries are recorded as metadata only; no file contents are read or collected.
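To make the collection method and the forensic use of the timestamp columns concrete, here is an added example (written for this page, not the collector's own code) that performs the same kind of walk with Python's `os.lstat` and emits a CSV with the column names from the table above. Everything in it is an assumption about how such a collector is built: it uses lstat so symlinks are recorded as themselves, does not cross mount boundaries, skips unreadable directories instead of aborting, and finishes with a check that flags entries whose ModificationTime is ahead of LastChangeTime, which is the simplest timestomping indicator the collected fields support. The `demo()` function builds a small constructed directory tree in a temp directory; it is sample data, not real evidence.

```python
import csv
import io
import os
import stat
import tempfile
import time
from datetime import datetime, timezone

# Column order matches the File System Enumeration Data table on this page.
FIELDS = ["GroupId", "UserId", "Mode", "Dev", "Nlink", "Size", "Ino",
          "Path", "LastChangeTime", "AccessTime", "ModificationTime"]


def _iso(epoch: float) -> str:
    """Render an epoch value as 'YYYY-MM-DD HH:MM:SS+HH:MM' (UTC used here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(sep=" ", timespec="seconds")


def stat_record(path: str) -> dict:
    """One table row from lstat(2). lstat, not stat: a symlink is recorded as
    itself, so a planted link is not hidden behind its target's metadata."""
    st = os.lstat(path)
    return {
        "GroupId": st.st_gid,
        "UserId": st.st_uid,
        "Mode": st.st_mode,        # type + permission bits; stat.filemode() renders "-rw-r--r--"
        "Dev": st.st_dev,
        "Nlink": st.st_nlink,      # >1 on a regular file: another path shares this inode
        "Size": st.st_size,
        "Ino": st.st_ino,
        "Path": path,
        "LastChangeTime": _iso(st.st_ctime),    # ctime: set by the kernel only
        "AccessTime": _iso(st.st_atime),
        "ModificationTime": _iso(st.st_mtime),  # mtime: settable via utimes()/touch
    }


def enumerate_fs(root: str, one_filesystem: bool = True) -> list:
    """Depth-first walk of root that never follows symlinks, skips directories
    it cannot read, and (by default) stays on the root's file system."""
    root_dev = os.lstat(root).st_dev
    records = [stat_record(root)]
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            with os.scandir(current) as it:
                entries = sorted(it, key=lambda e: e.name)
        except (PermissionError, FileNotFoundError, NotADirectoryError):
            continue
        for entry in entries:
            try:
                rec = stat_record(entry.path)
            except FileNotFoundError:   # entry deleted while we were walking
                continue
            records.append(rec)
            if entry.is_dir(follow_symlinks=False):
                if one_filesystem and rec["Dev"] != root_dev:
                    continue            # a different mount: record it, do not descend
                stack.append(entry.path)
    return records


def to_csv(records: list) -> str:
    """Serialize rows as CSV with the page's column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def mtime_after_ctime(records: list) -> list:
    """Paths whose mtime is later than ctime. Every write or utimes() call moves
    ctime to the current clock, so mtime > ctime means mtime was set to a value
    ahead of the clock: timestomping, or a clock that moved backwards."""
    flagged = []
    for r in records:
        if datetime.fromisoformat(r["ModificationTime"]) > datetime.fromisoformat(r["LastChangeTime"]):
            flagged.append(r["Path"])
    return flagged


def demo() -> dict:
    """Constructed sample tree (not real evidence): a normal file, a subdirectory,
    and a file whose mtime has been pushed one day into the future."""
    root = tempfile.mkdtemp(prefix="fsenum_")
    normal = os.path.join(root, "notes.txt")
    with open(normal, "w") as f:
        f.write("hello")
    os.mkdir(os.path.join(root, "sub"))
    stomped = os.path.join(root, "sub", "payload.bin")
    with open(stomped, "wb") as f:
        f.write(b"\x00" * 16)
    ahead = time.time() + 86400
    os.utime(stomped, (ahead, ahead))   # atime/mtime move forward; ctime becomes "now"
    records = enumerate_fs(root)
    return {"normal": normal, "stomped": stomped, "records": records,
            "anomalies": mtime_after_ctime(records), "csv": to_csv(records)}


if __name__ == "__main__":
    result = demo()
    print(result["csv"])
    print("mtime ahead of ctime:", result["anomalies"])
```

Running the block prints the CSV for the constructed tree and lists `sub/payload.bin` as the only entry whose modification time is ahead of its change time. The one-file-system check matters on macOS because the data volume, system volume and any mounted images all have different `st_dev` values; recording the mount point but not descending into it keeps a collection bounded and makes Dev/Ino pairs comparable across rows.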
Forensic Value
This evidence gives an investigator a metadata snapshot of the file system that can be compared against a baseline or a second collection to find files that were added, removed, renamed, or changed. Ownership and Mode expose world-writable or setuid files and files owned by unexpected users; Nlink above one on a regular file reveals hard links into sensitive locations; Dev and Ino identify the underlying inode independently of its path. The three timestamps support timeline reconstruction, with one caveat worth applying routinely: mtime and atime can be set by any process with write access (utimes(), touch), whereas ctime is maintained by the kernel and cannot be backdated from userland, so an entry whose ModificationTime is later than its LastChangeTime, or whose mtime is far older than its ctime, is a candidate for timestamp manipulation. Access times should be treated with care, since many mounts update them lazily or not at all. Because no contents are collected, findings here typically direct a follow-up raw-file collection of the specific paths of interest.