Parse File System (FS) Events
Overview
Evidence: Parse File System (FS) Events
Description: Parse File System Events
Category: DiskFilesystem
Platform: macos
Short Name: fsevntsprs
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
FSEvents are binary logs that record file system changes at the kernel level. The parser decodes these logs to reveal detailed file operations including creates, deletes, renames, permission changes, and extended attribute modifications. This parsed data provides a comprehensive timeline of file system activity essential for forensic analysis.
Data Collected
This collector gathers structured records of parsed file system (FS) events.
Collection Method
This collector parses binary fseventsd log files from the case content, decoding DLS headers, extracting event records, and interpreting flag bitmasks to produce human-readable file operation records stored in the fs_events table.
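The three steps named above (DLS page header, event records, flag bitmask) in working form, as an added example that is not the collector's own code. The page layout and flag names follow the community reverse-engineering of the fseventsd format (as used by the open-source FSEventsParser project) and are an assumption here; the sample log is constructed in the block, not a real capture, and the removed_paths helper illustrates the "identify deleted files" use case from the Forensic Value section.

```python
import gzip
import struct

# Flag bit names as published by community reverse-engineering of the
# fseventsd format (e.g. the open-source FSEventsParser project). Assumption:
# verify them against the flag table your own parser uses.
FLAG_NAMES = {
    0x00000001: "FolderEvent",
    0x00000002: "Mount",
    0x00000004: "Unmount",
    0x00000020: "EndOfTransaction",
    0x00000800: "LastHardLinkRemoved",
    0x00001000: "HardLink",
    0x00004000: "SymbolicLink",
    0x00008000: "FileEvent",
    0x00010000: "PermissionChange",
    0x00020000: "ExtendedAttrModified",
    0x00040000: "ExtendedAttrRemoved",
    0x00100000: "DocumentRevisioning",
    0x00400000: "ItemCloned",
    0x01000000: "Created",
    0x02000000: "Removed",
    0x04000000: "InodeMetaMod",
    0x08000000: "Renamed",
    0x10000000: "Modified",
    0x20000000: "Exchange",
    0x40000000: "FinderInfoMod",
    0x80000000: "FolderCreated",
}
KNOWN_BITS = sum(FLAG_NAMES)

# DLS page header: 4-byte magic ("1SLD" or "2SLD" as stored on disk),
# 4 unknown bytes, 4-byte little-endian page length including the header.
PAGE_HEADER = struct.Struct("<4sII")
REC_V1 = struct.Struct("<QI")    # DLS1 record tail: event id, flags
REC_V2 = struct.Struct("<QIQ")   # DLS2 record tail: event id, flags, node id


def decode_flags(flags: int) -> list:
    """Turn a flag bitmask into the list of set flag names, lowest bit first."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]
    unknown = flags & ~KNOWN_BITS & 0xFFFFFFFF
    if unknown:                      # keep undocumented bits visible, never drop them
        names.append("Unknown(0x%08x)" % unknown)
    return names


def parse_fsevents(data: bytes) -> list:
    """Parse one fseventsd log (gzip-compressed or already inflated) into event dicts."""
    if data[:2] == b"\x1f\x8b":      # fseventsd files are gzip-compressed on disk
        data = gzip.decompress(data)
    records = []
    offset = 0
    while offset + PAGE_HEADER.size <= len(data):
        magic, _unknown, page_len = PAGE_HEADER.unpack_from(data, offset)
        if magic == b"1SLD":
            rec = REC_V1
        elif magic == b"2SLD":
            rec = REC_V2
        else:
            raise ValueError("bad page magic %r at offset %d" % (magic, offset))
        page_end = offset + page_len
        if page_len < PAGE_HEADER.size or page_end > len(data):
            raise ValueError("page length %d at offset %d out of range" % (page_len, offset))
        pos = offset + PAGE_HEADER.size
        while pos < page_end:
            nul = data.index(b"\x00", pos, page_end)   # path is NUL-terminated
            path = data[pos:nul].decode("utf-8", errors="replace")
            pos = nul + 1
            if pos + rec.size > page_end:
                raise ValueError("truncated record at offset %d" % pos)
            fields = rec.unpack_from(data, pos)
            pos += rec.size
            records.append({
                "event_id": fields[0],
                "flags": fields[1],
                "flag_names": decode_flags(fields[1]),
                "node_id": fields[2] if rec is REC_V2 else None,
                "path": path,
            })
        offset = page_end
    return records


def removed_paths(records: list) -> list:
    """Paths whose records carry the Removed flag: files that may no longer exist on disk."""
    return [r["path"] for r in records if "Removed" in r["flag_names"]]


def build_sample_log() -> bytes:
    """Constructed DLS2 sample (not a real capture): one file is created, then removed."""
    body = b""
    for path, flags, event_id, node_id in [
        (b"Users/alice/Documents/staging.zip", 0x00008000 | 0x01000000, 1001, 77),
        (b"Users/alice/Documents/staging.zip", 0x00008000 | 0x02000000, 1002, 77),
    ]:
        body += path + b"\x00" + REC_V2.pack(event_id, flags, node_id)
    page = PAGE_HEADER.pack(b"2SLD", 0, PAGE_HEADER.size + len(body)) + body
    return gzip.compress(page)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for r in parse_fsevents(SAMPLE_LOG):
        print(r["event_id"], r["path"], ",".join(r["flag_names"]))
```

Event IDs are monotonic per volume, so ordering the parsed records by event_id gives the operation sequence even though FSEvents records carry no timestamps of their own; the collector's timeline is built by correlating event IDs with the log file's own modification time and with other artifacts.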
Forensic Value
Parsed FSEvents provide detailed file operation timelines that survive file deletion and modification. They reveal attacker file operations, malware deployment, data staging, evidence tampering, and lateral movement. This evidence helps reconstruct attack sequences, identify deleted files, and establish precise activity timelines even when file metadata is altered or removed.